[solved] lsws + mod_geoip + modsec = fail

Discussion in 'Bug Reports' started by DraCoola, Jan 24, 2014.

  1. mistwang

    mistwang LiteSpeed Staff

    SecRule ENV:GEOIP_COUNTRY_CODE "@streq UK"

    should work, if it does not, please turn on mod_security debug logging with log level 9, check the error log see what happened with that rule.
     
  2. DraCoola

    DraCoola Member

    Hi George,

    I have used this rule to test:

    Code:
     SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat
     SecRule REQUEST_URI "/asu.php" "chain,drop,log,msg:'Non-CA',ID:69696999"
     SecRule REMOTE_ADDR "@geoLookup" "chain"
     SecRule ENV:GEOIP_COUNTRY_CODE "!@streq CA" "t:none"
    
    And also this :

    Code:
     <IfModule LiteSpeed>
     SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat
     SecRule REQUEST_URI "/asu.php" "chain,drop,log,msg:'Non-CA',ID:69696999"
     SecRule REMOTE_ADDR "@geoLookup" "chain"
     SecRule ENV:GEOIP_COUNTRY_CODE "!@streq CA" "t:none"
     </IfModule>
    



    Set mod_security log level to 9 as you suggested, and then accessed asu.php from somewhere other than Canada.
    But it seems like both of the rules above are still not recognized, as below:

    Code:
    root@evilism [/usr/local/apache/logs]# tail -f error_log | grep asu.php
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/joomla/administrator/index2\.php|module=admin&act=dispLayoutAdminEdit&layout_srl=|upgrade.php?step=|^/ubbthreads/install/|^/projects/csb/milestone$|^/backoffice/index\.php\?controller=admintranslations)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 29, String '/home/tes/public_html/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(/mod_cmd/index\.php)', len: 29, String '/home/tes/public_html/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '@pm php chr fopen fwrite globals system passthru serialize include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13 <? mfunc mclude dynamic-cached-content', len: 8, String '/asu.php', result: 3, reverse: 0
    2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:/(?:admin/(?:(?:build(?:/translate|language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:(/~[a-z0-9]+)?/\?q=node/[0-9]+/edit|\?(?:s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/support/agent/|^/content/item/edit/|^/index\.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/p(?:age_save|roduct_groups/edit/))', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:/(?:admin/(?:(?:build(?:/translate|/language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:\/\?(?:q=node\/[0-9]+\/edit|(s|v))|\?(s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/index.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/page_save)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(\.asmx$)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet cc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar', len: 8, String '/asu.php', result: 26, reverse: 0
    2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 29, String '/home/tes/public_html/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(^/livehelp/admin_users_refresh\.php)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.625 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 8, String '/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.626 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 8, String '/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '/asu.php', len: 8, String '/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 1
    2014-02-20 08:12:56.071 [INFO] [140.0.69.xxx:10004-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 0
    
     
  3. mistwang

    mistwang LiteSpeed Staff

    just get rid of
    SecRule REMOTE_ADDR "@geoLookup" "chain"
     
  4. DraCoola

    DraCoola Member

    Wonderful!
    It now works like heaven!

    So many thanks, George!
     
  5. fisher006

    fisher006 New Member

    Hi, I have a little question. I'm using Atomicorp modsecurity rules and I need geolocation in my audit.log

    --2c20f52b-A--
    [22/Oct/2015:19:57:24 +0200] - 162.243.171.45 37847 185.23.21.15:80 80 - I WANT HERE COUNTRY CODE
    --2c20f52b-B--

    I'm trying this rule but it doesn't work:

    SecGeoLookupDb /usr/local/lsws/geoip/GEOIP-Country.dat
    SecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,pass,nolog"


    Any suggestions?
     
  6. mistwang

    mistwang LiteSpeed Staff

    You need to configure the GeoIP database in LiteSpeed's native configuration.
    SecGeoLookupDb does not work.
     
  7. fisher006

    fisher006 New Member

    I have this configuration but audit.log still doesn't have GEO,
    but in access logs I have this information.

    example "....eWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36" PL -"

    audit:

    --0d5fcf52-A--
    [22/Oct/2015:20:47:43 +0200] - myip 40664 serverip:80 80
    --0d5fcf52-B--

    (attached screenshot: Zrzut ekranu z 2015-10-22 20:30:14.png)
     
    Last edited: Oct 22, 2015
  8. mistwang

    mistwang LiteSpeed Staff

    Does Apache's audit log have the GEO COUNTRY code in part A?

    As there is no clear definition of the format of audit log part A, LiteSpeed does not log the GEO COUNTRY code there.

    We can update our log format to include that.
     
  9. fisher006

    fisher006 New Member

    No GEO COUNTRY here.

    Full example

    Code:
    --37281efc-A--
    [22/Oct/2015:21:07:50 +0200] - 178.216.201.88 51548 xxx:443 443
    --37281efc-B--
    HEAD / HTTP/1.1
    User-Agent: Zabbix 2.4.5
    Host: xxx
    Accept: */*
    
    --37281efc-F--
    
    --37281efc-H--
    Message: Detected , [Rule: 'REMOTE_ADDR' '!@ipMatch 127.0.0.1,::1'] [id "331032"] [msg "Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address"] [severity "NOTICE"] [MatchedString "xxx"]
    --37281efc-Z--
    
    --6bafa1c0-A--
    [22/Oct/2015:21:08:51 +0200] - xxx 55683 xxx:443 443
    --6bafa1c0-B--
    HEAD / HTTP/1.1
    User-Agent: Zabbix 2.4.5
    Host: xxx
    Accept: */*
    
    --6bafa1c0-F--
    
    --6bafa1c0-H--
    Message: Detected , [Rule: 'REMOTE_ADDR' '!@ipMatch 127.0.0.1,::1'] [id "331032"] [msg "Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address"] [severity "NOTICE"] [MatchedString "xxx"]
    --6bafa1c0-Z--
    
    
    Lovely, how can I get this feature?
     
  10. mistwang

    mistwang LiteSpeed Staff

    We need to follow the official mod_security format, cannot add something arbitrary to the log message.
     
  11. fisher006

    fisher006 New Member

    OK, must I wait for an LSWS update?
     
  12. fisher006

    fisher006 New Member

    Or maybe I can change it myself?
     
  13. innovot

    innovot Member

    fisher006, LSWS is following what the modsec team write out to that log. You will need to ask upstream for that to be included and then it would filter through to LSWS.
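As the replies above explain, part A of the audit log carries no country code, so any enrichment has to happen when the log is read rather than when it is written. The following is an added example, not code from LiteSpeed, Atomicorp or anyone in this thread: it parses the serial audit-log layout shown above (the `--id-X--` sections), pulls the client address out of part A and the rule ids and messages out of part H, and attaches a country code from a caller-supplied lookup. The sample log, its addresses and the lookup dict standing in for a real GeoIP reader are all constructed.

```python
import re

# Constructed sample in ModSecurity's serial audit-log layout, modelled on the
# entries posted above; addresses are RFC 5737 documentation placeholders.
SAMPLE = """\
--37281efc-A--
[22/Oct/2015:21:07:50 +0200] - 203.0.113.7 51548 192.0.2.10:443 443
--37281efc-B--
HEAD / HTTP/1.1
Host: 192.0.2.10
--37281efc-H--
Message: Detected , [Rule: 'REMOTE_ADDR' '!@ipMatch 127.0.0.1,::1'] [id "331032"] [msg "Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address"] [severity "NOTICE"]
--37281efc-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: [timestamp] unique_id client_ip client_port server[:port] server_port
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<srv>\S+) (?P<sport>\d+)$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
MSG = re.compile(r'\[msg "([^"]*)"\]')

def split_transactions(text):
    """Group lines by transaction id and part letter: {tid: {"A": "...", "H": "..."}}."""
    txns, cur = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            cur = m.groups()
            txns.setdefault(cur[0], {}).setdefault(cur[1], [])
        elif cur:
            txns[cur[0]][cur[1]].append(line)
    return {t: {p: "\n".join(v).strip() for p, v in parts.items()} for t, parts in txns.items()}

def summarize(text, country_lookup=None):
    """One record per transaction; part A has no country, so the caller supplies a lookup."""
    records = []
    for tid, parts in split_transactions(text).items():
        a = PART_A.match(parts.get("A", ""))
        if not a:
            continue  # truncated or unexpected part A: skip rather than guess fields
        h = parts.get("H", "")
        records.append({
            "id": tid, "time": a["ts"], "client_ip": a["cip"],
            "server": a["srv"].rsplit(":", 1)[0],  # LSWS writes host:port here
            "rule_ids": RULE_ID.findall(h), "messages": MSG.findall(h),
            "country": country_lookup(a["cip"]) if country_lookup else None,
        })
    return records
```

Calling `summarize(SAMPLE, {"203.0.113.7": "PL"}.get)` yields one record with the rule id 331032 and country PL; a real deployment would pass a GeoIP reader's lookup method instead of the constructed dict.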
     