Hi. I'm not convinced that all hits to mod_security are showing up in ModSecurity Tools > Hits List. There are lots of results in there, but I'm fairly sure not all. Is that possible?
2023-03-22 12:52:10.867317 [NOTICE] [39665] [T4] [xx.xx.xx.xx:61822-H3:33C54DC092A3054D-52#APVH_xx.xx.xx.xx:443_xx.xx.com] [MODSEC] mod_security rule [id "211080"] at [/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf:150] triggered!
[Wed Mar 22 12:52:10.865969 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "211080"] [rev "2"] [msg "COMODO WAF: HTTP Response Splitting Attack||xx.xx.com|F|2"] [logdata "Matched Data:
..."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xx.xx.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"], referer: https://xx.xx.com/wp-admin/admin.php?page=wpjb-job&action=add
2023-03-28 17:09:50.941467 [NOTICE] [165535] [T5] [xx.xx.xx.xx:50946:HTTP2-677#APVH_xxxxx.com:443] [MODSEC] mod_security rule [id "941160"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf:74] triggered!
[Tue Mar 28 17:09:50.934994 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*' '(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|ll
ed|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?='] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [logdata "Matched Data: <img found within <img class="aligncenter wp-image-3803 size-full" src="https://xxxxx.com/wp-content/uploads/2023/03/Facebook-Event-Cover-revised.jpg" alt="A poster for the 2023 Sun Dog Theatre 
Festival." width="1200" height="628" />
2023-03-28 22:43:48.309545 [NOTICE] [178240] [T1] [xx.xx.xx.xx:60001-H3:58D24C-596#APVH_xxxxx.com:443] [MODSEC] mod_security rule [id "921120"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-921-PROTOCOL-ATTACK.conf:62] triggered!
[Tue Mar 28 22:43:48.308630 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*' '[\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "921120"] [rev "2"] [msg "HTTP Response Splitting Attack"] [logdata "Matched Data:
Are you running mod_ruid2 on the server? I don't think you would be because you mentioned Litespeed earlier, but just wanted to clarify.

Hi. Thanks. No, I am not. Yes, I am running Litespeed. Here are the mods I am running
Sure thing - if you are able to submit a ticket, please post the number here so I can follow along.

94949031
When Concurrent mode is used, "ModSecurity Tools" looks for a log file created in concurrent mode. Since LiteSpeed only uses Serial mode regardless of SecAuditLogType configuration, "ModSecurity Tools" will be looking in the wrong place and won't report any hits.
To fix the problem and get LiteSpeed Web Server logging, turn off the ModSecurity concurrent logger configuration and change it to serial mode.

The second thing is that the ModSecurity Tools > Hits List in WHM does not log all activity by design, to keep the volume in there down. I can't say I'm thrilled about that. A logging tool that only shows some events seems more misleading than useful, but it is what it is.
I understand the confusion that the Hits List might cause for not reporting every rule. The list tries to grab the most relevant results from the logs to help reduce the potentially large amount of noise that can be generated on an active server when ModSecurity is enabled. Our most current documentation for this feature is in the following two articles:
https://docs.cpanel.net/whm/security-center/modsecurity-tools/
https://docs.cpanel.net/ea4/apache/apache-module-modsecurity/#configuration-details
Though, the exact algorithm is not documented as to which rules make the Hits List interface. WHM tries to simplify many operations to make running a web server easier than directly interfacing with the services, but this can sometimes come with a limitation when having more advanced needs. For those with more advanced needs, searching the full logs for the ModSecurity hits is recommended to ensure all the information you need can be found, and you can whitelist the rule manually through WHM.

In any case, great support as always from cPanel. Thanks.
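Since the recommendation in this thread is to search the full logs rather than rely on the Hits List, here is an added example of doing exactly that. It is not cPanel's, LiteSpeed's or the ModSecurity project's code. It parses the two line shapes pasted earlier in the thread (the LiteSpeed "[MODSEC] mod_security rule [id ...] ... triggered!" notices and the ModSecurity "Access denied with code 403 ... [id ...] [msg ...] [hostname ...] [uri ...]" error lines), groups every hit by rule id, and reports which rule ids appear in the raw log but not in a list of ids you took from the Hits List. The log excerpt embedded at the bottom is constructed from those shapes with placeholder hosts and addresses; run it against the real error_log by passing the file contents to parse_log.

```python
"""Pull every ModSecurity hit out of a raw error log and summarise it by rule id.

Added example for this thread; not cPanel's, LiteSpeed's or ModSecurity's own code.
"""
import re

# [key "value"] pairs as ModSecurity 2.x writes them into the error log. A value with
# an unescaped quote inside it (the logdata field of the XSS hit in the thread) is
# simply not captured, which is fine: the fields reported on below never contain one.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TIMESTAMP_RE = re.compile(r'^\[([^\]]+)\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')
LS_NOTICE_RE = re.compile(
    r'\[MODSEC\] mod_security rule \[id "(\d+)"\] at \[([^\]]+)\] triggered!')


def parse_line(line):
    """Return a dict for one ModSecurity-related log line, or None for anything else."""
    m = LS_NOTICE_RE.search(line)
    if m:
        # LiteSpeed's notice only says which rule fired and which file it lives in.
        return {"source": "litespeed", "id": m.group(1), "rule_file": m.group(2)}
    if "ModSecurity:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "id" not in fields:
        return None
    ts = TIMESTAMP_RE.match(line)
    client = CLIENT_RE.search(line)
    denied = DENIED_RE.search(line)
    return {
        "source": "modsecurity",
        "timestamp": ts.group(1) if ts else "",
        "client": client.group(1) if client else "",
        # None means the rule only warned (DetectionOnly or a pass rule), not a block.
        "status": int(denied.group(1)) if denied else None,
        "id": fields["id"],
        "msg": fields.get("msg", ""),
        "severity": fields.get("severity", ""),
        "hostname": fields.get("hostname", ""),
        "uri": fields.get("uri", ""),
    }


def parse_log(text):
    """Parse a whole log and keep only the ModSecurity-related lines."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [hit for hit in parsed if hit]


def summarise(hits):
    """Group by rule id: how often it fired, how often it blocked, and who hit what."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["id"], {
            "count": 0, "blocked": 0, "msg": "", "rule_file": "",
            "clients": set(), "uris": set()})
        if h["source"] == "litespeed":
            # The notice duplicates the ModSecurity line, so it only contributes the path.
            entry["rule_file"] = h["rule_file"]
            continue
        entry["count"] += 1
        if h["status"] is not None:
            entry["blocked"] += 1
        entry["msg"] = entry["msg"] or h["msg"]
        if h["client"]:
            entry["clients"].add(h["client"])
        if h["uri"]:
            entry["uris"].add(h["uri"])
    return summary


def missing_from_hits_list(hits, shown_ids):
    """Rule ids present in the raw log but absent from the ids the Hits List showed."""
    seen = {h["id"] for h in hits if h["source"] == "modsecurity"}
    return sorted(seen - set(shown_ids))


# Constructed sample modelled on the lines pasted in the thread (placeholder hosts and
# documentation-range addresses; the long OWASP regex is abbreviated to "...").
SAMPLE_LOG = r"""2023-03-22 12:52:10.867317 [NOTICE] [39665] [T4] [203.0.113.5:61822-H3:33C54DC092A3054D-52#APVH_203.0.113.9:443_www.example.com] [MODSEC] mod_security rule [id "211080"] at [/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf:150] triggered!
[Wed Mar 22 12:52:10.865969 2023] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "211080"] [rev "2"] [msg "COMODO WAF: HTTP Response Splitting Attack||www.example.com|F|2"] [logdata "Matched Data: ..."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "www.example.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"], referer: https://www.example.com/wp-admin/admin.php?page=wpjb-job&action=add
2023-03-28 17:09:50.941467 [NOTICE] [165535] [T5] [198.51.100.7:50946:HTTP2-677#APVH_www.example.com:443] [MODSEC] mod_security rule [id "941160"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf:74] triggered!
[Tue Mar 28 17:09:50.934994 2023] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403, [Rule: 'ARGS' '(?i)<[^\w<>]*(?:...)'] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [logdata "Matched Data: <img found within <img class="aligncenter" src="https://www.example.com/x.jpg" />"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-admin/post.php"]
[Tue Mar 28 22:43:48.308630 2023] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "[\r\n]\W*?(?:content-(type|length)|set-cookie|location):" at ARGS:body. [id "921120"] [rev "2"] [msg "HTTP Response Splitting Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-admin/admin.php"]
[Tue Mar 28 22:43:50.000000 2023] [notice] [client 198.51.100.7] unrelated message that is not a ModSecurity hit"""

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for rule_id, entry in sorted(summarise(hits).items()):
        print(rule_id, entry["count"], "hits,", entry["blocked"], "blocked:", entry["msg"])
    # Ids the Hits List showed you (constructed); anything printed here was missed by it.
    print("not in Hits List:", missing_from_hits_list(hits, ["941160"]))
```

The summary keeps the LiteSpeed notice and the ModSecurity line for the same request from being counted twice, and separates blocks (status 403) from warnings so a DetectionOnly rule does not look like a block. Because nothing here depends on the audit log, it works the same whether SecAuditLogType is Serial or Concurrent, which is the gap the Hits List falls into on LiteSpeed.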