ModSecurity Tools not logging all hits

verdon

Well-Known Member
Nov 1, 2003
945
16
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
I have found hits in /usr/local/apache/logs/error_log that are not in ModSecurity Tools > Hits List. I am using LiteSpeed (default cpanel setup). Should I be looking somewhere else? Is it possible Litespeed is logging somewhere else that ModSecurity Tools is not looking at?
 

verdon

So here's an example... there are several of these in the log, yet they are not in the ModSecurity Tools > Hits List

Code:
2023-03-22 12:52:10.867317 [NOTICE] [39665] [T4] [xx.xx.xx.xx:61822-H3:33C54DC092A3054D-52#APVH_xx.xx.xx.xx:443_xx.xx.com] [MODSEC] mod_security rule [id "211080"] at [/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf:150] triggered! 
[Wed Mar 22 12:52:10.865969 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "211080"] [rev "2"] [msg "COMODO WAF: HTTP Response Splitting Attack||xx.xx.com|F|2"] [logdata "Matched Data: 
..."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xx.xx.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"], referer: https://xx.xx.com/wp-admin/admin.php?page=wpjb-job&action=add
 

quietFinn

Well-Known Member
Feb 4, 2006
1,902
465
438
Finland
cPanel Access Level
Root Administrator
Seems you are using Comodo's rules. They are not supported by the current ModSecurity version (should be 2.9.7).
 

verdon

@quietFinn yes, you're right. I've been using these rules so long, I forgot. I used the OWASP rules for a little while when first introduced by cPanel, but I had so much trouble with false positives, I went back to the Comodo rules that had been working for me. I guess I have to switch now :)
 

verdon

So, I've been using the OWASP rules for about a week now instead of the old Comodo ones. I discovered last night that there are still some hits not showing up in the hits list.

Here are a couple of examples grepped from the Apache error_log that are not in the ModSecurity™ Tools » Hits List:

Code:
2023-03-28 17:09:50.941467 [NOTICE] [165535] [T5] [xx.xx.xx.xx:50946:HTTP2-677#APVH_xxxxx.com:443] [MODSEC] mod_security rule [id "941160"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf:74] triggered!
[Tue Mar 28 17:09:50.934994 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*' '(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?='] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [logdata "Matched Data: <img  found within <img class="aligncenter wp-image-3803 size-full" src="https://xxxxx.com/wp-content/uploads/2023/03/Facebook-Event-Cover-revised.jpg" alt="A poster for the 2023 Sun Dog Theatre 
Festival." width="1200" height="628" />


2023-03-28 22:43:48.309545 [NOTICE] [178240] [T1] [xx.xx.xx.xx:60001-H3:58D24C-596#APVH_xxxxx.com:443] [MODSEC] mod_security rule [id "921120"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-921-PROTOCOL-ATTACK.conf:62] triggered!
[Tue Mar 28 22:43:48.308630 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*' '[\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "921120"] [rev "2"] [msg "HTTP Response Splitting Attack"] [logdata "Matched Data:
These are two examples. There are several. The odd thing is that all the missing hits I am aware of map back to one user IP address, though it's more likely it is their content. These hits are all from Wordpress users trying to update content. For several users the hits are showing in the hits list. For this particular user, none of them are, though I suspect it has something to do with the content they are trying to update/create. Rules this has been happening with are 921120, 941100, 941180, 941160, 930110 and perhaps more that have not been brought to my attention yet.
 

verdon

Are you running mod_ruid2 on the server? I don't think you would be because you mentioned Litespeed earlier, but just wanted to clarify.

Hi. Thanks. No, I am not. Yes, I am running Litespeed. Here are the mods I am running:

Apache 2.4
  • config
  • config-runtime
  • mod_asis
  • mod_bwlimited
  • mod_cgid
  • mod_deflate
  • mod_env
  • mod_expires
  • mod_headers
  • mod_mpm_worker
  • mod_proxy
  • mod_proxy_fcgi
  • mod_proxy_http
  • mod_proxy_wstunnel
  • mod_security2
  • mod_ssl
  • mod_suexec
  • mod_suphp
  • mod_unique_id
  • mod_version
  • tools
 

verdon

I just wanted to bring a summary here. After some back and forth and trying a few controlled tests, there were two things going on.

The first issue was that when using Litespeed, you should tweak the type of logging used by mod_security.

When Concurrent mode is used, "ModSecurity Tools" looks for a log file created in concurrent mode. Since LiteSpeed only uses Serial mode regardless of SecAuditLogType configuration, "ModSecurity Tools" will be looking in the wrong place and won't report any hits.
To fix the problem and get LiteSpeed Web Server logging, turn off the ModSecurity concurrent logger configuration and change it to serial mode.

The second thing is that the ModSecurity Tools > Hits List in WHM does not log all activity by design, to keep the volume in there down. I can't say I'm thrilled about that. A logging tool that only shows some events seems more misleading than useful, but it is what it is.

I understand the confusion that the Hits List might cause for not reporting every rule. The list tries to grab the most relevant results from the logs to help reduce the potentially large amount of noise that can be generated on an active server when ModSecurity is enabled. Our most current documentation for this feature is in the following two articles:

https://docs.cpanel.net/whm/security-center/modsecurity-tools/
https://docs.cpanel.net/ea4/apache/apache-module-modsecurity/#configuration-details

Though, the exact algorithm is not documented as to which rules make the Hits List interface. WHM tries to simplify many operations to make running a web server easier than directly interfacing with the services, but this can sometimes come with a limitation when having more advanced needs. For those with more advanced needs, searching the full logs for the ModSecurity hits is recommended to ensure all the information you need can be found, and you can whitelist the rule manually through WHM.

In any case, great support as always from cPanel. Thanks.
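The summary above recommends searching the full error_log rather than relying on the Hits List. As an added example, not code from the thread, from cPanel or from LiteSpeed, here is a small Python parser for the two record shapes the log excerpts show: the LiteSpeed `[MODSEC] ... triggered!` notice line and the Apache-style `ModSecurity: Access denied` record, whose `logdata` can wrap onto following lines. The sample log, IP addresses and host name are constructed placeholders; the parser also accepts `ModSecurity: Warning` records (DetectionOnly mode), which the thread does not show.

```python
import re
from collections import Counter

# Constructed sample in the two formats seen in error_log (a LiteSpeed [MODSEC] notice line, then
# Apache-style ModSecurity records). IPs and host are documentation placeholders, not thread values.
SAMPLE_LOG = r'''2023-03-28 17:09:50.941467 [NOTICE] [165535] [T5] [203.0.113.5:50946:HTTP2-677#APVH_example.com:443] [MODSEC] mod_security rule [id "941160"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf:74] triggered!
[Tue Mar 28 17:09:50.934994 2023] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403, [Rule: 'ARGS' '(?i)<[^\w<>]*script'] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [logdata "Matched Data: <img  found within ARGS:content: <img class="aligncenter"
src="https://example.com/cover.jpg" />"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Tue Mar 28 22:43:48.308630 2023] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403, [Rule: 'ARGS' '[\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "921120"] [rev "2"] [msg "HTTP Response Splitting Attack"] [logdata "Matched Data: ..."] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"]
[Tue Mar 28 23:01:02.000000 2023] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [hostname "example.com"] [uri "/?s=test"]
'''

# A record starts at a LiteSpeed "YYYY-MM-DD hh:mm:ss" stamp or an Apache "[Day Mon dd ...]" stamp;
# continuation lines (wrapped logdata) have neither and stay attached to the record above them.
RECORD_START = re.compile(r"^(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|\[(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) )", re.M)
ACTION = re.compile(r"ModSecurity: (Access denied|Warning)")
CLIENT = re.compile(r"\[client ([^\]\s]+?)(?::\d+)?\]")  # tolerate an optional :port suffix

def field(record, name):
    """Return the value of a ModSecurity [name "value"] field, or '' if the record lacks it."""
    m = re.search(r'\[' + name + r' "([^"]*)"\]', record)
    return m.group(1) if m else ""

def parse_hits(text):
    """Extract every ModSecurity hit (blocked or warning) from error_log text."""
    hits = []
    for record in RECORD_START.split(text):
        action = ACTION.search(record)
        if not action:  # skips the [MODSEC] notice lines and unrelated errors
            continue
        client = CLIENT.search(record)
        hits.append({
            "action": action.group(1),
            "client": client.group(1) if client else "",
            "id": field(record, "id"),
            "msg": field(record, "msg"),
            "hostname": field(record, "hostname"),
            "uri": field(record, "uri"),
        })
    return hits

def summarize(hits):
    """Count hits per rule id and per client IP: the two views needed to spot a noisy rule or source."""
    return Counter(h["id"] for h in hits), Counter(h["client"] for h in hits)

if __name__ == "__main__":
    by_rule, by_client = summarize(parse_hits(SAMPLE_LOG))
    print(by_rule.most_common(), by_client.most_common())
```

Run it against a real file with `parse_hits(open("/usr/local/apache/logs/error_log").read())`; the per-rule counter is the list to compare against the Hits List before deciding which rule ids to whitelist.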