Hi. I'm not convinced that all hits to mod_security are showing up in ModSecurity Tools > Hits List. There are lots of results in there, but I'm fairly sure not all. Is that possible?
I have found hits in /usr/local/apache/logs/error_log that are not in ModSecurity Tools > Hits List. I am using LiteSpeed (default cpanel setup). Should I be looking somewhere else? Is it possible Litespeed is logging somewhere else that ModSecurity Tools is not looking at?
Litespeed is configured to use /var/log/apache2/error_log but the contents of those logs look the same (at least for the period in question).
So here's an example... there are several of these in the log, yet they are not in the ModSecurity Tools > Hits List
Code:
2023-03-22 12:52:10.867317 [NOTICE] [39665] [T4] [xx.xx.xx.xx:61822-H3:33C54DC092A3054D-52#APVH_xx.xx.xx.xx:443_xx.xx.com] [MODSEC] mod_security rule [id "211080"] at [/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf:150] triggered!
[Wed Mar 22 12:52:10.865969 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "211080"] [rev "2"] [msg "COMODO WAF: HTTP Response Splitting Attack||xx.xx.com|F|2"] [logdata "Matched Data:
..."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xx.xx.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"], referer: https://xx.xx.com/wp-admin/admin.php?page=wpjb-job&action=addSeems you are using Comodo's rules. They are not supported by the current ModSecurity version (should be 2.9.7).
@quietFinn yes, you're right. I've been using these rules so long, I forgot. I used the OWASP rules for a little while when first introduced by cPanel, but I had so much trouble with false positives, I went back to the Comodo rules that had been working for me. I guess I have to switch now 
Last edited:
So, I've been using the OWASP rules for about a week now instead of the old Commodo ones. I discovered last night that there are still some hits not showing up in the hits list.
Here is a couple examples grepped from the apache error_log that are not in the ModSecurity™ Tools » Hits List
This is two examples. There are several. The odd thing is that all the missing hits I am aware of map back to one user IP address, though it's more likely it is their content. These hits are all from Wordpress users trying to update content. For several users the hits are showing in the hits list. For this particular user, none of them are, though I suspect it has something to mod with the content they are trying to update/create. Rules this has been happening with are 921120 941100 941180 941160 930110 and perhaps more that have not been brought to my attention yet.
Here is a couple examples grepped from the apache error_log that are not in the ModSecurity™ Tools » Hits List
Code:
2023-03-28 17:09:50.941467 [NOTICE] [165535] [T5] [xx.xx.xx.xx:50946:HTTP2-677#APVH_xxxxx.com:443] [MODSEC] mod_security rule [id "941160"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf:74] triggered!
[Tue Mar 28 17:09:50.934994 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*' '(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?='] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [logdata "Matched Data: <img found within <img class="aligncenter wp-image-3803 size-full" src="https://xxxxx.com/wp-content/uploads/2023/03/Facebook-Event-Cover-revised.jpg" alt="A poster for the 2023 Sun Dog Theatre Festival." width="1200" height="628" />
2023-03-28 22:43:48.309545 [NOTICE] [178240] [T1] [xx.xx.xx.xx:60001-H3:58D24C-596#APVH_xxxxx.com:443] [MODSEC] mod_security rule [id "921120"] at [/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-921-PROTOCOL-ATTACK.conf:62] triggered!
[Tue Mar 28 22:43:48.308630 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*' '[\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "921120"] [rev "2"] [msg "HTTP Response Splitting Attack"] [logdata "Matched Data:
Are you running mod_ruid2 on the server? I don't think you would be because you mentioned Litespeed earlier, but just wanted to clarify.
Hi. Thanks. No, I am not. Yes, I am running Litespeed. Here are the mods I am running
Apache 2.4
- config
- config-runtime
- mod_asis
- mod_bwlimited
- mod_cgid
- mod_deflate
- mod_env
- mod_expires
- mod_headers
- mod_mpm_worker
- mod_proxy
- mod_proxy_fcgi
- mod_proxy_http
- mod_proxy_wstunnel
- mod_security2
- mod_ssl
- mod_suexec
- mod_suphp
- mod_unique_id
- mod_version
- tools
Sure thing - if you are able to submit a ticket, please post the number here so I can follow along.
I just wanted to bring a summary here. After some back and forth and trying a few controlled tests, there were two things going on.
The first issue was that when using Litespeed, you should tweak the type of logging used by mod_security.
The first issue was that when using Litespeed, you should tweak the type of logging used by mod_security.
The second thing is that the ModSecurity Tools > Hits List in WHM does not log all activity by design, to keep the volume in there down. I can't say I'm thrilled about that. A logging tool that only shows some events seems more misleading than useful, but it is what it is.
In any case, great support as always from cPanel. Thanks.