It's whatever cPanel supplies by default. Maybe that's part of the problem.
On the ARGS, I just stopped copying too soon. I think this is it:
SecRule ARGS \
"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System
Command
Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule
"REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
\
"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System
Command
Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
On Wed, Sep 22, 2010 at 5:06 PM, Ryan Barnett <[email protected]>wrote:
> Rus,
> What CRS version are you using? This looks old as the newer versions are
> listed in the alert using the rev action. Also i believe the variable
> listing/targets for this rule were updated as it is missing ARGS.
>
> Sent from my iPhone
>
> On Sep 22, 2010, at 7:56 PM, "Russell Clemings" <[email protected]>
> wrote:
>
> > I could use some help dealing with the following false positive (some
> identifying details masked):
> >
> > 116818:[Tue Sep 21 22:52:43 2010] [error] [client XX.XX.XX.XX]
> ModSecurity: Access denied with code 501 (phase 2). Pattern match
> "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?
> ..." at REQUEST_COOKIES:__utmz. [file
> "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg
> "System Command Injection"] [data "/mail"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/COMMAND_INJECTION"] [hostname "xxx.xxx.xxx"] [uri
> "/xxxx-xxxxx-xxxxxxxx"] [unique_id "TJlve0CDUIUAAHyD6SMAAAAL"]
> >
> > A couple of previous posts suggest that this is hitting on a Google
> Analytics cookie (REQUEST_COOKIES:__utmz) that tracks where the user came
> from. It only seems to affect a few users. I've commented out the rule, and
> that fixed the immediate problem, but of course I would rather create a
> narrow exemption and leave the rule intact otherwise.
> >
> > How would I do that? FWIW, this is a cPanel VPS so the exceptions have to
> go in an unusual place (e.g.
> /usr/local/apache/conf/userdata/std/2/etc/etc/etc) but I can handle that
> part. It's how to write the rule that confuses me.
> >
> > Here's the rule as it stands now:
> >
> > SecRule
> REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES
> \
> >
> "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))"
> \
> >
> "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System
> Command
> Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
> >
> > I probably should add that I'm functionally regex-illiterate, so please
> speak slowly :)
> >
> > rac
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > [email protected]
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
--
============================================
Russell Clemings
<[email protected]>
National Association of Science Writers cybrarian:
<[email protected]>
============================================
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
