Hi,
I'm seeing this in my logs:
[Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493]
[client 1.2.3.4] ModSecurity: Warning. Match of "within %{tx.allowed_methods}"
against "REQUEST_METHOD" required. [file
"/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line
"45"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"]
[severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag
"OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"]
[tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname
"gw.mydomain.org"] [uri
"/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"]
[unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/
[Mon Feb 03 15:41:38.280044 2020] [:error] [pid 9250] [client 1.2.3.4:2493]
[client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Operator
GE matched 5 at TX:anomaly_score. [file
"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line
"91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
[severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-generic"] [hostname "gw.mydomain.org"] [uri
"/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"]
[unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/
[Mon Feb 03 15:41:38.280179 2020] [:error] [pid 9250] [client 1.2.3.4:2493]
[client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at
TX:inbound_anomaly_score. [file
"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"]
[id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 -
SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level
scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "gw.mydomain.org"]
[uri
"/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"]
[unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/
# grep -n --after-context=12 --before-context=1 949110 /usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
79-SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
80: "id:949110,\
81- phase:2,\
82- deny,\
83- t:none,\
84- log,\
85- msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
86- tag:'application-multi',\
87- tag:'language-multi',\
88- tag:'platform-multi',\
89- tag:'attack-generic',\
90- severity:'CRITICAL',\
91- setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
92-
Overall, Guacamole behind this reverse proxy seems to work fine (for
end-users), but I'm worried about the HTTP/403 reply...
Do you think it's worth looking into?
Do I need to tweak my modsecurity anomaly_score?
Vieri
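Added example, not part of Vieri's message and not Guacamole or CRS project code: the three log entries above are one event, since 911100 is the only rule that scored (a CRITICAL match is worth 5, which equals the default inbound threshold), 949110 only turns the score into the 403 and 980130 only reports it. The narrow fix is therefore to let rule 911100 see DELETE as allowed for the Guacamole token endpoint, rather than raising tx.inbound_anomaly_score_threshold for every request. The rule below assumes the CRS 3.2 layout shown in the log, that it is placed in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (loaded before the CRS rule files), that rule id 10100 is free, and that the token path always has the shape of the single URI in the log (/api/tokens/ followed by 64 hex characters); that path pattern is an assumption.

```apache
# Added example (not CRS or Guacamole code): per-path method allowance for
# the Guacamole token endpoint. Assumes CRS 3.2, that this file is loaded
# before the CRS rule files, and that id 10100 is unused locally.
#
# CRS rule 901160 only assigns the default tx.allowed_methods when the
# variable is still unset, so a value assigned here in phase 1 is kept and
# rule 911100 later checks REQUEST_METHOD against this list instead.
# The regex is an assumption based on the one URI seen in the error log.
SecRule REQUEST_FILENAME "@rx ^/api/tokens/[0-9A-Fa-f]{64}$" \
    "id:10100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE'"
```

The global alternative is the tx.allowed_methods setting of rule 900200 in crs-setup.conf, but that permits DELETE on every path behind the proxy; the per-path rule keeps the method policy as tight as before everywhere else. After reloading, repeat the same DELETE through the proxy and confirm that no 911100 entry (and consequently no 949110 or 980130 entry) appears for that unique_id while the anomaly threshold stays at 5.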