Topic: False positive for Magenet.com

postcd
False positive for Magenet.com
« on: September 10, 2017, 09:03:52 AM »
Hello,

I got a false positive (FP) with rule #210350.
IP: 207.244.67.107 (Magenet.com robot that is checking sites for placed links - a wanted robot)

Action Description:
Access denied with code 403 (phase 2).
Justification:
Pattern match "\\b(close|keep-alive),[\\t\\n\\r ]{0,1}(close|keep-alive)\\b" at REQUEST_HEADERS:Connection.

Happens for multiple content management systems (CMS) like: Wordpress, SMF, PHPBB

Example error log entry:
[Sun Sep 10 * 2017] [error] [client 207.244.67.107] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(close|keep-alive),[\\\\t\\\\n\\\\r ]{0,1}(close|keep-alive)\\\\b" at REQUEST_HEADERS:Connection. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"] [line "70"] [id "210350"] [rev "1"] [msg "COMODO WAF: Multiple/Conflicting Connection Header Data Found||mydomainhere.net|F|4"] [data "close, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [hostname "mydomainhere.net"] [uri "/url-here-t123.html"] [unique_id "WbUz3pteQx0AAHa[at]Y5IAAAAH"]
[Sun Sep 10 * 2017] [error] [client 207.244.67.107] File does not exist: /home/myusername/public_html/styles/supernova/template/colour-switcher.js, referer: https://myusername.net/url-here-t123.html

Hope you can narrow your rule so it does not have this false positive and improperly block Magenet.
If I can supply additional necessary information like headers, please kindly let me know how to do it. I am on Apache, SuPHP. Thank you
« Last Edit: September 10, 2017, 09:05:48 AM by postcd »

TDmitry (Head CWAF Rule Writing Team)
Re: False positive for Magenet.com
« Reply #1 on: September 10, 2017, 04:36:44 PM »
Please provide the mod security audit log for an event like this.

postcd
Re: False positive for Magenet.com
« Reply #2 on: September 10, 2017, 04:42:12 PM »
Quote
Please provide the mod security audit log for an event like this.

Hi, thanks for the post. I hope it is this part of the file. Let me know if it is not.
/usr/local/apache/logs/modsec_audit.log
Quote
--e910d421-Z--

--a8bce824-A--
[06/Sep/2017:* +0000] WbBIaJteQx0AAFfUoEEAAAAE 207.244.67.107 58404 myserveriphere 80
--a8bce824-B--
GET /server-administration-f47.html HTTP/1.1
Host: mysitehere.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Connection: close, close
Accept-Encoding: gzip

--a8bce824-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 34
Connection: close
Content-Type: text/html; charset=iso-8859-1

--a8bce824-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\b(close|keep-alive),[\\t\\n\\r ]{0,1}(close|keep-alive)\\b" at REQUEST_HEADERS:Connection. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"] [line "70"] [id "210350"] [rev "1"] [msg "COMODO WAF: Multiple/Conflicting Connection Header Data Found||mysitehere.com|F|4"] [data "close, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"]
Action: Intercepted (phase 2)
Stopwatch: 1504725096411157 6757 (- - -)
Stopwatch2: 1504725096411157 6757; combined=1480, p1=667, p2=632, p3=0, p4=0, p5=141, sr=66, sw=40, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--a8bce824-Z--

--4aa0b12d-A--

TDmitry (Head CWAF Rule Writing Team)
Re: False positive for Magenet.com
« Reply #3 on: September 10, 2017, 05:21:22 PM »
We will fix this issue. Thank you for your feedback.

TDmitry (Head CWAF Rule Writing Team)
Re: False positive for Magenet.com
« Reply #4 on: September 12, 2017, 09:04:51 AM »
After deeper investigation we have found that CWAF is taking proper blocking action for this request, because your request contains multiple Connection header values:
Quote
Connection: close, close

It is not allowed by our ruleset.

Probably you (or somebody else) are using some kind of bot to work with the site; modern browsers will not compose a header like this. To fix the issue you can fix the headers in the request, or disable the rule if it is blocking your application which you can't fix.
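To see which requests in an audit log rule 210350 would block, here is an added example (not code from the thread or from the CWAF ruleset) that splits a ModSecurity serial audit log at its `--id-X--` boundaries, pulls the Connection header out of each part B and runs the pattern quoted in the log message above over it. The audit-log excerpt is constructed with placeholder hosts, and case-insensitive matching is an assumption, since the rule's transformations are not shown in the thread.

```python
import re
# Pattern as quoted in the rule 210350 log message above; re.I (case-insensitive) is an assumption.
RULE_210350 = re.compile(r"\b(close|keep-alive),[\t\n\r ]{0,1}(close|keep-alive)\b", re.I)
# ModSecurity serial audit log boundary line: --<transaction id>-<part letter>--
SECTION = re.compile(r"^--([0-9a-f]+)-([A-Z])--[ \t]*$", re.MULTILINE)
# Constructed excerpt modelled on the posted log (placeholder hosts, two requests).
SAMPLE_AUDIT_LOG = """--aaaa0001-A--
[06/Sep/2017:12:00:00 +0000] TX0001 203.0.113.10 58404 198.51.100.1 80
--aaaa0001-B--
GET /server-administration-f47.html HTTP/1.1
Host: example.com
Connection: close, close

--aaaa0001-Z--
--aaaa0002-B--
GET /index.html HTTP/1.1
Host: example.com
Connection: keep-alive

--aaaa0002-Z--
"""

def parse_audit_sections(text):
    """Split an audit log into {(txid, part): body} using the boundary markers."""
    sections, markers = {}, list(SECTION.finditer(text))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        sections[(m.group(1), m.group(2))] = text[m.end():end].strip()
    return sections

def header_value(raw_request, name):
    """Value of header `name` in a part-B block (request line comes first), or None."""
    for line in raw_request.splitlines()[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def rule_210350_matches(connection_value):
    """True when the Connection header carries duplicate or conflicting tokens."""
    return bool(RULE_210350.search(connection_value or ""))

def flagged_transactions(audit_text):
    """[(txid, Connection value)] for each request (part B) the rule would block."""
    hits = []
    for (txid, part), body in parse_audit_sections(audit_text).items():
        value = header_value(body, "Connection")
        if part == "B" and rule_210350_matches(value):
            hits.append((txid, value))
    return hits
```

Note that the pattern tolerates at most one whitespace character after the comma, so `close,  close` (two spaces) would not be caught, while `close,close` and `keep-alive, close` both are.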
