Custom Rule not working

weasel · April 27, 2016, 12:03pm

Hi

I am new to CWAF, so please don’t shoot me down if I ask stupid questions

I have CWAF 2.17 installed on an Apache 2.4.20 server with ruleset 1.75 running on a DirectAdmin installation (v1.5.0)

CWAF is working because I get the occasional message of the form

[file "/usr/local/cwaf/rules/10_HTTP_HTTP.conf"] [line "32"] [id "210740"] [rev "2"] [msg "COMODO WAF: HTTP header is restricted by policy"]

in my apache logs

But I am unable to add my own rules. I have copied the following into /usr/local/cwaf/etc/httpd/custom_user.conf and restarted the apache server but the rule does not seem to be working.


SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134

<Locationmatch "/wp-login.php">
        # Setup brute force detection.
        # React if block flag has been set.
        SecRule user:bf_block "[at]gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

        # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,id:5000136"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,log,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        SecRule ip:bf_counter "[at]gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

The [at] references in the above have been rewritten by the board software so the really should be email "at"s

I do see the occasional message in the http logs of the form

[Wed Apr 27 12:34:21.712408 2016] [:error] [pid 1489] [client 91.200.12.73] ModSecurity: Warning. Pattern match "^302" at RESPONSE_STATUS. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "11"] [id "5000136"] [hostname "my.host.name"] [uri "/wp-login.php"] [unique_id "VyCjvZdQD0cAAAXR6WUAAAAH"]

which indicates that the rule is at least being fired occasionally (when the user login is successful, but definitely not at each failed login attempt. I simply get HTTP 200s in my logs e.g.

[27/Apr/2016:12:50:19 +0100] "POST /wp-login.php HTTP/1.1" 200 3530 "http://my.host.name/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

How do I diagnose where I have gone wrong

Thanks in advance
Chris

TDmitry · April 29, 2016, 2:58pm

Hi Chris,

Have you disabled CWAF Bruteforce rules before making your own? Just to test.
Such behavior could be achieved using SecAuditLogRelevantStatus, make sure you haven’t use this directive.
Also you can try to make same actions in phase:4 instead of logging phase:5.

weasel · April 29, 2016, 3:57pm

Thanks for the thought.

I disabled the brute force attack rule in CWAF and restarted apache - still no joy
I then changed phase:5 to phase 4 and restarted apache - still no joy

I suppose my next plan is to up the debugging levels

TDmitry · April 29, 2016, 4:32pm

I have tried your rules and they working fine for me.

[Fri Apr 29 16:28:32 2016] [error] [client X.X.X.X] ModSecurity: Warning. Pattern match "^302" at RESPONSE_STATUS. [file "/usr/local/CWAF/rules/xxx.conf"] [line "9"] [id "5000136"] [hostname "xxx.xxx"] [uri "/wp-login.php"] [unique_id "VyOLsH8AAAEAABxJAbIAAAAA"]
[Fri Apr 29 16:30:08 2016] [error] [client X.X.X.X] ModSecurity: Warning. Operator GT matched 10 at IP:bf_counter. [file "/usr/local/CWAF/rules/xxx.conf"] [line "10"] [id "5000137"] [hostname "xxx.xxx"] [uri "/wp-login.php"] [unique_id "VyOMEH8AAAEAABxSCnoAAAAJ"]

weasel · April 29, 2016, 4:38pm

Like that helps me! 88) 88) 88) Seriously though; thanks for taking the time to verify things

Well at least I know that the syntax and sematics of the rules are ok - I just need to figure out where/why they are not being fired