False positive for Magenet.com

postcd · September 10, 2017, 1:03pm

Hello,

i got false positive (FP) with rule #210350
IP: 207.244.67.107 (Magenet.com robot that is checking sites for placed links - a wanted robot)

Action Description:
Access denied with code 403 (phase 2).
Justification:
Pattern match “\b(close|keep-alive),[\t\n\r ]{0,1}(close|keep-alive)\b” at REQUEST_HEADERS:Connection.

Happens for multiple content management systems (CMS) like: Wordpress, SMF, PHPBB

Example error log entry:
[Sun Sep 10 * 2017] [error] [client 207.244.67.107] ModSecurity: Access denied with code 403 (phase 2). Pattern match “\\b(close|keep-alive),[\\t\\n\\r ]{0,1}(close|keep-alive)\\b” at REQUEST_HEADERS:Connection. [file “/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf”] [line “70”] [id “210350”] [rev “1”] [msg “COMODO WAF: Multiple/Conflicting Connection Header Data Found||mydomainhere.net|F|4”] [data “close, close”] [severity “WARNING”] [tag “CWAF”] [tag “Protocol”] [hostname “mydomainhere.net”] [uri “/url-here-t123.html”] [unique_id “WbUz3pteQx0AAHa[at]Y5IAAAAH”]
[Sun Sep 10 * 2017] [error] [client 207.244.67.107] File does not exist: /home/myusername/public_html/styles/supernova/template/colour-switcher.js, referer: https://myusername.net/url-here-t123.html

Hope you can narrow your rule so it do not have this false positive, improperly block Magenet.
If i can supply additional necessary information like headers, please kindly let me know how to do it. I am on Apache, SuPHP. Thank you

TDmitry · September 10, 2017, 8:36pm

Please provide mod security audit log for event like this.

postcd · September 10, 2017, 8:42pm

Hi, thanks for the post. I hope it is this part of the file. Let me know if it is not.
/usr/local/apache/logs/modsec_audit.log

--e910d421-Z--
–a8bce824-A–
[06/Sep/2017:* +0000] WbBIaJteQx0AAFfUoEEAAAAE 207.244.67.107 58404 myserveriphere 80
–a8bce824-B–
GET /server-administration-f47.html HTTP/1.1
Host: mysitehere.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Connection: close, close
Accept-Encoding: gzip

–a8bce824-F–
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 34
Connection: close
Content-Type: text/html; charset=iso-8859-1

–a8bce824-H–
Message: Access denied with code 403 (phase 2). Pattern match “\b(close|keep-alive),[\t\n\r ]{0,1}(close|keep-alive)\b” at REQUEST_HEADERS:Connection. [file “/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf”] [line “70”] [id “210350”] [rev “1”] [msg “COMODO WAF: Multiple/Conflicting Connection Header Data Found||mysitehere.com|F|4”] [data “close, close”] [severity “WARNING”] [tag “CWAF”] [tag “Protocol”]
Action: Intercepted (phase 2)
Stopwatch: 1504725096411157 6757 (- - -)
Stopwatch2: 1504725096411157 6757; combined=1480, p1=667, p2=632, p3=0, p4=0, p5=141, sr=66, sw=40, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: “ENABLED”

–a8bce824-Z–

–4aa0b12d-A–

TDmitry · September 10, 2017, 9:21pm

We will fix this issue. Thank you for your feedback.

TDmitry · September 12, 2017, 1:04pm

After deeper investigation we have found that CWAF taking proper blocking action for this request, because your request contains multiple connection header:

Connection: close, close

It is not allowed by our ruleset.

Probably you (or somebody else) are using some kind of bot to work with site, modern browsers will not compose header like this. To fix the issue you can fix headers in request or disable the rule if it is blocking your application which you can’t fix.