
Question: Why can't I add nginx ModSecurity OWASP rules for a custom domain - "Nur genaue Übereinstimmungen werden unterstützt"

jmar83

Regular Pleskian
Server operating system version
Debian 10.13
Plesk version and microupdate number
18.0.69 Update #2
Hi there

As the title says, I have a problem with custom webapp fw rules on a custom domain (so not in the general webapp fw settings section).

I get this message...
*****************************************************

Die folgenden Werte sind nicht gültig: SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access", SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter", SecRule REQUEST_BODY "@rx eval base64_decode" "id:1001003, phase:2, deny, status:403, msg:Blocked Obfuscated Payload", SecRule REQUEST_URI "@rx ^.*wp-content|uploads|images|cache.*\.(php|phtml)$" "id:1001004, phase:1, deny, status:403, msg:Suspicious file path", SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload", SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected". Die Regelnachricht darf nur Buchstaben, Ziffern, Leerzeichen und die folgenden Zeichen enthalten: -:;.,!?#&$%*()/.

Nur genaue Übereinstimmungen werden unterstützt.
*****************************************************
...when I try to add these rules:

Code:
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access"
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter"
SecRule REQUEST_BODY "@rx eval base64_decode" "id:1001003, phase:2, deny, status:403, msg:Blocked Obfuscated Payload"
SecRule REQUEST_URI "@rx ^.*wp-content|uploads|images|cache.*\.(php|phtml)$" "id:1001004, phase:1, deny, status:403, msg:Suspicious file path"
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload"
SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected"


Screenshot here:

1746399983996.png

Why?

Thank you very much for your feedback(s).

PS: At first I tried it with comments, but removing them did not solve the problem (the rules were created via ChatGPT...)


Code:
# Blocks requests with the GET/POST parameter "Chitoge"
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" \
    "id:1001001, phase:1, deny, status:403, msg:'[WAF] Blocked Chitoge Backdoor Access Attempt', log, severity:CRITICAL"

# Blocks typical key names of known webshell variants
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" \
    "id:1001002, phase:1, deny, status:403, msg:'[WAF] Suspicious parameter name detected (Backdoor Variant)', log, severity:CRITICAL"

# Blocks eval(base64_decode( in the body
SecRule REQUEST_BODY "@rx eval\s*\(\s*base64_decode\s*\(" \
    "id:1001003, phase:2, deny, status:403, msg:'[WAF] Blocked Obfuscated Payload (eval(base64_decode))', log, severity:CRITICAL, ctl:requestBodyAccess=on"

# Optional: blocks direct access to known webshell files
SecRule REQUEST_URI "@rx ^.*(wp-content|uploads|images|cache)/.*\.(php|phtml)$" \
    "id:1001004, phase:1, deny, status:403, msg:'[WAF] Suspicious PHP file upload path', log, severity:CRITICAL"

# Blocks requests with Content-Type multipart/form-data (upload attempts) when combined with POST
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:'[WAF] Blocked suspicious file upload attempt via POST', log, severity:HIGH"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data"
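As an added example (my own code, not from the post, Plesk or ModSecurity), a small Python pre-checker for rule lists like the ones above: it applies the character set that the Plesk error message quotes for the rule message (msg:), and ModSecurity 2.x's rule that metadata actions such as id and msg belong only on the first rule of a chain. The helper names are my own, and the sample rules are constructed from those quoted in the post.

```python
import re, string
# Characters Plesk's error text allows in a rule message: letters, digits, spaces and -:;.,!?#&$%*()/
ALLOWED_MSG_CHARS = set(string.ascii_letters + string.digits + " -:;.,!?#&$%*()/")
# ModSecurity 2.x accepts these actions only on the first rule of a chain
METADATA_ACTIONS = {"id", "rev", "msg", "tag", "severity", "ver", "accuracy", "maturity"}

def logical_lines(text):
    """Drop comments and blank lines, join lines that end in a backslash."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            if out and out[-1].endswith("\\"):
                out[-1] = out[-1][:-1].rstrip() + " " + line
            else:
                out.append(line)
    return out

def parse_actions(rule):
    """Map action name -> value from the last quoted string of a SecRule; {} if it has none."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', rule)
    if len(quoted) < 2:  # only the operator is quoted: no action list
        return {}
    actions = {}  # split on commas outside single quotes, so msg:'a, b' stays whole
    for item in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", quoted[-1]):
        name, _, value = item.strip().partition(":")
        actions[name.strip()] = value.strip().strip("'")
    return actions

def check_rules(text):
    """Return (rule id, problem) pairs for every SecRule that would be rejected."""
    findings, in_chain = [], False
    for rule in (r for r in logical_lines(text) if r.startswith("SecRule")):
        actions = parse_actions(rule)
        rid = actions.get("id", "<no id>")
        meta = sorted(METADATA_ACTIONS.intersection(actions)) if in_chain else []
        if meta:
            findings.append((rid, "metadata action on a chained rule: " + ",".join(meta)))
        bad = sorted(set(actions.get("msg", "")) - ALLOWED_MSG_CHARS)
        if bad:
            findings.append((rid, "msg contains disallowed characters: " + "".join(bad)))
        in_chain = "chain" in actions
    return findings

SAMPLE_RULES = r'''# sample input constructed from rules quoted in the post (not a Plesk config file)
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter"
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" \
    "id:1001002, phase:1, deny, status:403, msg:'[WAF] Suspicious parameter name detected (Backdoor Variant)'"
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload"
SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected"
'''
```

It reproduces only the character restriction the error text states and the chain rule, not whatever "exact match" parsing Plesk applies on top, so a list that passes here can still be rejected by the form.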