
Question: Why can't I add nginx ModSecurity OWASP rules for a custom domain - "Nur genaue Übereinstimmungen werden unterstützt"

jmar83

Regular Pleskian
Server operating system version: Debian 10.13
Plesk version and microupdate number: 18.0.69 Update #2
Hi there

As the title says, I have a problem with custom web application firewall rules on a custom domain (so not in the general web application firewall settings section).

I get this message...
*****************************************************

Die folgenden Werte sind nicht gültig: SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access", SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter", SecRule REQUEST_BODY "@rx eval base64_decode" "id:1001003, phase:2, deny, status:403, msg:Blocked Obfuscated Payload", SecRule REQUEST_URI "@rx ^.*wp-content|uploads|images|cache.*\.(php|phtml)$" "id:1001004, phase:1, deny, status:403, msg:Suspicious file path", SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload", SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected". Die Regelnachricht darf nur Buchstaben, Ziffern, Leerzeichen und die folgenden Zeichen enthalten: -:;.,!?#&$%*()/.

Nur genaue Übereinstimmungen werden unterstützt.
*****************************************************

...when I try to add these rules:

Code:
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access"
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter"
SecRule REQUEST_BODY "@rx eval base64_decode" "id:1001003, phase:2, deny, status:403, msg:Blocked Obfuscated Payload"
SecRule REQUEST_URI "@rx ^.*wp-content|uploads|images|cache.*\.(php|phtml)$" "id:1001004, phase:1, deny, status:403, msg:Suspicious file path"
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload"
SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected"


Screenshot here: [attached screenshot 1746399983996.png, not reproduced in the text]

Why?

Thank you very much for your feedback(s).
 
PS: At first I tried it with comments, but removing them did not solve the problem (the rules were created via ChatGPT...)


Code:
# Blocks requests with the GET/POST parameter "Chitoge"
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" \
    "id:1001001, phase:1, deny, status:403, msg:'[WAF] Blocked Chitoge Backdoor Access Attempt', log, severity:CRITICAL"

# Blocks typical key names of known webshell variants
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" \
    "id:1001002, phase:1, deny, status:403, msg:'[WAF] Suspicious parameter name detected (Backdoor Variant)', log, severity:CRITICAL"

# Blocks eval(base64_decode( in the request body
SecRule REQUEST_BODY "@rx eval\s*\(\s*base64_decode\s*\(" \
    "id:1001003, phase:2, deny, status:403, msg:'[WAF] Blocked Obfuscated Payload (eval(base64_decode))', log, severity:CRITICAL, ctl:requestBodyAccess=on"

# Optional: blocks direct access to known webshell files
SecRule REQUEST_URI "@rx ^.*(wp-content|uploads|images|cache)/.*\.(php|phtml)$" \
    "id:1001004, phase:1, deny, status:403, msg:'[WAF] Suspicious PHP file upload path', log, severity:CRITICAL"

# Blocks requests with Content-Type multipart/form-data (upload attempts) when combined with POST
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:'[WAF] Blocked suspicious file upload attempt via POST', log, severity:HIGH"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data"
 
Hmmm... now I've told ChatGPT the reason and asked for an alternative output:


Code:
SecRule REQUEST_URI "Chitoge" "id:1001001, phase:1, deny, status:403, msg:WAF Block Chitoge Backdoor Access Attempt"
SecRule ARGS_NAMES "Chitoge" "id:1001002, phase:1, deny, status:403, msg:WAF Suspicious parameter name Chitoge"
SecRule ARGS_NAMES "Gorila" "id:1001003, phase:1, deny, status:403, msg:WAF Suspicious parameter name Gorila"
SecRule ARGS_NAMES "Kirisaki" "id:1001004, phase:1, deny, status:403, msg:WAF Suspicious parameter name Kirisaki"
SecRule ARGS_NAMES "idx_file" "id:1001005, phase:1, deny, status:403, msg:WAF Suspicious parameter name idx_file"
SecRule ARGS_NAMES "upload" "id:1001006, phase:1, deny, status:403, msg:WAF Suspicious parameter name upload"
SecRule REQUEST_BODY "eval base64_decode" "id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload"
SecRule REQUEST_URI "wp-content" "id:1001008, phase:1, deny, status:403, msg:WAF Suspicious file path wp-content"
SecRule REQUEST_URI "uploads" "id:1001009, phase:1, deny, status:403, msg:WAF Suspicious file path uploads"
SecRule REQUEST_URI "images" "id:1001010, phase:1, deny, status:403, msg:WAF Suspicious file path images"
SecRule REQUEST_URI "cache" "id:1001011, phase:1, deny, status:403, msg:WAF Suspicious file path cache"
SecRule REQUEST_URI ".php" "id:1001012, phase:1, deny, status:403, msg:WAF Suspicious file extension php"
SecRule REQUEST_URI ".phtml" "id:1001013, phase:1, deny, status:403, msg:WAF Suspicious file extension phtml"
SecRule REQUEST_METHOD "POST" "id:1001014, phase:1, deny, status:403, msg:WAF Suspicious POST Request"
SecRule REQUEST_HEADERS:Content-Type "multipart/form-data" "id:1001015, phase:1, deny, status:403, msg:WAF Multipart form data detected"
 
Also the same problem with:

Code:
SecRule REQUEST_URI|ARGS_NAMES Chitoge id:1001001, phase:1, deny, status:403, msg:[WAF] Blocked Chitoge Backdoor Access Attempt, log, severity:CRITICAL

SecRule ARGS_NAMES Chitoge id:1001002, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: Chitoge, log, severity:CRITICAL
SecRule ARGS_NAMES Gorila id:1001003, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: Gorila, log, severity:CRITICAL
SecRule ARGS_NAMES Kirisaki id:1001004, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: Kirisaki, log, severity:CRITICAL
SecRule ARGS_NAMES idx_file id:1001005, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: idx_file, log, severity:CRITICAL
SecRule ARGS_NAMES upload id:1001006, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: upload, log, severity:CRITICAL

SecRule REQUEST_BODY eval(base64_decode) id:1001007, phase:2, deny, status:403, msg:[WAF] Obfuscated Payload detected: eval(base64_decode), log, severity:CRITICAL, ctl:requestBodyAccess=on

SecRule REQUEST_URI wp-content/.php id:1001008, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to wp-content/.php, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.php id:1001009, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to uploads/.php, log, severity:CRITICAL
SecRule REQUEST_URI images/.php id:1001010, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to images/.php, log, severity:CRITICAL
SecRule REQUEST_URI cache/.php id:1001011, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to cache/.php, log, severity:CRITICAL
SecRule REQUEST_URI wp-content/.phtml id:1001012, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to wp-content/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.phtml id:1001013, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to uploads/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI images/.phtml id:1001014, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to images/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI cache/.phtml id:1001015, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to cache/.phtml, log, severity:CRITICAL

I don't really understand - <Die Regelnachricht darf nur Buchstaben, Ziffern, Leerzeichen und die folgenden Zeichen enthalten: -:;.,!?#&$%*()/. Nur genaue Übereinstimmungen werden unterstützt>
 
Same error message with


Code:
SecRule REQUEST_URI ARGS_NAMES Chitoge id:1001001, phase:1, deny, status:403, msg:WAF Blocked Chitoge Backdoor Access Attempt, log, severity:CRITICAL

SecRule ARGS_NAMES Chitoge id:1001002, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Chitoge, log, severity:CRITICAL
SecRule ARGS_NAMES Gorila id:1001003, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Gorila, log, severity:CRITICAL
SecRule ARGS_NAMES Kirisaki id:1001004, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Kirisaki, log, severity:CRITICAL
SecRule ARGS_NAMES idx file id:1001005, phase:1, deny, status:403, msg:WAF Suspicious parameter name: idx file, log, severity:CRITICAL
SecRule ARGS_NAMES upload id:1001006, phase:1, deny, status:403, msg:WAF Suspicious parameter name: upload, log, severity:CRITICAL

SecRule REQUEST_BODY eval(base64 decode) id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload detected: eval(base64 decode), log, severity:CRITICAL, ctl:requestBodyAccesson

SecRule REQUEST_URI wp content/.php id:1001008, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.php, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.php id:1001009, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.php, log, severity:CRITICAL
SecRule REQUEST_URI images/.php id:1001010, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.php, log, severity:CRITICAL
SecRule REQUEST_URI cache/.php id:1001011, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.php, log, severity:CRITICAL
SecRule REQUEST_URI wp content/.phtml id:1001012, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.phtml id:1001013, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI images/.phtml id:1001014, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI cache/.phtml id:1001015, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.phtml, log, severity:CRITICAL
 
Now it works with
Code:
SecRule REQUEST URI ARGS NAMES Chitoge id:1001001, phase:1, deny, status:403, msg:WAF Blocked Chitoge Backdoor Access Attempt, log, severity:CRITICAL

SecRule ARGS NAMES Chitoge id:1001002, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Chitoge, log, severity:CRITICAL
SecRule ARGS NAMES Gorila id:1001003, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Gorila, log, severity:CRITICAL
SecRule ARGS NAMES Kirisaki id:1001004, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Kirisaki, log, severity:CRITICAL
SecRule ARGS NAMES idx file id:1001005, phase:1, deny, status:403, msg:WAF Suspicious parameter name: idx file, log, severity:CRITICAL
SecRule ARGS NAMES upload id:1001006, phase:1, deny, status:403, msg:WAF Suspicious parameter name: upload, log, severity:CRITICAL

SecRule REQUEST BODY eval(base64 decode) id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload detected: eval(base64 decode), log, severity:CRITICAL, ctl:requestBodyAccesson
SecRule REQUEST URI wp content/.php id:1001008, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.php, log, severity:CRITICAL
SecRule REQUEST URI uploads/.php id:1001009, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.php, log, severity:CRITICAL
SecRule REQUEST URI images/.php id:1001010, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.php, log, severity:CRITICAL
SecRule REQUEST URI cache/.php id:1001011, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.php, log, severity:CRITICAL
SecRule REQUEST URI wp content/.phtml id:1001012, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.phtml, log, severity:CRITICAL
SecRule REQUEST URI uploads/.phtml id:1001013, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.phtml, log, severity:CRITICAL
SecRule REQUEST URI images/.phtml id:1001014, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.phtml, log, severity:CRITICAL
SecRule REQUEST URI cache/.phtml id:1001015, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.phtml, log, severity:CRITICAL
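The error message quoted in this thread names the only characters the Plesk form accepts: letters, digits, spaces and `-:;.,!?#&$%*()/`. The following checker is an added example, not code from the thread or from Plesk. It applies that character set to a rule line and lists the offending characters, and it assumes (the page does not confirm it) that Plesk applies the set to the whole rule line rather than only to the `msg` field, which is what the finally accepted version, with `_` and `|` replaced by spaces, suggests. The two sample rules are copied from the posts above; `THREAD_VARIABLES` lists only the ModSecurity variable names used in this thread, not the full set. It also shows the caveat that matters for anyone relying on these rules: `REQUEST URI` and `ARGS NAMES` pass the form's check but are not ModSecurity variable names, so a rule rewritten that way will not inspect the request the way the original was meant to, and the only reliable way to know is to test against the domain and read the ModSecurity audit log.

```python
"""Checker for the character restriction Plesk reports on custom ModSecurity rules.

Added example; not code from the thread or from Plesk. It applies the rule stated
in the quoted error message (letters, digits, spaces and -:;.,!?#&$%*()/) and
ASSUMES the check covers the whole rule line, not just the msg field, which is
what the version that was finally accepted (underscores and pipes replaced by
spaces) suggests. The sample rules below are copied from the thread's posts.
"""
from __future__ import annotations

from collections import Counter

# Characters the error message lists as allowed besides letters, digits and spaces.
ALLOWED_EXTRA = "-:;.,!?#&$%*()/"

# ModSecurity variable names are fixed identifiers. Only the ones used in the
# thread are listed here; this is not the full ModSecurity variable set.
THREAD_VARIABLES = {"REQUEST_URI", "ARGS_NAMES", "REQUEST_BODY",
                    "REQUEST_METHOD", "REQUEST_HEADERS"}


def is_allowed(ch: str) -> bool:
    """True if `ch` is in the set the error message describes."""
    return ch.isalnum() or ch == " " or ch in ALLOWED_EXTRA


def disallowed_chars(rule: str) -> dict[str, int]:
    """Count each character in `rule` that the stated restriction rejects."""
    return dict(Counter(ch for ch in rule if not is_allowed(ch)))


def variable_token(rule: str) -> str | None:
    """Return the variable token of a SecRule line (the word after 'SecRule')."""
    parts = rule.split(maxsplit=2)
    if len(parts) < 2 or parts[0] != "SecRule":
        return None
    return parts[1]


def check_rule(rule: str) -> dict:
    """Explain why the form would reject `rule`, and whether the variable token
    still names a ModSecurity variable after any rewriting done to satisfy it."""
    bad = disallowed_chars(rule)
    var = variable_token(rule)
    # Strip a collection selector (REQUEST_HEADERS:Content-Type) and a second
    # variable joined with '|' (REQUEST_URI|ARGS_NAMES) before the lookup.
    base = var.split(":")[0].split("|")[0] if var else None
    return {
        "accepted_by_charset": not bad,
        "disallowed": bad,
        "variable": var,
        "variable_is_known": base in THREAD_VARIABLES,
    }


# Copied from the thread: the first rule as originally submitted ...
ORIGINAL_RULE = ('SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" '
                 '"id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access"')
# ... and the rewrite the form finally accepted.
ACCEPTED_RULE = ("SecRule REQUEST URI ARGS NAMES Chitoge id:1001001, phase:1, deny, "
                 "status:403, msg:WAF Blocked Chitoge Backdoor Access Attempt, log, "
                 "severity:CRITICAL")


def report(rule: str) -> str:
    """One-line human-readable summary for a rule."""
    r = check_rule(rule)
    if not r["accepted_by_charset"]:
        chars = ", ".join(f"{c!r} x{n}" for c, n in sorted(r["disallowed"].items()))
        return f"rejected: disallowed characters {chars}"
    if not r["variable_is_known"]:
        return (f"accepted by the form, but {r['variable']!r} is not a ModSecurity "
                f"variable, so the rule will not match what was intended")
    return "accepted, variable is valid"


if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, ACCEPTED_RULE):
        print(rule)
        print("  ->", report(rule))
```

Run it as a script to see the two verdicts: the original rule is rejected for `_`, `|`, `"` and `@`; the rewritten rule passes the character check but its variable token is `REQUEST`, which is not a ModSecurity variable. Paste any other rule from the thread into `report()` to see which characters (for example `'`, `[`, `]`, `\`, `=` in the commented version) trip the restriction.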
 