
Question: Why can't I add nginx ModSecurity OWASP rules for a custom domain - "Nur genaue Übereinstimmungen werden unterstützt"

jmar83

Regular Pleskian
Server operating system version
Debian 10.13
Plesk version and microupdate number
18.0.69 Update #2
Hi there

As the title says, I have a problem with custom web application firewall rules on a custom domain (so not in the general web application firewall settings section).

I get this message...
*****************************************************

Die folgenden Werte sind nicht gültig: SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access", SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter", SecRule REQUEST_BODY "@rx eval base64_decode" "id:1001003, phase:2, deny, status:403, msg:Blocked Obfuscated Payload", SecRule REQUEST_URI "@rx ^.*wp-content|uploads|images|cache.*\.(php|phtml)$" "id:1001004, phase:1, deny, status:403, msg:Suspicious file path", SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload", SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected". Die Regelnachricht darf nur Buchstaben, Ziffern, Leerzeichen und die folgenden Zeichen enthalten: -:;.,!?#&$%*()/.

Nur genaue Übereinstimmungen werden unterstützt.
*****************************************************




...when I try to add these rules:

Code:
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access"
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" "id:1001002, phase:1, deny, status:403, msg:Suspicious parameter"
SecRule REQUEST_BODY "@rx eval base64_decode" "id:1001003, phase:2, deny, status:403, msg:Blocked Obfuscated Payload"
SecRule REQUEST_URI "@rx ^.*wp-content|uploads|images|cache.*\.(php|phtml)$" "id:1001004, phase:1, deny, status:403, msg:Suspicious file path"
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:Suspicious file upload"
SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "msg:Multipart form data detected"


Screenshot here: (attached image 1746399983996.png)

Why?

Thank you very much for your feedback.
 
PS: At first I tried it with comments, but removing them did not solve the problem (the rules were created via ChatGPT...)


Code:
# Blocks requests with the GET/POST parameter "Chitoge"
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" \
    "id:1001001, phase:1, deny, status:403, msg:'[WAF] Blocked Chitoge Backdoor Access Attempt', log, severity:CRITICAL"

# Blocks typical key names of known webshell variants
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" \
    "id:1001002, phase:1, deny, status:403, msg:'[WAF] Suspicious parameter name detected (Backdoor Variant)', log, severity:CRITICAL"

# Blocks eval(base64_decode( in the body
SecRule REQUEST_BODY "@rx eval\s*\(\s*base64_decode\s*\(" \
    "id:1001003, phase:2, deny, status:403, msg:'[WAF] Blocked Obfuscated Payload (eval(base64_decode))', log, severity:CRITICAL, ctl:requestBodyAccess=on"

# Optional: blocks direct access to known webshell files
SecRule REQUEST_URI "@rx ^.*(wp-content|uploads|images|cache)/.*\.(php|phtml)$" \
    "id:1001004, phase:1, deny, status:403, msg:'[WAF] Suspicious PHP file upload path', log, severity:CRITICAL"

# Blocks requests with Content-Type multipart/form-data (upload attempts) when combined with POST
SecRule REQUEST_METHOD "POST" "chain, id:1001005, phase:1, deny, status:403, msg:'[WAF] Blocked suspicious file upload attempt via POST', log, severity:HIGH"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data"
 
Hmmm... now I've told ChatGPT the reason and asked for an alternative output:


Code:
SecRule REQUEST_URI "Chitoge" "id:1001001, phase:1, deny, status:403, msg:WAF Block Chitoge Backdoor Access Attempt"
SecRule ARGS_NAMES "Chitoge" "id:1001002, phase:1, deny, status:403, msg:WAF Suspicious parameter name Chitoge"
SecRule ARGS_NAMES "Gorila" "id:1001003, phase:1, deny, status:403, msg:WAF Suspicious parameter name Gorila"
SecRule ARGS_NAMES "Kirisaki" "id:1001004, phase:1, deny, status:403, msg:WAF Suspicious parameter name Kirisaki"
SecRule ARGS_NAMES "idx_file" "id:1001005, phase:1, deny, status:403, msg:WAF Suspicious parameter name idx_file"
SecRule ARGS_NAMES "upload" "id:1001006, phase:1, deny, status:403, msg:WAF Suspicious parameter name upload"
SecRule REQUEST_BODY "eval base64_decode" "id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload"
SecRule REQUEST_URI "wp-content" "id:1001008, phase:1, deny, status:403, msg:WAF Suspicious file path wp-content"
SecRule REQUEST_URI "uploads" "id:1001009, phase:1, deny, status:403, msg:WAF Suspicious file path uploads"
SecRule REQUEST_URI "images" "id:1001010, phase:1, deny, status:403, msg:WAF Suspicious file path images"
SecRule REQUEST_URI "cache" "id:1001011, phase:1, deny, status:403, msg:WAF Suspicious file path cache"
SecRule REQUEST_URI ".php" "id:1001012, phase:1, deny, status:403, msg:WAF Suspicious file extension php"
SecRule REQUEST_URI ".phtml" "id:1001013, phase:1, deny, status:403, msg:WAF Suspicious file extension phtml"
SecRule REQUEST_METHOD "POST" "id:1001014, phase:1, deny, status:403, msg:WAF Suspicious POST Request"
SecRule REQUEST_HEADERS:Content-Type "multipart/form-data" "id:1001015, phase:1, deny, status:403, msg:WAF Multipart form data detected"
 
Also the same problem with:

Code:
SecRule REQUEST_URI|ARGS_NAMES Chitoge id:1001001, phase:1, deny, status:403, msg:[WAF] Blocked Chitoge Backdoor Access Attempt, log, severity:CRITICAL

SecRule ARGS_NAMES Chitoge id:1001002, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: Chitoge, log, severity:CRITICAL
SecRule ARGS_NAMES Gorila id:1001003, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: Gorila, log, severity:CRITICAL
SecRule ARGS_NAMES Kirisaki id:1001004, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: Kirisaki, log, severity:CRITICAL
SecRule ARGS_NAMES idx_file id:1001005, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: idx_file, log, severity:CRITICAL
SecRule ARGS_NAMES upload id:1001006, phase:1, deny, status:403, msg:[WAF] Suspicious parameter name: upload, log, severity:CRITICAL

SecRule REQUEST_BODY eval(base64_decode) id:1001007, phase:2, deny, status:403, msg:[WAF] Obfuscated Payload detected: eval(base64_decode), log, severity:CRITICAL, ctl:requestBodyAccess=on

SecRule REQUEST_URI wp-content/.php id:1001008, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to wp-content/.php, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.php id:1001009, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to uploads/.php, log, severity:CRITICAL
SecRule REQUEST_URI images/.php id:1001010, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to images/.php, log, severity:CRITICAL
SecRule REQUEST_URI cache/.php id:1001011, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to cache/.php, log, severity:CRITICAL
SecRule REQUEST_URI wp-content/.phtml id:1001012, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to wp-content/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.phtml id:1001013, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to uploads/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI images/.phtml id:1001014, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to images/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI cache/.phtml id:1001015, phase:1, deny, status:403, msg:[WAF] Suspicious file upload to cache/.phtml, log, severity:CRITICAL

I don't really understand - <Die Regelnachricht darf nur Buchstaben, Ziffern, Leerzeichen und die folgenden Zeichen enthalten: -:;.,!?#&$%*()/. Nur genaue Übereinstimmungen werden unterstützt>
 
Same error message with:


Code:
SecRule REQUEST_URI ARGS_NAMES Chitoge id:1001001, phase:1, deny, status:403, msg:WAF Blocked Chitoge Backdoor Access Attempt, log, severity:CRITICAL

SecRule ARGS_NAMES Chitoge id:1001002, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Chitoge, log, severity:CRITICAL
SecRule ARGS_NAMES Gorila id:1001003, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Gorila, log, severity:CRITICAL
SecRule ARGS_NAMES Kirisaki id:1001004, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Kirisaki, log, severity:CRITICAL
SecRule ARGS_NAMES idx file id:1001005, phase:1, deny, status:403, msg:WAF Suspicious parameter name: idx file, log, severity:CRITICAL
SecRule ARGS_NAMES upload id:1001006, phase:1, deny, status:403, msg:WAF Suspicious parameter name: upload, log, severity:CRITICAL

SecRule REQUEST_BODY eval(base64 decode) id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload detected: eval(base64 decode), log, severity:CRITICAL, ctl:requestBodyAccesson

SecRule REQUEST_URI wp content/.php id:1001008, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.php, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.php id:1001009, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.php, log, severity:CRITICAL
SecRule REQUEST_URI images/.php id:1001010, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.php, log, severity:CRITICAL
SecRule REQUEST_URI cache/.php id:1001011, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.php, log, severity:CRITICAL
SecRule REQUEST_URI wp content/.phtml id:1001012, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI uploads/.phtml id:1001013, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI images/.phtml id:1001014, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.phtml, log, severity:CRITICAL
SecRule REQUEST_URI cache/.phtml id:1001015, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.phtml, log, severity:CRITICAL
 
Now it works with:
Code:
SecRule REQUEST URI ARGS NAMES Chitoge id:1001001, phase:1, deny, status:403, msg:WAF Blocked Chitoge Backdoor Access Attempt, log, severity:CRITICAL

SecRule ARGS NAMES Chitoge id:1001002, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Chitoge, log, severity:CRITICAL
SecRule ARGS NAMES Gorila id:1001003, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Gorila, log, severity:CRITICAL
SecRule ARGS NAMES Kirisaki id:1001004, phase:1, deny, status:403, msg:WAF Suspicious parameter name: Kirisaki, log, severity:CRITICAL
SecRule ARGS NAMES idx file id:1001005, phase:1, deny, status:403, msg:WAF Suspicious parameter name: idx file, log, severity:CRITICAL
SecRule ARGS NAMES upload id:1001006, phase:1, deny, status:403, msg:WAF Suspicious parameter name: upload, log, severity:CRITICAL

SecRule REQUEST BODY eval(base64 decode) id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload detected: eval(base64 decode), log, severity:CRITICAL, ctl:requestBodyAccesson
SecRule REQUEST URI wp content/.php id:1001008, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.php, log, severity:CRITICAL
SecRule REQUEST URI uploads/.php id:1001009, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.php, log, severity:CRITICAL
SecRule REQUEST URI images/.php id:1001010, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.php, log, severity:CRITICAL
SecRule REQUEST URI cache/.php id:1001011, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.php, log, severity:CRITICAL
SecRule REQUEST URI wp content/.phtml id:1001012, phase:1, deny, status:403, msg:WAF Suspicious file upload to wp content/.phtml, log, severity:CRITICAL
SecRule REQUEST URI uploads/.phtml id:1001013, phase:1, deny, status:403, msg:WAF Suspicious file upload to uploads/.phtml, log, severity:CRITICAL
SecRule REQUEST URI images/.phtml id:1001014, phase:1, deny, status:403, msg:WAF Suspicious file upload to images/.phtml, log, severity:CRITICAL
SecRule REQUEST URI cache/.phtml id:1001015, phase:1, deny, status:403, msg:WAF Suspicious file upload to cache/.phtml, log, severity:CRITICAL
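The validator text quoted in the error spells out which characters a rule message may contain. As an added example (not from the post and not Plesk's own code), here is a small Python checker that folds continuation lines, extracts each rule's msg action and lists the characters outside that set, run over three lines taken from the batches above; it assumes the allowed set is applied literally to the msg text, since Plesk's real validation logic is not shown. It flags the `'[WAF] ...'` messages but passes the unquoted ones, so the rejection of the later unquoted batches must come from another part of the check.

```python
import re
import shlex

# Allowed message characters, taken literally from the validator text quoted in
# the post: letters, digits, spaces and -:;.,!?#&$%*()/
MSG_ALLOWED = re.compile(r"[A-Za-z0-9 \-:;.,!?#&$%*()/]")

# Sample input: three SecRule lines copied from the batches in the post.
SAMPLE_RULES = r"""
SecRule REQUEST_URI|ARGS_NAMES "@contains Chitoge" "id:1001001, phase:1, deny, status:403, msg:Blocked Chitoge Access"
# Blocks typical key names of known webshell variants
SecRule ARGS_NAMES "@rx ^(Chitoge|Gorila|Kirisaki|idx_file|upload)$" \
    "id:1001002, phase:1, deny, status:403, msg:'[WAF] Suspicious parameter name detected (Backdoor Variant)', log, severity:CRITICAL"
SecRule REQUEST BODY eval(base64 decode) id:1001007, phase:2, deny, status:403, msg:WAF Obfuscated Payload detected: eval(base64 decode), log, severity:CRITICAL
"""


def logical_rules(text):
    """Fold backslash-newline continuations, then drop blank lines and # comments."""
    folded = re.sub(r"\\\n\s*", " ", text)
    return [l.strip() for l in folded.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def rule_msg(rule):
    """Return the msg action of one SecRule line (single quotes stripped) or None."""
    tokens = shlex.split(rule)              # double quotes delimit the three fields
    if len(tokens) < 4 or tokens[0] != "SecRule":
        return None
    actions = " ".join(tokens[3:])          # unquoted variants spill into extra tokens
    # split on commas outside msg:'...' quoting (an even number of quotes follows)
    for item in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", actions):
        item = item.strip()
        if item.startswith("msg:"):
            return item[4:].strip("'")
    return None


def check_msgs(text=SAMPLE_RULES):
    """Map each rule's msg to the sorted characters the validator would reject."""
    report = {}
    for rule in logical_rules(text):
        msg = rule_msg(rule)
        if msg is not None:
            report[msg] = sorted({ch for ch in msg if not MSG_ALLOWED.match(ch)})
    return report


if __name__ == "__main__":
    for msg, bad in check_msgs().items():
        print("OK " if not bad else "BAD", repr(msg), bad)
```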
 