This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF for Synology DSM

Hello,

I've enabled WAF for Synology DSM. I have mixed success.

At first I was getting blocked due to cookie signature checks, and I've bypassed that through an exception. Now I'm able to access Synology Note web application, but I cannot access the main DSM page.

Seems like the 403 error generated by the WAF is the following:

 
ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:981000-OWASP_CRS/MALICIOUS_IFRAME-RESPONSE_BODY. [file "/usr/apache/conf/waf/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 7): Last Matched Message: Possibly malicious iframe tag in output"] [data "Last Matched Data:

What do I need to check to bypass that?

I'm also getting warning like the ones below, but I guess they're not critical (just warnings) and not blocking the access (I removed the hostname):

ModSecurity: Warning. Operator GE matched 4 at TX[:$]utbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 7): Possibly malicious iframe tag in output"] [hostname "removed"] [uri "/webman/index.cgi"] [unique_id "VCy1nMCoAQEAAHhaEZkAAABC"]
ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=, XSS=): Request Missing a User Agent Header"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]

Thanks!
Dmitri

This thread was automatically locked due to age.

0 dmitripr over 10 years ago
I also have enabled blacklist option, but in live log I'm getting the following error:

[authz_blacklist:warn] [pid 3141:tid 4072921968] [client 166.176.122.118:14536] DNS lookup for 118.122.176.166.black.rbl.ctipd.astaro.local. failed: Temporary failure in name resolution

Doesn't seem that it's working. Any ideas? I am using my UTM as the DNS server.
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 10 years ago

Seems like the 403 error generated by the WAF is the following:
Looks like you are getting a false positive.

See How to bypass individual WAF rules in UTM 9.2

Skip Filter Rule IDs as needed for your specific environment.

WAF includes tons of rules, as such it is not uncommon to get false positives with some web pages. If you are certain that there is no malicious code in your pages behind WAF, you tune it to your environment by skipping specific rule IDs.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 dmitripr over 10 years ago

Thanks!

I figured there was something of this sort. This solved my issue -- I had to bypass about 10 rules or so.
Cancel
Vote Up 0 Vote Down

Cancel
0 rrosson over 10 years ago in reply to dmitripr

Thanks!

I figured there was something of this sort. This solved my issue -- I had to bypass about 10 rules or so.

Can you share the 10 rules that you had to bypass to get your sinology to work properly from the Internet? Also what ports do you have the WAF checking. I am curious since I am also a sinology owner. [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 dmitripr over 10 years ago

Here are the IDs:

960015
973347
960024
981173
981257
981245
981246
981243
981176
981204
981000
981001
981200
981205
981318
981203
960009
981247

But I'm sure this will depend on your version and apps you're using on the Synology. Use Live log to see what's happening.

-Dmitri
Cancel
Vote Up 0 Vote Down

Cancel
0 Evianne over 10 years ago in reply to dmitripr
Hi,

you should not skip the following rules. They are used for internal correlation and the actual blocking.

981176
981204
981200
981205
981203

In genereral, do NOT skip internal rules. These are located in

modsecurity_crs_common_exception.conf
modsecurity_crs_inbound_blocking.conf
modsecurity_crs_outbound_blocking.conf
modsecurity_crs_correlation.conf

Regards,
Sabine
Cancel
Vote Up 0 Vote Down

Cancel
0 dmitripr over 10 years ago in reply to Evianne
Hi,

you should not skip the following rules. They are used for internal correlation and the actual blocking.

981176
981204
981200
981205
981203

In genereral, do NOT skip internal rules. These are located in

modsecurity_crs_common_exception.conf
modsecurity_crs_inbound_blocking.conf
modsecurity_crs_outbound_blocking.conf
modsecurity_crs_correlation.conf

Regards,
Sabine

Hi, I've enabled those rules back. Did some basic tests and looks like my apps still work. I'll continue to monitor and will report back any issues.

Thanks for the heads up.
Cancel
Vote Up 0 Vote Down

Cancel