I've enabled WAF for Synology DSM. I have mixed success.
At first I was getting blocked due to cookie signature checks, and I've bypassed that through an exception. Now I'm able to access Synology Note web application, but I cannot access the main DSM page.
Seems like the 403 error generated by the WAF is the following:
ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:981000-OWASP_CRS/MALICIOUS_IFRAME-RESPONSE_BODY. [file "/usr/apache/conf/waf/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 7): Last Matched Message: Possibly malicious iframe tag in output"] [data "Last Matched Data:
What do I need to check to bypass that?
I'm also getting warnings like the ones below, but I guess they're not critical (just warnings) and not blocking the access (I removed the hostname):
ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 7): Possibly malicious iframe tag in output"] [hostname "removed"] [uri "/webman/index.cgi"] [unique_id "VCy1nMCoAQEAAHhaEZkAAABC"]
ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=, XSS=): Request Missing a User Agent Header"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Thanks!
Dmitri
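As an added example (not part of the original post, and not Synology's own configuration): the 403 above is issued by rule 981200, which is only the CRS 2.2.x evaluator that blocks once the outbound anomaly score reaches the threshold. The check that actually scored the response is rule 981000, named in the log as TX:981000-OWASP_CRS/MALICIOUS_IFRAME-RESPONSE_BODY, and the warning for the same event shows the DSM front end at /webman/index.cgi. The narrowest fix is therefore to remove 981000 for that path only, leaving outbound blocking in place for everything else. Where DSM expects such a snippet in its Apache configuration is not known from the thread, so the placement is an assumption, as is the local rule id used in the second variant.

```apache
# Added example; assumes the OWASP CRS 2.2.x rule set seen in the log and
# that a custom snippet can be loaded into DSM's Apache/ModSecurity config
# (file location not known from the thread).

# Variant 1: drop the iframe-in-response check (981000) only for the DSM UI.
# 981200 (the outbound blocking evaluator) stays active, so other responses
# that accumulate outbound anomaly points are still blocked.
<LocationMatch "^/webman/">
    SecRuleRemoveById 981000
</LocationMatch>

# Variant 2: same scope, expressed as a phase-1 rule, for setups where a
# LocationMatch block cannot be added. Id 99001 is an arbitrary id from the
# 1-99999 range ModSecurity reserves for local rules (assumption, pick your own).
SecRule REQUEST_URI "@beginsWith /webman/" \
    "id:'99001',phase:1,pass,nolog,ctl:ruleRemoveById=981000"
```

Use one variant, not both. After restarting the web server, reload the DSM page and confirm in the ModSecurity error log that no entry with [id "981000"] or [id "981200"] appears for /webman/ requests. The inbound notices (960015, 960009) need no change on their own: rule 981203 in the log reports a total inbound score of 4 against a threshold of 5, so they are logged but never reach the blocking rule.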