This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

RPC not working in WAF

Hi there,

I facing an problem what I not can solve. I have publiched an exchange server through the WAF. Only RPC is not working for external clients. I think this is the error but maybe it is something else ? I followed this documentation.

sophserv.sophos.com/.../Exchange WAF Guide - UTM 9.3 - Nov 2015.pdf

2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.811043 2016] [security2:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag] [tag] [tag] [tag] [tag] [hostname "autodiscover.xxxxxxx.nl"] [uri "/rpc/rpcproxy.dll"] [unique_id "V9meLVB-kFoAAGyPVbkAAACi"]
2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.874813 2016] [url_hardening:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx:38302] No signature found, URI: autodiscover.xxxxxxx.nl/.../rpcproxy.dll
2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.876375 2016] [security2:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at REQUEST_COOKIES:OutlookSession. [file "/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22{85E3224F-3D95-4722-918A-AF47EE153474} Outlook=16.0.7167.6539 OS= found within REQUEST_COOKIES:OutlookSession: \\x22{85E3224F-3D95-4722-918A-AF47EE153474} Outlook=16.0.7167.6539 OS=6.3.9600 CPUArchitecture=9\\x22"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag] [tag] [tag] [tag] [tag] [tag] [hostname "autodiscover.xxxxxxx.nl"] [uri "/rpc/rpcproxy.dll"] [unique_id "V9meLVB-kFoAAGyPVbkAAACi"]
2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.876537 2016] [security2:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx] ModSecurity: Rule b300e70 [id "973332"][file "/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf"][line "514"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "autodiscover.xxxxxxx.nl"] [uri "/rpc/rpcproxy.dll"] [unique_id "V9meLVB-kFoAAGyPVbkAAACi"]
2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.876728 2016] [security2:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag] [tag] [tag] [tag] [hostname "autodiscover.xxxxxxx.nl"] [uri "/rpc/rpcproxy.dll"] [unique_id "V9meLVB-kFoAAGyPVbkAAACi"]
2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.877607 2016] [security2:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960032-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-REQUEST_METHOD. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=, XSS=5): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA"] [hostname "autodiscover.xxxxxxx.nl"] [uri "/rpc/rpcproxy.dll"] [unique_id "V9meLVB-kFoAAGyPVbkAAACi"]
2016:09:14-20:59:57 gateway-corpnet reverseproxy: [Wed Sep 14 20:59:57.877885 2016] [security2:error] [pid 27791:tid 4029447024] [client 217.121.xxx.xxx] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 11, SQLi=, XSS=5): URL file extension is restricted by policy"] [hostname "autodiscover.xxxxxxx.nl"] [uri "/rpc/rpcproxy.dll"] [unique_id "V9meLVB-kFoAAGyPVbkAAACi"]
2016:09:14-20:59:57 gateway-corpnet reverseproxy: id="0299" srcip="217.121.xxx.xxx" localip="80.127.xxx.xx" size="225" user="-" host="217.121.xxx.xxx" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=, XSS=5): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="67720" url="/rpc/rpcproxy.dll" server="autodiscover.xxxxxxxxx.nl" referer="-" cookie="OutlookSession=\"{85E3224F-3D95-4722-918A-AF47EE153474} Outlook=16.0.7167.6539 OS=6.3.9600 CPUArchitecture=9\"" set-cookie="-"



This thread was automatically locked due to age.
Parents Reply Children
No Data