
Remote Desktop Gateway WAF Error 0x3000008 Failed to Sync Outlook Session

Hi everyone!

I am sorry for opening another thread on this, but none of the existing threads was written exclusively about RDG :)

 

The problem is straightforward: the WAF is used to publish RDP over RDG, on a Server 2008 R2 RDG and Sophos UTM 9.411-3.

I configured the firewall profile and exceptions for RPC, but I did not add /remoteDesktopGateway, as it seems to switch the communication to a new protocol not supported by UTM (not RPC over HTTP anymore?).

 

Windows 7 - 10 RDP (mstsc): works great (fast!)

Android Microsoft RDP Client: totally random error 0x3000008 (iOS adds a zero in hex: 0x03000008) or multiple (up to 10x) "credentials wrong" popups (although they were entered correctly)

iOS Microsoft RDP Client: same behavior as Android!

 

That's really frustrating, as I wasn't able to find any pattern behind the errors... as I said, totally random: from time to time the first login works, but sometimes you have to enter the credentials 3x to get over the 0x3000008 error.

 

As I found out, the IIS logs and the RemoteGateway - Operational logs on the RDG server are clear and don't record anything when the client receives the 0x3000008 error.

So I checked the Sophos logs and found this to be the cause:

2017:04:19-17:25:19 * reverseproxy: id="0299" srcip="xxxx" localip="yyyy" size="13" user="-" host="xxxx" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="9802" url="/rpc/rpcproxy.dll" server="remote.*.*" referer="-" cookie="-" set-cookie="-"

2017:04:19-17:25:19 * reverseproxy: id="0299" srcip="xxxx" localip="yyyy" size="13" user="-" host="xxxx" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="1183" url="/rpc/rpcproxy.dll" server="remote.*.*" referer="-" cookie="-" set-cookie="-"

2017:04:19-17:25:19 * reverseproxy: id="0299" srcip="xxxx" localip="yyyy" size="20" user="-" host="xxxx" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="5517" url="/rpc/rpcproxy.dll" server="remote.*.*" referer="-" cookie="-" set-cookie="-"

 

Up to here it is expected behavior and looks the same as when using mstsc.

(110)Connection timed out: [client xxx:63301] RPC_IN_DATA: Failed to sync Outlook Session af5b438e-a5d3-e542-75ca-90be05a20271: -1

(70015)Could not find specified socket in poll list.: [client xxx:63301] RPC_IN_DATA: There is no registered Outlook Session af5b438e-a5d3-e542-75ca-90be05a20271 in Cache

Now this is strange... it looks like UTM is not able to match the current mobile session to a previously established one. Why does this never happen with mstsc??

 

I hope some Sophos guy can comment on this, because in the current state I cannot let users use RDG via Sophos, as it is too unstable...



  • Has anyone found a solution for this problem?

     

    Remote Desktop Gateway over WAF with Android does not connect.... RDP on Windows machines works fine.

     

    My logs:

     

    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA https://mywebrdp.xxx.net:443/remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [url_hardening:error] [pid 17666:tid 4003548016] [client 171.151.211.201:49073] URI prefix does not match, URI: mywebrdp.xxx.net:443/.../
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [data "Last Matched Data: RDG_OUT_DATA https://mywebrdp.xxx.net:443/remoteDesktopGateway/ HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 7, SQLi=, XSS=): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="230" user="-" host="171.151.211.201" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests." exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1009" url="/remoteDesktopGateway/" server="mywebrdp.xxx.net" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEUCS-kAAABz"
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_OUT_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_IN_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_IN_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="225" user="-" host="171.151.211.201" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1317" url="/rpc/rpcproxy.dll" server="mywebrdp.xxx.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEUCS-oAAABs"
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_IN_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="225" user="-" host="171.151.211.201" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1524" url="/rpc/rpcproxy.dll" server="mywebrdp.xxx.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEg04ToAAAAM"

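An added example, not from the thread and not a Sophos tool: a small Python triage script for the two log shapes posted above. The first post shows the UTM reverseproxy access line (id="0299", key="value" fields) and the rpcproxy "Outlook Session" errors; the reply shows ModSecurity CRS 2.x rule-hit lines ([id "..."] [msg "..."] [unique_id "..."]). The script groups the lines by the transaction id (uid in the access line, unique_id in the ModSecurity lines), lists which RDG / RPC-over-HTTP methods the WAF denied and by which CRS rule IDs, and pulls out the RPC session GUIDs that rpcproxy could not sync. The sample log is constructed and shortened from the lines in the thread, with placeholder IPs, hostnames and transaction ids; field names are taken as they appear in the posted logs.

```python
"""Triage Sophos UTM WAF (Apache httpd + ModSecurity CRS 2.x) logs for a published
Remote Desktop Gateway.  Added example, not from the original thread."""
import re
from collections import defaultdict

# Non-standard methods RDG and RPC-over-HTTP clients send; the default CRS method
# allowlist (rule 960032) does not include them.
RDG_METHODS = {"RDG_IN_DATA", "RDG_OUT_DATA", "RPC_IN_DATA", "RPC_OUT_DATA"}

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')                      # key="value" in the access line
MODSEC_KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [key "value"] in ModSecurity lines
OUTLOOK_SESSION_RE = re.compile(r'RPC_IN_DATA: (.*?Outlook Session) ([0-9a-f-]{36})')

# Constructed sample, shortened from the thread's lines (placeholder IPs, hosts, ids).
SAMPLE_LOG = r'''
2017:04:19-17:25:19 utm reverseproxy: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="13" user="-" host="198.51.100.10" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="9802" url="/rpc/rpcproxy.dll" server="remote.example.net" referer="-" cookie="-" set-cookie="-"
2017:04:19-17:25:19 utm reverseproxy: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="20" user="-" host="198.51.100.10" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="5517" url="/rpc/rpcproxy.dll" server="remote.example.net" referer="-" cookie="-" set-cookie="-"
(110)Connection timed out: [client 198.51.100.10:63301] RPC_IN_DATA: Failed to sync Outlook Session af5b438e-a5d3-e542-75ca-90be05a20271: -1
(70015)Could not find specified socket in poll list.: [client 198.51.100.10:63301] RPC_IN_DATA: There is no registered Outlook Session af5b438e-a5d3-e542-75ca-90be05a20271 in Cache
2017:12:01-09:55:26 utm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 198.51.100.10] ModSecurity: Warning. Match of "rx ^(?i:...)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA https://rdg.example.net:443/remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [hostname "rdg.example.net"] [uri "/remoteDesktopGateway/"] [unique_id "TX-A"]
2017:12:01-09:55:26 utm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 198.51.100.10] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [hostname "rdg.example.net"] [uri "/remoteDesktopGateway/"] [unique_id "TX-A"]
2017:12:01-09:55:26 utm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 198.51.100.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [hostname "rdg.example.net"] [uri "/remoteDesktopGateway/"] [unique_id "TX-A"]
2017:12:01-09:55:26 utm httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="230" user="-" host="198.51.100.10" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests." exceptions="SkipURLHardening, SkipCookieSigning" time="1009" url="/remoteDesktopGateway/" server="rdg.example.net" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="TX-A"
2017:12:01-09:55:26 utm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 198.51.100.10] ModSecurity: Warning. String match within ".asa/ .dll/ .ini/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [hostname "rdg.example.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "TX-B"]
2017:12:01-09:55:26 utm httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="225" user="-" host="198.51.100.10" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipURLHardening" time="1524" url="/rpc/rpcproxy.dll" server="rdg.example.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="TX-B"
'''.strip().splitlines()


def parse_access_line(line):
    """Fields of a UTM reverseproxy access line (id="0299"), or None for other lines."""
    if 'id="0299"' not in line:
        return None
    return dict(KV_RE.findall(line))


def parse_modsec_line(line):
    """Bracketed [key "value"] fields of a ModSecurity line plus a 'denied' flag, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(MODSEC_KV_RE.findall(line))
    fields["denied"] = "Access denied" in line
    return fields


def triage(lines):
    """Group access and ModSecurity lines by transaction id (uid / unique_id)."""
    tx = defaultdict(lambda: {"method": None, "url": None, "status": None,
                               "reason": None, "rules": [], "denied": False})
    for line in lines:
        acc = parse_access_line(line)
        if acc:
            t = tx[acc.get("uid", "-")]          # older UTM builds log no uid field
            t["method"], t["url"] = acc.get("method"), acc.get("url")
            t["status"], t["reason"] = acc.get("statuscode"), acc.get("reason")
            continue
        ms = parse_modsec_line(line)
        if ms and "unique_id" in ms:
            t = tx[ms["unique_id"]]
            if "id" in ms:
                t["rules"].append((ms["id"], ms.get("msg", "")))
            t["denied"] |= ms["denied"]
    return dict(tx)


def blocked_rdg_transactions(lines):
    """(uid, method, url, sorted CRS rule ids) for every RDG/RPC method the WAF denied."""
    out = []
    for uid, t in triage(lines).items():
        if t["method"] in RDG_METHODS and (t["denied"] or t["reason"] == "waf"):
            out.append((uid, t["method"], t["url"], sorted({rid for rid, _ in t["rules"]})))
    return sorted(out)


def outlook_session_errors(lines):
    """Map each RPC-over-HTTP session GUID to the rpcproxy errors logged for it."""
    errs = defaultdict(list)
    for line in lines:
        m = OUTLOOK_SESSION_RE.search(line)
        if m:
            errs[m.group(2)].append(m.group(1))
    return dict(errs)


if __name__ == "__main__":
    for uid, method, url, rules in blocked_rdg_transactions(SAMPLE_LOG):
        print(f"{uid}: {method} {url} denied by CRS rules {', '.join(rules)}")
    for sid, msgs in outlook_session_errors(SAMPLE_LOG).items():
        print(f"RPC session {sid}: {'; '.join(msgs)}")
```

Run against a real UTM log, the first function answers the reply's question directly: on the posted lines the RDG_OUT_DATA request is scored by 960911 (request line format) and 960032 (method allowlist) and blocked by 981176, while the rpcproxy.dll requests additionally hit 960035 (.dll extension). The second function isolates the first post's symptom, a session GUID that the proxy first fails to sync and then no longer finds in its cache, so you can correlate it with the client timestamps of the 0x3000008 error.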