coreruleset: Rule exclusions for dynamically changing sections of home page not working. Please help a noob with Rule Exclusions! Site is live!

Description

I am upgrading CRS3.4 to CRS4. I have successfully installed the CRS4 upgrade, but now I am having some major issues on my Live website and cannot figure out the proper rule exclusions to fix the site.

On , my sites homepage, I am getting missing/broken images under the “Portfoliio” and “Latest Blogs” sections of the front page. The images under each blog post and portfolio post are missing. I am not very knowlegeable with Modsecurity Rules and am definitely a noob. So normally, I would just create rules exclusions for each picture that is being blocked, based off of URI and RULE ID.

That would look something like this:

SecRule REQUEST_URI "@streq /wp-content/uploads/2022/05/McMo-Art-Tryclops-1-scaled-768x1012.webpp" \
    "id:1050,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=932236"

The Problem: This example is basically the extent of my knowledge when it comes to exclusing rules for specific static URI’s and modsec in general. The problem is, that the images under the “Portfolio” and “Latest Blogs” sections, aren’t static images, but dynamically changing images based on my most recent posts in other sections. Meaning, that if I create a URI based rule exclusion for each and every picture on the home page, it will work, until I update my blog page (not blog section on home page) or portfolio page (not portfolio section on home page) with a new post with new images. After I update the blog or portfolio pages, the corresponding home page images will most likely broken again, requiring me to once again create rule exclusions for the new and updated images that the portfolio/blog pages push to the homepage in it’s corresponding sections.

The Question: How can I make rule exclusions that will apply to not only each image, but any image that is pushed into it’s corresponding area when the blog/portfolio pages are updated? Esentially, I need to exclude not specifically each image, but rather the space or frame that provides for that image, regardless of what image file is actually shown in its corresponding space. Bear with me, I’m still very much a noob to Modsec, and am wondering if anyone can provide me with some rule exclusions to help facilitate this requirement. If you can do so, it would be highly appreciated! Thank you in advance for your help and effort with this issue all!

How to reproduce the misbehavior (-> curl call)

I don’t know how to reproduce with a curl call. Better off going to the live site in your web browser to reproduce. To fully reproduce, open your web browser and go to https://www.mcmo.is.

Logs

Below is a tail -f of my modsec error log when I navigate to my homepage on MacOS Safari.

---SxaC6Fgj---A--
[21/Feb/2024:13:10:05 -0600] 170854260591.962020 123.456.789.101 50691 10.8.8.2 443
---SxaC6Fgj---B--
GET /wp-content/uploads/2022/05/McMo-Art-Tryclops-1-scaled-768x1012.webp HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---SxaC6Fgj---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---SxaC6Fgj---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:05 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---SxaC6Fgj---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-Tryclops-1-scaled-768x1012.webp"] [unique_id "170854260591.962020"] [ref "o0,2v801,96o0,2v1236,50o0,2v1090,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-Tryclops-1-scaled-768x1012.webp"] [unique_id "170854260591.962020"] [ref "o13,4v910,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v619,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-Tryclops-1-scaled-768x1012.webp"] [unique_id "170854260591.962020"] [ref ""]

---SxaC6Fgj---J--

---SxaC6Fgj---K--

---SxaC6Fgj---Z--

---LwQToUl1---A--
[21/Feb/2024:13:10:05 -0600] 170854260598.500613 123.456.789.101 50691 10.8.8.2 443
---LwQToUl1---B--
GET /wp-content/uploads/2022/05/McMo-Art-The-Shape-of-Things-The-Shape-of-Things-Exhibit-1-4-768x400.webp HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---LwQToUl1---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---LwQToUl1---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:05 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---LwQToUl1---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-The-Shape-of-Things-The-Shape-of-Things-Exhibit-1-4-768x400.webp"] [unique_id "170854260598.500613"] [ref "o0,2v834,96o0,2v1269,50o0,2v1123,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-The-Shape-of-Things-The-Shape-of-Things-Exhibit-1-4-768x400.webp"] [unique_id "170854260598.500613"] [ref "o13,4v943,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v652,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-The-Shape-of-Things-The-Shape-of-Things-Exhibit-1-4-768x400.webp"] [unique_id "170854260598.500613"] [ref ""]

---LwQToUl1---J--

---LwQToUl1---K--

---LwQToUl1---Z--

---gVB3wYCJ---A--
[21/Feb/2024:13:10:05 -0600] 170854260536.498632 123.456.789.101 50691 10.8.8.2 443
---gVB3wYCJ---B--
GET /wp-content/uploads/2022/05/McMo-Art-Stoned-Totem-2-768x1010.webp HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---gVB3wYCJ---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---gVB3wYCJ---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:05 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---gVB3wYCJ---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-Stoned-Totem-2-768x1010.webp"] [unique_id "170854260536.498632"] [ref "o0,2v798,96o0,2v1233,50o0,2v1087,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-Stoned-Totem-2-768x1010.webp"] [unique_id "170854260536.498632"] [ref "o13,4v907,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v616,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-Stoned-Totem-2-768x1010.webp"] [unique_id "170854260536.498632"] [ref ""]

---gVB3wYCJ---J--

---gVB3wYCJ---K--

---gVB3wYCJ---Z--

---LpI0Ssxv---A--
[21/Feb/2024:13:10:05 -0600] 170854260580.473971 123.456.789.101 50691 10.8.8.2 443
---LpI0Ssxv---B--
GET /wp-content/uploads/2022/05/McMo-Art-The-Beautiful-People-2-768x1010.webp HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---LpI0Ssxv---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---LpI0Ssxv---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:05 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---LpI0Ssxv---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-The-Beautiful-People-2-768x1010.webp"] [unique_id "170854260580.473971"] [ref "o0,2v806,96o0,2v1241,50o0,2v1095,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-The-Beautiful-People-2-768x1010.webp"] [unique_id "170854260580.473971"] [ref "o13,4v915,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v624,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2022/05/McMo-Art-The-Beautiful-People-2-768x1010.webp"] [unique_id "170854260580.473971"] [ref ""]

---LpI0Ssxv---J--

---LpI0Ssxv---K--

---LpI0Ssxv---Z--

---pV5ukjd3---A--
[21/Feb/2024:13:10:05 -0600] 170854260549.253276 123.456.789.101 50691 10.8.8.2 443
---pV5ukjd3---B--
GET /wp-content/uploads/2023/06/McMo-Earthworks-Art-Products-Red-Touches-Yellow-Cropped-17-600px-X-500px-WebP.webp HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---pV5ukjd3---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---pV5ukjd3---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:05 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---pV5ukjd3---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/06/McMo-Earthworks-Art-Products-Red-Touches-Yellow-Cropped-17-600px-X-500px-WebP.webp"] [unique_id "170854260549.253276"] [ref "o0,2v843,96o0,2v1278,50o0,2v1132,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/06/McMo-Earthworks-Art-Products-Red-Touches-Yellow-Cropped-17-600px-X-500px-WebP.webp"] [unique_id "170854260549.253276"] [ref "o13,4v952,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v661,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/06/McMo-Earthworks-Art-Products-Red-Touches-Yellow-Cropped-17-600px-X-500px-WebP.webp"] [unique_id "170854260549.253276"] [ref ""]

---pV5ukjd3---J--

---pV5ukjd3---K--

---pV5ukjd3---Z--

---f1XRTGQA---A--
[21/Feb/2024:13:10:06 -0600] 170854260671.080076 123.456.789.101 50691 10.8.8.2 443
---f1XRTGQA---B--
GET /wp-content/uploads/2023/08/img_4584-825x510.jpg HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---f1XRTGQA---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---f1XRTGQA---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:06 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---f1XRTGQA---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4584-825x510.jpg"] [unique_id "170854260671.080076"] [ref "o0,2v781,96o0,2v1216,50o0,2v1070,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4584-825x510.jpg"] [unique_id "170854260671.080076"] [ref "o13,4v890,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v599,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4584-825x510.jpg"] [unique_id "170854260671.080076"] [ref ""]

---f1XRTGQA---J--

---f1XRTGQA---K--

---f1XRTGQA---Z--

---jbDd7NxS---A--
[21/Feb/2024:13:10:06 -0600] 170854260641.428316 123.456.789.101 50691 10.8.8.2 443
---jbDd7NxS---B--
GET /wp-content/uploads/2023/08/img_4626-825x510.jpg HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---jbDd7NxS---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---jbDd7NxS---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:06 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---jbDd7NxS---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4626-825x510.jpg"] [unique_id "170854260641.428316"] [ref "o0,2v781,96o0,2v1216,50o0,2v1070,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4626-825x510.jpg"] [unique_id "170854260641.428316"] [ref "o13,4v890,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v599,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4626-825x510.jpg"] [unique_id "170854260641.428316"] [ref ""]

---jbDd7NxS---J--

---jbDd7NxS---K--

---jbDd7NxS---Z--

---BFTd5OYt---A--
[21/Feb/2024:13:10:06 -0600] 170854260614.869347 123.456.789.101 50691 10.8.8.2 443
---BFTd5OYt---B--
GET /wp-content/uploads/2023/08/img_4495-825x510.jpg HTTP/2.0
host: www.mcmo.is
sec-fetch-dest: image
sec-fetch-mode: no-cors
accept: image/webp,image/avif,image/jxl,image/heic,image/heic-sequence,video/*;q=0.8,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
sec-fetch-site: same-origin
accept-language: en-US,en;q=0.9
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15
cookie: _pk_id.1.37a4=9c073e4b2870a96d.1708542603.; _pk_ses.1.37a4=1; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.is%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.2.1%20Safari%2F605.1.15
referer: https://www.mcmo.is/
accept-encoding: gzip, deflate, br

---BFTd5OYt---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---BFTd5OYt---F--
HTTP/2.0 403
Server: nginx
Date: Wed, 21 Feb 2024 19:10:06 GMT
Content-Type: text/html
Connection: close
Content-Encoding: br

---BFTd5OYt---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `REQUEST_COOKIES:sbjs_first_add' (Value: `fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:sbjs_first_add: fd%3D2024-02-21%2019%3A10%3A02%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4495-825x510.jpg"] [unique_id "170854260614.869347"] [ref "o0,2v781,96o0,2v1216,50o0,2v1070,96"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccn (63 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "832"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [tag "paranoia-level/2"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4495-825x510.jpg"] [unique_id "170854260614.869347"] [ref "o13,4v890,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso13,4v599,163t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.8.8.2"] [uri "/wp-content/uploads/2023/08/img_4495-825x510.jpg"] [unique_id "170854260614.869347"] [ref ""]

---BFTd5OYt---J--

---BFTd5OYt---K--

---BFTd5OYt---Z--

Your Environment

  • CRS version (e.g., v3.3.4): 4.0
  • Paranoia level setting (e.g. PL1) : PL2
  • ModSecurity version (e.g., 2.9.6): Modsecurity-Nginx v1.03, Libmodsecurity v3.0.12
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx v1.25.4 Mainline
  • Operating System and version: Ubuntu Server 20.04.6 LTS (Focal Fossa) for Raspberry Pi 4 (aarch64)

Confirmation

[ X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

About this issue

  • Original URL
  • State: open
  • Created 4 months ago
  • Comments: 18 (12 by maintainers)

Most upvoted comments

@Danrancan My advice is to roll back to your previous installation of CRS. v4 is a major update and you’ll need to tune the installation. It’s probably easiest to install v4 alongside v3 but in DetectionOnly mode. That way you’re still protected and can tune away FPs for a couple of days / weeks before switching.

+1
theseion on Feb 21, 2024
Read more comments on GitHub
← coreruleset: Rule: 942370: False positive 0202
coreruleset: Rule Id: 932150 false positive on time keyword →