Modsec Find Unique rules being triggered

In this post, we will go over how to rapidly parse an Apache Error log for unique Modsec Rules being triggered.

Here is an example of Modsec rule being triggered.

[Tue Jan 14 05:55:51.871347 2020] [:error] [pid 1046] [client 139.59.95.179:49472] [client 139.59.95.179] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\/wp-content\\\\/themes\\\\/twenty[^\\\\.]{0,108}\\\\.php" at REQUEST_URI. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/004_i360_4_custom.conf"] [line "48"] [id "77140740"] [msg "Twenty shell abuse attempt||MVN:REQUEST_URI||T:APACHE||MV:/demo/wp-content/themes/twentynineteen/styles.php||PC:4697"] [tag "i360custom"] [tag "wp_core"] [hostname "ramseywonderland.com"] [uri "/demo/wp-content/themes/twentynineteen/styles.php"] [unique_id "Xh2eN8-cJovWK5LCIlL98QAAABY"], referer: ramseywonderland.com

Sometimes you install a new plugin or update your site and you start having problems posting data and get a weird error. When this happens if its just one specific rule it’s pretty easy to identify and whitelist and be on your way.

sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log|grep -i ModSecurity

What is a real pain is when you have a ton of rules being triggered and there are lots of errors repeating the same rules and your missing one rule id that needs to be whitelisted. This is where Regex comes to the rescue. We can do filter the results down by the domain, date, and even by unique ids and rules being hit.

Special Note:
The commands were made as universal as possible so it should work with LiteSpeed/Openlitespeed as well by just changing the log file in the command from the cPanel default “/usr/local/apache/logs/error_log” to the Cyberpanel default Litespeed log “/usr/local/lsws/logs/error.log”. The below shows an example of this ran on a Cyberpanel VPS with Litespeed.

[root@wcloud:~]# sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/lsws/logs/error.log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
210492
232920
[root@wcloud:~]# sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/lsws/logs/error.log| grep -i ModSecurity| grep -E 'id "[[:digit:]]+"'
[Mon Jan 13 01:42:04 2020] [error] [client 194.60.254.128] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_URI' '@pmFromFile bl_URLs'] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
[Mon Jan 13 16:05:04 2020] [error] [client 140.0.18.166] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_FILENAME' '@endsWith /wp-admin/admin-post.php'] [id "232920"] [rev "1"] [msg "COMODO WAF: RFI vulnerability in social warfare plugin before 3.5.3 for WordPress(CVE-2019-9978)"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"]
[Mon Jan 13 16:05:21 2020] [error] [client 140.0.18.166] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_URI' '@pmFromFile bl_URLs'] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
[Mon Jan 13 16:06:36 2020] [error] [client 140.0.18.166] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_URI' '@pmFromFile bl_URLs'] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
[Mon Jan 13 16:06:37 2020] [error] [client 140.0.18.166] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_URI' '@pmFromFile bl_URLs'] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
[Mon Jan 13 16:06:54 2020] [error] [client 140.0.18.166] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_URI' '@pmFromFile bl_URLs'] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
[root@wcloud:~]#

See top 10 unique modsec rules hit by count

grep -i ModSecurity /usr/local/apache/logs/error_log | grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
[root@cpanel ~]# grep ModSecurity /usr/local/apache/logs/error_log | grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
    534 77217210
    619 77140164
    946 77140878
   1994 77220150
   2762 77140735
   2831 77211650
   2934 77210492
   5147 77140739
  18657 77135155
 152283 33339
[root@cpanel ~]# 

See below for more lifesaving oneliners to further refine your search by date and domain.

See top 10 Modsec hits for today

sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
[root@cpanel ~]# sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
      1 77140932
      2 77240000
      4 33339
      4 77210831
      6 77140735
      6 77140740
      9 77140739
     15 77210492
     18 77217210
     45 77222212
[root@cpanel ~]#

See top 10 Modsec hits for yesterday

sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
[root@cpanel ~]# sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
     15 77211650
     16 77211750
     17 77240000
     24 77217210
     25 77134464
     25 77140878
     27 77140735
     32 77140164
     38 77210492
     44 77140739
[root@cpanel ~]#

See top 10 Modsec hits for today by domain

Domain="example.com"; sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log| grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
[root@cpanel ~]# Domain="ramseywonderland.com"; sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log| grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
      2 77140740
[root@cpanel ~]# 

See top 10 Modsec hits for yesterday by domain

Domain="example.com"; sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
[root@cpanel ~]# Domain="ramseywonderland.com"; sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort| uniq -c| sort -n| tail
      2 33339
[root@cpanel ~]#

See all unique modsec rules hit

grep -i ModSecurity /usr/local/apache/logs/error_log | grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
[root@cpanel ~]# grep -i ModSecurity /usr/local/apache/logs/error_log | grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
33308
33339
77134464
77135155
77222050
77222212
77225160
77228950
77228990
77229060
77232920
77240000
77240022
77243930
77311540
77311938
77312551
77316228
[root@cpanel ~]#

See all unique modsec rules hit today

sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
[root@cpanel ~]# sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
33339
77140735
77140739
77140740
77140864
77140932
77210492
77210831
77217210
77222212
77240000
[root@cpanel ~]#

See all unique modsec rules hit yesterday

sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
[root@cpanel ~]# sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
33308
33339
77134464
77140164
77140735
77140739
77140878
77140932
77210492
77210801
77211010
77211630
77211650
77211710
77211750
77211820
77217210
77218530
77221260
77222212
77232920
77240000
[root@cpanel ~]#

See all unique modsec rules hit by domain

Domain="example.com"; grep -i ModSecurity /usr/local/apache/logs/error_log |grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
[root@cpanel ~]# Domain="ramseywonderland.com"; grep -i ModSecurity /usr/local/apache/logs/error_log |grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
33308
33339
77134464
77135155
77140164
77140735
77140739
77140740
77140742
77140761
77140770
77140853
77140878
77210350
77210492
77210831
77211210
77211630
77211650
77211710
77211750
77211820
77218530
77222050
77222212
77232920
77311938
[root@cpanel ~]#

See all unique modsec rules hit by domain today

Domain="example.com"; sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log|grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
[root@cpanel ~]# Domain="ramseywonderland.com"; sudo grep -E "$(date +"%b %d")|$(date '+%Y-%m-%d')" /usr/local/apache/logs/error_log|grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
77140740
[root@cpanel ~]#

See all unique modsec rules hit by domain yesterday

Domain="example.com"; sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
[root@cpanel ~]# Domain="ramseywonderland.com"; sudo grep -E "$(date --date='1 day ago' +"%b %d")|$(date --date='1 day ago' "+%Y-%m-%d")" /usr/local/apache/logs/error_log| grep -i ModSecurity|grep -E "${Domain}"| grep -oE 'id "[[:digit:]]+"'| sed 's/[(id ")(")]//g'| sort -u
33339
[root@cpanel ~]#

I hope you enjoyed the post and found the oneliners helpful in your sysadmin or other duties. Check back for more sysadmin related posts