2018:08:14-17:02:49 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 4113025904] [client -HOME IP-:11659] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
2018:08:14-17:02:49 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="620" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhCcCoCgoAAJQZvg4AAAAC"
2018:08:14-17:02:55 rocjvkr-sop01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="218" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="237" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhD8CoCgoAAJQZvg8AAAAV"
2018:08:14-17:03:03 rocjvkr-sop01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="218" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="657" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhF8CoCgoAAJQZvhAAAAAo"
2018:08:14-17:03:04 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3777317744] [client -HOME IP-:60496] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
2018:08:14-17:03:04 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="603" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhGMCoCgoAAJQZvhEAAAAq"
2018:08:14-17:03:19 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3718568816] [client -HOME IP-:54653] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
2018:08:14-17:03:19 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="580" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhJ8CoCgoAAJQZvhIAAAAx"
2018:08:14-17:03:34 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3760532336] [client -HOME IP-:51079] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
2018:08:14-17:03:34 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="589" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhNsCoCgoAAJQZvhMAAAAs"
2018:08:14-17:03:49 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3869637488] [client -HOME IP-:46501] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
2018:08:14-17:03:49 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="572" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhRcCoCgoAAJQZvhQAAAAf"
2018:08:14-17:03:54 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
2018:08:14-17:03:54 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3819281264] [client -REMOTE IP-:26258] No signature found, URI: https://hello.DOMAIN.COM/remoteDesktopGateway/
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Method is not allowed by policy"] [data "Last Matched Data: RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Method is not allowed by policy"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="230" user="-" host="-REMOTE IP-" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Method is not allowed by policy" exceptions="-" time="969796" url="/remoteDesktopGateway/" server="hello.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhSsCoCgoAAJQZvhUAAAAl"
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_IN_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
2018:08:14-17:03:55 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="225" user="-" host="-REMOTE IP-" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="71750" url="/rpc/rpcproxy.dll" server="hello.DOMAIN.COM" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W3LhS8CoCgoAAJQZvhYAAAAr"
2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
2018:08:14-17:03:56 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="225" user="-" host="-REMOTE IP-" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="72024" url="/rpc/rpcproxy.dll" server="hello.DOMAIN.COM" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W3LhTMCoCgoAAJQZvhcAAAAY"
2018:08:14-17:04:05 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3919993712] [client -HOME IP-:13570] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
2018:08:14-17:04:05 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="705" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhVcCoCgoAAJQZvhgAAAAZ"