WAF crash (Segmentation fault)

I have an XG system running 16.05.1 MR-1 that is crashing multiple times per day like this in reverseproxy.log:
[Wed Mar 01 10:18:23.038084 2017] [core:notice] [pid 27556:tid 4147414848] AH00052: child pid 23923 exit signal Segmentation fault (11)

In the most recent two cases the error right before the crash has been this (hostname redacted):

[Wed Mar 01 15:06:05.290637 2017] [form_hardening:error] [pid 17275:tid 3758963520] [client 92.63.91.81:55104] Failed to validate form: Received unhardened form data (1)
[Wed Mar 01 15:06:05.290818 2017] [security2:error] [pid 17275:tid 3758963520] [client 92.63.91.81] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/content/waf/2.7.3/modsecurity_crs_protocol_violations.conf"] [line "151"] [id "960912"] [rev "1"] [msg "Failed to parse request body."] [data "Multipart parsing error: Multipart: Final boundary missing."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag] [tag] [hostname "hostnameredacted.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WLZIrH8AAAEAAEN7DMUAAAAs"]
[Wed Mar 01 15:06:05.291425 2017] [security2:error] [pid 17275:tid 3758963520] [client 92.63.91.81] ModSecurity: Warning. Pattern match "(.*)" at TX:960912-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQBODY_ERROR. [file "/content/waf/2.7.3/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Failed to parse request body."] [data "Last Matched Data: 1"] [hostname "uim.net.au"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WLZIrH8AAAEAAEN7DMUAAAAs"]

In both cases the source IP is the same, but the hostname is different (completely different websites).

I'm wondering if I can turn that particular protection rule off, but that seems like a pretty crap workaround, and also with only two occurrences logged it's hard to know if this crash was just a coincidence that it happened to land on that particular rule.

I have a ticket open with Sophos Support but haven't heard back since I last emailed on the 23rd, despite this being a high priority issue for us.

Is anyone else seeing such a thing or could offer a suggestion for a workaround?

Thanks,

James
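An added example, not code from the original post, showing one way to check whether the crashes actually line up with a particular rule before disabling it: it walks reverseproxy.log lines in the format quoted above and, for each AH00052 segfault, reports the last ModSecurity rule id that the crashed child pid matched within a few seconds. The log lines, pids, client addresses and unique_ids in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the reverseproxy.log format from the post (values made up).
SAMPLE_LOG = """\
[Wed Mar 01 15:06:05.290637 2017] [form_hardening:error] [pid 17275:tid 3758963520] [client 198.51.100.7:55104] Failed to validate form: Received unhardened form data (1)
[Wed Mar 01 15:06:05.290818 2017] [security2:error] [pid 17275:tid 3758963520] [client 198.51.100.7] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [id "960912"] [msg "Failed to parse request body."] [unique_id "A1"]
[Wed Mar 01 15:06:05.291425 2017] [security2:error] [pid 17275:tid 3758963520] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(.*)" at TX:960912-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQBODY_ERROR. [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [unique_id "A1"]
[Wed Mar 01 15:06:05.301000 2017] [core:notice] [pid 27556:tid 4147414848] AH00052: child pid 17275 exit signal Segmentation fault (11)
[Wed Mar 01 16:10:00.000000 2017] [security2:error] [pid 18001:tid 3758963520] [client 203.0.113.9] ModSecurity: Warning. Pattern match at ARGS:q. [id "950901"] [msg "SQL Injection Attack"] [unique_id "B2"]
[Wed Mar 01 16:20:00.000000 2017] [core:notice] [pid 27556:tid 4147414848] AH00052: child pid 19000 exit signal Segmentation fault (11)
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]+):[^\]]+\] \[pid (?P<pid>\d+):tid \d+\] (?P<rest>.*)$')
SEGV_RE = re.compile(r'AH00052: child pid (?P<child>\d+) exit signal Segmentation fault')
RULE_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
UID_RE = re.compile(r'\[unique_id "(?P<uid>[^"]+)"\]')

def parse_ts(ts):
    # Apache error-log timestamp, e.g. "Wed Mar 01 15:06:05.290637 2017"
    return datetime.strptime(ts, "%a %b %d %H:%M:%S.%f %Y")

def correlate(log_text, window_s=5.0):
    """For each segfault, return the last rule id the crashed child matched
    within window_s seconds (None if there was no such match)."""
    last_rule = {}   # child pid -> (timestamp, rule id, unique_id)
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, rest = parse_ts(m['ts']), m['pid'], m['rest']
        segv = SEGV_RE.search(rest)
        if segv:
            child = segv['child']
            hit = last_rule.pop(child, None)   # child is gone; pids get reused
            if hit and (ts - hit[0]).total_seconds() <= window_s:
                crashes.append({'time': ts, 'child': child, 'rule': hit[1], 'unique_id': hit[2]})
            else:
                crashes.append({'time': ts, 'child': child, 'rule': None, 'unique_id': None})
            continue
        rule = RULE_RE.search(rest)
        if rule:
            uid = UID_RE.search(rest)
            last_rule[pid] = (ts, rule['id'], uid['uid'] if uid else None)
    return crashes

def rule_counts(crashes):
    """How often each rule id (or None = no rule hit) immediately preceded a crash."""
    return Counter(c['rule'] for c in crashes)

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for c in found:
        print(c)
    print(rule_counts(found))
```

A crash whose child pid logged no rule match shortly before shows up with rule None, which is exactly the "coincidence" case the post worries about; only a rule id that keeps recurring across many crashes is worth skipping.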



  • Hi James,

    Provide me the case# in Support and I will check what actions have been taken on this issue. Meanwhile, looking at the log file I can see ModSecurity is enabled. This is observed when Rigid filtering is enabled. This option tightens up the security of rules in the Common Threats Filter section. However, this can lead to false positives. To overcome the false positives, add the logged ids in the Skip Filter rules box by editing the protection policy defined in the Web Server Protection rule.

    Alongside that, I need to check internally whether the segmentation faults have been observed recently.

    Hope that helps.
