#20099 WAF reporting problem(?)

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Friday, 18 July 2014 18:00 CDT

geoffc
I am suspecting there may be a problem in the WAF reporting. My site regularly (like most others I suspect) gets its fair share of accesses from undesirables (for want of a better word). Since upgrading to v3.0.0 the contents of the WAF exception reports have changed significantly. This may be a coincidence but I do not really like coincidences.

Prior to 3.0.0 I was regularly seeing DFI, Bad Word Detection, etc. attempts which were all reported in the log. Since that time all I am seeing are 'Login errors' and 'Admin access' reports. I have not seen any adverse effect on the site, so if these attacks are still occurring (which I suspect they probably are), then they are not getting through, which makes me think it may well be a 'reporting' type problem with the entries not being placed in the log.

No settings have changed since the upgrade, which was just under a week ago, hence this report.
 geoffc

nicholas
Akeeba Staff
Manager
No, there is no such issue. The most likely scenario is that the attempted attacks simply waned. The other possibility is that you turned off reporting for specific attacks in the Configure WAF page.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

geoffc
I have been watching the WAF log for the past week and I am still only seeing 'Login errors' and 'Admin query string errors' being reported.

Your previous reply mentioned that I might have turned off reporting for specific attacks, but I have double checked and as I originally said and suspected the reporting is indeed turned on.

I have also tried manually entering some of the 'old' pre-3.0.0 Admin tools releases detected URL strings into my live site running 3.0.0 and a dev site running 2.6.2 Admin Tools. One thing that I have noticed is that the previous DFI Shield errors now result in a screen error 'ALERTNOTAUTH' message.

However where I have a 'Bad Word Detected' error it is not being recorded in the log on the 3.0.0 site, but is still recorded in the log upon the 2.6.2 site.

I could provide an invalid URL with bad words detected if you require, but it would probably be best not to add it into the ticket.

Given the number of 'invalid' URL strings I am still seeing in my 'redirect manager' log, and the previous number of reported spam attempts, I am finding it difficult to believe that the 'spam kiddies' have seen the 'light' and have given up trying to enter spam etc upon my site. Your suggested scenario would be nice if it were only more believable.

 geoffc

nicholas
Akeeba Staff
Manager
> One thing that I have noticed is that the previous DFI Shield errors now result in a screen error 'ALERTNOTAUTH' message.

You are missing a Joomla! language string. ALERTNOTAUTH reads "Not authorized". It's the standard 403 error page header generated by Joomla!. In other words: Admin Tools DOES block the attack.

> However where I have a 'Bad Word Detected' error it is not being recorded in the log on the 3.0.0 site, but is still recorded in the log upon the 2.6.2 site.

As I said, logging can be selectively enabled and disabled.

Nicholas K. Dionysopoulos


geoffc
I have added a language override for the ALERTNOTAUTH string, but the entry is still not logged in the Security log. The URL formerly raised a DFI Shield error, and I accept that Admin tools is blocking the attempt, but the ticket is about the logging of the attempt.

Revisited the WAF logging options and turned on the setting 'Also block suspicious IPs, not just confirmed spammers' and I immediately see entries 'Spammer (Via HTTP:BL)'. Has this replaced the previous 'antispam' result? I didn't formally have this specifically set even in 2.6.2.

I can't see anything to specifically control logging of 'DFI Shield' or 'Bad Word filtering', just the general 'Log Security Exceptions'. The only item specifically blocked from logging is 'Geo Block'.
 geoffc

nicholas
Akeeba Staff
Manager
> Revisited the WAF logging options and turned on the setting 'Also block suspicious IPs, not just confirmed spammers' and I immediately see entries 'Spammer (Via HTTP:BL)'. Has this replaced the previous 'antispam' result? I didn't formally have this specifically set even in 2.6.2.

This feature is unchanged throughout 2.5, 2.6 and 3.0 releases. Most definitely you had that option in 2.6. It was an integral part of our Project Honeypot integration.

> I can't see anything to specifically control logging of 'DFI Shield' or 'Bad Word filtering', just the general 'Log Security Exceptions'. The only item specifically blocked from logging is 'Geo Block'.

Then every security exception is logged. For what it is worth, both me and Davide DID try raising different exceptions on different sites hosted on an assortment of local and live hosts. Every time we did get a security exception log. Plus, nobody else has experienced anything similar. Sorry, we are unable to provide any further support for something that seems to not be an actual issue :(

Nicholas K. Dionysopoulos


geoffc
I have just installed 3.0.2 and can report that I am again starting to see the attack vectors that I was seeing prior to the installation of 3.0.0, and which suddenly ceased when I installed 3.0.0.

I do not think I need to say anything more.

Regards
Geoff
 geoffc

nicholas
Akeeba Staff
Manager
That's the reason we published 3.0.2 yesterday. The problem was only affecting Joomla! 2.5 sites and only very specific Active Request Filtering features (only those which were trying to access the raw array of query parameters). We tracked down the problem to an issue with JInput which was apparently fixed in Joomla! 3 but not in Joomla! 2.5 :(

Nicholas K. Dionysopoulos
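
Added example (not part of the ticket and not Akeeba's code): a check for the symptom reported in this thread, where some block reasons stop appearing in the security exceptions log after an upgrade while other reasons keep being logged. The tab-separated log layout, the dates, the addresses and the function names are assumptions constructed for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample export: "timestamp<TAB>client IP<TAB>block reason".
# This layout is an assumption for the example, not Admin Tools' own format.
SAMPLE_LOG = """\
2014-07-01 08:12:44\t203.0.113.7\tDFI Shield
2014-07-02 11:40:02\t198.51.100.23\tBad Word Detection
2014-07-03 02:05:19\t203.0.113.7\tLogin errors
2014-07-04 17:31:50\t192.0.2.66\tDFI Shield
2014-07-05 09:14:07\t198.51.100.23\tBad Word Detection
2014-07-06 21:48:33\t192.0.2.66\tAdmin access
this line is malformed and must be skipped
2014-07-09 06:02:11\t203.0.113.7\tLogin errors
2014-07-10 13:27:45\t192.0.2.66\tAdmin access
2014-07-12 19:55:03\t198.51.100.23\tLogin errors
2014-07-14 04:16:29\t192.0.2.66\tAdmin access
"""

UPGRADE = datetime(2014, 7, 8)  # constructed upgrade time


def parse(text):
    """Yield (timestamp, reason) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[2].strip()


def vanished_reasons(text, upgrade, min_before=2):
    """Reasons logged at least min_before times before the upgrade, never after.

    Returns None when nothing at all was logged after the upgrade, because
    that points to logging being off rather than to specific filters.
    """
    before, after = Counter(), Counter()
    for ts, reason in parse(text):
        (before if ts < upgrade else after)[reason] += 1
    if not after:
        return None
    return sorted(r for r, n in before.items() if n >= min_before and after[r] == 0)


if __name__ == "__main__":
    print(vanished_reasons(SAMPLE_LOG, UPGRADE))
```

A non-empty result after an upgrade is a prompt to trigger each listed filter with a known-blocked test request and confirm that a log entry appears, as was done in this thread against the 2.6.2 and 3.0.0 sites.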
