ModSecurity

Your documentation is lousy.

How exactly do you make an exception for a specific script and arg?

Do you people even know?  Is that why you refuse to answer?

SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"
SecRule ARGS:message

??

this list is for what purpose?!?

come on people

-- 
Best regards,
 donnydark                            mailto:donnydark@...

Gratitude is a key element in Open Source and badgering is a sure way to
get no help at all.

-----Original Message-----
From: mod-security-users-bounces@...
[mailto:mod-security-users-bounces@...] On Behalf Of
donnydark
Sent: Friday, August 31, 2007 9:14 AM
To: mod-security-users@...
Subject: [mod-security-users] how to except a url

Your documentation is lousy.

How exactly do you make an exception for a specific script and arg?

Do you people even know?  Is that why you refuse to answer?

SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"
SecRule ARGS:message

??

this list is for what purpose?!?

come on people

-- =

Best regards,
 donnydark                            mailto:donnydark@...


------------------------------------------------------------------------
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
mod-security-users mailing list
mod-security-users@...
https://lists.sourceforge.net/lists/listinfo/mod-security-users


                           Email Policy
____________________________________________________________________
The information in this email, including any attachments, is
confidential to the intended recipient and may be legally privileged.
If you are not the intended recipient of this message you may not
copy, distribute, disclose or rely on the information contained in it
nor use it's contents in any way. Please contact the sender
immediately and delete this message, together with any attachments,
from your system. The unauthorized use, dissemination, distribution
or reproduction of this e-mail, including attachments is prohibited
and may be unlawful.
We do not accept any liability or responsibility for changes made to
this e-mail after it was sent, or viruses transmitted through this
e-mail or any attachment. You should take full responsibility for
virus checking.

Verbal jabs are not necessary.  This list offers "best effort" support
meaning that we (Breach) will respond as soon as possible.  If you are
not satisfied with this level of service, perhaps you might want to
consider  purchasing commercial support for Mod from Breach.

Additionally, this is an open list meaning that other people can and
often do respond.  To be honest with you, the low mail-list traffic this
week may be due in part to the upcoming Labor Day week-end where many US
folks have Monday off and are taking their last vacations of the summer.

Comments inline below.

--=20
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache=20

> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of donnydark
> Sent: Friday, August 31, 2007 11:14 AM
> To: mod-security-users@...
> Subject: [mod-security-users] how to except a url
>=20
> Your documentation is lousy.
>=20
> How exactly do you make an exception for a specific script and arg?
>=20
> Do you people even know?  Is that why you refuse to answer?
>=20
> SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"
> SecRule ARGS:message
[Ryan Barnett] What version of ModSecurity are you using?  From your use
of SecRule, I am assuming v2.x.  So, is your intent to disable rule
processing entirely for the /myscripts/script.php file or for any
argument whose name is "message" or a combination of both where you just
want to exclude the message parameter on that one page?

>> How exactly do you make an exception for a specific script and arg?
>> SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"
>> SecRule ARGS:message
>[Ryan Barnett] What version of ModSecurity are you using?  From your use
>of SecRule, I am assuming v2.x.  So, is your intent to disable rule
>processing entirely for the /myscripts/script.php file or for any
>argument whose name is "message" or a combination of both where you just
>want to exclude the message parameter on that one page?

2.1.2

I am interested in the solutions to all three examples you name.

However what I intended to ask for was the third.  "a combination of
both where you just want to exclude the message parameter on that
one page".

Can you provide an example please?

-- 
Best regards,
 donnydark                            mailto:donnydark@...

Disabling Mod based on a specific URI -

=20

If you do not have any rules running in phase:1, then you can use Apache
scope directives to disable Mod based on the URI location -

=20

<Location "/myscripts/script.php">

SecRuleEngine Off

</Location>

=20

If you do have phase:1 rules, then you will need to use only Mod rules -

=20

SecRule REQUEST_FILENAME "^/myscripts/script\.php$"
"phase:1,t:none,nolog,allow,ctl:ruleEngine=3DOff"

=20

Excluding the ARGS:message variable from inspection -

=20

If you want to exclude the ARGS:message variable since there are too
many false positives, you first need to figure out exactly which
rulesets are causing the FPs.  I would guess that this is mostly
contained to the modsecurity_crs_40_generic_attacks.conf file.  What you
will need to do is to update each rule with "!ARGS:message" variable
exclusion like this -

=20

# Session fixation

SecRule
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Refere
r|!ARGS:message
"(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=3D|\bhttp-equiv\W+set-cookie=
\
b)" \

        "capture,ctl:auditLogParts=3D+E,log,auditlog,msg:'Session
Fixation. Matched signature <%{TX.0}>',,id:'950009',severity:'2'"

=20

Excluding the ARGS:message variable only if it is part of the
"/myscripts/script.php" script -

=20

Combine the two previous concepts. =20

=20

<Location "/myscripts/script.php">

# Session fixation

SecRule
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Refere
r|!ARGS:message
"(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=3D|\bhttp-equiv\W+set-cookie=
\
b)" \

        "capture,ctl:auditLogParts=3D+E,log,auditlog,msg:'Session
Fixation. Matched signature <%{TX.0}>',,id:'950009',severity:'2'"

</Location>

=20

You could also have these new rules in separate files and then call them
up with Apache Includes -

=20

<Location "/myscripts/script.php">

Include conf/rules/custom_rules.conf

</Location>

=20

FYI - we are working on some ModSecurity enhancements that will help
with exclusions such as have SecRuleRemoveById and skipto actions.
These will help with controlling when and where to apply exceptions.

=20

Hope this helps.

=20

--=20

Ryan C. Barnett

ModSecurity Community Manager

Breach Security: Director of Training

Web Application Security Consortium (WASC) Member

CIS Apache Benchmark Project Lead

SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

=20

=20

=20

> -----Original Message-----

> From: donnydark [mailto:donnydark@...]

> Sent: Saturday, September 01, 2007 9:37 AM

> To: Ryan Barnett

> Cc: mod-security-users@...

> Subject: Re[2]: [mod-security-users] how to except a url

>=20

> >> How exactly do you make an exception for a specific script and arg?

> >> SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"

> >> SecRule ARGS:message

> >[Ryan Barnett] What version of ModSecurity are you using?  From your
use

> >of SecRule, I am assuming v2.x.  So, is your intent to disable rule

> >processing entirely for the /myscripts/script.php file or for any

> >argument whose name is "message" or a combination of both where you
just

> >want to exclude the message parameter on that one page?

>=20

> 2.1.2

>=20

> I am interested in the solutions to all three examples you name.

>=20

> However what I intended to ask for was the third.  "a combination of

> both where you just want to exclude the message parameter on that

> one page".

>=20

> Can you provide an example please?

>=20

> --

> Best regards,

>  donnydark                            mailto:donnydark@...

=20

The reason that your example rule didn't work as you expected is that
the "pass" action only applies to the current rule.  You probably wanted
to use "allow" however that would not achieve your goals either as you
don't want to implicitly allow a request past the remainder of your
rules.  Speaking of that, what rules are you currently using that are
causing the false positives? =20

=20

>From your example short alert message, I wouldn't necessarily classify
that as a FP as there are real issues where a file uploads could cause
that message and they are often due to connections problems, etc...  Can
you confirm that this is causing a problem from the client's
perspective?

=20

If you want to disable POST payload scanning for a specific URL
location, this should work -

=20

<Location /myapp/compose.attachments.php>
SecFilterScanPOST Off
</Location>

=20

As stated previously, though, turning off filtering entirely for
locations such as this is not the ideal approach. =20

=20

-Ryan

________________________________

From: mod-security-users-bounces@... on behalf of
Steve West
Sent: Fri 8/31/2007 12:00 AM
To: mod-security-users@...
Subject: [mod-security-users] Can't seem to exclude ScanPost on certain
URLs

Mod_Security: 1.9.4

Hi,

I'm trying to allow a certain app to be exempt from ScanPost filtering
which seems to cause many false-positives:

mod_security-message: Access denied with code 500. Error processing
request body: Multipart: final boundary missing [severity "EMERGENCY"]

So, I added a rule like so which I thought would exclude it:

<Location /myapp/compose.attachments.php>
SecFilterSelective HTTP_Content-Type
"^$|^application/x-www-form-urlencoded$|^multipart/form-data,|^multipart
/form-data;"
nolog,pass
</Location>

But mod_security is still blocking. Any ideas how to stop ScanPost
filtering for the above path without disabling ScanPost completely?

thx,

SW


------------------------------------------------------------------------
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
mod-security-users mailing list
mod-security-users@...
https://lists.sourceforge.net/lists/listinfo/mod-security-users