Hi Ryan,

    For you and the list, here is the final custom rule that allowed dav_svn to work without globally allowing the new methods or removing any rules:

SecRule REQUEST_FILENAME "@beginsWith /svn" "id:111114,phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND PROPPATH PROPPATCH REPORT OPTIONS MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|application/vnd.svn-svndiff'"

~Jeremy
--

Jeremy Brock

XtremeServices.Net
Xtreme Services, LLC
On 2/19/2013 1:01 PM, Ryan Barnett wrote:



From: Jeremy Brock <jbrock@xtremeservices.net>
Date: Tuesday, February 19, 2013 3:54 PM
To: Ryan Barnett <rbarnett@trustwave.com>
Cc: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] dav_svn forbidden fix

Hello Ryan,

    You are correct:




    I had the following methods blocked: OPTIONS, CHECKOUT, PROPPATCH, PUT

    Thank you for pointing me to the proper place to make the changes: modsecurity_crs_10_setup.conf!

    Is it possible to only allow these extra methods with respect to a directory location such as /svn using the modsecurity_crs_10_setup.conf?

You bet.   You could leave the default tx.allowed_methods in the 10 setup conf file and then add this to your 15 custom rules conf file -

# modsecurity_crs_15_custom_rules.conf: widen tx.allowed_methods only for requests under /svn
SecRule REQUEST_FILENAME "@beginsWith /svn" "id:111114,phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND PROPPATH PROPPATCH REPORT OPTIONS MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL'"

This will reset the tx.allowed_methods variable data to a new value before being inspected in the 30 file.

-Ryan



~Jeremy
On 2/19/2013 12:39 PM, Ryan Barnett wrote:
On 2/19/13 3:26 PM, "Jeremy Brock" <jbrock@xtremeservices.net> wrote:

Hi All,

    I had a client experiencing issues with the dav_svn / tortoise svn
and I was unable to get around the modsecurity rules with locationmatch
in the directives.  I ended up using the following as a custom rule
based on something I found while googling and it appears to have worked
like a charm after slight modifications.

    I am not sure if a fix like this should be sent to the list, but I
figured why not, it hopefully will be helpful for others googling.
First of all, thank you for sending this to the list.  I have a feeling
that most people internally add exceptions to handle issues rather than
sharing with the group.  This, in turn, makes it impossible for us to know
what changes we could make to have the rule be more accurate.

    For anyone else experiencing forbidden issues with modsecurity and
dav_svn the following placed in modsecurity_crs_15_custom_rules.conf
seems to have fixed the issues:
What were the errors you were getting?  Were they from the OWASP
ModSecurity CRS?  Was it this rule?

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
#      methods. If that is not the case with your environment, you are advised
#      to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
  "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"



If so, then you can easily adjust your local "allowed HTTP request methods"
by editing -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example


Change the following setvar for tx.allowed_methods to include those needed
for SVN.

#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"



You can also adjust the tx.allowed_request_content_type regex as well.

-Ryan

# Modsecurity 2.7.2
# Core ModSecurity Rule Set ver.2.2.7
# Allow SVN through
SecRule REQUEST_METHOD "@within PROPFIND PROPPATH PROPPATCH REPORT OPTIONS MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL" \
  "chain,phase:1,id:111114,t:none,nolog,pass"
  SecRule REQUEST_HEADERS:User-Agent "@beginsWith SVN" "ctl:'ruleRemoveById=960010,960015,960032,960904'"
~Jeremy



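The thread turns on one ordering fact: the /svn override in the 15 custom rules file is a phase-1 setvar that runs before the phase-1 policy check in the 30 file, so the wider method and content-type lists apply only to that transaction. The script below is an added, simplified model of that evaluation; it is not ModSecurity or CRS code and was not posted by anyone in the thread. It assumes the CRS 2.2.x values quoted above (SecAction 900012 defaults, the /svn override with id 111114, the @within method check 960032), treats a failed policy rule as an immediate block (real CRS 2.2.x scores it through anomaly mode unless traditional mode is enabled), models the content-type rule 960010 only as "MIME type must match one alternative of tx.allowed_request_content_type", and uses constructed sample requests.

```python
"""
Simplified model of CRS 2.2.x phase-1 policy evaluation for the dav_svn case.
Constructed illustration; not ModSecurity code, and the request samples are
made up. Rule numbers and variable values are the ones quoted in the thread.
"""
import re

# CRS defaults (SecAction 900012 in modsecurity_crs_10_setup.conf) and the
# /svn override (rule 111114 in modsecurity_crs_15_custom_rules.conf).
DEFAULT_METHODS = "GET HEAD POST OPTIONS"
SVN_METHODS = ("GET HEAD POST OPTIONS PROPFIND PROPPATCH REPORT "
               "MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL")
DEFAULT_CONTENT_TYPES = ("application/x-www-form-urlencoded|multipart/form-data|"
                         "text/xml|application/xml|application/x-amf|application/json")
SVN_CONTENT_TYPES = DEFAULT_CONTENT_TYPES + "|application/vnd.svn-svndiff"


def within(needle, haystack):
    """ModSecurity's @within: true if the variable value occurs anywhere in the
    macro-expanded parameter. It is a plain substring test; the spaces in the
    list are what separate one method token from the next."""
    return needle in haystack


def rule_900012(req, tx):
    """10 setup file: unconditional SecAction seeding the tx policy variables
    that the 30 file later expands via %{tx....}."""
    tx["allowed_methods"] = DEFAULT_METHODS
    tx["allowed_request_content_type"] = DEFAULT_CONTENT_TYPES


def rule_111114(req, tx):
    """15 custom rules file: REQUEST_FILENAME "@beginsWith /svn" -> setvar a
    wider policy, scoped to this transaction only (tx.* is per-transaction)."""
    if req["filename"].startswith("/svn"):
        tx["allowed_methods"] = SVN_METHODS
        tx["allowed_request_content_type"] = SVN_CONTENT_TYPES


def rule_960032(req, tx):
    """30 http policy file: REQUEST_METHOD "!@within %{tx.allowed_methods}".
    Modelled as an immediate block (assumption: traditional/deny mode)."""
    if not within(req["method"], tx["allowed_methods"]):
        return "block"


def rule_960010(req, tx):
    """Simplified content-type policy: the MIME type before any ';' must match
    one alternative of the tx.allowed_request_content_type regex."""
    if not req.get("content_type"):
        return None
    mime = req["content_type"].split(";", 1)[0].strip()
    if not re.fullmatch(tx["allowed_request_content_type"], mime):
        return "block"


# CRS files load alphabetically, so these phase-1 rules run in this order.
CRS_ORDER = [rule_900012, rule_111114, rule_960032, rule_960010]
# The same override placed after the policy check (e.g. in a 99_ file) runs
# too late to influence rule 960032.
LATE_OVERRIDE_ORDER = [rule_900012, rule_960032, rule_960010, rule_111114]


def evaluate(req, rules):
    """Run phase-1 rules in configuration order; the first block wins."""
    tx = {}
    for rule in rules:
        if rule(req, tx) == "block":
            return "block"
    return "pass"


def decide(method, filename, content_type=None, rules=CRS_ORDER):
    """Policy outcome for one constructed request."""
    return evaluate({"method": method, "filename": filename,
                     "content_type": content_type}, rules)


if __name__ == "__main__":
    cases = [  # constructed sample requests
        ("PROPFIND", "/svn/repo/trunk", None),
        ("PROPFIND", "/wp-admin/", None),
        ("PUT", "/svn/repo/!svn/wrk/x/trunk/f", "application/vnd.svn-svndiff"),
        ("POST", "/login", "application/vnd.svn-svndiff"),
        ("POST", "/login", "application/x-www-form-urlencoded; charset=UTF-8"),
    ]
    for m, f, ct in cases:
        print(f"{m:8} {f:32} {ct or '-':48} -> {decide(m, f, ct)}")
    print("late override, PROPFIND /svn/repo ->",
          decide("PROPFIND", "/svn/repo", rules=LATE_OVERRIDE_ORDER))
```

Running it shows WebDAV methods accepted under /svn and still blocked elsewhere, the svndiff content type accepted only under /svn, and the same override doing nothing when it is ordered after the 30 file's check, which is the point Ryan makes about resetting tx.allowed_methods "before being inspected in the 30 file".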