On Wed, Oct 30, 2013 at 8:16 PM, Macks, Aaron <amacks@harvardbusiness.org> wrote:

Josh, I tried your suggestion: SecRuleUpdateTargetById 990012 "!REQUEST_FILENAME:/thumbnail\.gif/"
and got the same result, a trigger on the thumbnail requests.  I did a double check by commenting out the original rule and appending that REQUEST_FILENAME to a copy of the original rule, and it triggered a syntax error:

Rule - SecRule REQUEST_HEADERS:User-Agent|!REQUEST_FILENAME:/thumbnail\.gif/ "@pmFromFile…….
Error - Error creating rule: Variable !REQUEST_FILENAME does not support parameters.


Hi Aaron,

What file did you place the exception in? Can you send me an auditlog for the event (specifically I want to see sections H and K)?

--
 - Josh
 
thanks all
A
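
Josh asks for sections H and K of the audit log. What follows is an added example, not from this thread and not ModSecurity's own code: a small Python parser for the native (serial) audit-log format that pulls the request line from part B, the alert ids from the Message lines in part H and the matched rules in part K, and then reports whether a ctl:ruleRemoveById exclusion matched before or after the rule it targets. Part K lists matched rules in evaluation order, so it answers directly whether the exclusion ran too late. The log embedded below is constructed: boundary ids, timestamps and addresses are invented, and the alert line copies the one quoted in this thread.

```python
"""Pull the matched-rule evidence (sections H and K) out of a ModSecurity
native-format audit log and check whether a ctl:ruleRemoveById exclusion
actually ran before the rule it is meant to suppress."""
import re

# Boundary lines look like "--7f3a1c2d-H--": transaction id, then part letter.
_BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--\s*$")
_MSG_ID = re.compile(r'\[id "(\d+)"\]')            # [id "990012"] in a part-H Message line
_RULE_ID = re.compile(r"\bid:'?(\d+)'?")           # id:990012 or id:'990012' in a part-K rule
_REMOVE = re.compile(r"ctl:ruleRemoveById=(\d+)", re.IGNORECASE)

# Constructed sample: two transactions for the same HEAD request. In the first,
# the exclusion (no phase, so phase 2) sits in a file loaded after the bad-robots
# rule and matches only after 990012 has already alerted. In the second, the same
# exclusion carries phase:1 and 990012 never fires (logged here only because the
# sample assumes SecAuditEngine On rather than RelevantOnly).
SAMPLE_LOG = """\
--7f3a1c2d-A--
[30/Oct/2013:11:02:13 --0400] UnBk7X8AAAEAAB2GfS4AAAAA 203.0.113.5 54321 198.51.100.7 80
--7f3a1c2d-B--
HEAD /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/3.1

--7f3a1c2d-H--
Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2.2.5"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"]
Engine-Mode: "ENABLED"

--7f3a1c2d-K--
SecRule "REQUEST_HEADERS:User-Agent" "@rx (?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)..." "phase:2,rev:2.2.5,t:none,t:lowercase,block,msg:'Rogue web site crawler',severity:4,id:990012"
SecRule "REQUEST_FILENAME" "@endsWith thumbnail.gif" "nolog,pass,ctl:RuleRemoveById=990012"

--7f3a1c2d-Z--

--8b4e2d3f-A--
[30/Oct/2013:11:02:14 --0400] UnBk7n8AAAEAAB2GfS8AAAAA 203.0.113.5 54322 198.51.100.7 80
--8b4e2d3f-B--
HEAD /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/3.1

--8b4e2d3f-H--
Engine-Mode: "ENABLED"

--8b4e2d3f-K--
SecRule "REQUEST_FILENAME" "@endsWith thumbnail.gif" "phase:1,nolog,pass,ctl:ruleRemoveById=990012"

--8b4e2d3f-Z--
"""


def parse_audit_log(text):
    """Return [{'id': tx_id, 'parts': {'A': text, 'B': text, ...}}, ...] in file order."""
    transactions, current, part = [], None, None
    for line in text.splitlines():
        m = _BOUNDARY.match(line)
        if m:
            tx_id, letter = m.groups()
            if current is None or current["id"] != tx_id:
                current = {"id": tx_id, "parts": {}}
                transactions.append(current)
            part = letter
            current["parts"][part] = []
            continue
        if current is not None and part is not None:
            current["parts"][part].append(line)
    for tx in transactions:
        tx["parts"] = {k: "\n".join(v).strip("\n") for k, v in tx["parts"].items()}
    return transactions


def request_line(tx):
    """Method, URI and protocol of the audited request (first line of part B)."""
    body = tx["parts"].get("B", "")
    return body.splitlines()[0] if body else ""


def alerted_rule_ids(tx):
    """Rule ids from 'Message:' lines in part H, in the order the engine logged them."""
    return [m.group(1) for line in tx["parts"].get("H", "").splitlines()
            if line.startswith("Message:") for m in _MSG_ID.finditer(line)]


def matched_rules(tx):
    """(id, rule text) for every rule in part K, in evaluation order; id is None
    for rules without one, such as an unnumbered exclusion."""
    out = []
    for line in tx["parts"].get("K", "").splitlines():
        if line.startswith(("SecRule", "SecAction")):
            m = _RULE_ID.search(line)
            out.append((m.group(1) if m else None, line))
    return out


def _removes(rule_text, target_id):
    m = _REMOVE.search(rule_text)
    return bool(m) and m.group(1) == target_id


def exclusion_status(tx, target_id):
    """How a ctl:ruleRemoveById=<target_id> exclusion fared in this transaction."""
    rules = matched_rules(tx)
    excl_pos = next((i for i, (_, t) in enumerate(rules) if _removes(t, target_id)), None)
    target_pos = next((i for i, (rid, _) in enumerate(rules) if rid == target_id), None)
    if target_pos is None:
        return "suppressed" if excl_pos is not None else "not_triggered"
    if excl_pos is None:
        return "exclusion_not_matched"   # exclusion never ran: wrong file, or its operator missed
    return "exclusion_too_late" if excl_pos > target_pos else "exclusion_ignored"


if __name__ == "__main__":
    for tx in parse_audit_log(SAMPLE_LOG):
        print(tx["id"], request_line(tx), alerted_rule_ids(tx), exclusion_status(tx, "990012"))
```

Run it against a real audit log by replacing SAMPLE_LOG with the file contents. An "exclusion_not_matched" result for a request whose path plainly ends in thumbnail.gif means the exclusion rule was never evaluated for that transaction, which is what Josh's question about the file it lives in is probing.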
On Oct 30, 2013, at 1:26 PM, Jose Pablo Valcárcel Lázaro wrote:

I understand this rule SecRule REQUEST_FILENAME "@endsWith thumbnail.gif" "nolog,pass,ctl:RuleRemoveById=990012" makes no difference for any user-agent; I mean, no web browser should be blocked by this rule unless you have other rules which block specific agents, I guess.

Can you paste the rule with id 990012 from /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf? Is this the rule: SecRule REQUEST_FILENAME "@endsWith thumbnail.gif" "nolog,pass,ctl:RuleRemoveById=990012"?

Do you have any user-agent block near that rule which blocks the Jakarta user-agent? Have you tried commenting it out to test this rule: SecRule REQUEST_FILENAME "@endsWith thumbnail.gif" "nolog,pass,ctl:RuleRemoveById=990012"?

I understand the new rule you have set up should not block when a client tries to reach thumbnail.gif, unless another rule is blocking it.


Kind regards,


2013/10/30 Macks, Aaron <amacks@harvardbusiness.org>
It's triggering off of the User-Agent; the full form of that rule includes "(?:jakart|vi)a|microsoft url|user-Agent)", which is triggering on "Jakarta Commons-HttpClient/3.1" (accurately).  The problem is that a 3rd party needs to be able to use Jakarta to access these thumbnails.

A


On Oct 30, 2013, at 11:12 AM, Jose Pablo Valcárcel Lázaro wrote:

Excuse me, but it looks like rule 990012 triggered, but not for your access: Pattern match "(?i:(?:c(?:o(?:n( (icon.. so the user-agent is trying to reach i?c?o?n, but it does not seem to be thumbnail.gif)

Have you checked that warning against access from your IP address? Have you tested reaching that resource, and does it keep blocking the connection?

Kind regards,


2013/10/30 Macks, Aaron <amacks@harvardbusiness.org>
hmmm, taking that suggestion I replaced the Regex with an endsWith operator
SecRule REQUEST_FILENAME "@endsWith thumbnail.gif" "nolog,pass,ctl:RuleRemoveById=990012"

but I'm still seeing log entries against the rule

HEAD /products/200039-PDF-ENG/thumbnail/thumbnail.gif HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/3.1

Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2.2.5"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

Thoughts on where to look next?  I do note that ALL the tagged requests are of the HEAD type, that's the nature of the traffic.  I don't think that matters, but..

A
On Oct 30, 2013, at 6:35 AM, Jose Pablo Valcárcel Lázaro wrote:

I guess it is not an HTTP method issue, but it could be a regular expression one.

Your rule:
SecRule REQUEST_FILENAME "^/products/.*thumbnail.gif$" "nolog,pass,ctl:RuleRemoveById=990012"
File accessed: /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1

Why don't you try to block all *.gif files as a test?  That way you should see whether there is a problem with the regular expression or, on the other hand, whether it is a regular expression issue.

Here is an example against file injection with some files and extensions:

# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1,id:1234123403"



SecRule REQUEST_FILENAME "@streq /path/to/file.php" \
"phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=958895;!ARGS:email"

Have you tried with @streq?

I guess your rule is not matching the file access correctly, but I could be wrong.

Kind regards,


2013/10/29 Macks, Aaron <amacks@harvardbusiness.org>
I'm trying to skip a rule based on a filename, and thought this config should achieve that:

SecRule REQUEST_FILENAME "^/products/.*thumbnail.gif$" "nolog,pass,ctl:RuleRemoveById=990012"

The thing is, I'm still seeing hits for that rule in the log with filenames that match

HEAD /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/3.1
….
Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2.2.5"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

Is it because the request is HEAD and not GET?

A
--
Aaron Macks
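
The exclusion posted above names no phase and its location in the config is not stated. Whether a ctl:ruleRemoveById exclusion works depends on two ordering facts: a wildcard Include in Apache loads matching files alphabetically, and ModSecurity runs all phase 1 rules before any phase 2 rule, in configuration order within a phase, with phase 2 as the default for a SecRule that names none. The ctl action only removes the target from rules evaluated after it in the same transaction. The block below is an added example, not code from this thread or from ModSecurity, that models those two facts so you can check where an exclusion lands relative to rule 990012. It assumes, as is standard for CRS 2.2.x rules, that 990012 is a phase 2 rule; the two local-exception file names are invented.

```python
"""Where a ctl:ruleRemoveById exclusion lands in ModSecurity's evaluation order.
Apache's wildcard Include loads files alphabetically; the engine then runs every
phase 1 rule before any phase 2 rule, in file order within a phase, and treats a
SecRule without a phase: action as phase 2."""

DEFAULT_PHASE = 2  # engine default when a rule carries no phase: action


def phase_of(actions):
    """Return the phase named in a rule's action list, or the engine default."""
    for act in actions.split(","):
        act = act.strip()
        if act.startswith("phase:"):
            return int(act.split(":", 1)[1].strip("'\""))
    return DEFAULT_PHASE


def evaluation_order(rules_by_file):
    """rules_by_file maps a config file name to its rules as (label, actions) pairs
    in on-disk order; returns the labels in the order the engine evaluates them."""
    keyed = []
    for file_idx, fname in enumerate(sorted(rules_by_file)):   # alphabetical Include
        for pos, (label, actions) in enumerate(rules_by_file[fname]):
            keyed.append((phase_of(actions), file_idx, pos, label))
    return [label for *_, label in sorted(keyed)]


def exclusion_effective(rules_by_file, exclusion, target):
    """True only if the exclusion is evaluated before the target, which is the only
    case in which its ctl action can remove the target for the transaction."""
    order = evaluation_order(rules_by_file)
    return order.index(exclusion) < order.index(target)


# Constructed layouts. The bad-robots entry carries the id and (assumed) phase of
# the CRS 2.2.5 rule named in the thread; the local-exception file names are invented.
BAD_ROBOTS = {"modsecurity_crs_35_bad_robots.conf":
              [("990012", "phase:2,t:none,t:lowercase,block,id:990012")]}
EXCLUSION_AS_POSTED = "nolog,pass,ctl:ruleRemoveById=990012"   # no phase, so phase 2

# Exclusion in a file that sorts after 35_bad_robots: runs after 990012, no effect.
LATE_FILE = {**BAD_ROBOTS,
             "modsecurity_crs_99_local.conf": [("skip-990012", EXCLUSION_AS_POSTED)]}
# Same rule in a file that sorts before 35_bad_robots: runs first, effective.
EARLY_FILE = {**BAD_ROBOTS,
              "modsecurity_crs_10_local.conf": [("skip-990012", EXCLUSION_AS_POSTED)]}
# Same late file, but phase:1 on the exclusion: phase order wins over file order.
PHASE1_LATE_FILE = {**BAD_ROBOTS,
                    "modsecurity_crs_99_local.conf":
                    [("skip-990012", "phase:1," + EXCLUSION_AS_POSTED)]}

if __name__ == "__main__":
    for name, layout in (("late file, default phase", LATE_FILE),
                         ("early file, default phase", EARLY_FILE),
                         ("late file, phase:1", PHASE1_LATE_FILE)):
        print(f"{name:26s} order={evaluation_order(layout)} "
              f"effective={exclusion_effective(layout, 'skip-990012', '990012')}")
```

Two caveats follow from the same model. Giving the exclusion an explicit phase:1 is the robust choice, because it then precedes every phase 2 rule whatever the file names are. And SecRuleUpdateTargetById only edits the target list of the named rule, so excluding a variable the rule never inspects changes nothing; that is separate from the "does not support parameters" error, which arises because REQUEST_FILENAME is a single value and takes no :selector.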


------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

--
Aaron Macks
Systems Architect

Harvard Business Publishing
300 North Beacon St.    |   Watertown, MA 02472
(617) 783-7461                |   Fax: (617) 783-7467