unsubscribe


On Thu, Oct 10, 2013 at 5:08 PM, <mod-security-users-request@lists.sourceforge.net> wrote:
Send mod-security-users mailing list submissions to
        mod-security-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/mod-security-users
or, via email, send a message with subject or body 'help' to
        mod-security-users-request@lists.sourceforge.net

You can reach the person managing the list at
        mod-security-users-owner@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of mod-security-users digest..."


Today's Topics:

   1. Re: Password Sanitization in Request Body (Josh Amishav-Zlatin)
   2. Fixing False Positives on IIS 7 (Costas Antoniou)
   3. Re: Password Sanitization in Request Body (Steve Stonebraker)


----------------------------------------------------------------------

Message: 1
Date: Wed, 9 Oct 2013 22:24:32 +0200
From: Josh Amishav-Zlatin <jamuse@owasp.org>
Subject: Re: [mod-security-users] Password Sanitization in Request
        Body
To: "mod-security-users@lists.sourceforge.net"
        <mod-security-users@lists.sourceforge.net>
Message-ID:
        <CAC+O4mFnMMgfAfUEwRShJX2FBQu__H6Os5C_7ivue0bA01qzbw@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Wed, Oct 9, 2013 at 9:10 PM, Steve Stonebraker <
steve.stonebraker@gmail.com> wrote:

> Thanks!
>
> I came up with this rule:
> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
> "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"
>
>
Hi Steve,

A couple thoughts:

1. REQUEST_BODY won't have the JSON request in it unless you
enable forceRequestBodyVariable beforehand in phase 1.

2. Your rule can only have two or three arguments. You can group your
arguments together using quotes, but if your regex includes quotes you need
to escape them.

3. If all you want to do is check if the JSON body contains the string
password then you can simplify your rule as follows:

# Force the REQUEST_BODY collection to contain the JSON body based on the
# content-type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On

# Search for the string 'password' in the request body and disable audit
# log parts C and I
SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"

--
 - Josh


> But am receiving this error:
> Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
> SecRule takes two or three arguments, rule target, operator and optional
> action list
>
>
> On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <jamuse@owasp.org>wrote:
>
>> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <
>> steve.stonebraker@gmail.com> wrote:
>>
>>> Thanks I saw that and it looks great but I can't implement it on a prod
>>> environment.
>>>
>>> Right now I'm toying with:
>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>>>
>>> But I'm not sure how to replace the matched value with the character *
>>>
>>>
>> Hi Steve,
>>
>> I think the only current solution is to use the ctl action to remove
>> logging the request body entirely if it holds sensitive data. Kind of an
>> all or nothing approach until the patch makes its way into the stable
>> branch.
>>
>> --
>>  - Josh
>>
>>
>>>
>>> On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin <jamuse@owasp.org>wrote:
>>>
>>>> On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker <
>>>> steve.stonebraker@gmail.com> wrote:
>>>>
>>>>> I'll answer my own question.  The body has JSON which is not processed
>>>>> by sanitiseArg.
>>>>>
>>>>>
>>>> Hi Steve,
>>>>
>>>> Not sure how stable this is yet, but take a look at:
>>>> https://www.modsecurity.org/tracker/browse/MODSEC-253
>>>> Perhaps with the patch you could use sanitiseMatched.
>>>>
>>>> --
>>>>  - Josh
>>>>
>>>>
>>>>>
>>>>> On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <
>>>>> steve.stonebraker@gmail.com> wrote:
>>>>>
>>>>>> I am unable to sanitize a password in the request body.
>>>>>>
>>>>>> --2a688459-C-- {"username":"someuser","password":"somepassword"}
>>>>>>
>>>>>>
>>>>>> What I've tried:
>>>>>> SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
>>>>>> SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
>>>>>> SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> October Webinars: Code for Performance
>>>>> Free Intel webinars can help you accelerate application performance.
>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>>>>> most from
>>>>> the latest Intel processors and coprocessors. See abstracts and
>>>>> register >
>>>>>
>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>>>>> _______________________________________________
>>>>> mod-security-users mailing list
>>>>> mod-security-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>>
>>>>>
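The thread above ends with an all-or-nothing choice: sanitiseArg does not see a JSON body, so the only in-engine option is to drop audit-log part C for the whole transaction. A defender who needs the body in the audit log but not the secret can instead mask the value after the log is written and before it is shipped to a viewer such as jwall. The script below is an added example, not code from the list or from ModSecurity; it assumes the serial audit-log layout with `--<id>-<part>--` boundaries, assumes the sensitive JSON keys are the ones listed in `SENSITIVE_KEYS`, and uses a constructed audit-log excerpt (the transaction id reuses the one quoted in the thread, everything else is made up) as its sample input.

```python
"""Redact secrets from ModSecurity audit-log request bodies (part C).

Added example for the thread above; not code from the list or from
ModSecurity. Assumptions: serial audit-log format with --<id>-<part>--
boundaries, and that the sensitive JSON keys are those in SENSITIVE_KEYS.
"""
import json
import re

# JSON keys whose values are masked wherever they appear (assumed names).
SENSITIVE_KEYS = {"password", "passwd", "old_password", "new_password"}
# Fixed-width mask so the log does not leak the secret's length either.
MASK = "********"

# Audit-log part boundary, e.g. --2a688459-C--; part C is the request body.
PART_MARKER = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

# Fallback for bodies that are not valid JSON (truncated or malformed):
# match "password": "<value>" and tolerate a missing closing quote.
_KEY_ALT = "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS))
FALLBACK = re.compile(
    r'("(?:' + _KEY_ALT + r')"\s*:\s*)"(?:[^"\\]|\\.)*"?', re.IGNORECASE
)


def _redact_value(obj):
    """Walk a parsed JSON document and mask values under sensitive keys."""
    if isinstance(obj, dict):
        return {
            k: MASK if k.lower() in SENSITIVE_KEYS else _redact_value(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [_redact_value(v) for v in obj]
    return obj


def redact_body(body):
    """Return the request body with sensitive values replaced by MASK.

    Valid JSON is parsed and re-serialised, so an escaped quote inside the
    secret (e.g. "pa\\"ss") cannot end the match early; anything that does
    not parse goes through the regex fallback.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return FALLBACK.sub(lambda m: m.group(1) + '"' + MASK + '"', body)
    return json.dumps(_redact_value(data), separators=(",", ":"))


def _redact_part(lines):
    """Redact one part C, keeping the blank line(s) that terminate it."""
    raw = "\n".join(lines)
    core = raw.rstrip("\n")
    return redact_body(core) + raw[len(core):]


def redact_audit_log(text):
    """Redact every part C of a serial-format audit log; other parts are untouched."""
    out, body, in_body = [], [], False
    for line in text.splitlines():
        m = PART_MARKER.match(line)
        if m:
            if in_body and body:
                out.append(_redact_part(body))
            body, in_body = [], (m.group(2) == "C")
            out.append(line)
        elif in_body:
            body.append(line)
        else:
            out.append(line)
    if in_body and body:  # log cut off inside the request body
        out.append(_redact_part(body))
    return "\n".join(out) + "\n"


# Constructed sample in the serial audit-log layout (not a real capture).
SAMPLE_AUDIT_LOG = """\
--2a688459-A--
[10/Oct/2013:08:38:10 --0500] UlaS4H8AAQEAAA1HIksAAAAA 192.0.2.10 51234 192.0.2.1 443
--2a688459-B--
POST /api/login HTTP/1.1
Host: app.example
Content-Type: application/json
Content-Length: 49

--2a688459-C--
{"username":"someuser","password":"somepassword"}

--2a688459-F--
HTTP/1.1 200 OK
Content-Type: application/json

--2a688459-Z--
"""

if __name__ == "__main__":
    print(redact_audit_log(SAMPLE_AUDIT_LOG))
```

Two design points worth noting. Redaction is keyed on the JSON field name, so a body such as `{"username":"password"}` is left alone, whereas the substring rule in the thread fires on it. And the fallback regex accepts a value with no closing quote so that a body truncated by SecRequestBodyLimit still gets masked rather than logged in clear up to the cut.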

------------------------------

Message: 2
Date: Thu, 10 Oct 2013 13:03:11 +0300
From: Costas Antoniou <antoniou.costas@gmail.com>
Subject: [mod-security-users] Fixing False Positives on IIS 7
To: mod-security-users@lists.sourceforge.net
Message-ID:
        <CABGkhjSqyOZY9ENaTEiouo6_-Ve2ED4qzyygW-Wh4YdXCoKacA@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello, I have installed modsecurity 2.7.5 on IIS 7 and I have logged many
false positives that I would like to exclude. Can I use the directive
SecRuleRemove somehow, or is there another way for IIS?

Thank you
Costas

------------------------------

Message: 3
Date: Thu, 10 Oct 2013 08:38:10 -0500
From: Steve Stonebraker <steve.stonebraker@gmail.com>
Subject: Re: [mod-security-users] Password Sanitization in Request
        Body
To: mod-security-users@lists.sourceforge.net
Message-ID:
        <CAGF2JeJ9_AGkH8n3b=gLAdqNZ6JGgXXaG7AMAxssh=eNW3trug@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thank you Josh for your help.

I think your rule should work but I'm still seeing the password picked up
in my jwall logs.  I think it is because of my next three rules:

# Force the REQUEST_BODY collection to contain the JSON body based on the
# content-type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On

# Search for the string 'password' in the request body and disable audit
# log parts C and I
SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"


#IP Address Tracking
SecAction "id:'500001',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

#Start logging everything coming from an IP address after a single
#rule match. To achieve that, we set the flag IP.logflag for up to one hour
#(3600 seconds):
SecRule HIGHEST_SEVERITY "@gt 0" \
id:'500003',phase:5,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}

#Detect the flag and force logging:
SecRule IP:logflag "@gt 0" \
"id:'500005',phase:5,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:'%{ip.logflag_hash}',pass,ctl:auditEngine=On"


How can I incorporate the rules you suggested with rules 500001-500005?



------------------------------

------------------------------


End of mod-security-users Digest, Vol 89, Issue 6
*************************************************