Re: [mod-security-users] Proxy access attempt rule
From: Ryan B. <RBa...@tr...> - 2011-02-15 13:33:53
On 2/14/11 9:22 AM, "Peter Tesone" <pt...@gm...> wrote:

> Hi,
>
> I receive a 403 error in my hosting because a mod_security rule is
> triggered. Can anyone suggest how to change this rule so it does not
> raise a 403 error?

Peter,

This rule is from the GotRoot application protections file -
http://updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_rules.conf

If you have issues with this rule, they have their own user mailing list/forum.
We (Trustwave) maintain the OWASP ModSecurity Core Rule Set (CRS) Project.

That being said - here is the rule that is triggering:

SecRule REQUEST_URI_RAW "^\w+:/" \
    "chain,phase:2,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Proxy access attempt',severity:'2',id:'340012',rev:2,logdata:'%{TX.0}'"
    SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/"

I believe that GotRoot took this rule from the CRS and added it to their own.
Note that in our version, we have some comments related to its effectiveness
(specifically that you have to have Apache configured with UseCanonicalName
for it to work correctly). Due to this reliance, we opted to comment out this
rule:

#
# Proxy access attempt
# NOTE Apache blocks such access by default if not set as a proxy. The rule is
#      included in case Apache proxy is misconfigured.
# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
#      your local application and this rule allows it.
# NOTE Need to have UseCanonicalName On in Apache config to properly set the SERVER_NAME variable.
#      If you have set UseCanonicalName, then you can uncomment this rule.
#
# -=[ Rule Logic ]=-
# This chained rule first inspects the URI to see if a full domain name is specified.
# If it is, then this data is compared against the Canonical SERVER_NAME. If it does
# not match, then the client is making a request for an off-site location.
#
#SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,rev:'2.1.1',t:none,block,msg:'Proxy access attempt',severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',tag:'WASCTC/WASC-14',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10'"
#       SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"

So, have you set UseCanonicalName in your apache configs?

-Ryan

> Error Log:
>
> access attempt"] [data "http:] [severity "CRITICAL"] [hostname
> "www.lawyers-etc.com"] [uri "] [unique_id "TU7PyK54BYIAAF4zFz8AAAEI"]
> [Sun Feb 06 10:44:01 2011] [error] [client 76.114.227.80] ModSecurity:
> Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}
> against "MATCHED_VAR" required. [file "/opt/mod_security/10_asl_rules.conf"]
> [line "102"] [id "340012"] [rev "2"] [msg "Atomicorp.com WAF Rules: Unauthorized
> Proxy access attempt"] [data "http:] [severity "CRITICAL"] [hostname
> "www.lawyers-etc.com"] [uri "] [unique_id "TU7P0a54BYIAABcix24AAACc"]
>
> Regards,
> Peter
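An added illustration, not part of Ryan's message and not code from the CRS or Atomicorp rule files: a small Python model of what the chained rule decides for a given request line and SERVER_NAME. It reproduces the two steps of the chain (lowercased REQUEST_URI_RAW matched against ^\w+:/, then the @beginsWith http://SERVER_NAME check on the matched variable) and shows the caveat from the CRS comments, namely that the check only means something when SERVER_NAME comes from the configured ServerName. The server_name() helper is a simplified approximation of Apache's UseCanonicalName behaviour, and all hostnames and request URIs below are constructed sample values.

```python
import re
from typing import Optional

# First rule of the chain: REQUEST_URI_RAW "^\w+:/" after t:lowercase.
# An absolute URI in the request line (scheme followed by ":/") matches;
# a normal relative URI such as /index.html does not, and the chain stops.
ABS_URI_RE = re.compile(r"^\w+:/")


def server_name(config_server_name: str, host_header: Optional[str],
                use_canonical_name: bool) -> str:
    """Approximate how Apache fills SERVER_NAME (a simplified model and an
    assumption of this example, not Apache's own code).

    UseCanonicalName On  -> SERVER_NAME is the configured ServerName.
    UseCanonicalName Off -> SERVER_NAME is taken from the client's Host header
                            when one is present (port stripped here).
    """
    if use_canonical_name or not host_header:
        return config_server_name
    return host_header.split(":", 1)[0]


def proxy_access_attempt(request_uri_raw: str, srv_name: str,
                         require_trailing_slash: bool = True) -> Optional[str]:
    """Evaluate the chained rule. Returns the captured TX.0 (what the rule's
    logdata shows) when both rules match, i.e. the request would be denied,
    and None when the request is allowed.

    require_trailing_slash=True models the Atomicorp rule 340012
    (@beginsWith http://%{SERVER_NAME}/); False models the CRS 960014
    variant, which omits the trailing slash.
    """
    uri = request_uri_raw.lower()             # t:lowercase
    m = ABS_URI_RE.match(uri)
    if not m:
        return None                           # relative URI: chain never reaches rule 2
    # Second rule: MATCHED_VAR (the transformed URI) must NOT begin with our
    # own host. SERVER_NAME gets no transformation in the rule, so it is used as-is.
    own_prefix = f"http://{srv_name}" + ("/" if require_trailing_slash else "")
    if uri.startswith(own_prefix):
        return None                           # full URI for the local host: allowed (mobile clients)
    return m.group(0)                         # e.g. "http:/" -> off-site request, denied


def evaluate(request_uri_raw: str, host_header: Optional[str],
             config_server_name: str, use_canonical_name: bool) -> dict:
    """Run the whole check the way Apache plus the rule would see one request."""
    srv = server_name(config_server_name, host_header, use_canonical_name)
    captured = proxy_access_attempt(request_uri_raw, srv)
    return {"server_name": srv, "denied": captured is not None, "logdata": captured}


if __name__ == "__main__":
    # Constructed sample requests (none of these come from the thread).
    cases = [
        ("/index.html",                       "www.example.com", "normal relative request"),
        ("http://www.example.com/index.html", "www.example.com", "mobile client sending a full URI for our host"),
        ("HTTP://WWW.EXAMPLE.COM/index.html", "www.example.com", "same, upper case (t:lowercase handles it)"),
        ("http://other.example/path",         "www.example.com", "off-site request: proxy access attempt"),
        ("https://www.example.com/login",     "www.example.com", "https scheme is outside the allowed prefix"),
    ]
    for uri, srv, why in cases:
        print(f"{uri:38} SERVER_NAME={srv}: {str(proxy_access_attempt(uri, srv)):8} # {why}")

    # The caveat from the CRS comments: with UseCanonicalName Off, SERVER_NAME
    # follows the Host header, so a full URI whose host agrees with the Host
    # header is never treated as off-site and the rule adds nothing.
    for canonical in (True, False):
        r = evaluate("http://other.example/path", "other.example", "www.example.com", canonical)
        print(f"UseCanonicalName {'On ' if canonical else 'Off'}: {r}")
```

The last loop is the point of the thread: the same request is denied with UseCanonicalName On and allowed with it Off, which is why the CRS ships rule 960014 commented out and why the first thing to check on Peter's host is the Apache ServerName/UseCanonicalName configuration rather than the rule itself.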