Re: [mod-security-users] Cookie tripping modsec
From: kwenu <uz...@ya...> - 2011-08-26 15:30:45
The rule you want to use, I believe, is 973020. I think rule 981173 cannot be used to identify a specific target but keeps a score of the times a suspicious character was (as identified by the rules below 973020) found - so the rule below stops those rules from being run against that named cookie:

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:tracker"

On 26/08/11 16:00, Organic Spider wrote:
> Changed but it is still being hit. Looking in the audit log it has:
>
> --2aac4c11-A--
> [26/Aug/2011:10:55:48 --0400] Tlez838eCIcAAFhaAg0AAAAD 123.123.123.123 3371 234.234.234.234 80
> --2aac4c11-B--
> GET /js/ HTTP/1.1
> Host: www.somesite.com
> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Connection: keep-alive
> Referer: http://www.somesite.com/content/
> Cookie: last_visit=1314356268; last_activity=1314370547; tracker=a%3A5%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3Bi%3A4%3Bs%3A11%3A%22pages%2Fabout%22%3B%7D;
> If-Modified-Since: Fri, 26 Aug 2011 14:55:12 GMT
> Authorization: Basic aGtzdHJhdGVnaWVzOklMNXRyYXQ=
>
> --2aac4c11-F--
> HTTP/1.1 200 OK
> X-Powered-By: PHP/5.3.6
> Expires: Sat, 26 Jul 1997 05:00:00 GMT
> Last-Modified: Fri, 26 Aug 2011 14:55:48 GMT
> Pragma: no-cache
> Content-Type: text/javascript
> Set-Cookie: last_activity=1314370547; expires=Sat, 25-Aug-2012 14:55:47 GMT; path=/
> Set-Cookie: tracker=a%3A5%3A%7Bi%3A0%3Bs%3A2%3A%22js%22%3Bi%3A1%3Bs%3A6%3A%22people%22%3Bi%3A2%3Bs%3A7%3A%22content%22%3Bi%3A3%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A4%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
> Set-Cookie: tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
> Connection: close
> Transfer-Encoding: chunked
>
> --2aac4c11-H--
> Message: Warning. Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/usr/local/httpd-2.2.19/modsecurity/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "5"]
>
>
> To me it is the setting of the tracker cookie which is causing the warning to be thrown. Am I reading it correctly?
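
Added example, not part of the original thread: a small triage helper that URL-decodes each cookie from section B of the audit log above and reports which ones are dense with special characters, to confirm which cookie name belongs in a target exclusion. SPECIAL_CHARS is an assumed illustrative set, not the CRS rule's own list, so the counts are not the rule's figures; the threshold of 4 is taken from the alert text.

```python
from urllib.parse import unquote

# Cookie header copied from section B of the audit log quoted above.
COOKIE_HEADER = (
    "last_visit=1314356268; last_activity=1314370547; "
    "tracker=a%3A5%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22"
    "%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22"
    "%3Bi%3A4%3Bs%3A11%3A%22pages%2Fabout%22%3B%7D;"
)

# Assumption: an illustrative set of "special" characters, not the CRS list.
SPECIAL_CHARS = set("~`!@#$%^&*()-+={}[]|:;\"'<>")

# Threshold taken from the alert: "Operator GE matched 4".
THRESHOLD = 4


def parse_cookies(header):
    """Split a Cookie header into {name: URL-decoded value}."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = unquote(value)
    return cookies


def special_char_count(value):
    """Count characters of the decoded value that are in SPECIAL_CHARS."""
    return sum(1 for ch in value if ch in SPECIAL_CHARS)


def noisy_cookies(header, threshold=THRESHOLD):
    """Return {name: count} for cookies at or above the threshold."""
    counts = {n: special_char_count(v) for n, v in parse_cookies(header).items()}
    return {n: c for n, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for name, value in parse_cookies(COOKIE_HEADER).items():
        print(f"{name}: {special_char_count(value)} special chars -> {value}")
    print("candidates for a target exclusion:", sorted(noisy_cookies(COOKIE_HEADER)))
```

The decoded tracker value is a PHP-serialized array, so its `:`, `;`, `{`, `}` and `"` delimiters alone push it over the threshold, while the two numeric cookies contribute nothing.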