Re: [mod-security-users] Cookie tripping modsec
From: Organic S. <web...@or...> - 2011-08-30 14:53:29
Based on another recent post I have tried changing the rules to be:

SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:/tracker/
SecRuleUpdateTargetById 981245 !REQUEST_COOKIES:/tracker/

and they are still being triggered :(

--
Thanks,
OS

----- Original Message -----
From: "Organic Spider" <web...@or...>
To: mod...@li...
Sent: Tuesday, 30 August, 2011 3:07:33 PM
Subject: Re: [mod-security-users] Cookie tripping modsec

It would appear that this cookie is also tripping 981243 and 981245. I have attempted to apply the same logic by adding to the custom_15 rule set:

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981243;!REQUEST_COOKIES:tracker"
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981245;!REQUEST_COOKIES:tracker"

though they still are being triggered. Attempting to simplify the rules even further by using:

SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:'/tracker/'
SecRuleUpdateTargetById 981245 !REQUEST_COOKIES:'/tracker/'

has the same result in that they still hit. Am I not understanding how to override rules correctly?

--
Thank you,
OS

----- Original Message -----
From: "Organic Spider" <web...@or...>
To: "kwenu" <uz...@ya...>
Cc: "Ryan Barnett" <RBa...@tr...>, mod...@li...
Sent: Friday, 26 August, 2011 4:38:23 PM
Subject: Re: [mod-security-users] Cookie tripping modsec

Brilliant! That worked perfectly and makes sense; plus I was not using REQUEST_HEADERS correctly.

--
Thank you,
OS

----- Original Message -----
From: "kwenu" <uz...@ya...>
To: "Organic Spider" <web...@or...>
Cc: "Ryan Barnett" <RBa...@tr...>, mod...@li...
Sent: Friday, 26 August, 2011 4:30:35 PM
Subject: Re: Cookie tripping modsec

The rule you want to use I believe is 973020. I think rule 981173 cannot be used to identify a specific target but keeps a score of the times a suspicious character was (as identified by the rules below 973020) found - so the below rule stops those rules from being run against that named cookie:

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:tracker"

On 26/08/11 16:00, Organic Spider wrote:

Changed but it is still being hit. Looking in the audit log it has:

--2aac4c11-A--
[26/Aug/2011:10:55:48 --0400] Tlez838eCIcAAFhaAg0AAAAD 123.123.123.123 3371 234.234.234.234 80
--2aac4c11-B--
GET /js/ HTTP/1.1
Host: www.somesite.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.somesite.com/content/
Cookie: last_visit=1314356268; last_activity=1314370547; tracker=a%3A5%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3Bi%3A4%3Bs%3A11%3A%22pages%2Fabout%22%3B%7D;
If-Modified-Since: Fri, 26 Aug 2011 14:55:12 GMT
Authorization: Basic aGtzdHJhdGVnaWVzOklMNXRyYXQ=

--2aac4c11-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.6
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 26 Aug 2011 14:55:48 GMT
Pragma: no-cache
Content-Type: text/javascript
Set-Cookie: last_activity=1314370547; expires=Sat, 25-Aug-2012 14:55:47 GMT; path=/
Set-Cookie: tracker=a%3A5%3A%7Bi%3A0%3Bs%3A2%3A%22js%22%3Bi%3A1%3Bs%3A6%3A%22people%22%3Bi%3A2%3Bs%3A7%3A%22content%22%3Bi%3A3%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A4%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
Set-Cookie: tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
Connection: close
Transfer-Encoding: chunked

--2aac4c11-H--
Message: Warning. Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/usr/local/httpd-2.2.19/modsecurity/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "5"]

To me it is the setting of the tracker cookie which is causing the warning to be thrown. Am I reading it correctly?

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
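Added example, not part of the thread and not ModSecurity or CRS code: a small Python model of what the quoted audit entry shows. It splits the Cookie request header into named cookies, URL-decodes each value the way the rule's t:urlDecodeUni transformation would, counts characters from an approximation of the CRS restricted-character class (an assumption; the authoritative class is in the rules file named in the audit log), and then applies a target exclusion in the two forms used in the thread, REQUEST_COOKIES:tracker and REQUEST_COOKIES:/tracker/. The function names parse_cookies, restricted_char_count, target_excluded and evaluate are hypothetical, and the Cookie header is copied from the audit log above as constructed sample input. It shows why the PHP-serialized tracker cookie on its own pushes the count far past the threshold of 4 while the other two cookies contribute nothing, and that removing that single target from the rule is what makes the check pass.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the Cookie header quoted in the audit log above,
# copied here so the example runs stand-alone.
COOKIE_HEADER = (
    "last_visit=1314356268; last_activity=1314370547; "
    "tracker=a%3A5%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22"
    "%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22"
    "%3Bi%3A4%3Bs%3A11%3A%22pages%2Fabout%22%3B%7D"
)

# Assumption: an approximation of the CRS "restricted SQL characters" class.
# The authoritative list lives in modsecurity_crs_41_sql_injection_attacks.conf.
RESTRICTED = set('~!@#$%^&*()-+={}[]|:;"\'`<>')
THRESHOLD = 4  # "Operator GE matched 4" in the quoted audit log


def parse_cookies(header):
    """Split a Cookie request header into {name: raw_value}.

    Splitting happens on the still-encoded header: the raw header delimits
    cookies with ';' while the decoded tracker value also contains ';'.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def restricted_char_count(raw_value):
    """Count restricted characters after URL decoding (the rule applies t:urlDecodeUni)."""
    return sum(1 for ch in unquote(raw_value) if ch in RESTRICTED)


def target_excluded(name, exclusions):
    """Mirror the two REQUEST_COOKIES target forms: 'name' (exact) or '/regex/'."""
    for pattern in exclusions:
        if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
            if re.search(pattern[1:-1], name):
                return True
        elif pattern == name:
            return True
    return False


def evaluate(header, exclusions=()):
    """Return ({cookie: count} for the cookies still inspected, would_fire)."""
    counts = {
        name: restricted_char_count(value)
        for name, value in parse_cookies(header).items()
        if not target_excluded(name, exclusions)
    }
    fired = any(count >= THRESHOLD for count in counts.values())
    return counts, fired


if __name__ == "__main__":
    # Without the exclusion the serialized PHP array in "tracker" trips the count;
    # with REQUEST_COOKIES:/tracker/ removed from the target list it does not.
    for exclusions in ((), ("/tracker/",)):
        counts, fired = evaluate(COOKIE_HEADER, exclusions)
        print(f"exclusions={exclusions!r} counts={counts} fires={fired}")
```

Run it directly to print both outcomes. The decoded tracker value is a PHP serialized array, so every element contributes colons, semicolons and double quotes; the two timestamp cookies are pure digits and never score. Splitting the header before decoding matters: decoding first would turn the one tracker cookie into many fragments and make a per-cookie exclusion meaningless.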