Re: [mod-security-users] inspectFile w/ reverse Proxy
From: Gary W. <we...@le...> - 2012-02-28 14:16:11
Hello.
Does anyone expect ModSecurity to be able to 'intercept' an app file upload at the reverse proxy server?
Thanks.

On Fri, Feb 24, 2012 at 4:20 PM, Gary Webster <we...@le...> wrote:
> Thanks for the info.
>
> I am mostly using modsecurity_crs_46_av_scanning.conf from the
> modsecurity-crs_2.2.3 package:
>
> SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/modsecurity.util/runav.pl" \
>     "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
>
> & the instructions here:
>
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#inspectFile
>
> On Fri, Feb 24, 2012 at 3:33 PM, Ryan Barnett <RBa...@tr...> wrote:
>
>> It looks like ModSecurity is extracting the multipart form-data
>> attachment and saving to a /tmp file. I don't see any rule processing
>> though. What is the rule you are using with @inspectFile and how are you
>> activating it?
>>
>> --
>> Ryan Barnett
>>
>> From: Gary Webster <we...@le...>
>> Date: Fri, 24 Feb 2012 14:25:29 -0600
>> To: Ryan Barnett <rba...@tr...>
>> Cc: "mod...@li..." <mod...@li...>
>> Subject: Re: [mod-security-users] inspectFile w/ reverse Proxy
>>
>> Hello.
>> Thanks for the reply.
>>
>> Yes, I've looked at the debug log, but I guess I don't know what I'm
>> looking for.
>> With SecDebugLogLevel at 3 (default), I don't see much at all. Raising
>> it to 5 gives a boatload of output. I also can't make much of all the
>> chatter in the audit log. Below is the relevant part of the debug log.
>>
>> You expect ModSecurity to be able to 'intercept' an app file upload at
>> the reverse proxy server?
>>
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Initialising transaction (txid 4wHjR6wWIcYAAA7QIJsAAAAI).
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Transaction context created (dcfg 2ab2acae5128).
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] First phase starting (dcfg 2ab2acae5128).
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Starting phase REQUEST_HEADERS.
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Second phase starting (dcfg 2ab2acae5128).
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Reading request body.
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Request too large to store in memory, switching to disk.
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Created temporary file to store request body: /tmp//20120224-121400-4wHjR6wWIcYAAA7QIJsAAAAI-request_body-qNVvFU
>> [24/Feb/2012:12:14:00 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Wrote 131066 bytes from memory to disk.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Request body no files length: 0
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Completed receiving request body (length 702026).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Starting phase REQUEST_BODY.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Hook insert_filter: Adding input forwarding filter (r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Hook insert_filter: Adding output filter (r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarded 8186 bytes.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarded 8186 bytes.
>> .
>> .
>> lot of these
>> .
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarded 8186 bytes.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarded 6216 bytes.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Forwarded 0 bytes.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Sent EOS.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Input forwarding complete.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Starting phase RESPONSE_HEADERS.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Output filter: Response body buffering is not enabled.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Output filter: Completed receiving response body (non-buffering).
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Starting phase RESPONSE_BODY.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Output filter: Output forwarding complete.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Initialising logging.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Starting phase LOGGING.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Recording persistent data took 0 microseconds.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Audit log: Ignoring a non-relevant request.
>> [24/Feb/2012:12:14:01 --0500] [proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4] Input filter: Removed temporary file: /tmp//20120224-121400-4wHjR6wWIcYAAA7QIJsAAAAI-request_body-qNVvFU
>>
>> On Fri, Feb 24, 2012 at 2:47 PM, Ryan Barnett <RBa...@tr...> wrote:
>>
>>> Did you look in the debug log?
>>>
>>> -Ryan
>>>
>>> From: Gary Webster <we...@le...>
>>> Date: Fri, 24 Feb 2012 13:40:13 -0600
>>> To: "mod...@li..." <mod...@li...>
>>> Subject: [mod-security-users] inspectFile w/ reverse Proxy
>>>
>>> Hello.
>>>
>>> I am trying to use ModSecurity's inspectFile on my Apache ReverseProxy
>>> server, to catch file uploads with malware.
>>>
>>> It appears that ModSecurity is not seeing this action as a file
>>> upload. I can't see that the /util/runav.pl operator is ever running,
>>> & there are no files in my SecUploadDir with "SecUploadKeepFiles On".
>>>
>>> I'm guessing this is because I am [reverse] proxying the application:
>>> The 'upload' URL is:
>>> http://proxy.mystuf.com/app/endpoint/uploadDocument/...
>>> & I am proxying /app to http://server1.internal.net/app
>>>
>>> So, is the proxy my problem here?
>>> If so, is there any practical way to catch a malware upload at the proxy?
>>>
>>> Thanks.
>>>
>>> ------------------------------
>>> This transmission may contain information that is privileged,
>>> confidential, and/or exempt from disclosure under applicable law. If you
>>> are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or use of the information contained
>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>> received this transmission in error, please immediately contact the sender
>>> and destroy the material in its entirety, whether in electronic or hard
>>> copy format.
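Editor's note, added to this archived thread (not part of any message above): the debug log posted in the thread can be read mechanically. Every line carries the request id (rid#), so one transaction's lines can be grouped; ModSecurity 2.x logs each evaluated rule at level 4 as "Recipe: Invoking rule ...", the multipart parser logs lines prefixed "Multipart:", and a block is logged as "Access denied with code ...". The excerpt above shows the body being buffered at the proxy and phase REQUEST_BODY starting before the input forwarding filter hands the body to the backend, so the reverse proxy itself is not what prevents inspection; what the excerpt lacks is any "Recipe:" or "Multipart:" line, and @inspectFile only runs against FILES_TMPNAMES, which the multipart parser populates. The script below is an added example, not a ModSecurity or CRS tool: it parses that log format, summarises each transaction and reports those two gaps. The host name, request ids, rule file path and the second, blocked transaction in SAMPLE_LOG are constructed for the example.

```python
#!/usr/bin/env python3
"""Triage a ModSecurity 2.x debug log: group lines by request id and report,
per transaction, whether the body was buffered, whether the multipart parser
ran, how many rules were evaluated and whether the request was blocked.
Added example, not a ModSecurity or CRS tool."""
import re
from typing import Dict, List

# One debug-log line: "[timestamp] [host/sid#..][rid#..][uri][level] message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<host>[^\]/]+)/sid#(?P<sid>[0-9a-f]+)\]"
    r"\[rid#(?P<rid>[0-9a-f]+)\]"
    r"\[(?P<uri>[^\]]*)\]"
    r"\[(?P<level>\d)\] (?P<msg>.*)$"
)
TXID_RE = re.compile(r"Initialising transaction \(txid (\S+)\)")
PHASE_RE = re.compile(r"^Starting phase (\w+)\.")
BODY_RE = re.compile(r"Completed receiving request body \(length (\d+)\)")


def parse_debug_log(text: str) -> Dict[str, dict]:
    """Return {rid: summary}. Lines that do not match the format (wrapped
    continuations, mail quoting that survives the strip) are skipped."""
    txs: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("> "))   # tolerate '>> ' mail quoting
        if not m:
            continue
        tx = txs.setdefault(m["rid"], {
            "txid": None, "uri": m["uri"], "phases": [], "body_bytes": None,
            "multipart": False, "rules_invoked": 0, "denied": False,
        })
        msg = m["msg"]
        t = TXID_RE.search(msg)
        if t:
            tx["txid"] = t.group(1)
        p = PHASE_RE.match(msg)
        if p:
            tx["phases"].append(p.group(1))
        b = BODY_RE.search(msg)
        if b:
            tx["body_bytes"] = int(b.group(1))
        if msg.startswith("Multipart:"):              # multipart parser produced output
            tx["multipart"] = True
        if msg.startswith("Recipe: Invoking rule"):   # one level-4 line per evaluated rule
            tx["rules_invoked"] += 1
        if msg.startswith("Access denied"):
            tx["denied"] = True
    return txs


def diagnose(tx: dict) -> List[str]:
    """Findings for one transaction summary."""
    findings = []
    if "REQUEST_BODY" in tx["phases"] and tx["rules_invoked"] == 0:
        findings.append(
            "phase 2 ran but no rule was evaluated: no rules are active for this "
            "request (check SecRuleEngine and that the rule files are included in "
            "the vhost/Location that proxies this URL)")
    if tx["body_bytes"] and not tx["multipart"]:
        findings.append(
            "request body was buffered but never parsed as multipart: FILES_TMPNAMES "
            "stays empty, so @inspectFile has nothing to run against (check the "
            "request's Content-Type and SecRequestBodyAccess)")
    if tx["denied"]:
        findings.append("request was blocked (Access denied)")
    return findings or ["no findings"]


def report(text: str) -> List[str]:
    """One summary line per transaction, followed by its findings."""
    out = []
    for rid, tx in parse_debug_log(text).items():
        out.append(f"rid#{rid} txid={tx['txid']} uri={tx['uri']} "
                   f"phases={','.join(tx['phases'])} body={tx['body_bytes']} "
                   f"multipart={tx['multipart']} rules={tx['rules_invoked']} "
                   f"denied={tx['denied']}")
        out.extend("  - " + f for f in diagnose(tx))
    return out


def _line(rid: str, level: int, msg: str) -> str:
    # Constructed lines in the debug-log format seen in the thread.
    return ("[24/Feb/2012:12:14:01 --0500] [proxy.example.test/sid#1]"
            f"[rid#{rid}][/app/endpoint/uploadDocument/][{level}] {msg}")


# Constructed sample: aaaa mirrors the thread's log (body buffered, phase 2
# started, nothing evaluated); bbbb shows a parsed upload that the approver
# script rejected. Paths, ids and messages are illustrative.
SAMPLE_LOG = "\n".join([
    _line("aaaa", 4, "Initialising transaction (txid AAAA1)."),
    _line("aaaa", 4, "Starting phase REQUEST_HEADERS."),
    _line("aaaa", 4, "Input filter: Reading request body."),
    _line("aaaa", 4, "Input filter: Completed receiving request body (length 702026)."),
    _line("aaaa", 4, "Starting phase REQUEST_BODY."),
    _line("aaaa", 4, "Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f 1, r 2)."),
    _line("aaaa", 4, "Starting phase RESPONSE_HEADERS."),
    _line("aaaa", 4, "Starting phase LOGGING."),
    _line("bbbb", 4, "Initialising transaction (txid BBBB2)."),
    _line("bbbb", 4, "Starting phase REQUEST_HEADERS."),
    _line("bbbb", 4, "Input filter: Completed receiving request body (length 4096)."),
    _line("bbbb", 4, 'Multipart: Added file part to the list: name "file" file name "report.exe".'),
    _line("bbbb", 4, "Starting phase REQUEST_BODY."),
    _line("bbbb", 4, 'Recipe: Invoking rule 0x2; [file "/etc/httpd/crs/modsecurity_crs_46_av_scanning.conf"] [line "1"] [id "950115"].'),
    _line("bbbb", 1, 'Access denied with code 403 (phase 2). File "/tmp/example-upload" rejected by the approver script "/etc/httpd/modsecurity.util/runav.pl": 0 scanner: signature matched'),
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it against a real debug log (`python3 triage.py /var/log/httpd/modsec_debug.log`) captured at SecDebugLogLevel 4 or higher; at level 3 the "Recipe:" lines are not written, so the "no rule was evaluated" finding would be a false positive there.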
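Editor's note, added to this archived thread (not part of any message above): the rule quoted in the thread hands every entry of FILES_TMPNAMES to /etc/httpd/modsecurity.util/runav.pl through @inspectFile. The contract, as documented in the Reference Manual page the thread links, is small: ModSecurity runs the script with the path of the extracted upload as its only argument and reads the first line of standard output; a line beginning with 1 allows the file and a line beginning with 0 rejects it, with the rest of the line used as the message. The script below is an added example of that contract, not the CRS runav.pl: it applies a constructed deny-list of file signatures and a 10 MiB cap (both assumptions for the example), then hands clean-looking files to clamdscan or clamscan if one is installed, failing closed on scanner errors.

```python
#!/usr/bin/env python3
"""Example @inspectFile approver script (added example, not the CRS runav.pl).

ModSecurity invokes it as:  script.py /path/to/extracted/upload
and reads the first line of stdout: "1 ..." allows, "0 <message>" rejects.
"""
import shutil
import subprocess
import sys
from typing import Optional

MAX_BYTES = 10 * 1024 * 1024   # assumption for this example: 10 MiB cap

# Constructed deny-list of leading bytes; a real deployment relies on an AV
# engine plus the application's own allow-list of content types.
DENIED_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}


def inspect_bytes(data: bytes) -> str:
    """Pure, offline check; returns the one-line verdict ModSecurity expects."""
    if len(data) > MAX_BYTES:
        return f"0 upload larger than {MAX_BYTES} bytes"
    for magic, label in DENIED_MAGIC.items():
        if data.startswith(magic):
            return f"0 denied file type: {label}"
    return "1 OK"


def scan_with_clamav(path: str) -> Optional[str]:
    """Hand the file to clamdscan/clamscan when available; None if neither
    is installed. Both exit 0 for clean, 1 for infected, 2 on error."""
    scanner = shutil.which("clamdscan") or shutil.which("clamscan")
    if scanner is None:
        return None
    proc = subprocess.run([scanner, "--no-summary", path],
                          capture_output=True, text=True)
    if proc.returncode == 0:
        return "1 clamav: OK"
    if proc.returncode == 1:
        return "0 clamav: " + proc.stdout.strip().replace("\n", " ")
    return "0 clamav: scanner error (failing closed)"   # fail closed on error


def inspect_upload(path: str) -> str:
    """Verdict for the file ModSecurity extracted into SecTmpDir."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_BYTES + 1)   # one extra byte detects oversize
    except OSError as exc:
        return f"0 cannot read upload: {exc}"   # unreadable file: fail closed
    verdict = inspect_bytes(data)
    if verdict.startswith("0"):
        return verdict
    # Static checks passed; prefer the AV verdict when a scanner exists.
    return scan_with_clamav(path) or verdict


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("0 usage: inspect_upload.py <file>")
        sys.exit(1)
    print(inspect_upload(sys.argv[1]))
```

Install it executable and readable by the Apache user (it runs as that user, against files in SecTmpDir), and point the rule's @inspectFile argument at it in place of runav.pl. Note the fallback: when no ClamAV binary is present the static checks alone decide, which is a deliberate choice for the example; a production script should either require the scanner or return 0 when it is missing.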