Re: [mod-security-users] inspectFile w/ reverse Proxy

[Gary W. <we...@le...>]

Hello.

Does anyone expect ModSecurity to be able to 'intercept' an app file upload
at the reverse proxy server?

Thanks.

On Fri, Feb 24, 2012 at 4:20 PM, Gary Webster <we...@le...> wrote:

> Thanks for the info.
>
> I am mostly using  modsecurity_crs_46_av_scanning.conf  from the
> modsecurity-crs_2.2.3 package:
>
> SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/modsecurity.util/runav.pl"
> \
>        "phase:2,t:none,block,msg:'Virus found in uploaded
> file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:
> 'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.
> critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{
> matched_var_name}=%{tx.0}"
>
>
> & the instructions here:
>
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#inspectFile
>
>
> On Fri, Feb 24, 2012 at 3:33 PM, Ryan Barnett <RBa...@tr...>wrote:
>
>>   It looks like ModSecurity is extracting the multipart form-data
>> attachment and saving to a /tmp file.  I don't see any rule processing
>> though.  What is the rule you using with @inspectFile and how are you
>> activating it?
>>
>>  --
>> Ryan Barnett
>>
>>   From: Gary Webster <we...@le...>
>> Date: Fri, 24 Feb 2012 14:25:29 -0600
>> To: Ryan Barnett <rba...@tr...>
>> Cc: "mod...@li..." <
>> mod...@li...>
>> Subject: Re: [mod-security-users] inspectFile w/ reverse Proxy
>>
>>  Hello.
>> Thanks for the reply.
>>
>>  Yes, I've looked at the debug log, but I guess I don't know what I'm
>> looking for.
>> With SecDebugLogLevel at 3 (default), I don't see much at all.  Raising
>> it to 5 gives a boatload of output. I also can't make much of all the
>> chatter in audit log.  Below is relevant part of debug log.
>>
>>  You expect ModSecurity to be able to 'intercept' an app file upload at
>> the reverse proxy server?
>>
>>
>>  [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Initialising transaction (txid 4wHjR6wWIcYAAA7QIJsAAAAI).
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Transaction context created (dcfg 2ab2acae5128).
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> First phase starting (dcfg 2ab2acae5128).
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Starting phase REQUEST_HEADERS.
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Second phase starting (dcfg 2ab2acae5128).
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Reading request body.
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Request too large to store in memory, switching to disk.
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Created temporary file to store request body:
>> /tmp//20120224-121400-4wHjR6wWIcYAAA7QIJsAAAAI-request_body-qNVvFU
>> [24/Feb/2012:12:14:00 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Wrote 131066 bytes from memory to disk.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Request body no files length: 0
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Completed receiving request body (length 702026).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Starting phase REQUEST_BODY.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Hook insert_filter: Adding input forwarding filter (r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Hook insert_filter: Adding output filter (r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f
>> 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarded 8186 bytes.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f
>> 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarded 8186 bytes.
>> .
>> .
>> lot of these
>> .
>>
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f
>> 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarded 8186 bytes.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f
>> 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarded 6216 bytes.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarding input: mode=0, block=0, nbytes=8186 (f
>> 2ab2b91d3178, r 2ab2b8662c20).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Forwarded 0 bytes.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Sent EOS.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Input forwarding complete.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Starting phase RESPONSE_HEADERS.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Output filter: Response body buffering is not enabled.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Output filter: Completed receiving response body (non-buffering).
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Starting phase RESPONSE_BODY.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Output filter: Output forwarding complete.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Initialising logging.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Starting phase LOGGING.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Recording persistent data took 0 microseconds.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Audit log: Ignoring a non-relevant request.
>> [24/Feb/2012:12:14:01 --0500] [
>> proxy.mystuf.com/sid#2ab2acb483f8][rid#2ab2b8662c20][/app/endpoint/uploadDocument/][4<http://proxy.mystuf.com/sid#2ab2acb483f8][rid%232ab2b8662c20][/app/endpoint/uploadDocument/][4>]
>> Input filter: Removed temporary file: /tmp//20120224-121400-
>> 4wHjR6wWIcYAAA7QIJsAAAAI-request_body-qNVvFU
>>
>>
>> On Fri, Feb 24, 2012 at 2:47 PM, Ryan Barnett <RBa...@tr...>wrote:
>>
>>>   Did you look in the debug log?
>>>
>>>  -Ryan
>>>
>>>   From: Gary Webster <we...@le...>
>>> Date: Fri, 24 Feb 2012 13:40:13 -0600
>>> To: "mod...@li..." <
>>> mod...@li...>
>>> Subject: [mod-security-users] inspectFile w/ reverse Proxy
>>>
>>>  Hello.
>>>
>>>  I am trying to use ModSecurity's inspectFile on my Apache ReverseProxy
>>> server, to catch file uploads with malware.
>>>
>>>  It appears that ModSecurity is not seeing this action as a file
>>> upload.  I can't see that the /util/runav.pl  operator is ever running,
>>> & there are no files in my SecUploadDir with "SecUploadKeepFiles On"  .
>>>
>>>  I'm guessing this is because I am [reverse] proxying the application:
>>> The 'upload' URL is:
>>> http://proxy.mystuf.com/app/endpoint/uploadDocument/...
>>> & I am proxying  /app  to  http://server1.internal.net/app
>>>
>>>  So, is the proxy my problem here?
>>> If so, is there any practical way to catch a malware upload at the proxy?
>>>
>>>  Thanks.
>>>
>>>
>>> ------------------------------
>>> This transmission may contain information that is privileged,
>>> confidential, and/or exempt from disclosure under applicable law. If you
>>> are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or use of the information contained
>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>> received this transmission in error, please immediately contact the sender
>>> and destroy the material in its entirety, whether in electronic or hard
>>> copy format.
>>>
>>
>>
>> ------------------------------
>> This transmission may contain information that is privileged,
>> confidential, and/or exempt from disclosure under applicable law. If you
>> are not the intended recipient, you are hereby notified that any
>> disclosure, copying, distribution, or use of the information contained
>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>> received this transmission in error, please immediately contact the sender
>> and destroy the material in its entirety, whether in electronic or hard
>> copy format.
>>
>
>