[mod-security-users] mod security rule for anomaly scoring
From: Gil V. <gv...@gm...> - 2012-02-28 16:02:26
ModSecurity is blocking my users that are attempting to use the TinyMCE editor inside Joomla. I successfully created this rule to alleviate this condition:

    SecRule REQUEST_URI "/index\.php\?.*&task=edit" "phase:2,nolog,auditlog,block,setvar:tx.anomaly_score=-8"

However, I was never successful in getting the recommended rule or method to work:

    SecRule REQUEST_URI "/index\.php\?.*&task=edit" "chain,phase:2,t:none,log,pass,msg:'Adjusting score by GV'"
        SecRule TX:'/XSS/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-8"

Please explain what TX\:(.*) is doing, and more importantly, what the recommended method is offering that my simpler "kludge" rule isn't doing.

The rules that are producing false positives are 973300 and 973333, both XSS related, from modsecurity_crs_41_xss_attacks.conf:

    "phase:2,rev:'2.2.0',id:'973300',capture,t:none,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

    SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)" "phase:2,rev:'2.2.0',id:'973333',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

--
Gil Vidals, VCP
gv...@vm...
www.vmracks.com - VMware Hosting Service Provider
t. 760.705.4022
Skype: gvidals
HIPAA Compliant Hosting
VMware Hosting
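The two approaches in the post differ in what they cancel. The "kludge" subtracts a fixed 8 from tx.anomaly_score on every edit request, whatever rules fired; the CRS-style exception removes the per-rule tx.<id>-WEB_ATTACK/XSS-<var> entries that the 41 rules create with their setvar actions, so only the XSS matches stop counting. The following Python simulation is an added example, not ModSecurity code or CRS code: it models the TX collection as a dict and runs both adjustments over two constructed requests, one where only the two XSS rules fire and one where a hypothetical non-XSS rule (placeholder id 000000) also fires. The critical score of 5 and the inbound threshold of 5 are assumptions taken from typical CRS 2.2 defaults.

```python
import re

# Assumed CRS 2.2 defaults (not taken from the post)
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_SCORE_LEVEL = 5


def record_match(tx, rule_id, attack_class, var_name, matched_data):
    """Emulate the setvar chain of a CRS 41 rule: bump the total and
    per-class scores and store a tx.<id>-WEB_ATTACK/<class>-<var> entry
    whose value is the matched data (%{tx.0} in the rule)."""
    tx["anomaly_score"] = tx.get("anomaly_score", 0) + CRITICAL_ANOMALY_SCORE
    class_key = attack_class.lower() + "_score"
    tx[class_key] = tx.get(class_key, 0) + CRITICAL_ANOMALY_SCORE
    tx[f"{rule_id}-WEB_ATTACK/{attack_class}-{var_name}"] = matched_data


def blanket_adjust(tx, amount=8):
    """The poster's kludge: subtract a fixed amount regardless of what fired."""
    tx["anomaly_score"] = tx.get("anomaly_score", 0) - amount
    return tx["anomaly_score"]


def remove_matches(tx, pattern):
    """Model the targeted exception: drop every TX entry whose name matches
    the pattern (TX:'/XSS/' selects names containing XSS) and give back the
    score those matches contributed. Returns the removed entry names."""
    removed = [name for name in tx if re.search(pattern, name)]
    for name in removed:
        del tx[name]                      # setvar:!tx.<name>
        tx["anomaly_score"] -= CRITICAL_ANOMALY_SCORE
    return removed


def is_blocked(tx):
    """The CRS 49 inbound blocking check, simplified."""
    return tx.get("anomaly_score", 0) >= INBOUND_ANOMALY_SCORE_LEVEL


def xss_only_request():
    """Constructed: TinyMCE content trips 973300 and 973333 on ARGS:text."""
    tx = {}
    record_match(tx, "973300", "XSS", "ARGS:text", "<a href")
    record_match(tx, "973333", "XSS", "ARGS:text", '"x in y=')
    return tx


def mixed_request():
    """Constructed: one XSS rule fires plus a hypothetical non-XSS rule
    (placeholder id 000000, not a real CRS id) on a different parameter."""
    tx = {}
    record_match(tx, "973300", "XSS", "ARGS:text", "<a href")
    record_match(tx, "000000", "SQL_INJECTION", "ARGS:id", "1 or 1=1")
    return tx


def compare(make_request):
    """Run both adjustments on a fresh copy of the request's TX state and
    report whether each outcome would still block."""
    kludge = make_request()
    blanket_adjust(kludge)
    targeted = make_request()
    removed = remove_matches(targeted, "XSS")
    return {
        "raw_score": make_request()["anomaly_score"],
        "kludge_score": kludge["anomaly_score"],
        "kludge_blocked": is_blocked(kludge),
        "targeted_score": targeted["anomaly_score"],
        "targeted_blocked": is_blocked(targeted),
        "removed": removed,
    }


if __name__ == "__main__":
    for name, req in (("xss_only", xss_only_request), ("mixed", mixed_request)):
        print(name, compare(req))
```

For the XSS-only request both adjustments end below the threshold, which is why the kludge appears to work. For the mixed request the blanket -8 also cancels the non-XSS match and lets the request through, while the targeted removal only strips the XSS entries and the remaining score still blocks. That difference, plus the audit trail of which entries were removed, is what the per-rule exception buys over a fixed offset.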