[mod-security-users] mod security rule for anomaly scoring
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] mod security rule for anomaly scoring
|
From: Gil V. <gv...@gm...> - 2012-02-28 16:02:26
|
Mod security is blocking my users that are attempting to use the tiny mce
editor inside joomla. I successfully created this rule to alleviate this
condition:
SecRule REQUEST_URI "/index\.php\?.*&task=edit"
phase:2,nolog,auditlog,block,setvar:tx.anomaly_score=-8
However, I was never successful in getting the recommended rule or method
to work:
SecRule REQUEST_URI "/index\.php\?.*&task=edit"
"chain,phase:2,t:none,log,pass,msg:'Adjusting score by GV'"
SecRule TX:'/XSS/' "TX\:(.*)"
"capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-8"
Please explain what TX\:(.*) is doing, and more importantly, what is the
recommended method offering that my simpler "kludge" rule isn't doing.
The rules that are producing false positives are 973300 and 973333, both
XSS related:
modsecurity_crs_41_xss_attacks.conf:
"phase:2,rev:'2.2.0',id:'973300',capture,t:none,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'Possible
XSS Attack Detected - HTML Tag
Handler',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{
rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][
]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)"
"phase:2,rev:'2.2.0',id:'973333',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE
XSS Filters - Attack
Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{
rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
--
Gil Vidals, VCP
gv...@vm...
www.vmracks.com - VMware Hosting Service Provider
t. 760.705.4022 Skype: gvidals
HIPAA Compliant Hosting
VMware Hosting
CONFIDENTIALITY NOTICE: The information contained in this transmission may
contain privileged and confidential information. It is intended only for
the use of the person(s) named above. If you are not the intended
recipient, please contact the sender by reply email and permanently delete
the original message.
|