Re: [mod-security-users] rules match multiple times - is this expected?
From: Earl F. <ear...@us...> - 2012-06-18 20:09:50
Hmm yes, I see that, but I don't think that's the problem. Here's another example that doesn't have any repeated parameters, but that triggers rule #950901 "SQL Injection Attack" three times, all matching the "and where etc" part of the "message" post parameter.

--af539d5f-A--
[14/Jun/2012:14:23:25 --0600] T9pIPYDpxpYAAASNjhsAAABv 67.225.28.188 55818 128.233.198.133 80
--af539d5f-B--
POST /contact-us.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://miles4smiles.usask.ca/contact-us.php
Accept-Language: en-CA
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: miles4smiles.usask.ca
Content-Length: 127
Connection: Keep-Alive
Cache-Control: no-cache

--af539d5f-C--
op=request&name=Jan&email=ja...@ex...&message=Will+there+be+an+event+this+year+2012%3F++When+and+where+etc%3F&submit=Send

--af539d5f-F--
HTTP/1.1 403 Forbidden
Content-Length: 291
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--af539d5f-E--

--af539d5f-H--
Message: Warning. Pattern match "\\b(\\d+) ?(?:=|<>|<=>|<|>|!=) ?\\1\\b|[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98](\\d+)[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98] ?(?:=|<>|<=>|<|>|!=) ?[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98]\\2\\b|[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x98 ..." at ARGS:message. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "425"] [id "950901"] [rev "2.1.2"] [msg "SQL Injection Attack"] [data " and where etc"] [severity "CRITICAL"]
Message: Warning. Pattern match "\\b(\\d+) ?(?:=|<>|<=>|<|>|!=) ?\\1\\b|[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98](\\d+)[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98] ?(?:=|<>|<=>|<|>|!=) ?[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98]\\2\\b|[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x98 ..." at ARGS:message. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "425"] [id "950901"] [rev "2.1.2"] [msg "SQL Injection Attack"] [data " and where etc"] [severity "CRITICAL"]
Message: Warning. Pattern match "\\b(\\d+) ?(?:=|<>|<=>|<|>|!=) ?\\1\\b|[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98](\\d+)[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98] ?(?:=|<>|<=>|<|>|!=) ?[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98]\\2\\b|[\\'\"\\`\\\xc2\xb4\\\xe2\x80\x98 ..." at ARGS:message. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "425"] [id "950901"] [rev "2.1.2"] [msg "SQL Injection Attack"] [data " and where etc"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:950901-WEB_ATTACK/SQL_INJECTION-ARGS:message. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=15, XSS=): Last Matched Message: SQL Injection Attack"] [data "Last Matched Data: and where etc"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 6, SQLi=15, XSS=): SQL Injection Attack"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1339705405195115 11572 (- - -)
Stopwatch2: 1339705405195115 11572; combined=9140, p1=393, p2=8359, p3=0, p4=0, p5=387, sr=186, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache/2.2

--af539d5f-Z--

Earl

On Mon, 18 Jun 2012, Breno Silva <bre...@gm...> wrote:
>Looks related to the multiple parameters cal%5B%5D you have in your request.
>
>On Mon, Jun 18, 2012 at 11:30 AM, Earl Fogel <ear...@us...> wrote:
> Hi,
>
> I've noticed that occasionally rules match several times on the same
> request. I'm not sure if this is a bug in ModSecurity, or the core rules,
> or if it's just normal behavior that I didn't expect.
>
> For example, core rule #950109 "Multiple URL Encoding Detected" increases
> the anomaly score by 2, but when it matches more than once, it increments
> the anomaly score several times as well.
>
> Here's a sample from our ModSecurity audit log:
>
> --6b64a246-A--
> [17/Jun/2012:21:57:32 --0600] T96nLIDpxpYAAE35ufUAAAAj 4.79.204.36 34105 128.233.198.150 80
> --6b64a246-B--
> GET /events/month.php?getdate=20111127&cpath=&cal%255B%255D=&cal%255B%255D=College%252Bof%252BPharmacy%252Band%252BNutrition&cal%255B%255D=Graduate%252BStudies%252Band%252BResearch&cal%255B%255D=Holiday%252BSchedule HTTP/1.1
> Accept: text/html; q=1.0, text/*; q=0.8
> Accept-Encoding: gzip,deflate
> Accept-Language: en-us; q=1.0, en; q=0.8
> Accept-Charset: iso-8859-1,utf-8; q=1.0, *; q=0.1
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
> Host: www.usask.ca
> Connection: keep-alive
>
> --6b64a246-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 284
> Keep-Alive: timeout=2, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --6b64a246-H--
> Message: Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:cal%5B%5D. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "185"] [id "950109"] [rev "2.1.2"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]
> Message: Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:cal%5B%5D. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "185"] [id "950109"] [rev "2.1.2"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]
> Message: Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:cal%5B%5D. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "185"] [id "950109"] [rev "2.1.2"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]
> Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:950109-PROTOCOL_VIOLATION/EVASION-ARGS:cal%5B%5D. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=, XSS=): Last Matched Message: Multiple URL Encoding Detected"] [data "Last Matched Data: Holiday%2BSchedule"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 6, SQLi=, XSS=): Multiple URL Encoding Detected"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1339991852732867 11145 (- - -)
> Stopwatch2: 1339991852732867 11145; combined=10211, p1=226, p2=9838, p3=0, p4=0, p5=147, sr=114, sw=0, l=0, gc=0
> Producer: ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/); core ruleset/2.1.2.
> Server: Apache/2.2
>
> --6b64a246-Z--
>
> Thanks,
>
> Earl Fogel
> Information and Communications Technology
> University of Saskatchewan
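To see at a glance how often a rule fired on the same variable within one transaction, and how that repetition drives the inbound anomaly score, here is an added script that is not part of the thread or of the ModSecurity project: it parses the "Message:" lines of an audit log H section and tallies matches per (rule id, variable). The per-severity increments are assumed to be the CRS 2.x defaults, and the sample section is constructed from the log quoted above with the rule's regex shortened.

```python
import re
from collections import Counter

# Per-severity increments; assumed to be the CRS 2.x defaults
# (tx.critical_anomaly_score=5, error=4, warning=3, notice=2).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] fields
VAR_RE = re.compile(r' at (\S+?)\. \[file ')            # variable the rule fired on

# Constructed sample H section modelled on the audit log quoted in the thread
# (regex of rule 950109 shortened); the rule message appears three times.
RULE_LINE = (r'Message: Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2})" at ARGS:cal%5B%5D. '
             r'[file "/etc/httpd/conf/mod_security/base_rules/modsecurity_crs_20_protocol_violations.conf"] '
             r'[line "185"] [id "950109"] [rev "2.1.2"] [msg "Multiple URL Encoding Detected"] '
             r'[severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]')
BLOCK_LINE = ('Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at '
              'TX:950109-PROTOCOL_VIOLATION/EVASION-ARGS:cal%5B%5D. [file "/etc/httpd/conf/'
              'mod_security/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] '
              '[msg "Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=, XSS=): Last Matched '
              'Message: Multiple URL Encoding Detected"] [data "Last Matched Data: Holiday%2BSchedule"]')
SAMPLE_H = "\n".join([RULE_LINE] * 3 + [BLOCK_LINE])

def parse_messages(section_h):
    """One dict per 'Message:' line that names a rule id (summary lines are skipped)."""
    events = []
    for line in section_h.splitlines():
        if not line.startswith("Message:"):
            continue
        tags = dict(TAG_RE.findall(line))
        if "id" not in tags:           # 49_inbound_blocking / 60_correlation summaries
            continue
        var = VAR_RE.search(line)
        events.append({"id": tags["id"], "msg": tags.get("msg", ""),
                       "severity": tags.get("severity", ""),
                       "var": var.group(1) if var else ""})
    return events

def count_matches(events):
    """How many times each (rule id, variable) pair fired in this transaction."""
    return Counter((e["id"], e["var"]) for e in events)

def repeated_matches(events):
    """Only the pairs that fired more than once: the behaviour the thread asks about."""
    return {pair: n for pair, n in count_matches(events).items() if n > 1}

def anomaly_score(events):
    """Score as it accrues when every match adds its severity increment."""
    return sum(SEVERITY_SCORE.get(e["severity"], 0) for e in events)

if __name__ == "__main__":
    ev = parse_messages(SAMPLE_H)
    print(repeated_matches(ev), "score:", anomaly_score(ev))  # {('950109', 'ARGS:cal%5B%5D'): 3} score: 6
```

Run it over the H section of any audit log entry; a pair with a count above one is exactly the repeated-match case described in the thread, and the computed score shows why three NOTICE matches reach the inbound threshold of 5.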