Re: [mod-security-users] Fwd: 2.7.0: regression in blocking non-numeric value
From: Breno S. <bre...@gm...> - 2013-01-10 12:06:50
Reindl Harald,

I also tested your rules:

SecDefaultAction "phase:2,deny,log"
SecRule ARGS "!^\d{1,7}$" "id:'84',chain,phase:2,capture,logdata:'%{matched_var}',block,msg:'out of range'"
SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
SecRule MATCHED_VAR "@contains %{tx.0}"   -> Please change it to @contains

Then I sent http://192.168.0.103/index.html?num=12345678901233333

[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Target value: "123456789012333333344"
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Operator completed in 14 usec.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Rule returned 1.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Match -> mode NEXT_RULE.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Recipe: Invoking rule 217e3c88; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "584"].
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][5] Rule 217e3c88: SecRule "MATCHED_VARS_NAMES" "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Set variable "ARGS:gs_rnd_tn_enable" size 21 to collection.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Transformation completed in 1 usec.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Executing operator "pmFromFile" with param "modsecurity_99_protected_vars.data" against ARGS:gs_rnd_tn_enable.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Target value: "ARGS:gs_rnd_tn_enable"
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Added phrase match to TX.0: gs_rnd_tn_enable
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Operator completed in 21 usec.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Rule returned 1.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Match -> mode NEXT_RULE.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Recipe: Invoking rule 217e4128; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "585"].
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][5] Rule 217e4128: SecRule "MATCHED_VAR" "@contains %{tx.0}"
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Transformation completed in 1 usec.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Executing operator "contains" with param "%{tx.0}" against MATCHED_VAR.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Target value: "ARGS:gs_rnd_tn_enable"
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Resolved macro %{tx.0} to: gs_rnd_tn_enable
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Operator completed in 31 usec.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][4] Rule returned 1.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Match, intercepted -> returning.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Resolved macro %{matched_var} to: ARGS:gs_rnd_tn_enable
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Match, intercepted -> returning.
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][9] Resolved macro %{matched_var} to: ARGS:gs_rnd_tn_enable
[07/Jan/2013:20:15:21 --0400] [ 192.168.0.103/sid#218323c8][rid#2184b128][/index.html][1] Access denied with code 403 (phase 2). String match "gs_rnd_tn_enable" at MATCHED_VAR. [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "583"] [id "84"] [msg "out of range"] [data "ARGS:gs_rnd_tn_enable"]

Abs
Breno

On Thu, Jan 10, 2013 at 9:57 AM, Reindl Harald <h.r...@th...> wrote:
>
>
> On 10.01.2013 12:51, Christian Folini wrote:
> > Hello,
> >
> > I think you are overreacting, Harald.
> >
> > In my case the double rule IDs were just part of
> > an untidy configuration and 2.7.0/1 is forcing me
> > to clean things up (and assign ids where they are missing).
> > As this is a fairly time-consuming task, the
> > necessary update has been pushed back several times.
>
> in my case they were tidy
>
> > All in all, 2.7.0 was a very cool release with very
> > interesting new features. I am happy the development
> > took up some speed. But the number of regressions
> > seemed bigger to me than with prior releases.
>
> yes, the regression no longer can block non-numeric values
> for specific variables which is the topic of this thread
> and reported 2012-10 by me as example
>
> how can I trust that any other existing rule is still working?
>
> > On Thu, January 10, 2013 11:34 am, Reindl Harald wrote:
> >> mod_security 2.7.1 has the same problem
> >> as I also confirmed before the release
> >>
> >> all in all 2.7.x makes me VERY unhappy
> >>
> >> why the hell does every rule need an id and why the
> >> hell has it to be UNIQUE - thank you for killing
> >> a lot of handmade rules which had VERY good reasons
> >> to have the same ID because they were supposed to
> >> be disabled for specific locations and new rules
> >> which were supposed to be also disabled got the
> >> same to not need to creep around in each and every
> >> vhost-configuration
> >>
> >>
> >> -------- Original Message --------
> >> Subject: Re: [mod-security-users] 2.7.0: regression in blocking non-numeric value
> >> Date: Tue, 30 Oct 2012 17:21:50 +0100
> >> From: Reindl Harald <h.r...@th...>
> >> Organisation: the lounge interactive design
> >> To: Breno Silva <bre...@gm...>
> >> CC: Mailing-List mod_security <mod...@li...>
> >>
> >> hi
> >>
> >> yes, please give me an earlier test
> >> in production I stay with 2.6 until 2.7.2/3
> >>
> >> so this is only a test-vm where I added a lot of rule-id's
> >> and cleaned up duplicate-id's which is not funny because
> >> the duplicates were intended to make RemoveById simpler
> >>
> >> On 30.10.2012 17:10, Breno Silva wrote:
> >>> Hello Reindl,
> >>>
> >>> We had a mistake in the code during the integration with the new ports
> >>> and the "block" action was disabled by mistake.
> >>> I will be releasing 2.7.1 this week and set it back.
> >>>
> >>> If you want I can send you a tarball of 2.7.1 earlier to test and check
> >>> if this is the issue in your case.
> >>>
> >>> Thanks
> >>>
> >>> On Tue, Oct 30, 2012 at 10:59 AM, Reindl Harald <h.r...@th...
> >>> <mailto:h.r...@th...>> wrote:
> >>>
> >>>     why do the following rules no longer work?
> >>>
> >>>     goal is/was to block any request with the listed parameters
> >>>     which contains non-numeric chars or numeric values with
> >>>     more than 7 characters...........
> >>>     __________________________________________
> >>>
> >>>     [root@testserver:/etc/httpd/modsecurity.d]$ cat modsecurity_99_protected_vars.conf
> >>>     SecDefaultAction "log,auditlog,deny,status:400,phase:1"
> >>>
> >>>     SecRule ARGS "!^\d{1,7}$" "id:'83',chain,phase:1,capture,logdata:'%{matched_var}',block,msg:'out of range'"
> >>>     SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
> >>>     SecRule MATCHED_VAR "@streq %{tx.0}"
> >>>
> >>>     SecRule ARGS "!^\d{1,7}$" "id:'84',chain,phase:2,capture,logdata:'%{matched_var}',block,msg:'out of range'"
> >>>     SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
> >>>     SecRule MATCHED_VAR "@streq %{tx.0}"
> >>>     __________________________________________
> >>>
> >>>     [root@testserver:/etc/httpd/modsecurity.d]$ cat modsecurity_99_protected_vars.data
> >>>     blog_comment_refid
> >>>     blog_id
> >>>     blog_showpage
> >>>     cfg_id
> >>>     cms_remember_login
> >>>     dbid
> >>>     detail_id
> >>>     ds_id
> >>>     ext_group
> >>>     ext_id
> >>>     fo_board_id
> >>>     gh_id
> >>>     gid
> >>>     gi_id
> >>>     gi_sid
> >>>     gs_hid
> >>>     gs_id
> >>>     gs_lightbox
> >>>     gs_rnd_hr_enable
> >>>     gs_rnd_tn_enable
> >>>     gs_show_title
> >>>     gs_tn_lupe
> >>>     gs_zoom
> >>>     hid
> >>>     item_id
> >>>     k2sid
> >>>     kid
> >>>     ksid
> >>>     lock_id
> >>>     lock_key
> >>>     od_id
> >>>     pal_id
> >>>     pc_entry_group_id
> >>>     pc_entry_id
> >>>     pc_group_id
> >>>     pers_id
> >>>     portal_gruppe
> >>>     portal_id
> >>>     portal_kategorie
> >>>     ps_id
> >>>     pvc_id
> >>>     pvi_id
> >>>     s2id
> >>>     s2sid
> >>>     shid
> >>>     show_item
> >>>     show_thread
> >>>     sid
> >>>     vgid
> >>>     vugid
> >>>     vuid
> >>>     vvid
> >>>     vvuid
> >>>     yc_aktiv
> >>>     yc_id
> >>>     yc_page
> >>>     yi_cid
> >>>     yi_id
> >>>     yi_page
> >>>     yk_aktiv
> >>>     yk_id
> >>>     yk_item
> >>>
> >>
> >> ------------------------------------------------------------------------------
> >> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> >> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> >> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> >> MVPs and experts. ON SALE this month only -- learn more at:
> >> http://p.sf.net/sfu/learnmore_122712
> >> _______________________________________________
> >> mod-security-users mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> >> http://www.modsecurity.org/projects/commercial/rules/
> >> http://www.modsecurity.org/projects/commercial/support/
> >>
>
> --
> Reindl Harald
> the lounge interactive design GmbH
> A-1060 Vienna, Hofmühlgasse 17
> CTO / CISO / Software-Development
> p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
> icq: 154546673, http://www.thelounge.net/
>
> http://www.thelounge.net/signature.asc.what.htm
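Added example, not code from the thread or from ModSecurity: a simplified Python model of the three-rule chain above, using the values the debug log shows, to illustrate why the final rule cannot match with `@streq` (MATCHED_VAR is the name string `ARGS:gs_rnd_tn_enable`, while the captured TX.0 is `gs_rnd_tn_enable`) so the chain silently never blocks, and why `@contains` does match. It assumes a per-argument simplification of chain semantics and a constructed subset of the .data file.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for modsecurity_99_protected_vars.data (subset of the names in the thread).
PROTECTED_VARS = ["blog_id", "gs_rnd_tn_enable", "gs_zoom", "sid", "yk_item"]

# Rule 1 pattern: a value passes only if it is 1 to 7 digits; anything else matches "!^\d{1,7}$".
NUMERIC_1_TO_7 = re.compile(r"^\d{1,7}$")


def pm(target, phrases):
    """@pm / @pmFromFile semantics: succeed if any phrase occurs anywhere in the
    target (substring match); 'capture' stores the matched phrase as TX.0."""
    for phrase in phrases:
        if phrase in target:
            return phrase
    return None


def evaluate_chain(query, operator):
    """Simplified model of the chained rule for one request query string.
    operator is 'streq' (original rules) or 'contains' (Breno's suggested fix).
    Returns (blocked, detail) where detail mirrors the debug-log values."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Rule 1: SecRule ARGS "!^\d{1,7}$" ... "chain,capture"
        if NUMERIC_1_TO_7.match(value):
            continue
        matched_var_name = "ARGS:" + name  # the MATCHED_VARS_NAMES entry
        # Rule 2: SecRule MATCHED_VARS_NAMES "@pmFromFile ..." "chain,capture"
        tx0 = pm(matched_var_name, PROTECTED_VARS)
        if tx0 is None:
            continue
        # After rule 2, MATCHED_VAR is the name string the log shows:
        #   Target value: "ARGS:gs_rnd_tn_enable", %{tx.0} -> gs_rnd_tn_enable
        matched_var = matched_var_name
        # Rule 3: SecRule MATCHED_VAR "@streq %{tx.0}" or "@contains %{tx.0}"
        if operator == "streq":
            hit = matched_var == tx0          # "ARGS:x" never equals "x": fail-open
        elif operator == "contains":
            hit = tx0 in matched_var          # "x" is a substring of "ARGS:x"
        else:
            raise ValueError("unknown operator: " + operator)
        if hit:
            return True, {"matched_var": matched_var, "tx0": tx0}
    return False, None
```

Because both @pm and @contains are substring matches, a parameter whose name merely contains a listed name (for example `user_sid` against the entry `sid`) is also blocked; that over-matches rather than bypasses, which is the safer direction.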