Re: [mod-security-users] POST value to allow but limit number of characters
From: Josh Amishav-Z. <ja...@ow...> - 2013-09-12 12:29:15
On Thu, Sep 12, 2013 at 3:12 PM, David R <re...@li...> wrote:
>
> Below are the logs from the server...
> Do you have any idea ?

Hi David,

Where did you place the SecRuleUpdateTargetByTag directives? They need to be set after the initial rules are included, e.g. in the 48 local exceptions file.

Regarding the length rule, I forgot to invert the regex. The correct syntax is:

SecRule ARGS:password "!^.{8,20}$" "phase:2,id:1,t:none,deny,msg:'Password value does not meet predefined length criteria'"

--
- Josh

> Kind regards,
>
> [Thu Sep 12 11:53:57 2013] [error] [client 195.70.13.237] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: x>djdskjfd0L* found within ARGS:password: x>djdskjfd0L*"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at ARGS:password. [hostname "OBFUSCATED"] [uri "/login.pl"] [unique_id "UjGPNX8AAAEAABjrI48AAAAD"]
>
> [Thu Sep 12 11:53:57 2013] [error] [client XXXXXXXXXXX] ModSecurity: [file "/etc/httpd/conf.d/obfuscated.conf"] [line "113"] [id "1"] [msg "Password value does not meet predefined length criteria"] Access denied with code 403 (phase 2). Pattern match "^.{8,20}$" at ARGS:password. [hostname "obfuscated"] [uri "/login.pl"] [unique_id "UjGPNX8AAAEAABjrI48AAAAD"]
>
> [Thu Sep 12 11:53:57 2013] [error] [client XXXXXXXX] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=5, XSS=): SQL Injection Attack: SQL Tautology Detected."] Warning. Operator LT matched 15 at TX:inbound_anomaly_score. [hostname "obfuscated"] [uri "/login.pl"] [unique_id "UjGPNX8AAAEAABjrI48AAAAD"]
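The two points in the reply, that `SecRuleUpdateTargetByTag` only affects rules that are already loaded and that the length rule needs the `!` in front of the regex, can be checked with a small model of how ModSecurity selects targets and applies a negated `@rx` operator. The code below is an added illustration, not part of the thread and not ModSecurity's own code: the engine is a toy, `SQLI_STANDIN` is a constructed stand-in for the CRS tautology check (not the real 950901 pattern), and the request arguments are made up. In real ModSecurity 2.x the exception would be written as `SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:password"` and placed after the CRS rules are included, as the reply says.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a CRS "SQL tautology" style check (NOT the real
# 950901 pattern, which is far more elaborate): word, comparison operator, word.
SQLI_STANDIN = r"\w+\s*(?:=|<>|!=|<=|>=|<|>)\s*\w+"


@dataclass
class Rule:
    """A cut-down SecRule: targets, an @rx pattern, optional '!' negation, tags."""
    rule_id: str
    targets: list                 # "ARGS", "ARGS:name", or exclusions "!ARGS:name"
    pattern: str                  # the @rx operator pattern
    negate: bool = False          # True models the leading "!" on the operator
    tags: list = field(default_factory=list)


class Engine:
    """Minimal model of rule loading and phase-2 evaluation (toy, an assumption)."""

    def __init__(self):
        self.rules = []

    def sec_rule(self, rule):
        self.rules.append(rule)

    def update_target_by_tag(self, tag_regex, new_target):
        # Models SecRuleUpdateTargetByTag: it rewrites the target list of rules
        # that are ALREADY loaded and carry a matching tag. Issued before the
        # rules are included it finds nothing to change, which is why it
        # belongs after the CRS include (e.g. the local exceptions file).
        changed = 0
        for r in self.rules:
            if any(re.search(tag_regex, t) for t in r.tags):
                r.targets.append(new_target)
                changed += 1
        return changed

    @staticmethod
    def select(targets, args):
        """Resolve ARGS / ARGS:name / !ARGS:name into the {name: value} to inspect."""
        chosen = {}
        for t in targets:
            exclude = t.startswith("!")
            spec = t.lstrip("!")
            if spec == "ARGS":
                names = list(args)
            elif spec.startswith("ARGS:"):
                names = [spec[5:]] if spec[5:] in args else []
            else:
                raise ValueError(f"unsupported target {t!r}")
            for n in names:
                if exclude:
                    chosen.pop(n, None)
                else:
                    chosen[n] = args[n]
        return chosen

    def evaluate(self, args):
        """Return ids of rules whose operator 'matched' and would therefore deny."""
        hits = []
        for r in self.rules:
            for value in self.select(r.targets, args).values():
                matched = re.search(r.pattern, value) is not None
                # With "!" in front of the regex the rule fires when the pattern
                # does NOT match; without it, it fires on every match.
                if matched != r.negate:
                    hits.append(r.rule_id)
                    break
        return hits


def build_engine(exceptions_after_rules, invert_length_regex=True):
    """Load a SQLi-tagged rule plus the password-length rule, with the
    !ARGS:password exception placed either before or after the rules."""
    eng = Engine()
    if not exceptions_after_rules:            # wrong placement: no rules loaded yet
        eng.update_target_by_tag("WEB_ATTACK/SQL_INJECTION", "!ARGS:password")
    eng.sec_rule(Rule("950901", ["ARGS"], SQLI_STANDIN,
                      tags=["OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]))
    # id 1 as in the thread: "!^.{8,20}$" denies when the length is outside
    # 8..20; without the "!", the same rule denies every password that IS valid.
    eng.sec_rule(Rule("1", ["ARGS:password"], r"^.{8,20}$",
                      negate=invert_length_regex))
    if exceptions_after_rules:                # correct placement
        eng.update_target_by_tag("WEB_ATTACK/SQL_INJECTION", "!ARGS:password")
    return eng


def denying_rules(password, exceptions_after_rules=True, invert_length_regex=True):
    """Rule ids that would deny a constructed login POST with this password."""
    return build_engine(exceptions_after_rules, invert_length_regex).evaluate(
        {"user": "alice", "password": password})


if __name__ == "__main__":
    for pw in ["x>djdskjfd0L*", "short", "a" * 21]:
        print(repr(pw),
              "late exception:", denying_rules(pw),
              "| early exception:", denying_rules(pw, exceptions_after_rules=False),
              "| non-inverted length rule:", denying_rules(pw, invert_length_regex=False))
```

Running it shows the three outcomes from the logs side by side: with the exception loaded after the rules, the 13-character password from the log passes both rules; with the exception loaded too early, the SQLi-tagged rule still inspects `ARGS:password`; and with the un-inverted `^.{8,20}$` the length rule denies exactly the passwords that are in range, which is the 403 David saw.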