Re: [mod-security-users] Excluding Header Content
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-04 12:44:55
It looks like you missed Chris' comment about the lowercase transformation function. You either need to add "t:none" to your rule or you need to rewrite your URL to use only lowercase - so change Echo to echo.

A good practice to use when rules aren't matching as you expect them to, or when you have false positive hits, is to increase the debug logging level and review the log. It will show you items such as how the request data is being changed with transformation functions.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Russ Lavoie
Sent: Thursday, May 03, 2007 7:51 PM
To: Christian Bockermann
Cc: mod...@li...
Subject: Re: [mod-security-users] Excluding Header Content

Hi All,

I am using the core rules as of right now. The alert is coming from modsecurity_crs_40_generic_attacks.conf. Below is how I have it set up.

SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

<MORE RULES ARE BETWEEN>

# Allow the http://domain.com/dir/Echo page
SecRule REQUEST_HEADERS:Referer "^http://domain.com/dir/Echo$" "log,allow,skip:2,msg:'Echo Page'"

# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo)|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \
        "\bwget\b" \
        "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"

What do you think the issue is? I can't get it to work :(

________________________________
From: Christian Bockermann [mailto:ch...@jw...]
Sent: Thu 5/3/2007 3:43 PM
To: Russ Lavoie
Cc: mod...@li...
Subject: Re: [mod-security-users] Excluding Header Content

Hi Russ!

Since you don't say much about your overall setup and the other properties of your config (especially about the default-action) it's hard to say what went wrong, so the following is just a guess.

I tried your rules in my own test-setup and it worked fine. Most probably you have not changed the DefaultAction which includes the "t:lower" transformation. If this is applied to the referer-value your expression will be matched against "http://domain.com/dir/echo" which does not match "^http://domain.com/dir/Echo$" with the upper-case "E".

You can thus either change your regexp to "^http://domain.com/dir/echo$" or add "t:none" to your actions.

Regards,
Chris

On 03.05.2007 at 19:33, Russ Lavoie wrote:
> I am having issues getting this to work.
>
> There is a page that has a REQUEST_HEADER:Referer which has the command Echo in it, but it is a legitimate page.
>
> I would have thought the below would have let it pass. But it hasn't.
>
> SecRule REQUEST_HEADERS:Referer "^http://domain.com/dir/Echo$" \
>     "log,allow,skip:1,msg:'Echo Page'"
>
> But I don't even get the msg "Echo Page" so I tried the below:
>
> SecRule REQUEST_HEADERS:Referer "^http:\/\/domain\.com\/dir\/Echo$" \
>     "log,allow,skip:1,msg:'Echo Page'"
>
> Which gave me the same results.
>
> This one works, but that is for the entire site.
> SecRule REQUEST_HEADERS:Referer ".*domain.com" "log,allow,msg:'Echo Page'"
>
> Can I not specify specific areas of the domain?
>
> I want to be able to allow this referer header data http://domain.com/dir/Echo without it alerting me.
>
> Thanks!
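As an added example (not code from the thread and not ModSecurity's own implementation), the following Python models the transformation chain Chris and Ryan describe: a rule inherits t:urlDecodeUni, t:htmlEntityDecode and t:lowercase from SecDefaultAction, so the Referer value is lowercased before the anchored regex is tried, while t:none discards the inherited chain. The three transformation functions are approximated with the Python standard library, which is an assumption made for the illustration.

```python
import html
import re
import urllib.parse

# Simulation of ModSecurity's transformation pipeline for this thread's
# rule set; not ModSecurity code. Defaults come from Russ's SecDefaultAction.
DEFAULT_TRANSFORMS = ["urlDecodeUni", "htmlEntityDecode", "lowercase"]


def apply_transform(name, value):
    # Stand-library approximations of the named transformation functions.
    if name == "urlDecodeUni":
        return urllib.parse.unquote(value)
    if name == "htmlEntityDecode":
        return html.unescape(value)
    if name == "lowercase":
        return value.lower()
    raise ValueError(f"unknown transformation: {name}")


def effective_transforms(rule_transforms, default_transforms=DEFAULT_TRANSFORMS):
    # Rule-level t: actions are appended to the inherited defaults;
    # t:none throws away everything accumulated so far.
    chain = list(default_transforms)
    for name in rule_transforms:
        chain = [] if name == "none" else chain + [name]
    return chain


def transformed_value(raw, rule_transforms=()):
    value = raw
    for name in effective_transforms(rule_transforms):
        value = apply_transform(name, value)
    return value


def rule_matches(raw, pattern, rule_transforms=()):
    # The regex is applied to the transformed value, not the raw header.
    return re.search(pattern, transformed_value(raw, rule_transforms)) is not None


# Constructed inputs taken from the thread: the legitimate Referer and the
# allow rule's anchored, case-sensitive pattern.
REFERER = "http://domain.com/dir/Echo"
PATTERN = r"^http://domain\.com/dir/Echo$"

if __name__ == "__main__":
    print("inherited chain ->", transformed_value(REFERER))          # .../echo
    print("with t:none     ->", transformed_value(REFERER, ["none"]))  # .../Echo
    print("match, inherited:", rule_matches(REFERER, PATTERN))
    print("match, t:none   :", rule_matches(REFERER, PATTERN, ["none"]))
```

Lowercasing the pattern itself ("^http://domain\.com/dir/echo$") is the other fix from the thread and also matches under the inherited chain.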