Re: [mod-security-users] Making custom rules that use request header and method
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-10-04 22:42:23
Ideally you should keep audit logs of all transactions (especially those that are blocked); however, I realize that this is not feasible for many organizations. This is most probably also an issue if you are attempting to use the open source, free ModSecurity Console, as it was not designed for heavy use. The commercial ModSecurity Management Appliance (http://www.breach.com/products/modsecurity-management.html) doesn't have these issues.

You really have two different aspects to consider: audit logging for historical purposes vs. real-time alert management. A possible middle ground you could use would be to update the "Automatic Stale Alert Removal" settings under the Administration -> Alert Management page. If you decrease the "Stale Alert Interval" setting to something like 600 seconds and the "Maximal stale severity" level to "5 - Notice", the net result would be that you could still capture these audit logs; however, the lower severity items such as this would be auto-archived to the database every 10 minutes, so they won't clutter up the Alert viewer page.

If that doesn't work for you, then you could update your custom rules a bit. It looks as though there are a few issues (case-sensitivity, variable name). It is a good idea to make sure that you specify all of the proper actions on your individual rules so that they don't inherit any unintended settings. Try these rules:

SecRule REQUEST_METHOD "^PROPFIND$" "phase:1,t:none,deny,nolog"
SecRule REQUEST_HEADERS:translate "^f$" "phase:1,t:none,deny,nolog"

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Vince
Sent: Thursday, October 04, 2007 6:18 PM
To: mod...@li...
Subject: Re: [mod-security-users] Making custom rules that use request header and method

Hi Ryan,

Yes, it is my intention to just block this silently. I have identified that any requests using PROPFIND or translate: f (mostly webdav/webfolder enabled browsers) are not needed by our services. We are doing this to try to trim down the amount of alerts that are showing up in the console. Blocking unwanted behavior silently is a good way to do this, no? I did not want to disable the rules that are being triggered, as they also alert on other types of requests, and I did not want to create my own modified rule, as I am not a pro with the regex just yet.

Thank you for the quick response,

Vince | Michael Smith Laboratories
Systems Network Manager | University of British Columbia

Ryan Barnett wrote:

Can you please clarify: is your intention to have rules that will "silently" block requests with the PROPFIND Request Method and/or the "Translate: f" Request Header? By silent, I mean that you want to "deny" the request; however, you do NOT want to trigger an alert. Is this correct?

First recommendation that you give is to selectively increase the debug log level (to perhaps just your source IP or something), then make a request with PROPFIND and then review the debug log to see what is happening. See the relevant sections from my Blog post: http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Vince
Sent: Thursday, October 04, 2007 5:43 PM
To: mod...@li...
Subject: [mod-security-users] Making custom rules that use request header and method

Hi Everyone,

I'm having problems creating deny rules for the following kind of requests:

PROPFIND / HTTP/1.1
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600

I want to create rules to deny and block anything with PROPFIND as the method or "translate: f" in the headers. This is what I have currently in my modsecurity_crs_15_customrules.conf, but it's not working:

SecRule REQUEST_METHOD propfind "phase:1,deny,nolog"
SecRule REQUEST_HEADERS_NAMES:translate ^f$ "phase:1,deny,nolog"

I've tried variations like capitalizing PROPFIND, putting it in quotes "PROPFIND", using the start and end characters ^propfind$. These rules still keep getting triggered and I get alerts in my console.

Any ideas?

Thanks!
--

Vince | Michael Smith Laboratories
Systems Network Manager | University of British Columbia
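The following ModSecurity 2.x configuration fragment is an added example that is not part of either Ryan's or Vince's emails. It puts the two corrections discussed in the thread (REQUEST_HEADERS rather than REQUEST_HEADERS_NAMES, and explicit t:none plus a case-correct pattern) next to the original rules, and adds the per-source-IP debug logging that Ryan's first reply recommends. The rule ids, the debug log path and the test client address 192.0.2.10 are assumptions chosen for the example; the header-name capitalization (Translate) and the optional t:lowercase on the value are also the example's own choices, not taken from the thread.

```apache
# --- Original rules from the thread (kept for comparison; these do NOT match) ---
#
# REQUEST_METHOD is compared with a case-sensitive regex, and the client
# sends "PROPFIND", so a lowercase "propfind" pattern never fires.
#SecRule REQUEST_METHOD propfind "phase:1,deny,nolog"
#
# REQUEST_HEADERS_NAMES holds the header *names* ("translate"), not their
# values, so "^f$" can never match there.
#SecRule REQUEST_HEADERS_NAMES:translate ^f$ "phase:1,deny,nolog"

# --- Optional: verbose debug log only for your own test client ---
# Keep the global level low and raise it per request for a single source
# address (192.0.2.10 is a constructed placeholder) so the debug log stays
# readable while you reproduce the PROPFIND request. This rule must precede
# the deny rules, since rules are evaluated in file order within a phase.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 3
SecRule REMOTE_ADDR "^192\.0\.2\.10$" \
    "phase:1,id:900000,pass,nolog,ctl:debugLogLevel=9"

# --- Corrected silent-deny rules ---
# Every action is stated explicitly so nothing is inherited from
# SecDefaultAction. "nolog" suppresses both the error-log alert and the
# audit-log entry, which is what keeps the block out of the Console.
# Rule ids are placeholders (optional in 2007-era 2.x, mandatory from 2.7 on).
SecRule REQUEST_METHOD "^PROPFIND$" \
    "phase:1,id:900001,t:none,deny,nolog"

# Header-name selector in REQUEST_HEADERS picks the header's value.
# t:none clears any inherited transformations; t:lowercase then makes the
# value match tolerant of "Translate: F" as well as "translate: f".
SecRule REQUEST_HEADERS:Translate "^f$" \
    "phase:1,id:900002,t:none,t:lowercase,deny,nolog"

# --- Alternative: block quietly but keep the audit record ---
# If you want no alert in the error log but still want the transaction in the
# audit log for historical purposes (Ryan's first point), "nolog" can be
# overridden for the audit log with "nolog,auditlog".
#SecRule REQUEST_METHOD "^PROPFIND$" \
#    "phase:1,id:900003,t:none,deny,nolog,auditlog"
```

After reloading Apache, reproduce the request from your test client and confirm the transaction ends in phase 1 with a 403 and no entry in the error log; the level-9 debug log for that client will show which of the two rules matched and the transformed values that were compared.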