Thread: [mod-security-users] Does ctl:ruleUpdateTargetById work when in ANOMALY MODE
From: kwenu <uz...@ya...> - 2011-09-13 11:31:25
Apache 2.2.20
[notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
[notice] ModSecurity: LIBXML compiled version="2.6.23"

I am using CRS 2.2.2 revision 1837.

I have an unusual problem here: the following rule does not do what I expect it to do.

SecRule REQUEST_HEADERS:Host "@streq xxxxxxxxxxx" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981318;!REQUEST_COOKIES:x_xxxx"

In ModSecurity's audit file it outputs the following:

SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|*!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers*" "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,log,rev:2.2.2,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

So for some reason this rule is creating multiple !REQUEST_COOKIES within the rule I am updating. I'm quite sure this is a bug, as this was working well in 2.2.0.

I have used different builds of Apache, also using different versions of APR and PCRE, but to no avail.

The rule is not doing what I hoped it would. Do such rules work in anomaly mode, since http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html would seem to suggest they do not?
From: Breno S. <bre...@gm...> - 2011-09-13 13:29:29
Hi kwenu,

Yes, it is appending multiple times because there is no check if the variable already exists. I already fixed it for 2.6.2. The 2.6.2-rc1 will be released this week, so if you want to help me test it, feel free to clone the current SVN code.

Thanks,
Breno

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
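The duplication Breno describes (the ctl action appending its exclusion target on every evaluation, with no check for an entry that is already there) and the audit-log symptom kwenu posted can both be modelled in a few lines. The Python below is an example added to this thread, not ModSecurity's own code: the merge behaviour is an assumption modelled from Breno's description, the `*` markers wrapped around the appended targets in the audit-log dump are treated as display decoration (also an assumption), and the sample SecRule line is the one quoted above with its action list shortened. The `find_duplicate_targets` checker is the part a practitioner would run over the SecRule lines in their own audit log to confirm whether a ctl update has been applied more than once.

```python
"""Model of ctl:ruleUpdateTargetById target merging, plus a checker that flags
duplicated targets in a SecRule line as dumped to the ModSecurity audit log.

Added as an example for this thread; not ModSecurity's own code. The merge
logic is an assumption modelled from Breno's description of the 2.6.1 bug and
the 2.6.2 fix; ModSecurity's real implementation is in C."""

import re

# Target list of CRS rule 981318 as it appears in the thread, before any ctl update.
RULE_981318_TARGETS = (
    "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
)

# The SecRule line kwenu found in the audit log, constructed from the thread's
# quote with the long action list shortened (sample input, not a live log).
AUDIT_LOG_SECRULE = (
    r'SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS'
    r'|XML:/*|*!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers*" '
    r'''"@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" '''
    r'"phase:2,log,rev:2.2.2,capture,t:none,t:urlDecodeUni,block,'
    r'''msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318"'''
)

# Matches the double-quoted variable list of a one-line SecRule.
SECRULE_VARS_RE = re.compile(r'^\s*SecRule\s+"([^"]*)"')


def split_targets(target_spec):
    """Split a SecRule variable specification on '|' into its individual targets."""
    return [t for t in target_spec.split("|") if t]


def update_target_by_id(target_spec, new_target, check_existing):
    """Return target_spec with new_target appended, as ctl:ruleUpdateTargetById does.

    check_existing=False models 2.6.1 as reported in the thread: every request that
    matches the ctl rule appends the exclusion again. check_existing=True models the
    fix Breno describes for 2.6.2: skip the append when the target is already there.
    """
    targets = split_targets(target_spec)
    if check_existing and new_target in targets:
        return "|".join(targets)
    targets.append(new_target)
    return "|".join(targets)


def apply_ctl_repeatedly(target_spec, new_target, requests, check_existing):
    """Apply the ctl action once per matching request and return the final target list."""
    for _ in range(requests):
        target_spec = update_target_by_id(target_spec, new_target, check_existing)
    return target_spec


def find_duplicate_targets(secrule_line):
    """Return the targets listed more than once in a one-line SecRule; [] means clean."""
    m = SECRULE_VARS_RE.match(secrule_line)
    if not m:
        raise ValueError("not a SecRule line with a double-quoted variable list")
    # Assumption: the '*' wrapped around the appended exclusions in the audit-log
    # dump is display decoration, so strip it before comparing entries.
    targets = [t.strip("*") for t in split_targets(m.group(1))]
    seen, dups = set(), []
    for t in targets:
        if t in seen and t not in dups:
            dups.append(t)
        seen.add(t)
    return dups


if __name__ == "__main__":
    exclusion = "!REQUEST_COOKIES:x_xxxx"
    print("2.6.1 model, 3 requests:",
          apply_ctl_repeatedly(RULE_981318_TARGETS, exclusion, 3, check_existing=False))
    print("2.6.2 model, 3 requests:",
          apply_ctl_repeatedly(RULE_981318_TARGETS, exclusion, 3, check_existing=True))
    print("duplicates in audit-log rule:", find_duplicate_targets(AUDIT_LOG_SECRULE))
```

Run over the rule dump from the thread, the checker reports `!REQUEST_COOKIES:s_pers` as duplicated; once the target list carries each exclusion exactly once (the 2.6.2 behaviour in the model), it returns an empty list.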
From: kwenu <uz...@ya...> - 2011-09-13 14:17:50
If it's available I'll use it, as we are already behind our schedule. Is there a list of changes available for the next release?
From: kwenu <uz...@ya...> - 2011-09-14 14:17:30
Wohooo!! Everything is working again. Excellent stuff: ModSecurity 2.6.2-rc1 and Apache 2.2.20.