Thread: [mod-security-users] ARGS:@pmFromFile
From: Reindl H. <h.r...@th...> - 2012-01-24 11:07:47

Hi,

I would like to replace the two commented sample rules below,
of which hundreds currently exist, so that the arg names which
must be numeric can be fed from "modsecurity_99_protected_vars.data"
below, but I have no idea how to do this :-(

The var list is growing all the time.......

SecRule ARGS:"@pmFromFile modsecurity_99_protected_vars.data" !^\d{1,7}$ "phase:1,id:'150',capture,logdata:'%{matched_var}',block,msg:'out of range'"
SecRule ARGS:"@pmFromFile modsecurity_99_protected_vars.data" !^\d{1,7}$ "phase:2,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"

#SecRule ARGS:hid !^\d{1,7}$ "phase:1,id:'150',capture,logdata:'%{matched_var}',block,msg:'out of range'"
#SecRule ARGS:hid !^\d{1,7}$ "phase:2,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
_________________

[root@rh:~/modsecurity.d]$ cat modsecurity_99_protected_vars.data
blog_comment_refid
blog_id
blog_showpage
cfg_id
cms_remember_login
dbid
detail_id
ds_id
ext_group
ext_id
filter_jahr
filter_monat
filter_tag
fo_board_id
gh_id
gid
gi_id
gi_sid
gs_hid
gs_id
gs_lightbox
gs_rnd_hr_enable
gs_rnd_tn_enable
gs_show_title
gs_tn_lupe
gs_zoom
hid
item_id
k2sid
kid
ksid
lock_id
lock_key
od_id
pal_id
pc_entry_group_id
pc_entry_id
pc_group_id
pers_id
portal_gruppe
portal_id
portal_kategorie
ps_id
s2id
s2sid
shid
show_item
show_thread
sid
vgid
vugid
vuid
vvid
vvuid
yc_aktiv
yc_id
yc_page
yi_cid
yi_id
yi_page
yk_aktiv
yk_id
yk_item
From: Ryan B. <RBa...@tr...> - 2012-01-24 13:47:53

You could try something like this using MATCHED_VARS_NAMES:

SecRule ARGS "!^\d{1,7}$" "chain,phase:2,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
  SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

The rule generically checks all ARGS payloads against your positive security regex. If the payload does not match, then the name of the parameter is checked against your list of protected var names. It worked for me. I sent this request with two params that violate your regex (blog_id includes a ' and cfg_id is too long):

$ curl "http://localhost/cgi-bin/printenv?blog_id=1234'&cfg_id=8764531232323545"

The rule generated these two alerts:

[Tue Jan 24 08:40:07 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "blog_id" at MATCHED_VARS_NAMES:blog_id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "151"] [msg "out of range"] [data "blog_id"] [hostname "localhost"] [uri "/cgi-bin/printenv"] [unique_id "Tx60t8CoqAEAAMThIWkAAAAA"]
[Tue Jan 24 08:40:07 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "cfg_id" at MATCHED_VARS_NAMES:cfg_id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "151"] [msg "out of range"] [data "cfg_id"] [hostname "localhost"] [uri "/cgi-bin/printenv"] [unique_id "Tx60t8CoqAEAAMThIWkAAAAA"]

The only piece of meta-data you are missing with these rules is that the logdata info won't hold the param payload but rather the name of the parameter that violated the regex rule.

-Ryan
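The chained rule from the reply above, modelled in Python as an added example (this is not ModSecurity code and not either poster's configuration). It reproduces the two-stage evaluation: stage one collects every ARGS value that fails ^\d{1,7}$, stage two runs the names of those parameters through the phrase list, and only a parameter failing both stages fires. One point worth checking before relying on it: @pm and @pmFromFile do a case-insensitive substring match, so a parameter name that merely contains a listed phrase (a constructed "csid" against the listed "sid") also fires; the exact_match function shows the whole-name alternative. The data-file format (one phrase per line, "#" comments), the trimmed phrase list and every request other than the curl one from the reply are assumptions made for this example.

```python
"""Executable model of the chained ModSecurity rule proposed in the reply.

Added illustration only: not ModSecurity code and not the posters' rules.
It models these two rules:

  SecRule ARGS "!^\\d{1,7}$" "chain,phase:2,id:'151',...,block"
    SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

Assumptions not stated on the page: the data file is one phrase per line with
'#' comments, and @pm/@pmFromFile is a case-insensitive *substring* match
(ModSecurity's Aho-Corasick phrase matcher), not a whole-name comparison.
"""
import re

NUMERIC = re.compile(r"^\d{1,7}$")   # the poster's positive-security pattern

# Constructed subset of the poster's protected-variable list.
PROTECTED_VARS_DATA = """\
# names whose values must be 1-7 digits
blog_id
cfg_id
hid
sid
"""


def load_phrases(data):
    """Read a @pmFromFile-style list: one phrase per line, '#' starts a comment."""
    return [ln.strip().lower() for ln in data.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def pm_match(var_name, phrases):
    """@pm semantics: true if any phrase occurs anywhere in the name (case-insensitive)."""
    lowered = var_name.lower()
    return any(p in lowered for p in phrases)


def exact_match(var_name, phrases):
    """Whole-name alternative (what an @rx ^(a|b|c)$ over the names would do).
    MATCHED_VARS_NAMES entries may carry a collection prefix such as 'ARGS:'."""
    bare = var_name.split(":", 1)[-1].lower()
    return bare in phrases


def parse_query(qs):
    """Split a query string into (name, value) pairs; no decoding, enough for the demo."""
    pairs = []
    for part in qs.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def evaluate_chain(args, phrases, matcher=pm_match):
    """Return the names of parameters that would fire the chained rule.

    Rule 1 collects every ARGS entry whose value fails NUMERIC into
    MATCHED_VARS_NAMES; rule 2 runs those names through the phrase list.
    Only parameters that fail both stages trigger the block."""
    offending = [(n, v) for n, v in args if not NUMERIC.match(v)]
    return [n for n, _ in offending if matcher(n, phrases)]


if __name__ == "__main__":
    phrases = load_phrases(PROTECTED_VARS_DATA)
    # The request from the reply: a quote in blog_id, an over-long cfg_id.
    print(evaluate_chain(parse_query("blog_id=1234'&cfg_id=8764531232323545"), phrases))
    # Constructed edge cases: empty value, 8 digits, a non-protected name that
    # merely *contains* a protected phrase, and an unrelated free-text field.
    q = "hid=&sid=12345678&csid=abc&comment=hello"
    print(evaluate_chain(parse_query(q), phrases))               # csid flagged by @pm
    print(evaluate_chain(parse_query(q), phrases, exact_match))  # csid not flagged
```

Two things the model makes visible: an empty value (hid=) fails ^\d{1,7}$ and is blocked just like a quoted one, and with @pm a growing phrase list can silently widen its reach to any parameter whose name contains a short entry such as "sid" or "gid". If the application has such parameters, build the second rule from an anchored @rx alternation over the names instead.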
From: Ryan B. <RBa...@tr...> - 2012-01-24 14:03:20

Oh, I almost forgot, you could also use the new request profiling Lua rules:

http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

These rules use Lua to profile the request data and then save the info in RESOURCE persistent storage. The main benefit is that you will get the same protection (actually better) as your current rules, however without the need to manually create rules for each resource/parameter. Currently, the rules can learn the following request attributes:

* Request Method(s)
* Number of Parameters (min/max range)
* Parameter Names
* Parameter Lengths (min/max range)
* Parameter Types
  * Flag (e.g. /path/to/foo.php?param)
  * Digits (e.g. /path/to/foo.php?param=1234)
  * Alpha (e.g. /path/to/foo.php?param=abcd)
  * AlphaNumeric (e.g. /path/to/foo.php?param=abcd1234)
  * Email (e.g. /path/to/foo.php?param=fo...@ba...)
  * Path (e.g. /path/to/foo.php?param=/dir/somefile.txt)
  * URL (e.g. /path/to/foo.php?param=http://somehost/dir/file.txt)
  * SafeText (e.g. /path/to/foo.php?param=some_data-12)

I would love to hear any feedback on people using these Lua rules.

-Ryan
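A small Python sketch of the profiling approach described above, added here as an illustration of the learning-then-enforcing idea; it is not the SpiderLabs Lua code from the linked post and it does not use ModSecurity's RESOURCE collection. Per resource it learns the request methods, the parameter-count range, the parameter names, and for each parameter a length range and the set of value types from the list above, then reports every way a later request departs from that profile. The regexes that define each type class, the hypothetical /blog.php training requests and the anomaly labels are assumptions made for this example.

```python
"""Toy request profiler in the spirit of the AppSensor Lua rules mentioned above.

Added illustration only: not the SpiderLabs code. The type regexes below are
my own assumptions about what each class accepts; the real rules may draw
the lines differently.
"""
import re

# Value classes from the list above, most specific first; first match wins.
TYPE_PATTERNS = [
    ("Digits",       re.compile(r"^[0-9]+$")),
    ("Alpha",        re.compile(r"^[A-Za-z]+$")),
    ("AlphaNumeric", re.compile(r"^[A-Za-z0-9]+$")),
    ("Email",        re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")),
    ("URL",          re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^\s/?#]+[^\s]*$")),
    ("Path",         re.compile(r"^(?:/[A-Za-z0-9._-]+)+/?$")),
    ("SafeText",     re.compile(r"^[A-Za-z0-9 ._-]+$")),
]


def classify(value):
    """Map a parameter value to one of the profile's type classes."""
    if value == "":
        return "Flag"                      # /path?param with no value
    for label, pattern in TYPE_PATTERNS:
        if pattern.match(value):
            return label
    return "Other"                         # quotes, angle brackets, percent signs, ...


class ResourceProfile:
    """Learned shape of requests to one resource (URI path)."""

    def __init__(self):
        self.methods = set()
        self.count_range = None            # (min, max) number of parameters
        self.params = {}                   # name -> {"types": set, "length": (min, max)}

    @staticmethod
    def _widen(rng, n):
        return (n, n) if rng is None else (min(rng[0], n), max(rng[1], n))

    def learn(self, method, args):
        """Training mode: fold one request known to be legitimate into the profile."""
        self.methods.add(method)
        self.count_range = self._widen(self.count_range, len(args))
        for name, value in args:
            entry = self.params.setdefault(name, {"types": set(), "length": None})
            entry["types"].add(classify(value))
            entry["length"] = self._widen(entry["length"], len(value))

    def check(self, method, args):
        """Enforcement mode: list every way the request departs from the profile."""
        anomalies = []
        if method not in self.methods:
            anomalies.append("method:%s" % method)
        lo, hi = self.count_range
        if not lo <= len(args) <= hi:
            anomalies.append("param_count:%d" % len(args))
        for name, value in args:
            entry = self.params.get(name)
            if entry is None:
                anomalies.append("unknown_param:%s" % name)
                continue
            kind = classify(value)
            if kind not in entry["types"]:
                anomalies.append("type:%s=%s" % (name, kind))
            lo, hi = entry["length"]
            if not lo <= len(value) <= hi:
                anomalies.append("length:%s=%d" % (name, len(value)))
        return anomalies


# Constructed training traffic for a hypothetical /blog.php resource.
TRAINING = [
    ("GET", [("blog_id", "17"), ("blog_showpage", "1")]),
    ("GET", [("blog_id", "2048"), ("blog_showpage", "12")]),
    ("GET", [("blog_id", "5"), ("blog_showpage", "3"), ("filter_jahr", "2011")]),
]


def build_profile(samples=TRAINING):
    profile = ResourceProfile()
    for method, args in samples:
        profile.learn(method, args)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    # The request from the earlier reply, seen through the learned profile.
    print(profile.check("GET", [("blog_id", "1234'"), ("cfg_id", "8764531232323545")]))
```

Run against the curl request from the earlier reply, the learned profile reports three departures: blog_id has type Other instead of Digits, its length exceeds the learned range, and cfg_id was never seen on this resource. The learned {Digits} type set for blog_id gives the same check as the hand-written numeric rule without listing the name anywhere. The usual caveat applies: the profile only encodes what it was trained on, so the training window must contain only traffic known to be clean, or attacker values become part of the baseline.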
From: Reindl H. <h.r...@th...> - 2012-01-25 11:30:23

Wonderful! Works exactly how I want.

It would be nice to see the submitted value, but that is not so important.

Phase 1 AND phase 2 because we have whitelisted some security-auditor IPs, since we would otherwise kill the scans from Nessus with "bad agents", and I like to protect some known vars per GET in each case; phase 2 is needed to protect against POST.

SecRule ARGS "!^\d{1,7}$" "chain,phase:1,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
  SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

SecRule ARGS "!^\d{1,7}$" "chain,phase:2,id:'152',capture,logdata:'%{matched_var}',block,msg:'out of range'"
  SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

Thank you very much!

--
Best regards,
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
http://www.thelounge.net/