Thread: [mod-security-users] Rule exception for specific hosts
From: Jan P. G. <jg...@so...> - 2013-05-24 12:40:22
Hi there,

I'm relatively new to mod_security, so sorry for maybe dumb questions.
I've built and installed mod_security2 2.7.3 on my webserver, included
it with the OWASP CRS 2.2.7. So far no problems, it is running with the
recommended configuration on "DETECTION_ONLY".

Now I try to correct false positives, such as the following one:

My nagios-server (service observation) is checking if my robots.txt is
readable. This gives an audit warning because of a missing Accept header.
(Audit log at the bottom)

I tried to create a rule especially for this host, which deactivates the
problem rule:

SecRule REMOTE_ADDR "@ipMatch 10.0.0.2" "chain,phase:2,id:'1001',t:none,pass,nolog"
    SecRule REQUEST_HEADERS:User-Agent "^check_http.*\(nagios-plugins.*\)$" "t:none,ctl:ruleRemoveById=960015"

Unfortunately it doesn't work. :(
Maybe some experienced user could help me with this, thanks!

Best regards,
Jan Phillip Greimann

-----------------------------------------------------------

--1e454857-A--
[24/May/2013:13:38:20 +0200] UZ9RLH8AAQEAAHWYQmUAAAAT 10.0.0.2 48846 10.0.3.100 443
--1e454857-B--
GET /robots.txt HTTP/1.1
User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)
Connection: close
Host: test.domain.invalid

--1e454857-E--
User-agent: *
Allow: /

--1e454857-F--
HTTP/1.1 200 OK
Last-Modified: Mon, 29 Aug 2011 12:38:46 GMT
Accept-Ranges: bytes
Content-Length: 70
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=utf-8

--1e454857-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity.d/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Request Missing an Accept Header"]
Stopwatch: 1369395500250834 2204 (- - -)
Stopwatch2: 1369395500250834 2204; combined=1203, p1=323, p2=571, p3=14, p4=137, p5=147, sr=84, sw=11, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.7.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--1e454857-Z--
From: Ryan B. <RBa...@tr...> - 2013-05-24 13:01:06
Move it to phase:1 and make sure it is in a rules file before the one with that rule.

--
Ryan Barnett
From: Jan P. G. <jg...@so...> - 2013-05-24 14:08:06
I didn't understand this, how can the rule get removed when this rule is
before rule 960015? But I will try it out, thank you very much.

On 24.05.2013 15:00, Ryan Barnett wrote:
> Move it to phase:1 and make sure it is in a rules file before the one with that rule.
>
> --
> Ryan Barnett
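An added example, not part of the thread, of the exception written the way Ryan suggests, which also answers Jan's follow-up question: ctl:ruleRemoveById only affects rules that have not yet run in the current transaction, so the exception has to be evaluated before 960015, and phase:1 in a file that loads earlier guarantees that. The IP, User-Agent pattern and rule ids are from the thread; the file name is an assumption.

```apache
# Assumed file name, chosen so that it sorts (and is therefore Include'd,
# when the CRS directory is included with a wildcard) before
# modsecurity_crs_21_protocol_anomalies.conf:
#   /etc/apache2/modsecurity.d/modsecurity_crs_15_nagios_exception.conf
#
# Why this works where the phase:2 version did not: ctl:ruleRemoveById
# removes a rule from the current transaction only for evaluations that have
# not happened yet. Phase 1 (request headers) completes before phase 2
# starts, and this file is processed before the CRS protocol-anomaly file,
# so 960015 is already gone by the time ModSecurity would reach it.
#
# Keep the exception narrow: the REMOTE_ADDR match is what carries the trust
# (any client can send this User-Agent string); the UA check only adds a
# second condition so other traffic from 10.0.0.2 is still inspected.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.2" \
    "phase:1,id:'1001',t:none,pass,nolog,chain"
    SecRule REQUEST_HEADERS:User-Agent "^check_http.*\(nagios-plugins.*\)$" \
        "t:none,ctl:ruleRemoveById=960015"
```

The audit entry reports a total inbound score of 2 against the threshold of 5 (rule 981203 matched "@lt 5"), so in anomaly-scoring mode this request would not have been blocked anyway; the exception removes audit noise rather than a block.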