Thread: [mod-security-users] Password Sanitization in Request Body
From: Steve S. <ste...@gm...> - 2013-10-08 17:10:52
I am unable to sanitize a password in the request body.

--2a688459-C--
{"username":"someuser","password":"somepassword"}

What I've tried:

SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched

Any suggestions?
From: Steve S. <ste...@gm...> - 2013-10-09 12:28:50
I'll answer my own question. The body has JSON which is not processed by sanitiseArg.
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-09 13:06:16
Hi Steve,

Not sure how stable this is yet, but take a look at:
https://www.modsecurity.org/tracker/browse/MODSEC-253
Perhaps with the patch you could use sanitiseMatched.

--
- Josh
From: Steve S. <ste...@gm...> - 2013-10-09 14:03:07
Thanks, I saw that and it looks great but I can't implement it on a prod environment.

Right now I'm toying with:

SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"

But I'm not sure how to replace the matched value with the character *
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-09 14:58:35
Hi Steve,

I think the only current solution is to use the ctl action to remove logging the request body entirely if it holds sensitive data. Kind of an all or nothing approach until the patch makes its way into the stable branch.

--
- Josh
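Josh's point is that the stable branch of the time offers only all-or-nothing: either the JSON body is written to the audit log with the password in it, or part C is dropped for the whole transaction. An added example (not code from the thread or from the ModSecurity project) of the middle path a defender can take in the meantime: post-process the serial audit log and mask only the sensitive value in part C, length-preserving the way sanitiseArg masks form fields, and withhold the body only when it is in a format the script cannot parse. It assumes the serial audit log layout with `--<id>-<part>--` marker lines (the `--2a688459-C--` marker in the first message is that format); the list of sensitive key names is an assumption to adjust per application.

```python
"""Post-process a ModSecurity serial audit log so that part C, the raw
request body, never keeps a clear-text password.

Added example for this thread (not code from the thread or from the
ModSecurity project). It assumes the serial audit log layout, where every
section starts with a marker line such as --2a688459-C-- and part C holds
the body exactly as received. The set of sensitive key names is an
assumption; adjust it for the application being protected.
"""
import json
import re

# Section marker line: "--<boundary id>-<part letter>--"
MARKER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

# Assumed parameter / JSON key names whose values must be masked.
SENSITIVE_KEYS = frozenset({"password", "passwd", "secret", "token"})


def mask(value):
    """Length-preserving mask, the same shape sanitiseArg leaves for form fields."""
    return "*" * len(str(value))


def _walk(node, keys):
    """Mask any scalar stored under a sensitive key, at any nesting depth."""
    if isinstance(node, dict):
        return {
            k: mask(v) if k.lower() in keys and not isinstance(v, (dict, list))
            else _walk(v, keys)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [_walk(item, keys) for item in node]
    return node


def redact_json(body, keys=SENSITIVE_KEYS):
    """JSON body with sensitive values masked, or None if the body is not JSON."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return None
    return json.dumps(_walk(parsed, keys), separators=(",", ":"))


def redact_form(body, keys=SENSITIVE_KEYS):
    """Form-encoded body with sensitive values masked, or None if it is not one.
    Works on the raw text, so the encoding of the other fields is untouched."""
    if not re.fullmatch(r"[^=&\s]+=[^&\s]*(?:&[^=&\s]+=[^&\s]*)*", body):
        return None
    names = "|".join(re.escape(k) for k in sorted(keys))
    field = re.compile(r"(?<![^&])(%s)=([^&]*)" % names, re.IGNORECASE)
    return field.sub(lambda m: "%s=%s" % (m.group(1), mask(m.group(2))), body)


def redact_body(body, keys=SENSITIVE_KEYS):
    """Mask secrets in one request body. A body in a format this tool cannot
    parse is withheld entirely: the same fail-closed trade-off as
    ctl:auditLogParts=-C, applied only where selective masking is impossible."""
    if not body.strip():
        return body
    for redactor in (redact_json, redact_form):
        result = redactor(body, keys)
        if result is not None:
            return result
    return "[request body withheld: %d bytes of unparsed content]" % len(body.encode())


def redact_audit_log(text, keys=SENSITIVE_KEYS):
    """Rewrite every part C section of a serial audit log; other parts pass through."""
    out, body, in_c = [], [], False

    def flush():
        trailing = 0
        while body and body[-1] == "":  # keep the blank line that closes the section
            body.pop()
            trailing += 1
        if body:
            out.append(redact_body("\n".join(body), keys))
        out.extend([""] * trailing)
        body.clear()

    for line in text.splitlines():
        m = MARKER.match(line)
        if m:
            if in_c:
                flush()
            out.append(line)
            in_c = m.group(2) == "C"
        elif in_c:
            body.append(line)
        else:
            out.append(line)
    if in_c:  # log truncated inside part C
        flush()
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample entry (not a real capture; id, addresses and host are made up).
SAMPLE_LOG = """--2a688459-A--
[08/Oct/2013:12:10:52 --0500] Uk0000000000000000AAAA 192.0.2.10 51234 192.0.2.20 443
--2a688459-B--
POST /api/login HTTP/1.1
Host: app.example.test
Content-Type: application/json
Content-Length: 49

--2a688459-C--
{"username":"someuser","password":"somepassword"}

--2a688459-H--
Message: Warning. Rule 1001 matched at REQUEST_BODY.
--2a688459-Z--

"""

if __name__ == "__main__":
    print(redact_audit_log(SAMPLE_LOG))
```

Run it over a copy of the log before it leaves the host, or as a filter in the log-shipping pipeline, so the clear-text value never reaches central storage. The form-encoded branch does what sanitiseArg already does in the engine; the JSON branch is the part the engine could not do in this release. Because masking preserves length, an investigator still sees that a 12-character password was submitted, which is usually all the audit trail needs.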
From: Steve S. <ste...@gm...> - 2013-10-09 16:47:58
If I do that will the other rules still run (in case someone does attacks with "password" in the body)?
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-09 17:03:53
Hi Steve,

As long as the rules engine is enabled the rules will still run. I was referring to the audit engine which controls logging.

--
- Josh
From: Steve S. <ste...@gm...> - 2013-10-09 19:10:49
Thanks!

I came up with this rule:

SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"

But am receiving this error:

Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
SecRule takes two or three arguments, rule target, operator and optional action list
From: Steve S. <ste...@gm...> - 2013-10-09 19:18:47
This seems to work (from a Syntax perspective):

SecRule REQUEST_BODY ^\{(?:.*)"password":"(.*?)\"\}$ "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C"
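Before a rule like this goes to production, a practitioner would run its regex over the bodies the application actually sends, not only the one sample. The script below is an added example (not code from the thread or from the ModSecurity project): it takes the operator regex from the rule above, runs it over the thread's sample body plus a few constructed variants, and compares the outcome with a structural JSON check. For the constructs this pattern uses (anchors, `.`, a lazy group) Python's re module behaves like the PCRE engine ModSecurity uses, so the results carry over.

```python
"""Exercise the REQUEST_BODY regex from this thread against bodies it will
meet in production, next to a structural JSON check.

Added example for this thread, not code from the thread or from ModSecurity.
The pattern is copied from the rule above; the request bodies are constructed.
"""
import json
import re

# The operator regex exactly as posted in the rule above.
PASSWORD_RE = re.compile(r'^\{(?:.*)"password":"(.*?)\"\}$')


def regex_captures(body):
    """What the rule's regex captures as the password, or None when the rule
    would not fire at all (so part C would be written in clear text)."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def json_has_key(body, key="password"):
    """Structural check: parse the body as JSON and look for the key at any depth."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False

    def walk(node):
        if isinstance(node, dict):
            return any(k == key or walk(v) for k, v in node.items())
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return False

    return walk(doc)


# Constructed bodies: the thread's own sample first, then shapes a real client can send.
CASES = {
    "thread sample": '{"username":"someuser","password":"somepassword"}',
    "password before username": '{"password":"somepassword","username":"someuser"}',
    "non-string last field": '{"username":"someuser","password":"somepassword","remember":true}',
    "pretty-printed": '{\n  "username": "someuser",\n  "password": "somepassword"\n}',
    "nested object": '{"credentials":{"username":"someuser","password":"somepassword"}}',
}


def compare(cases=CASES):
    """For each case: (what the regex captures, whether JSON parsing finds the key)."""
    return {name: (regex_captures(body), json_has_key(body)) for name, body in cases.items()}


if __name__ == "__main__":
    for name, (captured, found) in compare().items():
        print("%-26s regex=%-40r json=%s" % (name, captured, found))
```

Every row where the regex returns None while the JSON check is True is a body that would still reach part C in clear text: pretty-printed JSON (`.` does not cross newlines and `^` anchors only the first line), a non-string field after the password, and a nested object all defeat the `\"\}$` suffix. The second row shows the other failure, over-capture: the lazy group runs on to the closing `"}` and swallows every field after the password. Separately from the pattern, the ModSecurity 2.x reference documents REQUEST_BODY as populated only when the URLENCODED body processor ran or `ctl:forceRequestBodyVariable=On` was set in phase 1, so a rule on a JSON body also needs that in place before the operator is ever evaluated.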
From: Steve S. <ste...@gm...> - 2013-10-09 19:24:26
|
It doesn't seem to be doing anything though... I still see the body being recorded =(

On Wed, Oct 9, 2013 at 2:18 PM, Steve Stonebraker <ste...@gm...> wrote:
> This seems to work (from a Syntax perspective):
>
> SecRule REQUEST_BODY ^\{(?:.*)"password":"(.*?)\"\}$
> "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C"
>
> On Wed, Oct 9, 2013 at 2:10 PM, Steve Stonebraker <ste...@gm...> wrote:
>> Thanks!
>>
>> I came up with this rule:
>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>> "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"
>>
>> But am receiving this error:
>> Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
>> SecRule takes two or three arguments, rule target, operator and optional action list
>>
>> On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>> Thanks I saw that and it looks great but I can't implement it on a prod environment.
>>>>
>>>> Right now I'm toying with:
>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>>>>
>>>> But I'm not sure how to replace the matched value with the character *
>>>
>>> Hi Steve,
>>>
>>> I think the only current solution is to use the ctl action to remove logging the request body entirely if it holds sensitive data. Kind of an all or nothing approach until the patch makes its way into the stable branch.
>>>
>>> --
>>> - Josh
|
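What the `*` replacement Steve is asking about would look like for a JSON body, as an added example that is not code from this thread and not ModSecurity's own: a Python function that masks the values of the secret keys in a parsed JSON body (every character replaced by an asterisk, the way sanitiseArg masks a form parameter) and that falls back to dropping the whole body when it is not JSON but mentions a secret key, which is the all-or-nothing approach Josh describes. It also runs the thread's regex over two constructed bodies to show why capturing the password with that pattern is brittle once the key order changes. The sample bodies and the placeholder text are constructed for the example.

```python
import json
import re

# The regex from the thread, kept here only to show where it breaks.
THREAD_REGEX = re.compile(r'^\{(?:.*)"password":"(.*?)"\}$')

# Constructed placeholder written in place of a body that could not be
# parsed as JSON but mentions a secret key (the all-or-nothing fallback).
OMITTED = "[request body omitted: contains sensitive data]"


def regex_password(body: str):
    """Return what the thread's regex captures as the password, or None."""
    m = THREAD_REGEX.match(body)
    return m.group(1) if m else None


def _mask(value):
    """Replace every character of a string value with '*'; non-string values
    (numbers, booleans) become a single '*' so their type is hidden as well."""
    return "*" * len(value) if isinstance(value, str) else "*"


def mask_secrets(node, secret_keys):
    """Recursively mask values whose key (case-insensitive) is in secret_keys,
    so nested objects and arrays of objects are covered too."""
    if isinstance(node, dict):
        return {k: _mask(v) if k.lower() in secret_keys else mask_secrets(v, secret_keys)
                for k, v in node.items()}
    if isinstance(node, list):
        return [mask_secrets(v, secret_keys) for v in node]
    return node


def sanitise_body(body: str, secret_keys=("password",)) -> str:
    """Return a version of the request body that is safe to write to an audit log.

    JSON bodies keep their structure and only the secret fields are masked.
    A body that is not valid JSON cannot be sanitised field by field, so it is
    dropped entirely if it mentions a secret key and kept unchanged otherwise.
    """
    keys = {k.lower() for k in secret_keys}
    try:
        parsed = json.loads(body)
    except ValueError:
        lowered = body.lower()
        return OMITTED if any(k in lowered for k in keys) else body
    return json.dumps(mask_secrets(parsed, keys), separators=(",", ":"))


if __name__ == "__main__":
    body = '{"username":"someuser","password":"somepassword"}'  # constructed
    print(sanitise_body(body))
    print(regex_password(body))
    # Same fields in a different order: the regex captures far more than the password.
    print(regex_password('{"password":"somepassword","username":"someuser"}'))
```

The masking keeps the length of the original value, which is what an operator reading the audit log needs to see that a credential was present; if length itself is considered sensitive, a fixed-width mask is a one-line change in `_mask`.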
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-09 20:24:39
|
On Wed, Oct 9, 2013 at 9:10 PM, Steve Stonebraker <ste...@gm...> wrote:
> Thanks!
>
> I came up with this rule:
> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
> "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"

Hi Steve,

A couple thoughts:

1. REQUEST_BODY won't have the JSON request in it unless you enable forceRequestBodyVariable beforehand in phase 1.

2. Your rule can only have two or three arguments. You can group your arguments together using quotes, but if your regex includes quotes you need to escape them.

3. If all you want to do is check if the JSON body contains the string password then you can simplify your rule as follows:

# Force the Request_Body collection to contain the JSON body based on the content-type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On

# Search for the string 'password' in the request body and disable audit log parts C and I
SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"

--
- Josh

> But am receiving this error:
> Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
> SecRule takes two or three arguments, rule target, operator and optional action list
|
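Why the first rule fails with "SecRule takes two or three arguments" while the escaped form from point 2 loads, as an added example that is neither Apache nor ModSecurity code: a small Python re-implementation of how Apache's configuration reader splits a directive line into words, written from my understanding of `ap_getword_conf` (a word that starts with a quote runs to the matching unescaped quote and `\"` inside it becomes `"`; any other word runs to the next whitespace; a quoted word may be followed immediately by an unquoted one). The argument count it produces is what Apache checks before the directive ever reaches ModSecurity. The three rule strings are copies of the rules in this thread, the second with the inner quotes escaped.

```python
# Copies of the rules from the thread. The only difference between the first
# two is that the inner quotes of the regex are escaped in the second.
BROKEN_RULE = r'''SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"'''
FIXED_RULE = r'''SecRule REQUEST_BODY "^\{(?:.*)\"password\":\"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"'''
JOSH_RULE = r'''SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"'''


def getword_conf(line: str, pos: int):
    """Read one configuration word starting at `pos`, modelled on Apache's
    ap_getword_conf (an approximation written for this example):
    - a word that starts with " or ' runs to the matching unescaped quote,
      and an escaped quote or backslash inside it is unescaped;
    - any other word runs to the next whitespace character.
    Returns (word, position after the word and any trailing whitespace)."""
    n = len(line)
    while pos < n and line[pos].isspace():
        pos += 1
    if pos >= n:
        return "", pos
    quote = line[pos] if line[pos] in ('"', "'") else None
    out = []
    i = pos + 1 if quote else pos
    while i < n:
        ch = line[i]
        if quote and ch == quote:
            i += 1  # consume the closing quote; the next word may start right here
            break
        if not quote and ch.isspace():
            break
        nxt = line[i + 1] if i + 1 < n else ""
        if ch == "\\" and (nxt == "\\" or (quote and nxt == quote)):
            out.append(nxt)  # \" inside a quoted word becomes "
            i += 2
        else:
            out.append(ch)
            i += 1
    while i < n and line[i].isspace():
        i += 1
    return "".join(out), i


def split_directive(line: str):
    """Split a directive line into words the way the config reader does."""
    line = line.strip()
    words, pos = [], 0
    while pos < len(line):
        word, pos = getword_conf(line, pos)
        words.append(word)
    return words


def secrule_argc(line: str) -> int:
    """Number of arguments handed to SecRule; the directive accepts 2 or 3."""
    words = split_directive(line)
    if not words or words[0] != "SecRule":
        raise ValueError("not a SecRule directive")
    return len(words) - 1


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE), ("josh", JOSH_RULE)):
        words = split_directive(rule)
        print(f"{name}: {len(words) - 1} argument(s) -> {words[1:]}")
```

For the broken rule the reader closes the regex at the quote before `password`, so the regex is cut into `^\{(?:.*)` and an unquoted `password":"(.*?)\"\}$"`, giving four arguments; with the inner quotes escaped the regex is one word again and the count is three.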
From: Steve S. <ste...@gm...> - 2013-10-10 13:38:37
|
Thank you Josh for your help. I think your rule should work but I'm still seeing the password picked up in my jwall logs. I think it is because of my next three rules:

# Force the Request_Body collection to contain the JSON body based on the content-type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On

# Search for the string 'password' in the request body and disable audit log parts C and I
SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"

#IP Address Tracking
SecAction "id:'500001',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

#Start logging everything coming from an IP address after a single
#rule match. To achieve that, we set the flag IP.logflag for up to one hour (3600 seconds):
SecRule HIGHEST_SEVERITY "@gt 0" \
id:'500003',phase:5,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}

#Detect the flag and force logging:
SecRule IP:logflag "@gt 0" \
"id:'500005',phase:5,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:'%{ip.logflag_hash}',pass,ctl:auditEngine=On"

How can I incorporate the rules you suggested with rules 500001-50005?

On Wed, Oct 9, 2013 at 3:24 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
> Hi Steve,
>
> A couple thoughts:
>
> 1. REQUEST_BODY won't have the JSON request in it unless you enable forceRequestBodyVariable beforehand in phase 1.
>
> 2. Your rule can only have two or three arguments. You can group your arguments together using quotes, but if your regex includes quotes you need to escape them.
>
> 3. If all you want to do is check if the JSON body contains the string password then you can simplify your rule as follows:
>
> # Force the Request_Body collection to contain the JSON body based on the content-type header
> SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On
>
> # Search for the string 'password' in the request body and disable audit log parts C and I
> SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"
>
> --
> - Josh
|
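How the combined rule set above behaves across phases, as an added example and not ModSecurity code: a Python simulation of rules 1001, 1002, 500003 and 500005 run against a constructed request, with rule 500001's IP collection modelled as a plain dict. Its assumptions are the ones the thread states or that I am adding: REQUEST_BODY stays empty for a JSON body until forceRequestBodyVariable is on (Josh's point 1); `ctl:auditLogParts` and `ctl:auditEngine` apply to the current transaction; the default parts list `ABCFHZ` is a placeholder for whatever SecAuditLogParts sets; and the request's Content-Type is `application/json`, which the thread does not show (only the response's Content-Type is visible in the later audit log), so it is an assumption. What it demonstrates: parts C and I are removed only in a transaction where the phase-1 Content-Type rule actually matched, and switching the audit engine on in phase 5 does not bring them back; when the phase-1 pattern does not match the request's Content-Type, rule 1002 never sees the body and part C is written as usual.

```python
import re
from dataclasses import dataclass, field

# Constructed default: the audit-log parts written when no rule changes them
# (in ModSecurity this comes from SecAuditLogParts; the value is an assumption).
DEFAULT_PARTS = "ABCFHZ"

SAMPLE_BODY = '{"username":"someuser","password":"somepassword"}'  # constructed


@dataclass
class Transaction:
    headers: dict
    raw_body: str
    ip: dict = field(default_factory=dict)   # the IP collection (initcol:ip)
    highest_severity: int = 0                # HIGHEST_SEVERITY; 0 = no rule raised it
    force_body: bool = False                 # set by ctl:forceRequestBodyVariable=On
    audit_parts: str = DEFAULT_PARTS         # changed by ctl:auditLogParts=-CI
    audit_engine: bool = False               # set by ctl:auditEngine=On
    matched: list = field(default_factory=list)

    def request_body(self) -> str:
        # Point 1 of Josh's reply: for a JSON body REQUEST_BODY is empty
        # unless forceRequestBodyVariable was switched on in phase 1.
        return self.raw_body if self.force_body else ""


@dataclass
class Rule:
    rid: int
    phase: int
    variable: object   # callable: Transaction -> str
    operator: str      # "@gt N", or a regex (the default @rx)
    action: object     # callable: Transaction -> None


def matches(operator: str, value: str) -> bool:
    if operator.startswith("@gt "):
        return float(value or 0) > float(operator[4:])
    return re.search(operator, value) is not None


def remove_parts(tx: Transaction, parts: str) -> None:
    """ctl:auditLogParts=-<parts>: drop the named parts for this transaction."""
    tx.audit_parts = "".join(p for p in tx.audit_parts if p not in parts)


def rules_from_thread(content_type_pattern: str):
    """Steve's combined rule set; the Content-Type pattern is a parameter so
    the two outcomes can be compared."""
    return [
        Rule(1001, 1, lambda tx: tx.headers.get("Content-Type", ""), content_type_pattern,
             lambda tx: setattr(tx, "force_body", True)),
        Rule(1002, 2, lambda tx: tx.request_body(), "password",
             lambda tx: remove_parts(tx, "CI")),
        Rule(500003, 5, lambda tx: str(tx.highest_severity), "@gt 0",
             lambda tx: tx.ip.update(logflag=1)),
        Rule(500005, 5, lambda tx: str(tx.ip.get("logflag", 0)), "@gt 0",
             lambda tx: setattr(tx, "audit_engine", True)),
    ]


def run(tx: Transaction, rules) -> Transaction:
    """Evaluate the rules phase by phase, in the order given within a phase."""
    for phase in (1, 2, 5):
        for rule in (r for r in rules if r.phase == phase):
            if matches(rule.operator, rule.variable(tx)):
                tx.matched.append(rule.rid)
                rule.action(tx)
    return tx


def simulate(content_type_pattern: str, content_type: str = "application/json",
             logflag: int = 1):
    """Return (ids of the rules that matched, audit-log parts written or None).

    The transaction is written only when audit_engine was switched on, a
    simplification standing in for SecAuditEngine RelevantOnly with no
    other relevant rule firing. `logflag` models a flag set by an earlier
    transaction from the same IP.
    """
    tx = Transaction(headers={"Content-Type": content_type}, raw_body=SAMPLE_BODY,
                     ip={"logflag": logflag})
    run(tx, rules_from_thread(content_type_pattern))
    return tx.matched, (tx.audit_parts if tx.audit_engine else None)


if __name__ == "__main__":
    # The pattern from the thread against a request whose Content-Type is application/json:
    print(simulate("jsonrequest"))        # ([500005], 'ABCFHZ'): part C is still written
    # A pattern that matches that Content-Type (hypothetical adjustment):
    print(simulate("application/json"))   # ([1001, 1002, 500005], 'ABFHZ'): part C dropped
```

The check a practitioner would make from this is whether rules 1001 and 1002 appear among the matched rules (part K of the audit log) for the transaction in question; if they do not, the phase-1 trigger is the place to look, not the IP-tracking rules.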
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-10 15:58:47
|
On Thu, Oct 10, 2013 at 4:38 PM, Steve Stonebraker <ste...@gm...> wrote:
> How can I incorporate the rules you suggested with rules 500001-50005?

Hi Steve,

I just tested (only) the rules above and did not see the password in the audit log. Can you send me section K of an audit log using these rules that contain the password?

Thanks,

--
- Josh
|
From: Steve S. <ste...@gm...> - 2013-10-10 17:29:09
|
I appreciate your help Josh. Here are the logs:

--983ddd49-C--
{"username":"redacted","password":"redacted"}

--983ddd49-F--
HTTP/1.1 201 Created
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 example.com ()
X-CorrelationID: Id-f18210815256b42216000004 0
Content-Type: application/json
Set-Cookie: rememberMe=deleteMe; Path=/redacted; Max-Age=0; Expires=Wed, 09-Oct-2013 14:04:01 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Transfer-Encoding: chunked

--983ddd49-H--
Message: Warning. Operator GT matched 0 at IP:logflag. [file "/opt/modsecurity/etc/rules-first.conf"] [line "37"] [id "500005"] [msg "Transaction Logged Due to Previous Rule Match."] [data "Ula0RH8AAAEAAGt2CZ0AAABG"]
Apache-Handler: proxy-server
Stopwatch: 1381413956023795 74449 (- - -)
Stopwatch2: 1381413956023795 74449; combined=3306, p1=671, p2=1984, p3=2, p4=106, p5=369, sr=168, sw=174, l=0, gc=0
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "ENABLED"

--983ddd49-K--
SecAction "phase:1,auditlog,id:500001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecAction "phase:1,auditlog,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
SecAction "phase:1,auditlog,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
SecAction "phase:1,auditlog,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"
SecAction "phase:1,auditlog,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
SecAction "phase:1,auditlog,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
SecRule "&TX:REAL_IP" "@eq 0" "phase:1,auditlog,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"
SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,nolog,auditlog,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.8,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,nolog,auditlog,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
#SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:6,accuracy:8,t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"
#SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
#SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,nolog,auditlog,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,auditlog,id:981133,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule "&TX:PM_XSS_SCORE" "@eq 0" "phase:2,auditlog,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog"
SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,chain,id:981022,t:none,pass,nolog"
#SecRule "REQUEST_HEADERS:User-Agent" "@contains Adobe Flash Player" "chain,t:none"
#SecRule "REQUEST_HEADERS:X-Flash-Version" "@rx .*" "chain,t:none"
#SecRule "REQUEST_HEADERS:Content-Type" "@contains application/x-amf" "chain,t:none"
#SecRule "TX:'/PROTOCOL_VIOLATION\\\\/MISSING_HEADER/'" "@rx .*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,chain,t:none,log,block,id:2100000,msg:'SLR: Possible Elevation of Privilege Attack against .Net.',tag: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3416,tag:http://technet.microsoft.com/en-us/security/bulletin/ms11-100 "
#SecRule "REQUEST_FILENAME" "@contains /Membership/CreatingUserAccounts.aspx" "chain"
#SecRule "ARGS:/\\$CreateUserStepContainer\\$UserName$/" "@validateByteRange 1-255" "t:urlDecodeUni"
SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
SecRule "HIGHEST_SEVERITY" "@gt 0" "phase:5,auditlog,id:500003,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}"
SecRule "IP:logflag" "@gt 0" "phase:5,auditlog,id:500005,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:%{ip.logflag_hash},pass,ctl:auditEngine=On"

--983ddd49-Z--

On Thu, Oct 10, 2013 at 10:58 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
> On Thu, Oct 10, 2013 at 4:38 PM, Steve Stonebraker <ste...@gm...> wrote:
>> How can I incorporate the rules you suggested with rules 500001-50005?
>
> Hi Steve,
>
> I just tested (only) the rules above and did not see the password in the audit log. Can you send me section K of an audit log using these rules that contain the password?
>
> Thanks,
>
> --
> - Josh
>
>> On Wed, Oct 9, 2013 at 3:24 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>> On Wed, Oct 9, 2013 at 9:10 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>> Thanks!
>>>>
>>>> I came up with this rule:
>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"
>>>
>>> Hi Steve,
>>>
>>> A couple thoughts:
>>>
>>> 1. REQUEST_BODY won't have the JSON request in it unless you enable forceRequestBodyVariable beforehand in phase 1.
>>>
>>> 2. Your rule can only have two or three arguments. You can group your arguments together using quotes, but if your regex includes quotes you need to escape them.
>>>
>>> 3. If all you want to do is check if the JSON body contains the string password then you can simplify your rule as follows:
>>>
>>> # Force the Request_Body collection to contain the JSON body based on the content-type header
>>> SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On
>>>
>>> # Search for the string 'password' in the request body and disable audit log parts C and I
>>> SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"
>>>
>>> --
>>> - Josh
>>>
>>>> But I am receiving this error:
>>>> Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf: SecRule takes two or three arguments, rule target, operator and optional action list
>>>>
>>>> On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>>>> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>>>> Thanks, I saw that and it looks great but I can't implement it on a prod environment.
>>>>>>
>>>>>> Right now I'm toying with:
>>>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>>>>>>
>>>>>> But I'm not sure how to replace the matched value with the character *
>>>>>
>>>>> Hi Steve,
>>>>>
>>>>> I think the only current solution is to use the ctl action to remove logging the request body entirely if it holds sensitive data. Kind of an all or nothing approach until the patch makes its way into the stable branch.
>>>>>
>>>>> --
>>>>> - Josh
>>>>>
>>>>>> On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>>>>>> On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>>>>>> I'll answer my own question. The body has JSON which is not processed by sanitiseArg.
>>>>>>>
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> Not sure how stable this is yet, but take a look at: https://www.modsecurity.org/tracker/browse/MODSEC-253
>>>>>>> Perhaps with the patch you could use sanitiseMatched.
>>>>>>>
>>>>>>> --
>>>>>>> - Josh
>>>>>>>
>>>>>>>> On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>>>>>>> I am unable to sanitize a password in the request body.
>>>>>>>>>
>>>>>>>>> --2a688459-C-- {"username":"someuser","password":"somepassword"}
>>>>>>>>>
>>>>>>>>> What I've tried:
>>>>>>>>> SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
>>>>>>>>> SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
>>>>>>>>> SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched
>>>>>>>>>
>>>>>>>>> Any suggestions?
|
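Steve's goal in the exchange quoted above, masking the password inside a JSON body that sanitiseArg never parses, can also be met after the fact by post-processing the serial audit log instead of dropping parts C and I wholesale. The script below is an added example, not code from the thread or from the ModSecurity project; it assumes the --<id>-<letter>-- part boundaries seen in the log above and runs on a constructed sample log.

```python
"""Mask sensitive JSON fields in a ModSecurity 2.x serial audit log.

sanitiseArg only touches parsed ARGS, so a JSON body logged in part C keeps
the clear-text password.  This post-processor masks such values the way
sanitiseArg would (every character replaced by '*') without discarding the
whole part, which is what ctl:auditLogParts=-CI does.
"""
import json
import re
import sys
from typing import Any, List, Tuple

# Part boundary as it appears in the serial log, e.g. --983ddd49-C--
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# JSON keys whose values are masked (compared case-insensitively).
SENSITIVE_KEYS = ("password", "passwd", "pwd")
# Fallback for a part C that is not valid JSON (e.g. a truncated body):
# match the key and opening quote, then the value up to a closing quote or
# the end of the text.  The closing quote, if any, is left untouched.
FALLBACK_RE = re.compile(
    r'("(?:password|passwd|pwd)"\s*:\s*")((?:\\.|[^"\\])*)', re.IGNORECASE)


def parse_audit_log(text: str) -> List[Tuple[str, str, str]]:
    """Split a serial audit log into (transaction id, part letter, content)."""
    parts: List[Tuple[str, str, str]] = []
    tx_id = part = None
    buf: List[str] = []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if part is not None:
                parts.append((tx_id, part, "\n".join(buf)))
            tx_id, part = m.group(1), m.group(2)
            buf = []
        elif part is not None:
            buf.append(line)
    if part is not None:
        parts.append((tx_id, part, "\n".join(buf)))
    return parts


def mask_value(value: Any) -> str:
    """Replace a scalar with asterisks of the same length, like sanitiseArg."""
    return "*" * len(str(value))


def redact_json(obj: Any) -> Any:
    """Recursively mask sensitive keys in a decoded JSON document."""
    if isinstance(obj, dict):
        return {
            k: mask_value(v)
            if k.lower() in SENSITIVE_KEYS and not isinstance(v, (dict, list))
            else redact_json(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    return obj


def redact_body(body: str) -> str:
    """Mask sensitive fields in one request body; tolerate non-JSON input."""
    stripped = body.strip()
    if not stripped:
        return body
    try:
        doc = json.loads(stripped)
    except ValueError:
        # Not (complete) JSON: mask textually so a truncated body is still
        # not logged in clear.  Bodies with no such key come back unchanged.
        return FALLBACK_RE.sub(
            lambda m: m.group(1) + mask_value(m.group(2)), body)
    redacted = json.dumps(redact_json(doc), separators=(",", ":"))
    # Keep the blank lines around the body; only the JSON text is replaced.
    return body.replace(stripped, redacted, 1)


def redact_audit_log(text: str) -> str:
    """Rewrite the whole log, masking only request-body parts C and I."""
    out: List[str] = []
    for tx_id, part, content in parse_audit_log(text):
        if part in ("C", "I"):
            content = redact_body(content)
        out.append(f"--{tx_id}-{part}--")
        if content:
            out.append(content)
    return "\n".join(out) + "\n"


# Constructed sample in the layout of the thread's log (parts A, C, K, Z);
# the credential and the part A values are made up.
SAMPLE_LOG = """--983ddd49-A--
[10/Oct/2013:14:04:01 +0000] constructed-unique-id 192.0.2.10 51234 192.0.2.20 443
--983ddd49-C--
{"username":"someuser","password":"somepassword"}

--983ddd49-K--
SecAction "phase:1,auditlog,id:500001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
--983ddd49-Z--

"""

if __name__ == "__main__":
    # Usage: redact_audit_log.py [audit.log]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    sys.stdout.write(redact_audit_log(text))
```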
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-10 20:32:53
|
On Thu, Oct 10, 2013 at 8:28 PM, Steve Stonebraker <ste...@gm...> wrote:
>
> --983ddd49-K--

Hi Steve. I don't see rules 1001 and 1002 in section K. Can you increase the debug log to 9, rerun the JSON request and verify that those rules are run?

Thanks,

--
- Josh

> SecAction "phase:1,auditlog,id:500001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
>
> SecAction "phase:1,auditlog,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
>
> SecAction "phase:1,auditlog,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
>
> SecAction "phase:1,auditlog,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"
>
> SecAction "phase:1,auditlog,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
>
> SecAction "phase:1,auditlog,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"
>
> SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
>
> SecRule "&TX:REAL_IP"
"@eq 0" > "phase:1,auditlog,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass" > > SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,nolog,auditlog,msg:'POST > request missing Content-Length > Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.8,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain" > #SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" > "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ > rule.id > }-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" > > SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" > "phase:1,nolog,auditlog,chain,t:none,block,msg:'Request content type is not > allowed by > policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}" > SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture" > #SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" > "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{ > rule.id > }-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" > > SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" > "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:6,accuracy:8,t:none,block,msg:'Pragma > Header requires Cache-Control Header for HTTP/1.1 > requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ" > #SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain" > #SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" > "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ > rule.id > 
}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
> #SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
> #SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>
> SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,nolog,auditlog,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
> #SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
> SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,auditlog,id:981133,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
>
> SecRule "&TX:PM_XSS_SCORE" "@eq 0" "phase:2,auditlog,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog"
>
> SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,chain,id:981022,t:none,pass,nolog"
> #SecRule "REQUEST_HEADERS:User-Agent" "@contains Adobe Flash Player" "chain,t:none"
> #SecRule "REQUEST_HEADERS:X-Flash-Version" "@rx .*" "chain,t:none"
> #SecRule "REQUEST_HEADERS:Content-Type" "@contains application/x-amf" "chain,t:none"
> #SecRule "TX:'/PROTOCOL_VIOLATION\\\\/MISSING_HEADER/'" "@rx .*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
>
> SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,chain,t:none,log,block,id:2100000,msg:'SLR: Possible Elevation of Privilege Attack against .Net.',tag:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3416,tag:http://technet.microsoft.com/en-us/security/bulletin/ms11-100"
> #SecRule "REQUEST_FILENAME" "@contains /Membership/CreatingUserAccounts.aspx" "chain"
> #SecRule "ARGS:/\\$CreateUserStepContainer\\$UserName$/" "@validateByteRange 1-255" "t:urlDecodeUni"
>
> SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"
>
> SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
>
> SecRule "HIGHEST_SEVERITY" "@gt 0" "phase:5,auditlog,id:500003,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}"
>
> SecRule "IP:logflag" "@gt 0" "phase:5,auditlog,id:500005,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:%{ip.logflag_hash},pass,ctl:auditEngine=On"
>
> --983ddd49-Z--
>
> On Thu, Oct 10, 2013 at 10:58 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>
>> On Thu, Oct 10, 2013 at 4:38 PM, Steve Stonebraker <ste...@gm...> wrote:
>>
>>> How can I incorporate the rules you suggested with rules 500001-50005?
>>
>> Hi Steve,
>>
>> I just tested (only) the rules above and did not see the password in the
>> audit log. Can you send me section K of an audit log using these rules that
>> contain the password?
>>
>> Thanks,
>>
>> --
>> - Josh
>>
>>> On Wed, Oct 9, 2013 at 3:24 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>>
>>>> On Wed, Oct 9, 2013 at 9:10 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>>
>>>>> Thanks!
>>>>>
>>>>> I came up with this rule:
>>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"
>>>>
>>>> Hi Steve,
>>>>
>>>> A couple thoughts:
>>>>
>>>> 1. REQUEST_BODY won't have the JSON request in it unless you
>>>> enable forceRequestBodyVariable beforehand in phase 1.
>>>>
>>>> 2. Your rule can only have two or three arguments. You can group your
>>>> arguments together using quotes, but if your regex includes quotes you need
>>>> to escape them.
>>>>
>>>> 3. If all you want to do is check if the JSON body contains the
>>>> string password then you can simplify your rule as follows:
>>>>
>>>> # Force the REQUEST_BODY collection to contain the JSON body based on the content-type header
>>>> SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On
>>>>
>>>> # Search for the string 'password' in the request body and disable audit log parts C and I
>>>> SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"
>>>>
>>>> --
>>>> - Josh
>>>>
>>>>> But am receiving this error:
>>>>> Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
>>>>> SecRule takes two or three arguments, rule target, operator and optional action list
>>>>>
>>>>> On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>>>>
>>>>>> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>>>>
>>>>>>> Thanks I saw that and it looks great but I can't implement it on a
>>>>>>> prod environment.
>>>>>>>
>>>>>>> Right now I'm toying with:
>>>>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>>>>>>>
>>>>>>> But I'm not sure how to replace the matched value with the character *
>>>>>>
>>>>>> Hi Steve,
>>>>>>
>>>>>> I think the only current solution is to use the ctl action to remove
>>>>>> logging the request body entirely if it holds sensitive data. Kind of an
>>>>>> all or nothing approach until the patch makes its way into the stable
>>>>>> branch.
>>>>>>
>>>>>> --
>>>>>> - Josh
|
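Until the JSON body processor that MODSEC-253 tracks is available (it shipped in ModSecurity 2.8, where ctl:requestBodyProcessor=JSON populates ARGS from the JSON body and sanitiseArg:password then works as Steve first tried), ctl:auditLogParts=-C is the only in-engine option, and as Josh says it drops the whole body. A second option that keeps the rest of the body for forensics is to redact the audit log itself once it is on disk. The script below is an added example written for this page, not code from ModSecurity, the OWASP CRS or anyone in the thread. It assumes the serial (single-file) audit log layout, where every part begins with a boundary line such as --2a688459-C-- and the entry ends with the Z part; the key names in SENSITIVE_KEYS are assumptions, and SAMPLE_LOG is a constructed entry modelled on the one quoted in the thread, not a real capture. It also includes the check Josh asks for: which of the expected rule ids actually appear in section K.

```python
import re

# Serial audit log part boundary, e.g. "--2a688459-C--"; group 2 is the part letter.
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")

# Parts that carry the request body: C (raw body) and I (reduced multipart body).
BODY_PARTS = frozenset("CI")

# Assumed key names; extend with the application's own field names.
SENSITIVE_KEYS = ("password", "passwd", "new_password", "old_password")

# "key": "value" with a JSON string value, escapes included, so a password
# containing \" or \\ is consumed as one token instead of ending the match early.
SENSITIVE_VALUE_RE = re.compile(
    r'("(?:%s)"\s*:\s*")((?:[^"\\]|\\.)*)(")' % "|".join(map(re.escape, SENSITIVE_KEYS)),
    re.IGNORECASE,
)

# Rule ids as ModSecurity writes them in section K: id:500005 or id:'1002'.
RULE_ID_RE = re.compile(r"\bid:'?(\d+)'?")

# Constructed sample entry modelled on the one quoted in the thread; not a real log.
SAMPLE_LOG = """--2a688459-B--
POST /api/login HTTP/1.1
Host: example.test
Content-Type: application/json
Content-Length: 49

--2a688459-C--
{"username":"someuser","password":"somepassword"}
--2a688459-K--
SecRule "HIGHEST_SEVERITY" "@gt 0" "phase:5,auditlog,id:500003,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}"

SecRule "IP:logflag" "@gt 0" "phase:5,auditlog,id:500005,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:%{ip.logflag_hash},pass,ctl:auditEngine=On"
--2a688459-Z--
"""


def mask(value):
    """Replace every character with '*', the same convention sanitiseArg uses."""
    return "*" * len(value)


def redact_body(body):
    """Mask sensitive JSON string values in a raw body; returns (body, count).

    Everything else stays byte for byte as logged, which matters if the entry
    is later used as evidence. A body with no JSON string values is untouched.
    """
    count = 0

    def _sub(m):
        nonlocal count
        count += 1
        return m.group(1) + mask(m.group(2)) + m.group(3)

    return SENSITIVE_VALUE_RE.sub(_sub, body), count


def redact_audit_log(text):
    """Rewrite a serial audit log, masking secrets inside parts C and I only.

    Body lines are buffered per part so a pretty-printed JSON body whose key
    and value sit on different lines is still handled. Boundary lines and all
    other parts (headers in B, response in F, matched rules in K) are copied.
    """
    out, buf, count, part = [], [], 0, None

    def flush():
        nonlocal count
        if buf:
            chunk, n = redact_body("".join(buf))
            out.append(chunk)
            count += n
            buf.clear()

    for line in text.splitlines(keepends=True):
        m = BOUNDARY_RE.match(line.rstrip("\r\n"))
        if m:
            flush()
            part = m.group(2)
            out.append(line)
        elif part in BODY_PARTS:
            buf.append(line)
        else:
            out.append(line)
    flush()
    return "".join(out), count


def split_parts(entry):
    """Map part letter -> content for one audit log entry."""
    parts, part = {}, None
    for line in entry.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            part = m.group(2)
            parts[part] = []
        elif part is not None:
            parts[part].append(line)
    return {k: "\n".join(v).strip() for k, v in parts.items()}


def matched_rule_ids(part_k):
    """Rule ids listed in section K, in the order ModSecurity wrote them."""
    return [int(i) for i in RULE_ID_RE.findall(part_k)]


def missing_rule_ids(part_k, expected):
    """Expected rule ids that never show up in section K, i.e. did not fire."""
    seen = set(matched_rule_ids(part_k))
    return [i for i in expected if i not in seen]


if __name__ == "__main__":
    redacted, n = redact_audit_log(SAMPLE_LOG)
    print(redacted)
    print("values redacted:", n)
    print("rules that did not fire:", missing_rule_ids(split_parts(SAMPLE_LOG)["K"], [1001, 1002]))
```

Run it over a rotated audit log before the file leaves the host. Because only parts C and I are rewritten, section K survives intact, and missing_rule_ids on it is the same test Josh asks for: a ctl action only takes effect when its rule matches, so if 1002 is absent from section K the body was written with part C still enabled, whatever the rule was meant to do.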
From: Steve S. <ste...@gm...> - 2013-10-11 15:39:11
|
I made some progress...

If I just run these rules, the request body is only recorded when a POST request results in ERROR 400 (meaning only incorrect login/passwords are logged):

# Do not log any GET or HEAD requests
SecRule REQUEST_METHOD "@pm GET HEAD" "id:'999001',chain,phase:1,t:none,nolog,pass"
SecRule REQUEST_URI "!@contains ?" "chain"
SecRule &ARGS "@eq 0" "chain"
SecRule &REQUEST_HEADERS:Content-Length|&REQUEST_HEADERS:Content-Type "@eq 0" "ctl:ruleEngine=Off,ctl:auditEngine=Of$

# Ignore apache dummy connections
SecRule REQUEST_LINE "@streq OPTIONS * HTTP/1.0" "id:'999002',phase:1,chain,t:none,nolog,pass"
SecRule REMOTE_ADDR "^(::1|127\.0\.0\.1)$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none"

SecRule &REQUEST_HEADERS:Host "@eq 0" "deny,log,status:400,id:08,severity:4,msg:'Missing a Host Header'"
SecRule &REQUEST_HEADERS:Accept "@eq 0" "log,deny,log,status:400,id:15,msg:'Request Missing an Accept Header'"

# Force the REQUEST_BODY collection to contain the JSON body based on the content-type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On

# Remove audit log part C if a password is found in the request body
SecRule REQUEST_BODY ^\{(?:.*)"password":"(.*?)\"\}$ "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-C"

However, if I also include these rules, POST request bodies containing passwords are logged, because when my page loads it always has an error 400 (due to the js making a request for a session variable that isn't assigned yet... which makes IP.logflag=1):

# IP Address Tracking
SecAction "id:'500001',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Start logging everything coming from an IP address after a single
# rule match. To achieve that, we set the flag IP.logflag for up to one hour (3600 seconds):
SecRule HIGHEST_SEVERITY "@gt 0" \
    id:'500003',phase:5,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}

# Detect the flag and force logging:
SecRule IP:logflag "@gt 0" \
    "id:'500005',phase:5,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:'%{ip.logflag_hash}',pass,ctl:auditEngine=On"

Do I need to chain the IP address tracking rules with the ignore password rule or something?

On Thu, Oct 10, 2013 at 3:32 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:

> On Thu, Oct 10, 2013 at 8:28 PM, Steve Stonebraker <ste...@gm...> wrote:
>
>> --983ddd49-K--
>
> Hi Steve.
>
> I don't see rules 1001 and 1002 in section K. Can you increase the debug
> log to 9, rerun the JSON request and verify that those rules are run?
>
> Thanks,
>
> --
> - Josh
>
>> SecAction "phase:1,auditlog,id:500001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
>>
>> SecAction "phase:1,auditlog,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
>>
>> SecAction "phase:1,auditlog,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
>>
>> SecAction "phase:1,auditlog,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.out9bound_anomaly_score_level=4,nolog,pass"
>>
>> SecAction "phase:1,auditlog,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
>>
>> SecAction "phase:1,auditlog,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/
.asax/ .ascx/ >> .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ >> .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ >> .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ >> .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ >> .vsdisco/ .webinfo/ .xsd/ >> .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ >> /Content-Range/ /Translate/ /via/ /if/',nolog,pass" >> >> SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" >> "phase:1,auditlog,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass" >> >> SecRule "&TX:REAL_IP" "@eq 0" >> "phase:1,auditlog,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass" >> >> SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,nolog,auditlog,msg:'POST >> request missing Content-Length >> Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.8,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain" >> #SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" >> "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ >> rule.id >> }-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" >> >> SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" >> "phase:1,nolog,auditlog,chain,t:none,block,msg:'Request content type is not >> allowed by >> policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}" >> SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture" >> #SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" >> 
"t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{ >> rule.id >> }-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" >> >> SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" >> "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:6,accuracy:8,t:none,block,msg:'Pragma >> Header requires Cache-Control Header for HTTP/1.1 >> requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ" >> #SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain" >> #SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" >> "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ >> rule.id >> }-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" >> >> SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" >> "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request >> Missing an Accept >> Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10" >> #SecRule "&REQUEST_HEADERS:Accept" "@eq 0" >> "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ >> rule.id >> }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" >> >> SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" >> "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request >> Has an Empty Accept >> Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT" >> #SecRule "REQUEST_HEADERS:Accept" "@rx ^$" >> "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ >> rule.id >> }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" >> >> SecRule "&TX:MAX_NUM_ARGS" "@eq 1" >> "phase:2,nolog,auditlog,chain,t:none,block,msg:'Too many arguments 
|
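An added example (not Steve's or Josh's rules) of the phase interplay Steve asks about above: the phase 5 IP-tracking rule 500005 turns the audit engine back on after a phase 2 rule has switched it off for a request carrying a password. Rule ids 1001, 1002 and 500005 and the IP:logflag collection are the thread's; the application/json Content-Type check and the tx.has_credentials variable name are assumptions.

```apache
# Phase 1: JSON bodies are not parsed into ARGS, so sanitiseArg cannot reach
# them. Expose the raw body in REQUEST_BODY instead (assumed: the client sends
# Content-Type: application/json).
SecRule REQUEST_HEADERS:Content-Type "@contains application/json" \
    "id:1001,phase:1,t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

# Phase 2: the body carries a password. Switch the audit engine off for this
# transaction and record the decision in a TX variable (assumed name) so a
# later phase can respect it.
SecRule REQUEST_BODY "@contains password" \
    "id:1002,phase:2,t:none,nolog,pass,msg:'User sent password',ctl:auditEngine=Off,setvar:tx.has_credentials=1"

# Phase 5 runs after phase 2, so an unconditional ctl:auditEngine=On here
# would undo rule 1002 and write the password into the audit log. The chain
# makes the re-enable conditional: the ctl sits on the last rule of the chain,
# which only runs when IP:logflag is set AND no credentials were seen.
SecRule IP:logflag "@gt 0" \
    "id:500005,phase:5,log,pass,msg:'Transaction Logged Due to Previous Rule Match.',logdata:'%{ip.logflag_hash}',chain"
    SecRule &TX:has_credentials "@eq 0" "ctl:auditEngine=On"
```

Josh's earlier ctl:auditLogParts=-CI suggestion drops only the body parts and keeps the rest of the transaction in the log; whichever form rule 1002 takes, nothing in phase 5 should unconditionally reverse what phase 2 decided.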
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-13 09:40:21
|
On Fri, Oct 11, 2013 at 6:38 PM, Steve Stonebraker < ste...@gm...> wrote:
>
> #Detect the flag and force logging:
> SecRule IP:logflag "@gt 0" \
> "id:'500005',phase:5,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:'%{ip.logflag_hash}',pass,ctl:auditEngine=On"
>
> Do I need to chain the IP address tracking rules with the ignore password rule or something?
>

Hi Steve,

The above rule re-enables the auditEngine. Based on your ruleset it sounds like you need to use the allow action when initially disabling the auditEngine for requests containing passwords. Otherwise the request will be logged due to your rule above.

Another option might be to create an exception to ensure that the JS request which results in the 400 request does not increase the HIGHEST_SEVERITY variable, but I don't fully understand your login process to be certain that that approach will work.

--
- Josh

> On Thu, Oct 10, 2013 at 3:32 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>
>> On Thu, Oct 10, 2013 at 8:28 PM, Steve Stonebraker < ste...@gm...> wrote:
>>
>>> --983ddd49-K--
>>
>> Hi Steve.
>>
>> I don't see rules 1001 and 1002 in section K. Can you increase the debug log to 9, rerun the JSON request and verify that those rules are run?
>>
>> Thanks,
>>
>> --
>> - Josh
>>
>>> SecAction "phase:1,auditlog,id:500001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
>>>
>>> SecAction "phase:1,auditlog,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
>>>
>>> SecAction "phase:1,auditlog,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
>>>
>>> SecAction "phase:1,auditlog,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"
>>>
>>> SecAction "phase:1,auditlog,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
>>>
>>> SecAction "phase:1,auditlog,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"
>>>
>>> SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
>>>
>>> SecRule "&TX:REAL_IP" "@eq 0" "phase:1,auditlog,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"
>>>
>>> SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,nolog,auditlog,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.8,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
>>> #SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,nolog,auditlog,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
>>> SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
>>> #SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:6,accuracy:8,t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"
>>> #SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
>>> #SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
>>> #SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
>>> #SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,nolog,auditlog,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
>>> #SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
>>> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
>>>
>>> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/" >>> #SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" >>> "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ >>> rule.id >>> }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" >>> >>> SecRule >>> "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" >>> "@pmFromFile modsecurity_40_generic_attacks.data" >>> "phase:2,auditlog,id:981133,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1" >>> >>> SecRule "&TX:PM_XSS_SCORE" "@eq 0" >>> "phase:2,auditlog,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog" >>> >>> SecRule "REQUEST_METHOD" "@streq POST" >>> "phase:2,auditlog,chain,id:981022,t:none,pass,nolog" >>> #SecRule "REQUEST_HEADERS:User-Agent" "@contains Adobe Flash Player" >>> "chain,t:none" >>> #SecRule "REQUEST_HEADERS:X-Flash-Version" "@rx .*" "chain,t:none" >>> #SecRule "REQUEST_HEADERS:Content-Type" "@contains application/x-amf" >>> "chain,t:none" >>> #SecRule "TX:'/PROTOCOL_VIOLATION\\\\/MISSING_HEADER/'" "@rx .*" >>> "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}" >>> >>> SecRule "REQUEST_METHOD" "@streq POST" >>> "phase:2,auditlog,chain,t:none,log,block,id:2100000,msg:'SLR: Possible >>> Elevation of Privilege Attack against .Net.',tag: >>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3416,tag:http://technet.microsoft.com/en-us/security/bulletin/ms11-100 >>> " >>> #SecRule "REQUEST_FILENAME" "@contains >>> /Membership/CreatingUserAccounts.aspx" "chain" >>> #SecRule 
"ARGS:/\\$CreateUserStepContainer\\$UserName$/" >>> "@validateByteRange 1-255" "t:urlDecodeUni" >>> >>> SecRule "RESPONSE_BODY" "!@pm iframe" >>> "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK" >>> >>> SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" >>> "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK" >>> >>> SecRule "HIGHEST_SEVERITY" "@gt 0" >>> "phase:5,auditlog,id:500003,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}" >>> >>> SecRule "IP:logflag" "@gt 0" >>> "phase:5,auditlog,id:500005,log,msg:'Transaction Logged Due to Previous >>> Rule Match.',logdata:%{ip.logflag_hash},pass,ctl:auditEngine=On" >>> >>> >>> --983ddd49-Z-- >>> >>> >>> >>> >>> On Thu, Oct 10, 2013 at 10:58 AM, Josh Amishav-Zlatin <ja...@ow...>wrote: >>> >>>> On Thu, Oct 10, 2013 at 4:38 PM, Steve Stonebraker < >>>> ste...@gm...> wrote: >>>> >>>>> >>>>> >>>>> How can I incorporate the rules you suggested with rules 500001-50005? >>>>> >>>>> >>>> Hi Steve, >>>> >>>> I just tested (only) the rules above and did not see the password in >>>> the audit log. Can you send me section K of an audit log using these rules >>>> that contain the password? >>>> >>>> Thanks, >>>> >>>> -- >>>> - Josh >>>> >>>> >>>>> >>>>> >>>>> On Wed, Oct 9, 2013 at 3:24 PM, Josh Amishav-Zlatin <ja...@ow...>wrote: >>>>> >>>>>> On Wed, Oct 9, 2013 at 9:10 PM, Steve Stonebraker < >>>>>> ste...@gm...> wrote: >>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>> I came up with this rule: >>>>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" >>>>>>> "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'" >>>>>>> >>>>>>> >>>>>> Hi Steve, >>>>>> >>>>>> A couple thoughts: >>>>>> >>>>>> 1. 
REQUEST_BODY wont have the JSON request in it unless you >>>>>> enable forceRequestBodyVariable beforehand in phase 1. >>>>>> >>>>>> 2. Your rule can only have two or three arguments. You can group your >>>>>> arguments together using quotes, but if your regex includes quotes you need >>>>>> to escape them. >>>>>> >>>>>> 3. If all you want to do is is check if the JSON body contains the >>>>>> string password then you can simplify your rule as follows: >>>>>> >>>>>> # Force the Requst_Body collection to contain the JSON body based on >>>>>> the content-type header >>>>>> SecRule REQUEST_HEADERS:Content-Type "jsonrequest" >>>>>> phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On >>>>>> >>>>>> # Search for the string 'password' in the request body and disable >>>>>> audit log parts C and I >>>>>> SecRule REQUEST_BODY "password" >>>>>> "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent >>>>>> password'" >>>>>> >>>>>> -- >>>>>> - Josh >>>>>> >>>>>> >>>>>>> But am receiving this error: >>>>>>> Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf: >>>>>>> SecRule takes two or three arguments, rule target, operator and >>>>>>> optional action list >>>>>>> >>>>>>> >>>>>>> On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin < >>>>>>> ja...@ow...> wrote: >>>>>>> >>>>>>>> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker < >>>>>>>> ste...@gm...> wrote: >>>>>>>> >>>>>>>>> Thanks I saw that and it looks great but I can't implement it on a >>>>>>>>> prod environment. >>>>>>>>> >>>>>>>>> Right now I'm toying with: >>>>>>>>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" >>>>>>>>> >>>>>>>>> But i'm not sure how to replace the matched value with the >>>>>>>>> character * >>>>>>>>> >>>>>>>>> >>>>>>>> Hi Steve, >>>>>>>> >>>>>>>> I think the only current solution is to use the ctl action to >>>>>>>> remove logging the request body entirely if it holds sensitive data. 
Kind >>>>>>>> of an all or nothing approach until the patch makes its way into the stable >>>>>>>> branch. >>>>>>>> >>>>>>>> -- >>>>>>>> - Josh >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin < >>>>>>>>> ja...@ow...> wrote: >>>>>>>>> >>>>>>>>>> On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker < >>>>>>>>>> ste...@gm...> wrote: >>>>>>>>>> >>>>>>>>>>> I'll answer my own question. The body has JSON which is not >>>>>>>>>>> processed by sanitiseArg. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> Hi Steve, >>>>>>>>>> >>>>>>>>>> Not sure how stable this is yet, but take a look at: >>>>>>>>>> https://www.modsecurity.org/tracker/browse/MODSEC-253 >>>>>>>>>> Perhaps with the patch you could use santiseMatched. >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> - Josh >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker < >>>>>>>>>>> ste...@gm...> wrote: >>>>>>>>>>> >>>>>>>>>>>> I am unable to sanitize a password in the request body. >>>>>>>>>>>> >>>>>>>>>>>> --2a688459-C-- {"username":"someuser","password":"somepassword"} >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> What i've tried: >>>>>>>>>>>> SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password" >>>>>>>>>>>> SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password" >>>>>>>>>>>> SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched >>>>>>>>>>>> >>>>>>>>>>>> Any suggestions? >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ------------------------------------------------------------------------------ >>>>>>>>>>> October Webinars: Code for Performance >>>>>>>>>>> Free Intel webinars can help you accelerate application >>>>>>>>>>> performance. >>>>>>>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get >>>>>>>>>>> the most from >>>>>>>>>>> the latest Intel processors and coprocessors. 
See abstracts and >>>>>>>>>>> register > >>>>>>>>>>> >>>>>>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> mod-security-users mailing list >>>>>>>>>>> mod...@li... >>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>>>>> SpiderLabs: >>>>>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ------------------------------------------------------------------------------ >>>>>>>>>> October Webinars: Code for Performance >>>>>>>>>> Free Intel webinars can help you accelerate application >>>>>>>>>> performance. >>>>>>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get >>>>>>>>>> the most from >>>>>>>>>> the latest Intel processors and coprocessors. See abstracts and >>>>>>>>>> register > >>>>>>>>>> >>>>>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>>>>>>> _______________________________________________ >>>>>>>>>> mod-security-users mailing list >>>>>>>>>> mod...@li... >>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>>>> SpiderLabs: >>>>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> ------------------------------------------------------------------------------ >>>>>>>>> October Webinars: Code for Performance >>>>>>>>> Free Intel webinars can help you accelerate application >>>>>>>>> performance. >>>>>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get >>>>>>>>> the most from >>>>>>>>> the latest Intel processors and coprocessors. 
See abstracts and >>>>>>>>> register > >>>>>>>>> >>>>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>>>>>> _______________________________________________ >>>>>>>>> mod-security-users mailing list >>>>>>>>> mod...@li... >>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>>> SpiderLabs: >>>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ------------------------------------------------------------------------------ >>>>>>>> October Webinars: Code for Performance >>>>>>>> Free Intel webinars can help you accelerate application performance. >>>>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the >>>>>>>> most from >>>>>>>> the latest Intel processors and coprocessors. See abstracts and >>>>>>>> register > >>>>>>>> >>>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> mod...@li... >>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>> SpiderLabs: >>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> ------------------------------------------------------------------------------ >>>>>>> October Webinars: Code for Performance >>>>>>> Free Intel webinars can help you accelerate application performance. >>>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the >>>>>>> most from >>>>>>> the latest Intel processors and coprocessors. 
See abstracts and >>>>>>> register > >>>>>>> >>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>>>> _______________________________________________ >>>>>>> mod-security-users mailing list >>>>>>> mod...@li... >>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> October Webinars: Code for Performance >>>>>> Free Intel webinars can help you accelerate application performance. >>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the >>>>>> most from >>>>>> the latest Intel processors and coprocessors. See abstracts and >>>>>> register > >>>>>> >>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>>> _______________________________________________ >>>>>> mod-security-users mailing list >>>>>> mod...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>> >>>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> October Webinars: Code for Performance >>>>> Free Intel webinars can help you accelerate application performance. >>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the >>>>> most from >>>>> the latest Intel processors and coprocessors. 
See abstracts and >>>>> register > >>>>> >>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>>> _______________________________________________ >>>>> mod-security-users mailing list >>>>> mod...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>> >>>>> >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> October Webinars: Code for Performance >>>> Free Intel webinars can help you accelerate application performance. >>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the >>>> most from >>>> the latest Intel processors and coprocessors. See abstracts and >>>> register > >>>> >>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>>> _______________________________________________ >>>> mod-security-users mailing list >>>> mod...@li... >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>> http://www.modsecurity.org/projects/commercial/rules/ >>>> http://www.modsecurity.org/projects/commercial/support/ >>>> >>>> >>> >>> >>> ------------------------------------------------------------------------------ >>> October Webinars: Code for Performance >>> Free Intel webinars can help you accelerate application performance. >>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most >>> from >>> the latest Intel processors and coprocessors. See abstracts and register >>> > >>> >>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >>> _______________________________________________ >>> mod-security-users mailing list >>> mod...@li... 
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>> http://www.modsecurity.org/projects/commercial/rules/ >>> http://www.modsecurity.org/projects/commercial/support/ >>> >>> >> >> >> ------------------------------------------------------------------------------ >> October Webinars: Code for Performance >> Free Intel webinars can help you accelerate application performance. >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most >> from >> the latest Intel processors and coprocessors. See abstracts and register > >> >> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |
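The two-rule approach Josh describes in the thread (force REQUEST_BODY for the JSON request in phase 1, then drop audit log parts C and I in phase 2 when a password field is present), written out as an added example. This is not code from the thread or from the ModSecurity or CRS projects. It assumes a ModSecurity 2.x deployment with SecRequestBodyAccess On, a client that sends Content-Type: application/json (the thread's rule matched the placeholder string "jsonrequest" instead), and it reuses the thread's rule ids 1001 and 1002. The phase 2 regex also shows the quoting point from the thread: the double quotes around the JSON key are escaped as \" so that the SecRule still has exactly three arguments.

```apache
# Added example, not from the thread or the ModSecurity/CRS projects.
# Assumptions: ModSecurity 2.x, SecRequestBodyAccess On, JSON clients send
# Content-Type: application/json; rule ids 1001/1002 reuse the thread's.

# Phase 1: with no body processor for JSON, REQUEST_BODY stays empty, so
# force it to be populated for this transaction before the body is read.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/json" \
    "phase:1,id:1001,nolog,pass,t:none,t:lowercase,ctl:forceRequestBodyVariable=On"

# Phase 2: match the JSON key with its double quotes escaped (\"), which is
# what the unescaped regex in the thread was missing. When a password field
# is present, remove the request body (part C) and the reduced multipart
# body (part I) from this transaction's audit log entry. Only the audit log
# is affected; the request itself is passed through unchanged.
SecRule REQUEST_BODY "@rx \"password\"\s*:\s*\"" \
    "phase:2,id:1002,nolog,pass,t:none,ctl:auditLogParts=-CI,msg:'JSON body contains a password field'"
```

To verify, send a JSON login request through the proxy and confirm that the resulting audit log entry has no part C (the `--<id>-C--` section) while the other parts are still written. Note the caveat from the thread still applies: this is all or nothing, so the whole body is dropped from the log for that request, not just the password value, and a rule with a lower id that runs earlier in phase 2 and calls ctl:auditLogParts=+C would re-enable it.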