Hi All, We are using the Apache server in our production environment. We want to upgrade ModSecurity to the latest version (we are on the old ModSecurity v2.x.x), but the last v2.x.x release (v2.9.7) was on Jan 5, 2023, and there has been no release for v2.x.x since then. ModSecurity v2.9.7 has vulnerabilities. We want to know when v2.9.8 will be released with security fixes.
Hi All, We are using the Apache server in our production environment. To use ModSecurity v3 (libmodsecurity), we need to use the ModSecurity-apache connector. This project is under development and not production-ready. The functionality is not complete, so we cannot use it with Apache HTTP Server. When can we expect it to be complete?
Hi everybody, I have installed ModSecurity on a XUbuntu 22.04 virtual machine running ERDDAP and ncWMS for data distribution. I installed ModSecurity via apt install libapache2-mod-security2 and then I enabled it via a2enmod security2. I have then installed OWASP Core Rule Set v3.3.0. While running ERDDAP I noticed that the queries for requesting data were blocked if they contained '(' or ')' characters. Is this a bug or should I set a rule for this? If the latter is the case, how should the rule be set?...
Hi, I can't find the "CSRF rule" in OWASP® ModSecurity Core Rule Set (CRS) version 3.2.0, but I find it in version 2.2.9. I wonder, can I use both the rules of version 3.2.0 and version 2.2.9 at the same time? Best Regards
I can't find the "CSRF rule" in OWASP® ModSecurity Core Rule Set (CRS) version 3.3.2, but I find it in version 2.2.9. I wonder whether "Cross-site request forgery" can still be protected against by OWASP® ModSecurity Core Rule Set (CRS) version 3.3.2? If not, can I use both the rules of version 3.3.2 and version 2.2.9 at the same time? Best Regards
Hi, A problem has bothered us for several weeks and we would like to get help here. We installed a fresh Windows 2019 (Datacenter) server with a whole new IIS server. Then we installed ModSecurity 2.9.5 Windows version. It was installed successfully, but when we then connect to http://localhost what we get is a 503 error. And the log in IIS showed "Can not load C:\Windows\System32\inetsrv\ModSecurityIIS.dll, data is the error" (translated back from Chinese). I've searched plenty of pages including issues...
I'm having a problem with cookies set by the Metorik WordPress plugin triggering Comodo rule 218500. It's a known issue, but I'd obviously prefer not to disable the rule across the board. Is there some directive I can use to whitelist just the cookies that cause the issue? I tried the solution detailed here with this directive: secRuleUpdateTargetById 218500 !REQUEST_COOKIES:/^ sbjs_first/ but that gave the following error message Error to update target - [\x80\xd3\xed\x90-V] is not valid target...
Hi Taylor, Thanks for the response. Please see attached 'modsecurity - simplified.log' or 'modsecurity.log'. Simplified log has REQUEST_BODY content trimmed as the actual 'modsecurity.log' is huge.
Please show your REQUEST_BODY data, so maybe I can write rules to help you. On 4/5/2021 16:27, Karthik Sirimallakarthik1@users.sourceforge.net wrote: We are using ModSecurity CRS 3.0.2 and need to exclude rule 930110, which blocks requests if they contain the patterns '../' and '..\' (Path Traversal Attack). If we attach a file while submitting the request, this pattern gets matched frequently and the request is blocked, which we want to avoid. I was able to exclude the REQUEST_BODY using the below: SecRuleUpdateTargetById...
We are using ModSecurity CRS 3.0.2 and need to exclude rule 930110, which blocks requests if they contain the patterns '../' and '..\' (Path Traversal Attack). If we attach a file while submitting the request, this pattern gets matched frequently and the request is blocked, which we want to avoid. I was able to exclude the REQUEST_BODY using the below: SecRuleUpdateTargetById 930110 "!REQUEST_BODY" Is there a way to exclude just the attachment and scan the rest of the REQUEST_BODY? If not, can we identify if REQUEST_BODY...
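An added worked example for the question above (this is not code from the thread or from the CRS project): instead of removing REQUEST_BODY from rule 930110 wholesale, remove only the one argument that carries the attachment, either globally or only on the upload endpoint. The endpoint /api/upload and the field name "attachment" are assumptions; rule id 1001 is arbitrary.

```apache
# Added example, not from the thread. Keep 930110 inspecting everything except
# the single field that carries the attachment.
# Assumptions: the upload endpoint is /api/upload and the form field holding
# the file is named "attachment" (both hypothetical).

# 1) Static, global form: remove just that argument from 930110's target list.
#    All other ARGS, the URI and the headers are still inspected everywhere.
SecRuleUpdateTargetById 930110 "!ARGS:attachment"

# 2) Runtime form, scoped to the upload endpoint only. Put this in
#    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it is loaded before the
#    CRS rules. phase:1 is required: the ctl action must run before 930110
#    is evaluated in phase 2.
SecRule REQUEST_URI "@beginsWith /api/upload" \
    "id:1001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=930110;ARGS:attachment"

# Caveat: with multipart/form-data, file parts are never exposed as ARGS at
# all (only as FILES, FILES_NAMES, FILES_SIZES, and their bytes via
# FILES_TMP_CONTENT when SecUploadKeepFiles is enabled). If a multipart upload
# still triggers 930110, the match is on an ordinary form field or on the raw
# body; check the matched variable in the audit log before choosing the target.
```

Prefer form 2 when the attachment field only exists on one endpoint: a global target exclusion silently disables the check for that argument name on every URL.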
Dear Sirs, We are designing an application that will process incoming connections using the FIX protocol (https://www.fixtrading.org/standards). Can ModSecurity be used to protect the back-end application from potential attacks, validating incoming FIX messages? Can ModSecurity be configured to parse FIX messages with low latency? Thx!
Hi guys, I am new to using mod_security. I installed a LAMP server and wanted to secure it with mod_security, but it is giving me problems with the Owncloud application. I've been reading the instructions for use, but I can't get mod_security to block Owncloud syncing. I have seen that there are specific rules for some applications, including the very similar Nextcloud, but as I have said, I can't get it to work. I tried different solutions that I had seen on the internet and in different forums, but...
I also noticed that I have an issue when I try Curl and I wonder if the issue could be HTTP2 with modsecurity... curl --insecure https://devfe:443 curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
Hi guys, I have installed modsecurity and it works great on Chrome and Firefox on my Mac. Unfortunately when I open the website on Mac/Safari I get the following error message: Safari can't open the page "REMOVED". The error is: "cannot parse response" (NSURLErrorDomain:-1017) On my iPhone, when I open it in Chrome I get the following error: This site can't be reached. The web page at REMOVED might be temporarily down or it may have moved permanently to a new web address. ERR_INVALID_RESPONSE Everything...
Hello, I installed apache2.4 with modsecurity under FreeBSD. When I add rule files that contain, for example:
<LocationMatch /wp-admin/user-new.php> SecRuleRemoveById 390703 </LocationMatch>
<LocationMatch /wp-admin/options-permalink.php> SecRuleRemoveById 390703 </LocationMatch>
<LocationMatch /shop/remote.php> SecRuleRemoveById 390703 </LocationMatch>
Apache gives me an invalid input error. So where is the problem?
I found out what caused the problem: (SSL) handshake timeout. I needed to increase the timeout in reqtimeout.conf like this: RequestReadTimeout header=20-50,minrate=400 body=20-50,MinRate=400 Now the problem is gone.
I have an issue with modsecurity. In the error log I get a lot of - ModSecurity: Error reading request body: Software caused connection abort My setup: Debian 10 (buster) Apache 2.4.38 Modsecurity 2.9.3 Owasp-modsecurity-crs 3.3.0 Internet --> Firewall --> WAF (debian/apache/modsecurity proxy) --> webshop server (Prestashop webshop) I've searched and found very little info. I've tried to increase these variables, now they are four times the original but no difference: SecRequestBodyLimit 52428800 SecRequestBodyNoFilesLimit...
Hi, I have activated modsecurity but SQL injection and File Inclusion are still detected. Is there any configuration that needs to be updated? Thanks!
Hi All, I want to do URI-based rate limiting in modsecurity. There are two rates that have to be kept track of: one is the overall rate and the other is the site-specific rate. Can someone please translate the below pseudocode into modsecurity code? I am new to modsecurity. Pseudocode:
when HTTP_REQUEST {
  if { HTTP_URI starts_with "/ms/site/" } {
    $site = get_third_field_from_HTTP-URI   # if HTTP_URI = /ms/site/abcorp/123, then get "abcorp"
    $overall_rate = some_number
    $overall_limit = some_number
    $per_site_rate...
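An added worked translation of the pseudocode above into ModSecurity v2 rules (this is not code from the thread or from the ModSecurity project). It implements a fixed-window counter: one overall counter per client IP, and one counter per site name parsed from the third path segment of /ms/site/<site>/... The limits (100 and 30 requests per 60 s), the SecDataDir path and the rule ids 1100-1114 are assumptions to be adjusted.

```apache
# Added example, not from the thread. Fixed-window rate limiting:
#   overall: per client IP, 100 requests / 60 s (assumed numbers)
#   per site: per third path segment of /ms/site/<site>/..., 30 / 60 s
# Rule ids 1100-1114 are arbitrary; make sure they do not collide.

# Persistent collections (IP, RESOURCE) need a writable storage directory.
SecDataDir /var/cache/modsecurity

# --- overall rate, keyed on the client address ---------------------------
SecAction "id:1100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Open a new 60 s window when there is no counter yet. expirevar removes the
# variable when the window ends, so the next request starts a fresh window.
SecRule &IP:overall_count "@eq 0" \
    "id:1101,phase:1,pass,nolog,setvar:ip.overall_count=0,expirevar:ip.overall_count=60"
SecAction "id:1102,phase:1,pass,nolog,setvar:ip.overall_count=+1"
SecRule IP:overall_count "@gt 100" \
    "id:1103,phase:1,deny,status:429,log,msg:'Overall rate limit exceeded for %{REMOTE_ADDR}'"

# --- site-specific rate, keyed on the site name --------------------------
# Requests outside /ms/site/ skip the whole block.
SecRule REQUEST_URI "!@beginsWith /ms/site/" \
    "id:1110,phase:1,pass,nolog,t:none,skipAfter:END_SITE_RATE"

# Capture the third path segment (abcorp in /ms/site/abcorp/123) into TX.1
# and use it as the key of a RESOURCE collection shared by all clients.
SecRule REQUEST_URI "@rx ^/ms/site/([^/?]+)" \
    "id:1111,phase:1,pass,nolog,t:none,capture,setvar:tx.site=%{TX.1},initcol:resource=site_%{TX.1}"

SecRule &RESOURCE:site_count "@eq 0" \
    "id:1112,phase:1,pass,nolog,setvar:resource.site_count=0,expirevar:resource.site_count=60"
SecAction "id:1113,phase:1,pass,nolog,setvar:resource.site_count=+1"
SecRule RESOURCE:site_count "@gt 30" \
    "id:1114,phase:1,deny,status:429,log,msg:'Rate limit exceeded for site %{TX.site}'"
SecMarker END_SITE_RATE
```

Two design notes. A fixed window lets a client burst up to twice the limit around a window boundary; if a smoother rate is wanted, replace the expirevar window with a leaky bucket (increment on each request, and decay the counter with deprecatevar:ip.overall_count=N/60). And the per-site counter here is shared by all clients, which is what "site specific rate" suggests in the pseudocode; to limit each client per site instead, key the RESOURCE collection on %{REMOTE_ADDR}_%{TX.1}.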
Hi, first-time user of mod security, just installed ModSecurity v2.9.3 for IIS MSI Installer - 64bits on a Windows Server 2012 high-traffic website. I log into the site, refresh the page, it's fast; refresh the page, slow loading; refresh the page, fast; refresh the page, total stall, won't even load, completely stuck; refresh the page, slow loading; refresh the page, fast again.... If I disable modsecurity in the web config to turn it off for the site, it's back to super fast again. I really want to use this...
You can add this rule to the rule file named 'REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf': SecRule SERVER_NAME "lync-external.mydomain.com$" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=980130". This means that if the hostname is 'lync-external.mydomain.com', then the rule with id 980130 is disabled. At 2020-02-18 23:48:22, "End User" geico234@users.sourceforge.net wrote: I searched google and was unable to find anything with this, appears to be blocked due to sql injection. [Tue Feb 18...
No matter where the files come from, when a file is uploaded through HTTP only the file name and contents are included in the data package, unless you modify your program to take the directory of the file as one of the parameters and pass it to the backend. At 2020-02-18 16:50:45, "rres-admin" rres-admin@users.sourceforge.net wrote: Taylor, thanks for the reply. I should have mentioned that Apache is used as reverse proxy to several target servers... In fact the upload/download of files is from/to...
I searched google and was unable to find anything with this, appears to be blocked due to sql injection. [Tue Feb 18 09:41:44.305146 2020] [:error] [pid 24930] [client x.x.x.x:55593] [client x.x.x.x] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content...
Taylor, thanks for the reply. I should have mentioned that Apache is used as reverse proxy to several target servers... In fact the upload/download of files is from/to the target proxied server and NOT from an Apache local dir. I receive the 413 code because Apache does not allow files larger than 12.5Mb from/to the target server which is proxied through. '/mydir' resides on the target server and I would like to allow larger files just for this specific server/dir whilst the other proxied servers remain with...
You mean the files come from the local directory '/mydir'? That won't work because the local address of the source file is not transferred to the server when the file is uploaded; only the file name and contents are delivered to the server. I suggest you change your approach and use ctl:requestBodyLimit by judging the logged-in user in SESSION. At 2020-02-18 00:48:59, "ric greg" rres-admin@users.sourceforge.net wrote: Hi all, We have an Apache server 2.4.6 running mod_security 2.9.2 on CentOS 7. /etc/httpd/conf.d/mod_security.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
...
Hi all, We have an Apache server 2.4.6 running mod_security 2.9.2 on CentOS 7. /etc/httpd/conf.d/mod_security.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
I need to create a rule that overrides this 12.5Mb file limit when files come from directory '/mydir'. For some reason I cannot make this work. I have tried the following in file: /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf...
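An added worked example for the thread above (not code from the thread or from the ModSecurity project): keep the global 12.5 MB limit and raise it only for requests routed to the one proxied backend. It assumes that backend is reached under /mydir/ on the proxy; the 100 MB value and rule id 1200 are placeholders.

```apache
# Added example, not from the thread. Per-path request body limit override.
# Assumption: the backend that needs large uploads is proxied under /mydir/;
# 100 MB is a placeholder.

# Global default (what the poster already has). Reject returns 413 instead
# of silently truncating the body.
SecRequestBodyLimit 13107200
SecRequestBodyLimitAction Reject

# Override for one path. This MUST be a phase:1 rule: the limit is enforced
# while the body is being read, which happens before phase 2 starts, so a
# ctl:requestBodyLimit set in any later phase is applied too late.
SecRule REQUEST_URI "@beginsWith /mydir/" \
    "id:1200,phase:1,pass,nolog,t:none,ctl:requestBodyLimit=104857600"

# Apache applies its own cap independently of ModSecurity; if LimitRequestBody
# is set anywhere in the config it has to be raised for the same location.
<Location "/mydir/">
    LimitRequestBody 104857600
</Location>
```

The same shape works for the answer's suggestion of keying on the user instead of the path: replace the REQUEST_URI test with a rule on the SESSION collection, still in phase 1.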
ModSecurity is just one module for the web server (Apache, Nginx, IIS); the only thing you need to worry about is the website traffic your server can support. At 2019-12-23 18:38:52, "Thanh" jonny1304@users.sourceforge.net wrote: Hi guys, I need to install mod_security on my server. So I have a question: + Minimum hardware requirements (I have CPU: 1x Xeon 8C E5-2630 v3 85W 2.4GHz/1866MHz/20MB, RAM: 1x16GB PC4-17000 DDR4 2133MHz), is it good enough? Thanks for your help.
Hi, I need to know whether modsecurity can do all of these requirements: - Automated Learning of User and Application Behavior - Research-Driven Security Policies - Flexible Deployment Options - Deep Threat Intelligence - Virtual Patching - HTTP Protocol, Platform, and XML Protection - Granular Correlation Policies Reduce False Positives - Customizable Reports for Compliance and Forensics - Out-of-the-box SIEM Integration Thanks for your help
Hi guys, I need to install mod_security on my server. So I have a question: + Minimum hardware requirements (I have CPU: 1x Xeon 8C E5-2630 v3 85W 2.4GHz/1866MHz/20MB, RAM: 1x16GB PC4-17000 DDR4 2133MHz), is it good enough? Thanks for your help.
Hi, We are facing an Internal Server Error with the below-mentioned Multipart Strict error configuration parameters in the modsecurity.conf file Message: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/XXXX/XXXX/XXXX/modsecurity.conf"] [line "82"] [id "3"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 1, DA 0, HF 0, LF 0, SM , IQ 0, IH 0, IH 0"] Apache-Error: [file "http_request.c"] [line 107] [level 3] AH01579:...
Hi, We've implemented ModSecurity commercial rules on our API gateway server, and during a POST request that uploads a PDF file, the request was blocked by this rule: BOTNET: "SLR: Common IRC Botnet Attack Command String Identified" The request was showing the below error: ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Pm' with parameter !tum !zero !lfi !rfi !e107 !sql !osco !zen !adm !op !oscoo !sqle !whmz !cmdlfi !cmde107 !cmdxml' against variable `REQUEST_BODY' form-data;...
Hello All, I am new to modsecurity. I have a legacy server solution using Nginx with no modsecurity. All the data is being received on port 443 with a self-signed certificate, with no authentication for the https connection. Now I want to use modsecurity for this application. I have installed modsecurity with Nginx. When I try to open the SSL connection with the same self-signed certificates, the connection is not opened and I am getting SSL connection failed with 600 as the error. It seems that the error...
Duplicate, sorry!
Hello, I was wondering if someone has stumbled across a similar issue. I have a web application running Modsec and the apache error log only logs IDs 949110 and 980130. No other IDs are logged at all, which makes evaluating false positives quite difficult. I feel this is not related to the error log format since I have a second application working correctly with the same format. Any help is greatly appreciated. Thank you! [Sun Sep 01 07:17:30.255322 2019] [:error] [pid 5029] [client...
These are Comodo's rules; you'll have to reach out to them for support. Thanks! On Tue, May 28, 2019 at 1:49 AM Ehsan Javidi javidi@users.sourceforge.net wrote: Hi, There is a strange problem with a site that the ModSecurity plugin has blocked. The plugin recognizes the site's address as an injection! WAF error: http://oneclickpaste.com/9311/ domain: wordpress@amlakeparand.com Data has the following conditions: 1- has "<" first 2- has "and." somewhere after 1 3- has ">" somewhere after 2 regular...
Hi, There is a strange problem with a site that the ModSecurity plugin has blocked. The plugin recognizes the site's address as an injection! WAF error: http://oneclickpaste.com/9311/ domain: wordpress@amlakeparand.com Data has the following conditions: 1- has "<" first 2- has "and." somewhere after 1 3- has ">" somewhere after 2 regular expression detected! .<.and..*>
Glad you got it working :) On Sun, Apr 14, 2019, 11:42 AM Escher Penrose penrose@users.sourceforge.net wrote: Great! It works fine. In crs-setup.conf I changed SecDefaultAction "phase:1,log,auditlog,pass" SecDefaultAction "phase:2,log,auditlog,pass" to SecDefaultAction "phase:1,logdata:%{request_headers.host},log,auditlog,pass" SecDefaultAction "phase:2,logdata:%{request_headers.host},log,auditlog,pass" And I obtain: [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched...
Great! It works fine. In crs-setup.conf I changed SecDefaultAction "phase:1,log,auditlog,pass" SecDefaultAction "phase:2,log,auditlog,pass" to SecDefaultAction "phase:1,logdata:%{request_headers.host},log,auditlog,pass" SecDefaultAction "phase:2,logdata:%{request_headers.host},log,auditlog,pass" And I obtain: [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]...
Thanks Chaim. I had another answer that it was hard-coded. I also asked my question in the ModSecurity issues. I'll try your solution, wait for the third answer as well, and tell you where I am :D Have a nice day. Regards
This can be done! You'd want to capture the value of REQUEST_HEADERS:Host and add it to one of the output areas https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_headers. I'd recommend something like "logdata:%{MY_HOST_HEADER}" ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#logdata ). Now the real key here is that since you're using CRS, you'll want to change the action of all those rules to include this logdata. The recommended approach is to...
Hello, I'm using Mod Security 2.9.3 with IIS 10. It works well but I can’t distinguish the impacted site in the message generated in the EventLog. Here an example: [client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: <script>alert(\x22Hello! I am an alert box!\x22);</script> found...
We have an nginx system that does very simple load balancing. Clients contact the proxy server and are round-robined to other systems. I would like to change this setup to a reverse proxy with nginx and ModSecurity. Is it possible to both install nginx integrated with modsecurity and use my same simple load balancing? If not, can I do this with the ModSecurity Apache reverse proxy using mod_proxy_balancer at the same time? The nginx setup is something like: http { upstream myapp1 { server srv1.example.com;...
Hello, We are filtering body POST data for certain strings. They are mostly Greek characters. When rules are triggered, the strings do not appear as UTF8. This is an example of what we get on logs: \xce\xb8\xce\xb1 \xce\xb4\xce\xb7 Is it possible to show them properly? Thanks Alex
Hello, I'm using Mod Security with IIS 10. When a rule is triggered, mod security creates an event log entry in the Event Viewer on Windows. This log contains the REMOTE_ADDR value, but since we are behind a proxy (Cloudflare) I would like it to log a custom header (HTTP_CF_Connecting_IP) so we get the real client IP. Is it possible to do that? Thanks Alex
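An added worked example serving both of the logging questions above, the impacted site (Host header) and the real client address behind Cloudflare (this is not code from the thread, the CRS project or ModSecurity itself). It builds on the SecDefaultAction/logdata approach from the earlier replies and adds the check a practitioner wants: CF-Connecting-IP is only trusted when the TCP peer really is the proxy, since otherwise any client can write an arbitrary value into your logs. The ranges file path and rule ids 1300/1301 are assumptions; on IIS use a Windows path.

```apache
# Added example, not from the thread. Log vhost and real client IP on every
# CRS alert. Assumptions: /etc/modsecurity/cloudflare-ranges.txt holds the
# proxy's published IP ranges, one CIDR per line (hypothetical path);
# rule ids 1300/1301 are arbitrary.

# Default: the socket peer is the client.
SecAction "id:1300,phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"

# Override only when (a) the connection comes from the trusted proxy range and
# (b) the header is an IP literal. (b) keeps log-injection junk out of logdata.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/cloudflare-ranges.txt" \
    "id:1301,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:CF-Connecting-IP "@rx ^[0-9A-Fa-f.:]{3,45}$" \
        "t:none,capture,setvar:tx.real_ip=%{TX.0}"

# CRS rules inherit SecDefaultAction, so both values end up in the error log
# and audit log of every alert. These two lines replace the ones in
# crs-setup.conf; rules 1300/1301 must be loaded before the CRS rule files
# (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) so tx.real_ip is set
# before any phase-1 CRS rule fires.
SecDefaultAction "phase:1,log,auditlog,pass,logdata:'host=%{REQUEST_HEADERS.Host} client=%{TX.real_ip}'"
SecDefaultAction "phase:2,log,auditlog,pass,logdata:'host=%{REQUEST_HEADERS.Host} client=%{TX.real_ip}'"
```

One limit, already hinted at in the earlier reply: rules that set their own logdata (many CRS rules do) override the default, so those alerts will not carry the two values; the blocking-evaluation rule 949110 and the correlation rule 980130 do inherit it, which is usually what you need to map a block to a site and client.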
Hi, I was wondering if ModSecurity can re-write the REQUEST_BODY of an XML request (or the RESPONSE_BODY, for that matter)? If so, how can it be accomplished? Below are more details; I have an application whose manufacturer went out of business. In the outgoing (or incoming) XML SOAP request, I need to put one of the variables in lowercase. I am using IIS 7. I have found a post about processing text/xml request_body: https://serverfault.com/questions/727596/mod-security-how-to-process-text-xml-request-body...
Information about the system environment:
- Advanced ModSecurity rules from Atomicorp (Thorough)
- Ubuntu 16.04.5 LTS
- Plesk Onyx Version 17.8.11 Update # 30
- Nextcloud 14.03
I often have these or similar error messages in the logfile. But I can not find any ID that I can use to disable this rule. The entries [xxx] have been changed by me here.
--5bf1b05a-A-- [15/Nov/2018:19:41:35 +0100] W@2931Gp6DgAAC9PSpAAAAAB 95.90.239.156 58042 81.169.232.56 7081
--5bf1b05a-B-- OPTIONS /remote.php/dav/principals/users/[xxx]/...
The default log is stored in /var/log/modsec_audit.log; everything goes into /var/log/modsec_audit.log, and the issue is that it is hard to read every log entry one by one to check for false positives for every website. My question is, is there a way to log modsec by vhost? Thanks for your help.
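An added worked example for the question above (not code from the thread or from the ModSecurity project): SecAuditLog is accepted inside a VirtualHost, so each site can write its own audit log while the server-wide file stays as the fallback. Host names and paths are placeholders.

```apache
# Added example, not from the thread. One audit log per virtual host.
# Paths and host names are placeholders; the log directory must be writable
# by the Apache user.

# Server-wide defaults: log only transactions that triggered a rule or ended
# in an error status, in serial (single-file) mode.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Per-vhost override: alerts for this site land in its own file, so false
# positives can be reviewed per application.
<VirtualHost *:443>
    ServerName shop.example.com
    SecAuditLog /var/log/modsec/shop.example.com_audit.log
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.com
    SecAuditLog /var/log/modsec/blog.example.com_audit.log
</VirtualHost>
```

If splitting the file is not an option, part B of every audit entry already contains the request's Host header, so a single combined file can still be separated per site with a script keyed on that line.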
Thanks Victor for the reply. I've now changed the behaviour to "traditional" and am seeing the expected results. Cheers
Hi, Make sure that your SecRuleEngine https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRuleEngine directive is set to "On". If it's "DetectionOnly" or "Off" you will only get warnings. I haven't gone through all of your logs, but the way that the OWASP CRS works by default is using the approach of "delayed blocking", meaning that a number of rules can match and only cause warnings, but each rule that matches adds to a score. After all the rules are evaluated the final...
anyone
Hi, I've set up a new cPanel server with mod security enabled. I see some hits below; are these actually being "blocked" or only reported on? Usually I'd see ModSecurity: Access Denied in the log if it was blocked, however for the below I'm only seeing ModSecurity: Warning. I would appreciate any help. Thanks [Wed Sep 19 08:18:05.298993 2018] [:error] [pid 82247:tid 139900061951744] [client 36.25.122.153:57249] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:0. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"]...
I have some applications behind a server named app02; my server is working as reverse proxy + mod sec, named rp-srv. Some applications show errors when requesting some pages that contain information about the system, like c:\windows etc.... I want to block the pages if the client tries to request them, or if the page shows an error that contains c:\windows. In other words: if any page loads and has "c:\windows" or an error in its content, it should be blocked. Thanks.
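An added worked example for the question above (not code from the thread or from the ModSecurity project): on a reverse proxy the backend's answer can be inspected in phase 4, so a page that leaks a Windows path or an unhandled-error page can be replaced with a 403 before it reaches the client. The patterns, limits and rule ids 1400/1401 are assumptions to tune for the application.

```apache
# Added example, not from the thread. Block responses that leak a Windows
# system path or an unhandled error, and block requests that ask for such a
# path directly. Patterns, 403 status and rule ids are assumptions.

# Response body inspection is off by default and buffers the body in memory:
# enable it, limit it to text-like types, and cap the size. ProcessPartial
# inspects what fits instead of failing the response when the cap is exceeded.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Phase 4 runs on the response body. \x5c is a literal backslash, which avoids
# any doubt about how many backslashes survive Apache's config parsing.
# capture + TX.0 puts only the matched fragment into the log, not the
# whole page (logdata:%{MATCHED_VAR} would dump the entire body).
SecRule RESPONSE_BODY "@rx (?i)c:\x5cwindows|Server Error in '/' Application|Stack Trace:" \
    "id:1400,phase:4,deny,status:403,log,t:none,capture,\
    msg:'Information leakage in response body',\
    logdata:'Matched: %{TX.0}',\
    severity:'ERROR'"

# Request side: refuse attempts to reference the path in the URI or arguments.
# Phase 2 so that POST bodies are covered as well.
SecRule REQUEST_URI|ARGS "@rx (?i)c:\x5cwindows" \
    "id:1401,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,\
    msg:'Windows system path in request'"
```

Blocking in phase 4 hides the leak but does not fix it; the matched fragment in logdata tells you which backend page to repair. Expect a measurable memory and latency cost from response buffering on high-traffic vhosts, so keep SecResponseBodyMimeType and SecResponseBodyLimit tight.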
Hello All, I have two questions. 1) Is it possible to install ModSecurity on a laptop on a localhost and test sqlia and check the report? 2) Is it possible to install ModSecurity on a VPS and have the domain IP address pointing to the Mod Security WAF in the VPS? If so how to set up the domain IP address? Thanks.
You can set the limit, for example to 10k, with the following statements:
# set actual request size limit
SecRequestBodyLimit 10000
# actually generate an HTTP error, instead of truncating
SecRequestBodyLimitAction Reject
I installed modsecurity 2.9.2 on IIS 10 and it works fine. If I apply SSL (https) on my website, can modsecurity analyze and block traffic matched with rules? Or is there another way? Thanks~
Dear All, My environment: Apache/2.4, engine mode: /modsecurity 2.7+ I want to achieve that whenever any security rule is triggered, a script is executed for a specific directory. In the global Apache security module settings I have this line: SecDefaultAction "phase:2,deny,log,status:406" which does its job very well. So my idea was to define a similar line for this specific directory. In my Apache http.conf I have: <Directory "/some/directory/path"> SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"...
I was using the nginx refactoring branch with modsecurity 2.9 earlier. Now I have recompiled modsecurity (3.0) with the nginx-modsecurity connector. I had added 2 custom rules that were working well in the old compilation. But now I am getting an error as follows while trying to restart nginx: nginx[18002]: [120B blob data] nginx[18002]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed Should I modify anything in the custom rules to get the rules working with modsecurity...
I'm trying to disable an .axd match that comes from the OWASP ruleset with id 920440. I have the following in my custom conf file that is loaded after all other rules. Does anybody have any suggestion why the .axd extension is still being flagged? SecRuleUpdateTargetById 920440 !ARGS:.axd Log: ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/...
Yes that is it :-)
These rules seem to work:
SecRule ARGS_GET_NAMES "^(#.*)$" "id:193,log,deny,msg:'Block ARGS Name with hash GET'"
SecRule ARGS_POST_NAMES "^(#.*)$" "id:192,log,deny,msg:'Block ARGS Name with hash POST',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=$"
SecRule REQUEST_COOKIES_NAMES "^(#.*)$" "id:194,log,deny,msg:'Block ARGS Name with hash COOKIE'"
I see what you're going for. Check out the regex the OWASP Core Rule Set twitter (https://twitter.com/CoreRuleSet) just suggested:
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "@rx ^#|[(?:\'|\")?#.*]" "id:123,phase:2,deny,status:403,t:urldecodeuni,msg:'SA-CORE-2018-002'"
On Thu, Mar 29, 2018 at 10:10 AM, Joseph Jozwik jjozwik@users.sourceforge.net wrote: Working on a rule to block traffic based on the starting character of ARGS_NAMES, either cookie, GET or POST. Example allow name=Joe Example block name=Joe...
Working on a rule to block traffic based on the starting character of ARGS_NAMES, either cookie, GET or POST. Example allow: name=Joe Example block: #name=Joe Test rule that is not working:
SecRule ARGS_NAMES "^(#.*)$" "phase:1,id:199,log,deny,msg:'Block Argname with hash'"
Hello, In the standard rules, I noticed there is no rule defined for big files, except in the general configuration in modsecurity.conf, which does not give an alert to the user. Does anybody know a detailed rule which can do this? I myself am a newbie to modsecurity and am surprised that this was not part of the standard set.
Hi, We have configured modsecurity on CentOS 7.4 with no open-source rules (apache 2.4 with mod security version 2.9.2). Later we purchased commercial rules and enabled the licence in the apache configuration files. Now with this, modsecurity is able to detect the attack but it is not blocking any attack, although SecRuleEngine On is in the configuration file. With all our trial and error we still didn't get what we are missing; your help will be highly appreciated. Thanks in advance. Regards Anupam Narayan...
I am trying to compile ModSecurity on Debian 9 with NGINX 1.13.9. I am following the steps in this article: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ It fails on the make command. Here is the dump from running the command sudo make: Making all in others make[1]: Entering directory '/etc/ModSecurity/others' depbase=echo libinjection/src/libinjection_html5.lo | sed 's|[^/]$|.deps/&|;s|.lo$||'; /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H...
Hi everyone, I am trying ModSecurity 3.0 with OWASP CRS in Nginx. The Nginx with ModSecurity is used as a reverse proxy server to proxy requests to multiple application servers behind Nginx. I would like to use a separate modsecurity.conf to configure the following settings for each application. * SecRuleEngine (some applications use block mode, some applications use detection only) * crs-setup.conf (to configure a different paranoia level and threshold score for each application) * include different OWASP...
I am using modsecurity with nginx (v1.13.6) on ubuntu 16.04. When I try to upload zip files / single jpeg / mov files via an API to my web server, I get the following error in the modsecurity error log. 2018/02/28 05:14:04 [error] 1893#0: [client 103...*] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [rev "1"] [msg "POST request missing Content Length Header."]...
Hi All, I have Modsecurity set up on IIS and have set up the Geo Lookup rule. I have downloaded the latest database and specified the following rule: SecGeoLookupDb 'GeoDB\GeoLiteCity.dat' SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,status:403,drop,msg:'Non-GB or IE IP address'" SecRule GEO:COUNTRY_CODE "!@pm GB IE" "t:none" However I always get the error - Geo lookup for "IP:port" failed: No such host is known. The server allows all traffic to pass. I have tried this for various different IP addresses...
I have installed modsecurity 3 with nginx version nginx/1.12.2, and when we set modsecurity in DetectionOnly mode we get a bunch of failures during our cucumber unit testing process. I have looked at nginx and the only error I see is the following: 2018/02/22 03:56:46 [info] 2256#2256: *1923 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while connecting to upstream, client: 130.211.141.241, server: _, request: "POST /organization/javasdkorg1519270783471v276/event/questionnaire/type...
Despite a ton of Googling, reading the Modsecurity Handbook and trial and error I still can't figure out if I can adjust sensitivity to specific rules on specific cookies. Our false positives seem to be caused by rules 981260 and 981231 finding matches in the XSRF token cookies automatically made by our website's framework. I can disable the rules for the cookies, but I'd like to know if I can just make the existing ones less sensitive for specific cookie names so there's still some security in place....
I have a 2016 server with IIS10. I have installed the latest version of Mediawiki and Modsecurity. I had a few base rules that created false positives; after removing them I was still not able to log in and no further events were logged. I have tried removing all the rules, and still I am unable to log in. So far I can only uninstall modsecurity for my mediawiki to work. Happy new year and kind regards Kent
This forum isn't supported anymore, please use github or IRC for support.
We have added the mod-security (2.9) plugin for filtering malicious input data with the apache webserver and it was working fine. But then we are facing an issue in the below scenario. During the application login, the server will generate an access token and also a refresh token (set the same as a cookie) while sending back to the browser. When the access token expires, the UI will send the refresh token to the server to generate a new access token. The application will use the refresh token as an authentication...
How do I open port 3306 for remote mysql connect?
Hey @Daniel Kolar, This forum isn't supported anymore. If you have any further questions please reach out on the ModSecurity Github page. Thanks!
Here is the related issue, and what worked is to edit the mod security .conf file that contains the custom mod. sec. rules and add a special rule. # Disable ModSecurity for certain file names SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off" Though it would be better to whitelist the full path including the domain, not just the file name. But I am unsure how to do that for now.
Hello, when submitting new content via: mydomain.com/newarticle.php mydomain.com/newthread.php it triggers multiple "deny" mod security rules. I do not want to tweak these rules in any way; instead I want to whitelist the mentioned files from blocking by mod security. I tried to 1. create a new rule on top of all rules in /usr/local/apache/conf/modsec2.user.conf SecRule REQUEST_URI "newarticle|newthread" "id:1045787,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off" Does not work, other rules still trigger...
Hello, when submitting new content via: mydomain.com/newarticle.php mydomain.com/newthread.php it triggers multiple mod security rules. I do not want to tweak these rules in any way; instead I want to whitelist the mentioned files from blocking by mod security. I tried to 1. create a new rule on top of all rules in /usr/local/apache/conf/modsec2.user.conf SecRule REQUEST_URI "newarticle|newthread" "id:1045787,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off" Does not work, other rules still trigger 403....
Hello, when submitting new content via: mydomain.com/newarticle.php mydomain.com/newthread.php it triggers multiple mod security rules. I do not want to tweak these rules in any way; instead I want to whitelist the mentioned files from blocking by mod security. I tried to 1. create a new rule on top of all rules in /usr/local/apache/conf/modsec2.user.conf SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off" Does not work, other rules still trigger...
Please open such issues on github to get assistance https://github.com/SpiderLabs/owasp-modsecurity-crs
I was hoping someone can assist us mitigating an ongoing attack. We use Opencart. We have several servers with a dozen or so installations on each. Recently there was a Python script released that can password attack the Opencart admin. It hits the admin page directly and from what I can work out from the code it recognizes it has been successful by checking for a cookie. Most of our domains are being hit. Opencart gives a HTTP/1.1" 200 on a failed login. The user-agent is always different and the...
Hi all, I want to block cross-site scripting in the Authorization Basic header. For example, I have: POST /tr069/ HTTP/1.1 Host: carontetest.digitelitalia.com:8445 Content-Length: 1412 Accept-Encoding: gzip, deflate, compress SOAPAction: Accept: / User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/4.4.0-81-generic Authorization: Basic Ii8+PHNjcmlwdD5hbGVydCgieHNzIDspIik8L3NjcmlwdD46cGFzcw== Ii8+PHNjcmlwdD5hbGVydCgieHNzIDspIik8L3NjcmlwdD46cGFzcw== is "/><script>alert("xss ;)")</script>:pass I write SecRule...
mod security config file as follows: <IfModule mod_security2.c> # Default recommended configuration SecRuleEngine On SecRuleInheritance On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" SecRequestBodyLimit 13107200 SecRequestBodyNoFilesLimit 131072 SecRequestBodyInMemoryLimit 131072 SecRequestBodyLimitAction Reject SecRule REQBODY_ERROR "!@eq 0" \ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed...
Please refer to the log below. Even though rule matches it does not block the request. Let me know if I am missing anything. Thanks --b8246541-A-- [02/May/2017:22:47:47 +0000] WQkMkn8AAAEAAEQeufQAAAAC 192.168.34.199 10787 192.168.34.202 80 --b8246541-B-- GET /index.php?action=&type=view&s=&id=-1%27%20union%20select%200,concat(char(85),char(115),char(101),char(114),char(110),char(97),char(109),char(101),char(58),name,char(32),char(124),char(124),char(32),char(80),char(97),char(115),char(115),char(119),char(111),char(114),char(100),char(58),pass),0,0,0,0,0%20from%20phpdesk_admin/*...
Q1: In REQUEST-912-DOS-PROTECTION.conf, the ip.dos_counter is increased for every request made to a non-static resource. As soon as it hits the threshold, ip.dos_burst_counter is set/increased by 1, which expires after ip.dos_burst_time_slice. So when we have a threshold of 100, and over a couple of days we reach 100, ip.dos_burst_counter=1. If PL is set to 1, it will only trigger when the dos_burst_counter = 2. Normally there will be enough time for the dos_burst_counter to expire. But in PL 2,...