One last thing, and sorry for my previous brick. I have seen a CPAN module which you might be interested in for developing new rules. It's a Perl module which should be installable with cpan, and it seems to be a NIST/NVD database. If you could query it, you could get info about HTTP vulnerabilities or specific applications such as Joomla, WordPress and similar.

The reference link is here: http://search.cpan.org/~cjcollier/NIST-NVD-Store-SQLite3-1.00.00/lib/NIST/NVD/Store/SQLite3.pm

I will take a look in the future to complete my script :D (in a far far away future :p)

Kind regards


2014-03-12 15:50 GMT+01:00 Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>:
Ryan, simply, I hate you :p (it's a joke) 

But in Suricata rule files there is much more than only content fields. How should I proceed? Should I create a file with all the content values from the Suricata rules? Then, how could I know which content matches the right Suricata rule I'm parsing at the moment of script execution?

My idea initially was to read each Suricata rule and store each field, using ; as the field separator, as an indexed array value. In this way I have only one array at the moment of reading each Suricata rule (line), and then I only ask for the field at each array index:


./suricata_ruleparser.sh
POLICY VALUE Content-Disposition|3A| attachment|3b|
PARSED_STRING Content-Disposition:attachment;
EXTENSION 
LAST_CHARACTER ;
PRIMER_CHARACTER C
=========================================================================================================================================================
POLICY VALUE filename=|22|USPS_Document.zip
PARSED_STRING filename="USPS_Document.zip
EXTENSION
LAST_CHARACTER p
PRIMER_CHARACTER f
=========================================================================================================================================================
Contador de contents = 2
###################################################################################
Siguiente regla /next tule
###################################################################################


At this moment I have only considered whether the first field cut (whose field separator should be :) is content.

If I'm reading a content field, then I should parse the content value no matter whether it's hexadecimal, ASCII or whatever.

I have printed additional fields such as EXTENSION (for file type extensions), LAST_CHARACTER and FIRST_CHARACTER (in Spanish PRIMER_CHARACTER) because, in Suricata rules whose vulnerability I analyzed, I saw content fields that were one next to the next content field value, as we can see in this rule:

rules/emerging-web_specific_apps.rules:alert http $EXTERNAL_NET any -> $HTTP_SERVERS any
(msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; 
flow:established,to_server; 
content:"/index.php?";
http_uri; 
nocase; 
content:"option=com_videogallery";
http_uri; 
nocase;
content:"controller=";
http_uri;
nocase;
content:"|2e 2e 2f|";
http_raw_uri;
reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html;
classtype:web-application-attack; 
sid:2014654;
rev:4;
)

So this is what my array stores. If you look at the vulnerability, one of them could be: http://www.zilog.com/index.php?option=com_videogallery&Itemid=68%27

So, how can my software be intelligent enough to know where it needs to put several contents together? What I have done is to use the LAST and FIRST characters from a parser script which is called from the main program:
# Decide how the current content joins its neighbours (run for each parsed content).
if [ "$LAST_CHARACTER" = "_" ] || [ "$LAST_CHARACTER" = "?" ] || [ "$LAST_CHARACTER" = "=" ]; then
    content_old="$PARSED_STRING"              # this content is a prefix for the next one
    unir_siguiente="true"                     # join with the next content
elif [ "$PRIMER_CHARACTER" = "&" ]; then
    content_new="$PARSED_STRING"              # this content continues the previous one
    unir_anterior="true"                      # join with the previous content
else
    PARSED_STRING_ANTERIOR="$PARSED_STRING"   # remember it in case the next content starts with &
fi

What I tell the software is that if the last character is equal to _ or ? or =, then I change the values of variables which make the code act differently and put several contents into the same content:
if [ "$unir_siguiente" = "true" ]; then
    content="$content_old$PARSED_STRING"      # previous content + this one
    echo "CONTENT = $content"
    unir_siguiente="false"
fi
if [ "$unir_anterior" = "true" ]; then
    content="$PARSED_STRING_ANTERIOR$PARSED_STRING"
    echo "CONTENT = $content"
    unir_anterior="false"                     # reset this flag (the original reset unir_siguiente here, leaving unir_anterior set)
fi


The problem is that, as I'm not a web or RFC developer, I'm not quite sure which characters I should take care of to merge one content with the next one, or the last content read with the previous content value.

Another vulnerability of Joomla videogallery could be http://[Target]/&controller=../../../../../../../../../../../../[LFI]%00

If I create a mod_security rule, how can I know how many ../ I should put in the mod_security rule in this case? Should I match &controller=../?

So making a script which parses Suricata rules is not easy to do :D. I was trying to get extra rules and share them with all mod_security members, but I need more time to see how I can solve some problems.

Another issue I have seen is that I don't know how many Suricata directives I will find. In the above sample rule, should I create a mod_security rule which deals with all the http directives in just one mod_security rule?

I was thinking it was very difficult to do, so I found another mod_security directive: chain.

With chain I can read Suricata fields until a directive such as http_method. When I read a directive like that, I only need to create a mod_security rule (making a random number to use as the id) and chain this rule with the next content and directive, something like this:
SecRule REQUEST_METHOD "^GET$" chain,setenv:var1=true,deny
SecRule REMOTE_HOST "^127\.0\.0\.1" chain,setenv:var2=true
SecRule REQUEST_URI "/denied.html" setenv:var3=true

but instead of creating variables I just use pass with logging, in order to create non-disruptive rules that everyone could try in their non-production environments.

SecRule REQUEST_METHOD "^GET$" "chain,pass,log,msg:'ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt'"
SecRule REMOTE_HOST "^127\.0\.0\.1" "chain"
SecRule REQUEST_URI "/denied.html" "pass,log"

In conclusion, thanks to Josh and Ryan for their directives. I have a lot of work to do until I can say I have developed something people could use and that works (if I don't give up in the end).

Kind regards
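As an added example (my own code, not from this thread, Suricata or ModSecurity), the two steps discussed in the message above in Python: decoding a Suricata content string with |hex| runs into bytes, and turning each content of a rule into one SecRule of a pass,log chain. The buffer-to-variable mapping, reusing sid as the ModSecurity id, and the 2014-era modifier-after-content syntax are my assumptions; the sample rule is the one quoted above, condensed to one line.

```python
import re
# Constructed sample: the Joomla com_videogallery rule quoted in the thread, condensed to one line.
SAMPLE_RULE = ('alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery '
               'controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; '
               'http_uri; nocase; content:"option=com_videogallery"; http_uri; nocase; content:"controller="; http_uri; '
               'nocase; content:"|2e 2e 2f|"; http_raw_uri; classtype:web-application-attack; sid:2014654; rev:4;)')
# Suricata content modifier -> ModSecurity variable (assumed mapping, not taken from the thread).
BUFFERS = {"http_uri": "REQUEST_URI", "http_raw_uri": "REQUEST_URI_RAW", "http_header": "REQUEST_HEADERS"}
HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")                                  # |2e 2e 2f| style hex runs
UNESCAPE = re.compile(r"\\([\\\";|])")                                         # Suricata escapes: \\ \" \; \|
OPTION = re.compile(r'\s*([A-Za-z_.]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')   # key[:value]; honouring quotes

def decode_content(raw):
    # Literal text outside |..| plus raw bytes from the hex pairs inside; 00-1F and 80-FF stay as bytes.
    out, pos = bytearray(), 0
    for m in HEX_RUN.finditer(raw):
        out += UNESCAPE.sub(r"\1", raw[pos:m.start()]).encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return bytes(out + UNESCAPE.sub(r"\1", raw[pos:]).encode("latin-1"))

def to_pcre(data):
    # PCRE literal: alphanumerics and safe symbols pass, other printable ASCII is backslash-escaped, the rest \xNN.
    return "".join((chr(b) if chr(b).isalnum() or chr(b) in "_/=&%,:@-" else "\\" + chr(b))
                   if 0x20 < b < 0x7F and b not in (0x22, 0x5C) else "\\x%02x" % b for b in data)

def to_modsec_chain(rule):
    # One SecRule per content, chained; id (from sid), msg, phase and pass/log only on the first rule, as chain requires.
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = [(k, v.strip('"')) for k, v in OPTION.findall(body)]
    meta = dict(kv for kv in opts if kv[0] in ("msg", "sid"))
    matches = []                                                   # [(content, modifiers written after it)]
    for k, v in opts:
        if k == "content":
            matches.append((v, set()))
        elif matches and (k in BUFFERS or k == "nocase"):
            matches[-1][1].add(k)
    lines = []
    for n, (content, mods) in enumerate(matches):
        var = next((BUFFERS[m] for m in mods if m in BUFFERS), "REQUEST_URI")
        nocase = "nocase" in mods                                  # lowercase target and pattern together
        pattern = to_pcre(decode_content(content))
        actions = ["t:lowercase" if nocase else "t:none"]
        if n == 0:
            actions = ["id:%s" % meta.get("sid", "ID_PLACEHOLDER"), "phase:2", "pass", "log",
                       "msg:'%s'" % meta.get("msg", "").replace("'", "")] + actions
        actions += ["chain"] if n < len(matches) - 1 else []
        lines.append('SecRule %s "@rx %s" "%s"' % (var, pattern.lower() if nocase else pattern, ",".join(actions)))
    return lines
```

Note that under Suricata's grammar "|2e|2e|2f|" is hex 2e, the literal text 2e, then hex 2f, so the decoder yields ".2e/" rather than "../"; only "|2e 2e 2f|" (one run) is "../".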
2014-03-12 13:44 GMT+01:00 Ryan Barnett <RBarnett@trustwave.com>:

FYI – both the @pm and @pmFromFile operators support Snort/Suricata hex content - 


Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Wednesday, March 12, 2014 8:38 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] Question about attack types

So I guess mod_security should be able to detect a line feed character which has been included in a request, using a transformation function?

Thanks for your reference.

Kind regards,


2014-03-12 9:36 GMT+01:00 Josh Amishav-Zlatin <josh@wafsec.com>:
On Tue, Mar 11, 2014 at 04:46:11PM +0100, Jose Pablo Valcárcel Lázaro wrote:
> patterns. Some Suricata rules have hexadecimal content in the field.
>
> Some of them I'm able to parse as ASCII, but some hexadecimal values are
> non-printable ASCII characters. My question is, should I care or should I
> ignore those non-printable hexadecimal values?

Hi Jose,

The ModSecurity way would be to use transformations:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Transformation_functions

--
 - Josh

>
> A list of conversions could be:
>
> Content:                          After conversion:
> "|2e 2e 2f|"                      ../
> "|2e/2e/2f|"                      ../
> "|2e\2e\2f|"                      ../
> "|2e|2e|2f|"                      ../
> "|2e|2e|2f|root"                  ../root
> "|2e|2e|2f|root.php"              ../root.php
> "|2e|2e|root|2f|"                 ..root/
> "|2e 2e 2f|"                      ../
> "|2e 2e 2fe|"                     ../e
> "|2e|2f|sogou"                    ./sogou
> "2e2f sogou"                      ./sogou
> "|2E|2F|sogou"                    ./sogou
> "|00 00 00 04|ftp|3a|//"          ftp://
> "2A02"                            *
> "|2A02|"                          *
> "/etc/prueba/inetd\.conf"         /etc/prueba/inetd.conf
> "|esto es una prueba|"            esto es una prueba
> "http|3a|2f|2f"                   http://
> "3a|2f|2f|http"                   ://http
> "http 3a 2f 2f"                   http://
> "esto es una prueba"              esto es una prueba
> "http 3a 2f 2f"                   http://
> "http|3a|2f|2f"                   http://
> "Burp proxy error|3A 20|"         Burp proxy error:
> "%72%65%70%6c%61%63%65%28"        replace(
> "Burp proxy error|3A 20|"         Burp proxy error:
>
> My problem is with some hex patterns which have values between 00 and 1F.
> These values are non-printable ASCII, so if I try to convert them I will get
> strange output, and if I ignore them I will handle the content field as a string;
> the same will happen for extended ASCII codes. I have seen Suricata
> content fields as follows: "/%E0%B4%8C%E1%82%AB"
>
> If I decide to parse as a hexadecimal values to ascii I will get this
> response: ŕ´á«
>
> Should I convert non printable and extended ascii characters from
> hexadecimal?
>
> I have also seen several directives which match mod_security rules, so I
> was thinking of reading each content field with its http directive, creating a
> mod_security rule and chaining it with the following directives until I finally
> finish reading that Suricata rule.
>
> I have tried to develop a mod_security rule with a random high id, and when I
> restart Apache I get a duplicate id error. Do you know why this is
> happening?
>
> Kind regards

> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech

> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/


--
Josh Amishav-Zlatin
CTO | Wafsec

The WAF is free, your time isn't
