Never mind, sometimes you just go blind.

** Forgot to Include my CRS.conf in the right place **


Att,

Stephan Gomes Higuti


On 26 March 2014 14:10, Stephan Gomes Higuti <higuti.sam@gmail.com> wrote:
Well, I kind of noticed what's happening.
Here's the log:

--6d322303-A--
[26/Mar/2014:13:38:05 --0300] UzMCbawQD8oAAAYqzQMAAAAA 172.16.15.230 56571 172.16.15.202 80
--6d322303-B--
GET /index.htm?cmd=../../../bin/bash HTTP/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=241360528.1964874999.1394711819.1395837679.1395851219.42; __utmb=241360528.1.10.1395851219; __utmc=241360528; __utmz=241360528.1394711819.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Via: 1.1 swntpx.xxx.yyy:3128 (squid/2.7.STABLE6)
Cache-Control: no-cache, max-age=0
Connection: keep-alive
X-Forwarded-For: aaa.bbb.ccc.ddd

--6d322303-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 19 Feb 2014 14:13:49 GMT
ETag: "d81ac-0-4f2c2ff62f80a"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

--6d322303-E--

--6d322303-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
Message: Warning. Pattern match "\\W{4,}" at ARGS:cmd. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ../../../ found within ARGS:cmd: ../../../bin/bash"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
Message: Warning. Pattern match "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)| ..." at REQUEST_URI. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] [id "950103"] [rev "2"] [msg "Path Traversal Attack"] [data "Matched Data: /../ found within REQUEST_URI: /index.htm?cmd=../../../bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "7"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"]
Apache-Handler: proxy-server
Stopwatch: 1395851885242220 40342 (- - -)
Stopwatch2: 1395851885242220 40342; combined=4703, p1=1035, p2=3467, p3=1, p4=158, p5=42, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache/2.4.6 (Linux/SUSE)
Engine-Mode: "ENABLED"

--6d322303-Z--


Well, from what I saw, the modes of operation will depend on what you configured in your crs.conf file.
My default action is deny.

SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"

Even with these settings, I still got the warning messages when I was supposed to get "Access Denied".

Regards,

Stephan Gomes Higuti
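A defender-side check for the symptom in this message (rules firing as "Warning" rather than denying), added here as an example and not part of the thread: it parses the Message: lines of the audit log's H section and groups rule ids by outcome. The sample lines are constructed from the log above; the "Access denied with code 403 (phase 2)." prefix is what ModSecurity writes when a deny action actually fires.

```python
"""Classify ModSecurity audit-log (section H) 'Message:' lines as
detect-only ('Warning.') or blocked ('Access denied with code NNN (phase N).').
Added example for the thread above; not ModSecurity's own code."""
import re

_DENIED = re.compile(r"^Message:\s+Access denied with code (\d{3}) \(phase (\d)\)")
_WARNING = re.compile(r"^Message:\s+Warning\.")
_TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [name "value"] pairs


def parse_message(line):
    """Return {'id', 'msg', 'outcome', 'status'} for a Message line, else None."""
    m = _DENIED.match(line)
    if m:
        outcome, status = "denied", int(m.group(1))
    elif _WARNING.match(line):
        outcome, status = "warning", None
    else:
        return None
    tags = dict(_TAG.findall(line))  # repeated [tag ...] keys collapse; id/msg are unique
    return {"id": tags.get("id"), "msg": tags.get("msg"),
            "outcome": outcome, "status": status}


def summarize(lines):
    """Rule ids grouped by outcome. Only 'warning' entries and no 'denied'
    ones is exactly the detect-but-not-block symptom from the thread."""
    out = {"denied": [], "warning": []}
    for line in lines:
        hit = parse_message(line)
        if hit:
            out[hit["outcome"]].append(hit["id"])
    return out


# Constructed sample modelled on the thread's audit log (ids and paths from it;
# the 'Access denied' line is what a working deny default action produces).
SAMPLE = [
    'Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. '
    '[file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] '
    '[id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"]',
    'Message: Warning. Pattern match "\\\\W{4,}" at ARGS:cmd. [line "37"] [id "960024"] [rev "2"] '
    '[msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"]',
    'Message: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. '
    '[file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] '
    '[id "950103"] [rev "2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]',
    "Apache-Handler: proxy-server",
]
```

Run it over the H section of a real audit log entry: an output with rule ids only under "warning" means the rules matched but no disruptive action was applied.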


On 26 March 2014 11:11, Stephan Gomes Higuti <higuti.sam@gmail.com> wrote:
Hi Josh.

I did compile the newest version of ModSecurity, and it is working now; however, it detects the "attacks" but is not blocking, and I've got "SecRuleEngine On".

[Wed Mar 26 11:06:14.579020 2014] [:error] [pid 32447] [client 172.xxx.yyy.zzz] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\\\.){2}(?:\\\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)| ..." at REQUEST_URI. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] [id "950103"] [rev "2"] [msg "Path Traversal Attack"] [data "Matched Data: /../ found within REQUEST_URI: /README.html?cmd=../../../bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "7"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "test.domain.com"] [uri "/README.html"] [unique_id "UzLe1qwQD8oAAH6-LbUAAAAE"]

This rule is supposed to block the access, isn't it?
Any idea?

Thank you.


Regards,

Stephan Gomes Higuti


On 26 March 2014 08:22, Josh Amishav-Zlatin <josh@wafsec.com> wrote:
On Wed, Mar 26, 2014 at 08:10:20AM -0300, Stephan Gomes Higuti wrote:
>
> But "ver" is not an action, so I'm thinking that there may be some issues
> with using this version of ModSecurity with the newest version of CRS.
> Does anyone know if this should work, or if this issue is really expected
> to happen?


Hi Stephan,

Take a look at:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ver

The ver action is only supported from ModSec v2.7 and later.

Are you able to compile the latest version of ModSec? There have been
several improvements since 2.6.7.

--
Josh Amishav-Zlatin
CTO | Wafsec

The WAF is free, your time isn't

_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users