The issue is solved. It was my mistake because I forgot to switch it to deny mode and it was running in detect mode. All I had to do was to add SecDefaultAction to the config file.


On Mon, Aug 27, 2012 at 2:27 PM, <mod-security-users-request@lists.sourceforge.net> wrote:

Today's Topics:

   1. Re: why does # bypass most rules? (Ryan Barnett)
   2. Re: why does # bypass most rules? (Reindl Harald)
   3. Re: why does # bypass most rules? (Marc Stern)
   4. NGINX and Mod_security (Hekuran Doli)
   5. Re: NGINX and Mod_security (yorkng zhuo)


----------------------------------------------------------------------

Message: 1
Date: Sat, 25 Aug 2012 06:50:31 -0500
From: Ryan Barnett <RBarnett@trustwave.com>
Subject: Re: [mod-security-users] why does # bypass most rules?
To: Reindl Harald <h.reindl@thelounge.net>
Cc: Mailing-List mod_security
        <mod-security-users@lists.sourceforge.net>
Message-ID: <D7DFF93F-EB71-4227-9876-BB5C7B270612@trustwave.com>
Content-Type: text/plain; charset="us-ascii"

Are you testing with a web browser and putting that in the URL window?  If so, then the browser is treating that as a page anchor and does not send that part to the server. Check your apache access logs to see what the request looks like when it gets there.

You could test with wget or curl to send that full payload and test the rules.

--
Ryan Barnett
Researcher Lead
Trustwave - SpiderLabs


On Aug 25, 2012, at 5:29 AM, "Reindl Harald" <h.reindl@thelounge.net> wrote:

> some tests showing that use of # is bypassing most rules
>
> http://local.rhsoft.net/?term=j&#X61vascript:alert%28218%29
> BYPASS
>
> http://local.rhsoft.net/?term=j&X61vascript:alert%28218%29
>
> [Sat Aug 25 11:25:11 2012] [error] [client 192.168.2.2] ModSecurity: Access denied with code 400 (phase 2). Pattern
> match "(?i:alert\\\\()" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/modsecurity_99_local_rules.conf"] [line
> "100"] [id "63"] [msg "XSS attack rh-rule"] [data "alert("] [hostname "local.rhsoft.net"] [uri "/"] [unique_id
> "UDiZ98CoAgIAAAxEDDIAAAAA"]
>
> _________________________________
>
> http://local.rhsoft.net/local.rhsoft.net/?test=/win.ini
>
> [Sat Aug 25 11:21:44 2012] [error] [client 192.168.2.2] ModSecurity: Access denied with code 400 (phase 1). Pattern
> match "\\\\/etc\\\\/|\\\\\\\\|\\\\/win.ini|\\\\/boot.ini|..\\\\/..\\\\/..\\\\/|\\\\'\\\\'\\\\'\\\\'" at
> REQUEST_URI. [file "/etc/httpd/modsecurity.d/modsecurity_99_local_rules.conf"] [line "189"] [id "77"] [msg "Remote
> File Access Attempt"] [data "/win.ini"] [hostname "local.rhsoft.net"] [uri "/local.rhsoft.net/"] [unique_id
> "UDiZKMCoAgIAAAxEDCsAAAAA"]
>
> http://local.rhsoft.net/?test=#/win.ini
>
> BYPASS
> _________________________________
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/





------------------------------

Message: 2
Date: Sat, 25 Aug 2012 14:40:34 +0200
From: Reindl Harald <h.reindl@thelounge.net>
Subject: Re: [mod-security-users] why does # bypass most rules?
Cc: Mailing-List mod_security
        <mod-security-users@lists.sourceforge.net>
Message-ID: <5038C7C2.4040308@thelounge.net>
Content-Type: text/plain; charset="iso-8859-1"

I found this in the access-log from a nessus-scan
with code 200, but maybe after I really woke up I
realize this may be caused by phase:2 and whitelisting
of the scanner-ip which only makes phase:1 active


On 25.08.2012 13:50, Ryan Barnett wrote:
> Are you testing with a web browser and putting that in the URL window?  If so, then the browser is treating that as a page anchor and does not send that part to the server. Check your apache access logs to see what the request looks like when it gets there.
>
> You could test with wget or curl to send that full payload and test the rules.

------------------------------

Message: 3
Date: Mon, 27 Aug 2012 13:05:30 +0200
From: Marc Stern <marc.stern@approach.be>
Subject: Re: [mod-security-users] why does # bypass most rules?
To: mod-security-users@lists.sourceforge.net
Message-ID: <503B547A.8060804@approach.be>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Everything from the '#' is considered by the browser as an internal
bookmark and is never sent to the server.

Marc

On 25-08-2012 11:25, Reindl Harald wrote:
> some tests showing that use of # is bypassing most rules




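The three replies above make one point: everything from the first `#` in a URL is the fragment identifier, which the browser keeps to itself, so the "bypass" requests never carried the payload to the server at all. The script below is an added example, not code from the thread or from ModSecurity: it computes the request-target a client actually puts on the request line, replays the two local rules quoted in the log lines (ids 63 and 77, copied from the log with the logger's doubled backslashes undone) against it, and shows how to percent-encode the `#` so that a test with curl really exercises the rule. curl drops the fragment just as a browser does, so the encoding step is needed for the "test with curl" suggestion too. Assumptions: the poster's rules URL-decode before matching (the log shows `[data "alert("]` for a request that carried `alert%28`, but the transformation list itself is not on the page), and the `modsec_verdict` function is a simplified stand-in for the engine, not ModSecurity's own matching.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns copied from the two "Access denied" log lines quoted in the thread
# (rule ids 63 and 77 of the poster's local rule file). The logger doubles
# backslashes; these are the patterns as ModSecurity compiles them.
XSS_RULE = re.compile(r"(?i:alert\()")                                            # id 63, phase 2
FILE_RULE = re.compile(r"\/etc\/|\\|\/win.ini|\/boot.ini|..\/..\/..\/|\'\'\'\'")  # id 77, phase 1


def request_target_as_sent(url: str) -> str:
    """Return the request-target a browser puts on the request line.

    Everything from the first '#' is the fragment identifier (RFC 3986); it is
    client-side only, so the server, and ModSecurity's REQUEST_URI, never sees it.
    curl drops it as well, so "testing with curl" needs url_with_literal_hash().
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def url_with_literal_hash(url: str) -> str:
    """Percent-encode '#' so the whole payload is transmitted instead of being
    treated as a fragment. Hand this form to curl/wget to really exercise a rule."""
    return url.replace("#", "%23")


def modsec_verdict(request_target: str):
    """Replay the two rules against REQUEST_URI, returning the id of the first
    rule that fires (phase 1 before phase 2) or None.

    Assumption: the rules URL-decode before matching (t:urlDecodeUni), which the
    log's [data "alert("] for a request carrying 'alert%28' implies.
    """
    decoded = unquote(request_target)
    if FILE_RULE.search(decoded):
        return 77
    if XSS_RULE.search(decoded):
        return 63
    return None


# The poster's four test URLs, exactly as given in the thread.
BYPASS_XSS = "http://local.rhsoft.net/?term=j&#X61vascript:alert%28218%29"
CAUGHT_XSS = "http://local.rhsoft.net/?term=j&X61vascript:alert%28218%29"
BYPASS_FILE = "http://local.rhsoft.net/?test=#/win.ini"
CAUGHT_FILE = "http://local.rhsoft.net/local.rhsoft.net/?test=/win.ini"


def explain(url: str) -> dict:
    """What reached the server and what the rules decide, for the URL as typed
    and for the '#'-encoded form that actually carries the payload."""
    as_typed = request_target_as_sent(url)
    encoded = request_target_as_sent(url_with_literal_hash(url))
    return {
        "sent_as_typed": as_typed,
        "verdict_as_typed": modsec_verdict(as_typed),
        "sent_encoded": encoded,
        "verdict_encoded": modsec_verdict(encoded),
    }


if __name__ == "__main__":
    for url in (BYPASS_XSS, CAUGHT_XSS, BYPASS_FILE, CAUGHT_FILE):
        print(url)
        for key, value in explain(url).items():
            print(f"  {key}: {value}")
```

For the two "BYPASS" URLs the request-target that leaves the client is just `/?term=j&` and `/?test=`, which no rule can match; with the `#` encoded as `%23` the same rules fire (ids 63 and 77). The practical check when a rule seems to be bypassed is therefore the one Ryan gives: read the request line in the access log first, and only then blame the rule.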
------------------------------

Message: 4
Date: Mon, 27 Aug 2012 14:02:00 +0200
From: Hekuran Doli <hekuran.doli@gmail.com>
Subject: [mod-security-users] NGINX and Mod_security
To: mod-security-users@lists.sourceforge.net
Message-ID:
        <CANC4PXi5q1wVCCqyJHJ_EpyvMgmaM0UcC2FNzAKSFojD8YMjPQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I have compiled nginx with mod_security support. In the error log I can see the
support for mod_security

2012/08/27 11:13:11 [info] 602096#0: ModSecurity for nginx/2.7.0-rc2 (
http://www.modsecurity.org/) configured.
2012/08/27 11:13:11 [info] 602096#0: ModSecurity: APR compiled
version="1.4.2"; loaded version="1.4.2"
2012/08/27 11:13:11 [info] 602096#0: ModSecurity: PCRE compiled
version="8.2 "; loaded version="8.02 2010-03-19"
2012/08/27 11:13:11 [info] 602096#0: ModSecurity: Loaded PCRE do not match
with compiled!
2012/08/27 11:13:11 [info] 602096#0: ModSecurity: LIBXML compiled
version="2.7.8"

I have loaded the ModSecurityConfig and  ModSecurityEnabled
ModSecurityConfig
/usr/local/nginx/conf/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf;
ModSecurityEnabled On;

But I can't make mod_security work.

Attacks can get through and I get no error in the log file.

Do I need to add any extra configuration to enable mod_security for nginx?

Note: I'm using nginx as a reverse proxy.

Thanks

------------------------------

Message: 5
Date: Mon, 27 Aug 2012 20:27:04 +0800
From: yorkng zhuo <yorkng.zhuo@gmail.com>
Subject: Re: [mod-security-users] NGINX and Mod_security
To: Hekuran Doli <hekuran.doli@gmail.com>
Cc: mod-security-users@lists.sourceforge.net
Message-ID:
        <CAKV5U6=aryb+qEONhxYpNPWutLN0tcgNTek4N9LA8nxq38bixw@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Hekuran,
you may need to set "SecRuleEngine on"
at the front of the file /usr/local/nginx/conf/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf


On Mon, Aug 27, 2012 at 8:02 PM, Hekuran Doli <hekuran.doli@gmail.com> wrote:

> I have compiled nginx with mod_security support. In error log I can see
> the support for mod_security
>
> 2012/08/27 11:13:11 [info] 602096#0: ModSecurity for nginx/2.7.0-rc2 (
> http://www.modsecurity.org/) configured.
> 2012/08/27 11:13:11 [info] 602096#0: ModSecurity: APR compiled
> version="1.4.2"; loaded version="1.4.2"
> 2012/08/27 11:13:11 [info] 602096#0: ModSecurity: PCRE compiled
> version="8.2 "; loaded version="8.02 2010-03-19"
> 2012/08/27 11:13:11 [info] 602096#0: ModSecurity: Loaded PCRE do not match
> with compiled!
> 2012/08/27 11:13:11 [info] 602096#0: ModSecurity: LIBXML compiled
> version="2.7.8"
>
> I have loaded the ModSecurityConfig and  ModSecurityEnabled
> ModSecurityConfig
> /usr/local/nginx/conf/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf;
> ModSecurityEnabled On;
>
> But I cant make mod_security work.
>
> Attacks can get through and I get no error in log file.
>
> Do i need to add any extra configuration to enable mod_security for ngix?
>
> Note: Im using nginx as reverse proxy
>
> Thanks
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
>


--
Regards,

Yorkng

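Messages 4 and 5 and the resolution at the top of this mail describe the same misconfiguration from three angles: a rule file loaded without `SecRuleEngine` does nothing at all (no log entries), an engine switched on without a blocking `SecDefaultAction` logs but lets the request through, and only the combination of `SecRuleEngine On` with a `SecDefaultAction` that ends in `deny` blocks. The reason is that the CRS rules end in the `block` action, which in ModSecurity 2.x means "perform the disruptive action of the preceding SecDefaultAction". The checker below is an added example, not code from the thread or from the ModSecurity project: it reads a ModSecurity configuration fragment and classifies what a matching `block` rule will actually do. The three configurations are constructed to mirror the thread; the defaults it assumes when a directive is absent are the documented 2.x defaults (`SecRuleEngine` Off, `SecDefaultAction "phase:2,log,auditlog,pass"`), and the classification is a simplified model of the engine, not its own logic.

```python
import shlex

# Constructed configurations (not from the page). The first matches the
# symptoms in message 4: only the CRS SQLi file loaded, engine left at its
# default. The second is the "detect mode" the original poster describes.
# The third is the corrected form: engine on, default action deny.
CONFIG_AS_POSTED = """
# loaded by nginx via: ModSecurityConfig <this file>; ModSecurityEnabled On;
# ... followed by the modsecurity_crs_41_sql_injection_attacks.conf rules,
# which end in the 'block' action
"""

CONFIG_DETECT_ONLY = """
SecRuleEngine On
SecDefaultAction "phase:2,log,auditlog,pass"
# ... CRS rules using 'block'
"""

CONFIG_BLOCKING = """
SecRuleEngine On
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# ... CRS rules using 'block'
"""

# Disruptive actions that stop the request from reaching the application.
# A rule's 'block' action resolves to whichever of these SecDefaultAction
# names, so a default action ending in 'pass' turns CRS into a detector.
DISRUPTIVE = {"deny", "drop", "redirect", "proxy"}


def engine_mode(config: str) -> str:
    """Last SecRuleEngine value; 'Off' when the directive is absent (2.x default)."""
    mode = "Off"
    for line in config.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "SecRuleEngine":
            mode = tokens[1]
    return mode


def default_actions(config: str) -> set:
    """Action set of the last SecDefaultAction; the built-in default
    'phase:2,log,auditlog,pass' when the directive is absent."""
    value = "phase:2,log,auditlog,pass"
    for line in config.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "SecDefaultAction":
            value = tokens[1]
    return {action.strip() for action in value.split(",")}


def effective_behaviour(config: str) -> str:
    """What a matching rule that uses 'block' (as the CRS rules do) will do."""
    mode = engine_mode(config).lower()
    if mode == "off":
        return "rules not evaluated"   # nothing logged, nothing blocked
    if mode == "detectiononly":
        return "logged only"           # rules run, disruptive actions suppressed
    if default_actions(config) & DISRUPTIVE:
        return "blocked"
    return "logged only"               # On, but the default action is pass


if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_AS_POSTED),
                      ("detect", CONFIG_DETECT_ONLY),
                      ("blocking", CONFIG_BLOCKING)):
        print(f"{name:10s} -> {effective_behaviour(cfg)}")
```

Run it against the file handed to `ModSecurityConfig` before deciding the module is broken: "rules not evaluated" is the no-log, no-block state of message 4, "logged only" is the detect mode of the top reply, and only "blocked" means the deployment will refuse an attack.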
------------------------------



End of mod-security-users Digest, Vol 75, Issue 10
**************************************************



--
Hekuran Doli

Senior Software Engineer
Yjet e Erenikut 14/2, Gjakova, Kosova
+386 49 40 40 50