Re: [mod-security-users] Mod Sec 2 fails to block empty user agent, no matter what!
From: Ryan B. <rya...@br...> - 2009-08-23 19:03:11
On Sunday 23 August 2009 12:54:19 pm Steve Warwick wrote:
> I have been using modsec 1 for several years and am using modsec 2 on a new
> server. While switching over I have found some very odd behavior....
>
> Example: To block an empty user agent the regex should be ^$ -- my rule
> is:
>
> SecRule REQUEST_HEADERS:User-Agent "^$" \
> "t:none,log,deny,status:411,t:compressWhiteSpace, t:replaceNulls, msg:'null UA'"
>
> * The rule is as close to the beginning of the ruleset as possible
> * If I make the rule phase1 it gets skipped altogether in the debug
> output.
>
> Default rule is:
> SecDefaultAction
> "phase:2,deny,log,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
>
> Trying a simple script against this server (file_get_contents + setting a
> blank UA) I get this in the logs:
>
> IP-ADDRESS - - [22/Aug/2009:17:14:24 -0500] "GET /tools/modsectest9x.php HTTP/1.0" 200 60 "-" "-"
>
> So a blank referer and blank UA - and yet modsec lets the connection sail
> thru, plus if I debug modsec (level 9) I can see the rule being eval'd and
> ignored. (output below is trimmed of the date/ip/rid)
>
> [4] Recipe: Invoking rule 95510e8; [file "/usr/local/apache/conf/modsec2.user.conf"] [line "33"].
> [5] Rule 95510e8: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^$" "phase:2,status:411,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:none,log,deny,t:compressWhiteSpace,t:replaceNulls,msg:'null UA'"
> [4] Rule returned 0.
> [9] No match, not chained -> mode NEXT_RULE.
>
> I have ensured my IP is not whitelisted and run the script from several
> locations just in case. I have tried every variation of regex I can think of
> and then some, but still nothing. I have tried every variation of the rule,
> but no joy.
>
> * Linux s 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux
> * Apache 2.2.11
> * webserver built by theplanet for hostgator
> * Modsec 2.5.9

Steve, check out this blog post on this topic -
http://blog.modsecurity.org/2007/03/211x-rule-diffe.html. Basically, the
older Mod rule syntax you are using will identify two separate issues - if
a header is missing *or* if it is present but empty. In the new rules
syntax, there are different methods for handling either of those cases.

> On top of this, modsec will not catch ARGS | ARGS_POST which I use to trap
> comment spam keywords, or obey nolog! :(

Please provide an example of where it is not working as you expect. These
variables are still there in Mod 2.5.x.
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N10DA7

> I am seriously thinking of downgrading to apache 1.3 and modsec 1.9x so I
> can just move on and get some work done!
>
> Any suggestions or ideas of where to look?
>
> Steve
>
> Note: This email is CONFIDENTIAL and contains information intended only for
> the party to whom it is addressed. No reproduction of this email may be
> made without the written consent of the original sender.
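The two cases Ryan distinguishes (header absent versus header present but empty), written out as ModSecurity 2.x rules. This is an added example, not code from either poster; the rule ids and the reuse of status 411 are assumed.

```apache
# Added example: one rule per case. ModSecurity 2.x only evaluates a
# rule against variables that exist, so "@rx ^$" against
# REQUEST_HEADERS:User-Agent never runs when the header is missing.
# With the SecDefaultAction quoted above, both rules inherit deny and
# log; t:none drops the inherited transformations. Rule ids are assumed.

# Case 1: the User-Agent header is absent altogether.
# The & prefix counts matching variables, so "@eq 0" fires on absence.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:'1000001',phase:1,t:none,log,deny,status:411,msg:'User-Agent header missing'"

# Case 2: the header is present but its value is empty.
# Now the variable exists and the anchored regex matches the empty string.
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "id:'1000002',phase:1,t:none,log,deny,status:411,msg:'User-Agent header empty'"
```

Request headers are available from phase 1, but phase 1 rules only run when defined in the main server or VirtualHost configuration; a rule loaded from a per-directory context (such as .htaccess) is first evaluated in phase 2, which is one reason a phase 1 rule can appear to be skipped in the debug log.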