Re: [mod-security-users] Proxy access attempt rule
From: Michael S. <mi...@go...> - 2011-02-15 23:42:20
Thank you Ryan. For future reference, if you are using ASL, ASL will set this to On or Off depending on what role(s) the system is set for; in most cases it's set to Off for control panels like Plesk, cPanel, etc., which also set it to Off for the virtual hosts they manage. So be careful to follow their guidance on this setting if you use a control panel: they will override the setting when it's appropriate and may override your setting too.

As an aside (and please forgive me Ryan, I know what you meant!), in case anyone does need to set this to On, the directive is UseCanonicalName as opposed to UseCononicalName as it says in the comments in the CRS rules.

As Ryan suggested, if you have issues with our rules please contact us directly; we'd be happy to help you. Specific instructions on reporting false positives are provided here:

https://www.atomicorp.com/wiki/index.php/Reporting_False_Positives#Reporting_False_Positives_when_not_running_ASL

If you are using ASL, just click the Report False Positive button, which will send us everything we need and will automatically open a case in the support portal. All false positives are fixed the same day they are reported (via either means); it's as simple as that!

On Tue, 2011-02-15 at 07:33 -0600, Ryan Barnett wrote:
> On 2/14/11 9:22 AM, "Peter Tesone" <pt...@gm...> wrote:
>
> >Hi,
> >
> >I receive a 403 error in my hosting because a mod_security rule is
> >triggered. Can anyone suggest how to change this rule so it does not
> >raise a 403 error?
>
> Peter,
> This rule is from the GotRoot application protections file -
> http://updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_rules.conf
>
> If you have issues with this rule, they have their own user
> mail-list/forum. We (Trustwave) maintain the OWASP ModSecurity Core Rule
> Set (CRS) Project.
>
> That being said - here is the rule that is triggering -
>
> SecRule REQUEST_URI_RAW "^\w+:/" \
>   "chain,phase:2,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Proxy access attempt',severity:'2',id:'340012',rev:2,logdata:'%{TX.0}'"
> SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/"
>
> I believe that GotRoot took this rule from the CRS and added it to their
> own. Note that in our version, we have some comments related to its
> effectiveness (specifically that you have to have Apache configured with
> UseCononicalName for it to work correctly). Due to this reliance, we
> opted to comment out this rule -
>
> #
> # Proxy access attempt
> # NOTE Apache blocks such access by default if not set as a proxy. The rule is
> #      included in case Apache proxy is misconfigured.
> # NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
> #      your local application and this rule allows it.
> # NOTE Need to have UseCononicalName On in Apache config to properly set the SERVER_NAME variable.
> #      If you have set UseCononicalName, then you can uncomment this rule.
> #
> # -=[ Rule Logic ]=-
> # This chained rule first inspects the URI to see if a full domain name is specified.
> # If it is, then this data is compared against the Cononical SERVER_NAME. If it does
> # not match, then the client is making a request for an off-site location.
> #
> #SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,rev:'2.1.1',t:none,block,msg:'Proxy access attempt',severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',tag:'WASCTC/WASC-14',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10'"
> #  SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
>
> So, have you set UseCononicalName in your apache configs?
>
> -Ryan
>
> >Error Log:
> >
> >access attempt"] [data "http:] [severity "CRITICAL"] [hostname "www.lawyers-etc.com"] [uri "] [unique_id "TU7PyK54BYIAAF4zFz8AAAEI"]
> >[Sun Feb 06 10:44:01 2011] [error] [client 76.114.227.80] ModSecurity: Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME} against "MATCHED_VAR" required. [file "/opt/mod_security/10_asl_rules.conf"] [line "102"] [id "340012"] [rev "2"] [msg "Atomicorp.com WAF Rules: Unauthorized Proxy access attempt"] [data "http:] [severity "CRITICAL"] [hostname "www.lawyers-etc.com"] [uri "] [unique_id "TU7P0a54BYIAABcix24AAACc"]
> >
> >Regards,
> >Peter
> >
> >------------------------------------------------------------------------------
> >The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> >Pinpoint memory and threading errors before they happen.
> >Find and fix more than 250 security defects in the development cycle.
> >Locate bottlenecks in serial and parallel code that limit performance.
> >http://p.sf.net/sfu/intel-dev2devfeb
> >_______________________________________________
> >mod-security-users mailing list
> >mod...@li...
> >https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >Commercial ModSecurity Appliances, Rule Sets and Support:
> >http://www.modsecurity.org/breach/index.html
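As an added illustration (not code from the thread, CRS or Atomicorp), the Python model below simulates the chained rule quoted in the thread and shows why the CRS comment ties it to UseCanonicalName: with Off the rule is blind to real off-site requests, with On it also catches legitimate absolute-URI requests for an alias, an https scheme or a host:port form. The SERVER_NAME model (Off = client-supplied hostname, absolute URI taking precedence over the Host header), the hostnames and the requests are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Simulation of the chained "Proxy access attempt" rule from the thread:
#   SecRule REQUEST_URI_RAW "^\w+:/" "chain,t:lowercase,capture,deny,..."
#   SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}/"
ABS_URI = re.compile(r"^\w+:/")   # rule 1: is the request line an absolute URI?


def server_name(request_uri_raw, host_header, canonical, use_canonical_name):
    """Model (assumption) of Apache's SERVER_NAME, per the UseCanonicalName docs:
    On  -> the configured ServerName;
    Off -> the hostname the client supplied, where an absolute-URI request
           line takes precedence over the Host header; port dropped."""
    if use_canonical_name:
        return canonical.lower()
    client_host = None
    if ABS_URI.search(request_uri_raw):
        client_host = urlsplit(request_uri_raw).hostname
    return (client_host or host_header.split(":")[0]).lower()


def proxy_rule_fires(request_uri_raw, host_header, canonical="www.example.com",
                     use_canonical_name=False):
    """True when the chained rule (Atomicorp id 340012 / CRS id 960014) would block."""
    uri = request_uri_raw.lower()          # t:lowercase; this is also what MATCHED_VAR holds
    if not ABS_URI.search(uri):
        return False                       # relative URI: the chain stops at rule 1
    sname = server_name(request_uri_raw, host_header, canonical, use_canonical_name)
    return not uri.startswith("http://" + sname + "/")   # rule 2: !@beginsWith


if __name__ == "__main__":
    host = "www.example.com"               # constructed Host header value
    cases = [
        ("/index.html", False), ("http://other.example.org/", False),
        ("http://other.example.org/", True), ("http://www.example.com/app", False),
        ("http://example.com/app", True), ("https://www.example.com/", True),
    ]
    for uri, canon in cases:
        print(f"UseCanonicalName {'On ' if canon else 'Off'}  {uri:32s} "
              f"blocked={proxy_rule_fires(uri, host, use_canonical_name=canon)}")
```

With Off, the genuine off-site request is let through because SERVER_NAME simply follows the hostname in the request line; with On, the alias request that a mobile client might send (the false-positive case the CRS comment mentions) is blocked alongside the off-site one.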