Re: [mod-security-users] How to Change the Anomaly Score for a Rule
From: kwenu <uz...@ya...> - 2011-08-09 11:34:23
Just figured it out. I don't believe I have the logic worked out yet, since the documentation says nothing about how such rules are processed. The documentation should explain how these rules are processed, since putting rules in modsecurity_crs_48_general_exceptions.conf does not appear to run rules multiple times but only once (I could be wrong here). So this rule appears to match once only, and not (as I believed) against every match of a rule against this one request. Since the URL is matched 8 times, I simply used 3 multiplied by 8, which gives 24. So when this rule is used it will subtract 24 before blocking actions are invoked.

What I originally thought was that the regex would take care of every rule match against this URL and subtract 5 every time (if setvar:tx.anomaly_score=-5). That is not the case.

What I would like is a way of specifying multiple rules against a particular URL and setting the anomaly score to -5; that would in my mind be much better.

SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
SecRule &TX:'/98124[248]-Detects.*[12]/[1-3]-WEB_ATTACK/(ID|SQLI|LFI)-REQUEST_FILENAME/' "@ge 0" "setvar:tx.anomaly_score=-24"

On 08/08/11 16:37, kwenu wrote:
> Hi
>
> I'm trying to change the anomaly score for a rule that is fired when a
> file name is triggered within the URL.
>
> Looking at the rule below I know that I have not included a VARIABLE
> that "@ge 0" can be applied to. I realise this and have trawled through
> the debug logs but cannot identify the correct variable to use here.
>
> SecRule REQUEST_FILENAME "@streq /navlid_div.gif" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
> SecRule &TX:'/981244-Detects.*basic.*SQL.*authentication.*bypass.*attempts.*1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME/' "@ge 0" "setvar:tx.anomaly_score=-5"
>
> The rule above has been put in modsecurity_crs_48_local_exceptions.conf.
>
> Here's a snippet of the debug log where I was hoping to snag the
> correct @TX
> line from:
>
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Target value: "/theme/common/image/navlid_div.gif"
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Added regex subexpression to TX.0: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Operator completed in 85 usec.
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.msg=%{rule.id}-%{rule.msg}
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.id} to: 981244
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.msg} to: Detects basic SQL authentication bypass attempts 1/3
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.msg" to "981244-Detects basic SQL authentication bypass attempts 1/3".
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.anomaly_score=+7
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Original collection variable: tx.anomaly_score = "13"
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Relative change: anomaly_score=13+7
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.anomaly_score" to "20".
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at REQUEST_FILENAME. [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) urlDecodeUni: "/theme/common/image/navlid_div.gif"
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) replaceComments: "/theme/common/image/navlid_div.gif"
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Rule returned 1.
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Match -> mode NEXT_RULE.
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Recipe: Invoking rule 952efa8; [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "562"] [id "981255"].
> 8:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
> [08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][5] Rule 952efa8: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\sexec\\s+xp_cmdshell)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*!\\s*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98);?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)))" "phase:2,nolog,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects MSSQL code execution and information gathering attempts',id:981255,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{m
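What the reply asks for, a per-URL exception that covers several rules without hand-computing a negative score, can be done with ctl: actions instead of a post-hoc setvar. The configuration below is an added example, not part of the original thread or of the CRS. It assumes ModSecurity 2.6 or later (ctl:ruleRemoveTargetById was introduced in 2.6) with CRS 2.2.x, and that rule ids 10001 and 10002 are unused locally; the file and path names are the ones from the debug log above.

```apache
# Added example (not from the original post or the CRS).  Assumes
# ModSecurity 2.6+ and CRS 2.2.x: the *_41_* detection rules run in phase 2,
# and modsecurity_crs_49_inbound_blocking.conf compares tx.anomaly_score to
# the threshold after they have run.  Rule ids 10001/10002 assumed free.
#
# Because these are phase:1 rules, they run before every phase:2 detection
# rule regardless of which file they live in, so they can stay in
# modsecurity_crs_48_local_exceptions.conf.

# Preferred: keep 981244 and 981255 (both fired on this request, see the
# debug log) active, but stop them inspecting REQUEST_FILENAME for this one
# resource.  ctl: actions apply to the current transaction only; the rules
# never match here, so nothing is ever added to tx.anomaly_score and no
# alert is written for them.  Add further ctl:ruleRemoveTargetById entries
# for any other rule id the debug log shows matching REQUEST_FILENAME.
SecRule REQUEST_FILENAME "@endsWith /theme/common/image/navlid_div.gif" \
    "phase:1,id:10001,t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=981244;REQUEST_FILENAME,\
    ctl:ruleRemoveTargetById=981255;REQUEST_FILENAME"

# Pre-2.6 fallback (use this OR the rule above, not both): ctl:ruleRemoveById
# disables the whole rule for the transaction, so its ARGS, cookie and body
# targets are skipped as well.  Acceptable for a static image, too broad for
# a URL that takes parameters.
SecRule REQUEST_FILENAME "@endsWith /theme/common/image/navlid_div.gif" \
    "phase:1,id:10002,t:none,nolog,pass,\
    ctl:ruleRemoveById=981244,ctl:ruleRemoveById=981255"

# Site-wide variant (2.6+): drop REQUEST_FILENAME from the rule's target list
# for every request rather than this URL only.  Broader than needed here.
# SecRuleUpdateTargetById 981244 "!REQUEST_FILENAME"
```

To check it, re-request the .gif with SecDebugLogLevel 9 and confirm that no "Warning. Pattern match" line for id 981244 appears against REQUEST_FILENAME; the "Relative change: anomaly_score=13+7" arithmetic from the log above disappears with it. Subtracting from tx.anomaly_score in phase 2 still leaves the original 981244 alert in the audit log, and the amount to subtract is tied to the per-rule scores of the installed CRS version (the log shows +7 for 981244 and +5 for 981255), so it silently goes wrong after a CRS update; narrowing the target avoids both problems.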