Re: [mod-security-users] [Owasp-modsecurity-core-rule-set] OWASP ModSecurity CRS v2.2.5 Available
From: Ryan B. <RBa...@tr...> - 2012-08-09 14:13:32
Good point. You need at least ModSecurity v2.6.2. Per the CHANGES file:

5 Sep 2011 - 2.6.2-rc1
-------------------
  * Added support to macro expansion for rx operator.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

On 8/8/12 9:16 PM, "Paul McGarry" <pa...@pa...> wrote:

>On Sat, Jun 16, 2012 at 12:21 AM, Ryan Barnett <RBa...@tr...> wrote:
>> OWASP ModSecurity CRS v2.2.5 Available
>>
>> CHANGES:
>>
>> Improvements:
>>
>> Updated Content-Type check to fix possible evasion with @within
>> (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
>
>Firstly, does this change require a particular version of ModSecurity to work correctly?
>(I note the README says "The rules are compatible with ModSecurity 2.5").
>
>After deploying this ruleset I am seeing messages like:
>
>Message: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/httpd/conf.d/modsecurity-crs_2.2.5/base_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
>
>I am loading the config like:
>  Include conf.d/modsecurity-crs_2.2.5/*.conf
>  Include conf.d/modsecurity-crs_2.2.5/base_rules/*.conf
>
>modsecurity-crs_2.2.5/modsecurity_crs_10_config.conf contains
>======
>SecAction \
>  "id:'900012', \
>  phase:1, \
>  t:none, \
>  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
>  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
>  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
>  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
>  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
>  nolog, \
>  pass"
>=======
>
>and 960010 in modsecurity-crs_2.2.5/base_rules/modsecurity_crs_30_http_policy.conf looks like
>=======
>SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'"
>  SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
>  SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
>
>=======
>
>
>Secondly, is there something odd with the svn repo (or Sourceforge)?
>This change doesn't seem to occur on the checkin with the changelog message:
>http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&revision=1937
>but on another revision:
>http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&revision=1922
>with the message "- Added Arachni Scanner Integration Lua script/rules files"
>
>
>Paul
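The following Python emulation of chain 960010 is an added example for this thread; it is not code from the CRS project or from either poster. It reproduces the three chain links quoted above (method exemption, `^([^;\s]+)` capture into TX:0, negated `@rx` against the expanded macro) using the allow-list from the quoted modsecurity_crs_10_config.conf, and it lets you flip macro expansion off to reproduce the warning Paul saw on a ModSecurity release older than 2.6.2, where `%{tx...}` inside an rx argument is taken literally and therefore never matches. The `GROUPED_OPERATOR_ARG` variant and all function names are assumptions introduced here, not part of the rule set.

```python
import re

# Constructed copy of the allow-list quoted in the thread
# (tx.allowed_request_content_type from modsecurity_crs_10_config.conf).
TX = {
    "allowed_request_content_type": (
        "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
        "application/xml|application/x-amf"
    ),
}

# Operator argument exactly as it appears in the third link of rule 960010.
CRS_OPERATOR_ARG = "^%{tx.allowed_request_content_type}$"

# Assumed tightened variant (not from the page): the non-capturing group makes
# ^ and $ bind to every alternative instead of only the first and the last.
GROUPED_OPERATOR_ARG = "^(?:%{tx.allowed_request_content_type})$"

# Link 1: methods that skip the Content-Type check entirely.
EXEMPT_METHODS = re.compile(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$")

# Link 2: capture the media type, dropping ";charset=..." style parameters.
CAPTURE_MEDIA_TYPE = re.compile(r"^([^;\s]+)")


def expand_macros(operator_arg, tx):
    """Emulate ModSecurity 2.6.2+ expansion of %{tx.NAME} inside an @rx argument."""
    return re.sub(r"%\{tx\.([A-Za-z0-9_]+)\}", lambda m: tx[m.group(1)], operator_arg)


def rule_960010_fires(method, content_type, tx=TX, operator_arg=CRS_OPERATOR_ARG,
                      macro_expansion=True):
    """Return True when chain 960010 would log 'Request content type is not allowed by policy'.

    macro_expansion=False emulates a ModSecurity release older than 2.6.2,
    where the %{tx...} text in the rx argument is used as a literal pattern.
    """
    # Link 1 is negated: an exempt method ends the chain without a match.
    if EXEMPT_METHODS.search(method):
        return False
    # Link 2: no Content-Type header means nothing to capture, so the chain stops.
    if content_type is None:
        return False
    captured = CAPTURE_MEDIA_TYPE.search(content_type)
    if captured is None:
        return False
    tx0 = captured.group(1)
    pattern = expand_macros(operator_arg, tx) if macro_expansion else operator_arg
    # Link 3 is negated: the rule fires when TX:0 does NOT match the pattern.
    # @rx is an unanchored search, hence re.search rather than re.match.
    return re.search(pattern, tx0) is None


if __name__ == "__main__":
    for method, ctype, expansion in [
        ("POST", "application/x-www-form-urlencoded", True),
        ("POST", "application/x-www-form-urlencoded", False),
        ("POST", "text/xml; charset=utf-8", True),
        ("POST", "application/json", True),
        ("GET", None, True),
    ]:
        print(method, ctype, "macro expansion" if expansion else "literal pattern",
              "->", "fires" if rule_960010_fires(method, ctype, macro_expansion=expansion) else "passes")
```

Two things the emulation makes visible. First, with `macro_expansion=False` every non-exempt request carrying a Content-Type header fires the rule, which is the symptom in Paul's log (an allowed `application/x-www-form-urlencoded` body flagged with `[data "application/x-www-form-urlencoded"]`). Second, because the macro expands to a bare alternation, `^` applies only to the first alternative and `$` only to the last; `GROUPED_OPERATOR_ARG` shows the wrapping a practitioner would add so that each allowed media type is matched whole.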