Re: [mod-security-users] dav_svn forbidden fix
From: Jeremy B. <jb...@xt...> - 2013-02-19 21:07:36
Hi Ryan,
I think this will be the best approach for my environment.
Thanks again!
~Jeremy
--
Jeremy Brock
XtremeServices.Net
Xtreme Services, LLC
On 2/19/2013 1:01 PM, Ryan Barnett wrote:
>
> From: Jeremy Brock <jb...@xt...>
> Date: Tuesday, February 19, 2013 3:54 PM
> To: Ryan Barnett <rba...@tr...>
> Cc: mod...@li...
> Subject: Re: [mod-security-users] dav_svn forbidden fix
>
> Hello Ryan,
>
> You are correct :
>
> I had the following methods blocked : OPTIONS, CHECKOUT,
> PROPPATCH, PUT
>
> Thank you for pointing me to the proper place to make the
> changes : modsecurity_crs_10_setup.conf !
>
> Is it possible to only allow these extra Methods with respect
> to a directory location such as /svn using the
> modsecurity_crs_10_setup.conf ?
>
> You bet. You could leave the default tx.allowed_methods in the 10
> setup conf file and then add this to your 15 custom rules conf file -
>
> # Override the default method allow-list for everything under /svn.
> # REQUEST_FILENAME is the request path without the query string; the rule
> # runs after the 10 setup file and before the 30 policy rules read the variable.
> SecRule REQUEST_FILENAME "@beginsWith /svn" \
>   "id:111114,phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND PROPPATH PROPPATCH REPORT MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL'"
>
> This will reset the tx.allowed_methods variable data to a new value
> before being inspected in the 30 file.
>
> -Ryan
>
> ~Jeremy
>
> --
>
> Jeremy Brock
>
> XtremeServices.Net
> Xtreme Services, LLC
>
> On 2/19/2013 12:39 PM, Ryan Barnett wrote:
>> On 2/19/13 3:26 PM, "Jeremy Brock" <jb...@xt...> wrote:
>>
>>> Hi All,
>>>
>>> I had a client experiencing issues with the dav_svn / tortoise svn
>>> and I was unable to get around the modsecurity rules with locationmatch
>>> in the directives. I ended up using the following as a custom rule
>>> based on something I found while googling and it appears to have worked
>>> like a charm after slight modifications.
>>>
>>> I am not sure if a fix like this should be sent to the list, but I
>>> figured why not, it hopefully will be helpful for others googling.
>> First of all, thank you for sending this to the list. I have a feeling
>> that most people internally add exceptions to handle issues rather than
>> sharing with the group. This, in turn, makes it impossible for us to know
>> what changes we could make to have the rule be more accurate.
>>
>>> For anyone else experiencing forbidden issues with modsecurity and
>>> dav_svn the following placed in modsecurity_crs_15_custom_rules.conf
>>> seems to have fixed the issues :
>> What were the errors you were getting? Were they from the OWASP
>> ModSecurity CRS? Was it this rule?
>>
>> # allow request methods
>> #
>> # TODO Most applications only use GET, HEAD, and POST request
>> # methods. If that is not the case with your environment, you are advised
>> # to edit the line or uncomment it.
>> #
>> SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
>>   "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
>>
>>
>>
>> If so, then you can easily adjust your local "allowed HTTP request methods"
>> by editing -
>> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example
>>
>>
>> Change the following setvar for tx.allowed_methods to include those needed
>> for SVN.
>>
>> #
>> # Set the following policy settings here and they will be propagated to the 30 rules
>> # file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
>> # If you run into false positives, you can adjust the settings here.
>> #
>> SecAction \
>>   "id:'900012', \
>>   phase:1, \
>>   t:none, \
>>   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
>>   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
>>   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
>>   setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
>>   setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
>>   nolog, \
>>   pass"
>>
>>
>>
>> You can also adjust the tx.allowed_request_content_type regex as well.
>>
>> -Ryan
>>
>>> # Modsecurity 2.7.2
>>> # Core ModSecurity Rule Set ver.2.2.7
>>> # Allow SVN through
>>> SecRule REQUEST_METHOD "@within PROPFIND PROPPATH PROPPATCH REPORT OPTIONS MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL" \
>>>   "chain,phase:1,id:111114,t:none,nolog,pass"
>>>   SecRule REQUEST_HEADERS:User-Agent "@beginsWith SVN" \
>>>     "ctl:'ruleRemoveById=960010,960015,960032,960904'"
>>> ~Jeremy
>>>
>>> --
>>>
>>> Jeremy Brock
>>>
>>> XtremeServices.Net
>>> Xtreme Services, LLC
>>>
>>>
>> ________________________________
>>
>> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
>>
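The per-location approach Ryan describes in the thread, written out end to end as an added example; this is not code from the thread or from the OWASP CRS project. It assumes the CRS 2.2.x file layout and the ids named above (900012 in the 10 setup file, 960032 in the 30 policy file, 111114 for the local rule) and a repository served under /svn/. It goes slightly beyond the thread's list: mod_dav_svn clients also use COPY, MOVE, LOCK and UNLOCK, and a LOCK request carries the Lock-Token and If headers that the default tx.restricted_headers value quoted above would still reject, so the override covers that variable as well.

```apache
# Added example, not from the thread or the CRS project.
# Assumes CRS 2.2.x: modsecurity_crs_10_setup.conf, _15_custom_rules.conf and
# _30_http_policy.conf are included in lexical order, and the repository
# lives under /svn/.

# --- modsecurity_crs_10_setup.conf: keep the conservative site-wide default ---
SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"

# --- modsecurity_crs_15_custom_rules.conf: widen the policy only under /svn/ ---
# The 15 file runs after 10 (which sets the defaults) and before 30 (where
# rule 960032 expands %{tx.allowed_methods}), so the setvar below wins for
# matching requests and every other path stays on the default list.
#
# Match with a trailing slash: "@beginsWith /svn" would also cover /svn-old
# or /svnadmin. Use "@rx ^/svn(/|$)" if the bare /svn path must match too.
SecRule REQUEST_FILENAME "@beginsWith /svn/" \
  "id:111114, \
  phase:1, \
  t:none, \
  nolog, \
  pass, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND PROPPATCH REPORT MKACTIVITY CHECKOUT PUT DELETE MERGE MKCOL COPY MOVE LOCK UNLOCK', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Content-Range/ /Translate/ /via/'"
```

Run `apachectl configtest` after the edit, then confirm the scope with two requests: `curl -i -X PROPFIND https://host/svn/repo/` should reach mod_dav_svn, while the same method against a path outside /svn/ should still be refused by rule 960032. Two points worth keeping in mind: the override applies to every client, so who may PUT, DELETE or LOCK under /svn/ remains the job of Apache and mod_dav_svn authorization, not of the WAF; and keying the exception on the path is sturdier than the User-Agent test in the first rule posted above, because a client can send any User-Agent it likes.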