Re: [mod-security-users] Basic question regarding usage
From: Thomas E. <tho...@gm...> - 2013-05-22 07:47:28
Hi Josh,
> It sounds to me like rule 981176 isn't being executed, perhaps because
> you enabled anomaly_score_blocking too late in the processing.
Indeed, that rule was missing. I added it but the system would still not
block the attacks. In my configuration rule 981176 came after 900004 and
after all SecActions specifying the anomaly scores, e.g.
SecAction
"phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20,id:'10001'"
but before all attack specific rules and I think that was exactly the
problem.
Once I put rule 981176 as the very last rule overall mod_security started
blocking the attacks and the log contains all matched rules. Is this the
correct way of setting it up? Do I really have to put rule 981176 as the
very last rule specific to inbound requests?
Cheers,
Thomas
On Tue, May 21, 2013 at 8:17 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
> On Tue, May 21, 2013 at 5:52 PM, Thomas Eckert <
> tho...@gm...> wrote:
>
>> Hi Josh,
>>
>> My setup is kind of hard to explain because there are so many external
>> components involved. Safe to say it's a non-standard setup but I am using
>> the OWASP CRS, though only parts of it. Due to this setup I have no
>> "modsecurity_crs_10_setup.conf" file but my equivalent (general
>> mod_security config file) contains
>> SecDefaultAction "phase:2,pass"
>>
>> I checked the rule with id=900004 and interestingly I found no equivalent
>> in my configuration, at least nothing with "anomaly_score_blocking=on" in
>> it. So I added the rule in my general config, exactly as shipped with the
>> v2.2.7 owasp-crs. No change in behaviour though.
>>
>
> Hi Thomas,
>
> I suggest increasing your debug log level to 9 for you to better
> understand what is happening. It sounds to me like rule 981176 isn't being
> executed, perhaps because you enabled anomaly_score_blocking too late in
> the processing.
>
>
>> Looking at owasp-crs/modsecurity_crs_10_setup.conf I saw
>> SecDefaultAction "phase:1,deny,log"
>> so I changed my default action from pass to deny. It started blocking and
>> the log only contains one message by mod_security about the matched rule
>> before apache logs a 403. I *think* this matches the behaviour described by
>> the documentation in modsecurity_crs_10_setup.conf.example under "[[
>> Self-Contained Mode ]]" (line 86 in v2.2.7) where it states "The first rule
>> that matches will block".
>> Still, simply changing a value is not gonna cut it, I'm afraid. I need to
>> understand why this helps (if it does?).
>>
>>
> When you set the default action to deny then the moment the first rule
> matches the rule inherits the default action and denies with a 403 response
> code. If you use anomaly mode then after a match the anomaly score is
> increased and ModSecurity continues processing the rest of the rules. Using
> the "classic" configuration, ModSecurity then makes a decision to block
> with a 403 response code or not based on the 49 config file (for inbound
> requests), assuming that that file is enabled and that the
> anomaly_score_blocking variable is set before rule 981176 is executed. Does
> that make sense?
>
>
>> Is there something specific I can look for in the audit log myself? I'm
>> hesitant to post the complete audit log
>>
>
> Section K is what you want to look at. Feel free to send me a sanitized
> version of the audit log privately if you want and I'll try to help.
>
> --
> - Josh
>
>
>>
>>
>> On Tue, May 21, 2013 at 3:48 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>
>>> On Tue, May 21, 2013 at 4:36 PM, Thomas Eckert <
>>> tho...@gm...> wrote:
>>>
>>>>
>>>>
>>>> This "worked" before (meaning it got blocked correctly), so I guess I
>>>> forgot to adapt some configuration to match the upgrade to 2.7.3. Likely
>>>> some variables/config data are not initialized properly - maybe some
>>>> threshold concerning the anomaly score?
>>>>
>>>>
>>> Hi Thomas,
>>>
>>> Take a look at your modsecurity_crs_10_setup.conf config file, what is
>>> your SecDefaultAction directive set to? If you're using anomaly scoring, is
>>> rule 900004 enabled? If you provide us with an audit log (specifically
>>> section H and K) that would probably shed some light as to what the
>>> configuration error is exactly.
>>>
>>> --
>>> - Josh
>>>
>>>
>>>> Would someone please point me at the right place to read about this
>>>> stuff? As stated, I'm new to this and don't know where to start.
>>>>
>>>> Thanks in advance!
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Try New Relic Now & We'll Send You this Cool Shirt
>>>> New Relic is the only SaaS-based application performance monitoring
>>>> service
>>>> that delivers powerful full stack analytics. Optimize and monitor your
>>>> browser, app, & servers with just a few lines of code. Try New Relic
>>>> and get this awesome Nerd Life shirt!
>>>> http://p.sf.net/sfu/newrelic_d2d_may
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>
>>>>
>>>
>>
>>
>>
>
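The rule ordering the thread converges on, written out as a constructed ModSecurity 2.x fragment (this is an added illustration, not configuration from the thread, the CRS or either poster; ids 10001 and 981176 appear in the thread, ids 10002 and the traversal pattern are placeholders chosen here):

```apache
# Constructed ModSecurity 2.x fragment illustrating anomaly-scoring order.
# Not taken from the thread or from the OWASP CRS; ids other than 10001
# and 981176 are placeholders for this example.
SecRuleEngine On

# 1. Anomaly mode needs a "pass" default: a matching rule only adds to the
#    score and ModSecurity continues with the remaining rules. With "deny"
#    here the first matching rule would block on its own (self-contained
#    mode), which is the behaviour Thomas saw after switching to deny.
SecDefaultAction "phase:2,pass,log"

# 2. Thresholds and the blocking switch must exist before any rule that
#    reads them (the job of rule 900004 in the CRS setup file). Set them
#    in phase 1 so every later phase sees them.
SecAction "phase:1,t:none,nolog,pass,id:'10001',\
  setvar:tx.anomaly_score=0,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_level=20,\
  setvar:tx.anomaly_score_blocking=on"

# 3. Attack-specific rules only raise the score (placeholder rule; the CRS
#    4x files hold the real detection logic).
SecRule ARGS "@contains ../" "phase:2,t:none,t:urlDecodeUni,id:'10002',\
  log,pass,msg:'Path traversal pattern (example rule)',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# 4. The inbound evaluation rule must run after every scoring rule for the
#    request, so it sits last among the phase 2 rules. Placed earlier, it
#    compares a score the later rules have not yet added to, which is why
#    nothing was blocked until Thomas moved it to the end. The disruptive
#    action lives on the first rule of the chain; the second rule only
#    checks that blocking was switched on.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
  "phase:2,t:none,id:'981176',chain,deny,status:403,log,\
  msg:'Inbound anomaly score exceeded (total=%{tx.anomaly_score})'"
  SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" "t:none"
```

In the stock CRS layout this evaluation lives in the 49 inbound blocking file Josh mentions, which is why that file is included after the 4x attack rules rather than next to the setup (10) file.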