Re: [mod-security-users] SecRuleUpdateActionById not working as expected
From: Ryan B. <RBa...@tr...> - 2013-09-09 15:00:20
On 9/9/13 10:49 AM, "Claudio ML" <cla...@me...> wrote:

> On 09/09/2013 16:41, Ryan Barnett wrote:
>> On 9/9/13 10:35 AM, "Claudio ML" <cla...@me...> wrote:
>>
>>> On 09/09/2013 16:20, Ryan Barnett wrote:
>>>> On 9/9/13 9:18 AM, "Claudio ML" <cla...@me...> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I am using ModSecurity 2.7.1 on a Linux Apache system. All works
>>>>> correctly, but now I am trying to use SecRuleUpdateActionById to use the
>>>>> default action as block to all with a score more than 5, and use some
>>>>> rules only with detection and logging. I have added a line into the
>>>>> configuration file like this:
>>>>>
>>>>> SecRuleUpdateActionById 950005 "pass,status:200"
>>>>>
>>>>> Then I make a test, but the rule continues to block.... What am I
>>>>> missing?
>>>>>
>>>>> Cordially,
>>>>>
>>>>> Claudio.
>>>>
>>>> What file did you add the directive to? In this case, you are modifying
>>>> an existing rule ID, so you need to define this directive *after* the rule
>>>> you are modifying. I suggest you create a modsecurity_crs_60_custom.conf
>>>> file and put your modifications there.
>>>>
>>>> -Ryan
>>>>
>>> I have now tried to create a file "modsecurity_crs_60_custom.conf" with
>>> the following line inside:
>>>
>>> SecRuleUpdateActionById 950005 "pass,status:200"
>>
>> How are you activating the rule files? Are you sure that this new file is
>> being activated?
>
> Yes, the file is in an include (in modsecurity2.conf there is a line
> like Include /etc/apache2/conf.d/mod_security2/*.conf, so it is active
> I think...)
>
>>> But nothing changed. If I try to access that page and try a remote
>>> file access attempt, ModSecurity gives me a 403 Forbidden; here is the
>>> log:
>>>
>>> www.XXXXXXXXX.net xx.xx.xx.xx - - [09/Sep/2013:16:32:10 +0200] "GET /index.php?f=/etc/passwd HTTP/1.1" 403 1011 "-" "-" Ui3b6tX@FAIAADOBCfwAAAAH "-" /20130909/20130909-1632/20130909-163210-Ui3b6tX@FAIAADOBCfwAAAAH 0 2471 md5:1af55ac8ad2c0d72d689b88629
>>
>> That line does not help to troubleshoot. You need to look at that audit
>> log file contents to verify which rules are triggering the 403 deny.
>
> Here is the debug audit log:
>
> [09/Sep/2013:16:46:20 +0200] [www.XXX.net/sid#7fba541b69d8][rid#7fba558430a0][/index.php][2] Warning. Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:f. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "193"] [id "950005"] [rev "2"] [msg "Remote File Access Attempt"] [data "Matched Data: /etc/ found within ARGS:f: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
> [09/Sep/2013:16:46:20 +0200] [www.XXX.net/sid#7fba541b69d8][rid#7fba558430a0][/index.php][1] Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:0. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Remote File Access Attempt"] [data "Last Matched Data: /etc/"]
> [09/Sep/2013:16:46:20 +0200] [www.XXX.net/sid#7fba541b69d8][rid#7fba55827a48][/error/HTTP_FORBIDDEN.html.var][2] Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Remote File Access Attempt"]
>
> The id as you can see is correct (950005), but it blocks anyway....

See Michael Haas' response. Rule ID 950005 is not blocking (it says Warning. Pattern match). The rule that is blocking is the anomaly scoring rule in the 49 inbound blocking file. Since you are using anomaly scoring, your exception needs to adjust the anomaly score value:

SecRuleUpdateActionById 950005 "pass,setvar:tx.anomaly_score=-5"
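An added troubleshooting helper, not part of the thread: it does the check Ryan asks for, reading the three ModSecurity error-log entries Claudio quoted (rejoined onto one line each as constructed sample input) and reporting which rule id actually issued the 403 and which ones only warned. The regexes and function names are my own, written against the log format shown in the thread.

```python
import re

# Constructed sample: the three ModSecurity error-log entries quoted in the thread, each rejoined onto one line.
SAMPLE_LOG = r'''
[09/Sep/2013:16:46:20 +0200] [www.XXX.net/sid#7fba541b69d8][rid#7fba558430a0][/index.php][2] Warning. Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:f. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "193"] [id "950005"] [rev "2"] [msg "Remote File Access Attempt"] [data "Matched Data: /etc/ found within ARGS:f: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
[09/Sep/2013:16:46:20 +0200] [www.XXX.net/sid#7fba541b69d8][rid#7fba558430a0][/index.php][1] Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:0. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Remote File Access Attempt"] [data "Last Matched Data: /etc/"]
[09/Sep/2013:16:46:20 +0200] [www.XXX.net/sid#7fba541b69d8][rid#7fba55827a48][/error/HTTP_FORBIDDEN.html.var][2] Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Remote File Access Attempt"]
'''

# Timestamp, the bracketed context fields, then the verdict that opens the message text.
HEAD = re.compile(r'^\[[^\]]+\] (?:\[[^\]]*\])+ (?:Warning|Access denied with code (?P<status>\d+))')
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # every [key "value"] pair; a repeated key (tag) keeps its last value


def parse_entries(log_text):
    """Reduce each error-log line to rule id, file, message and the HTTP status it enforced (None = warning only)."""
    entries = []
    for line in log_text.strip().splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        f = dict(FIELD.findall(line))
        status = head.group("status")
        entries.append({"id": f.get("id"), "msg": f.get("msg"),
                        "file": f.get("file", "").rsplit("/", 1)[-1],
                        "status": int(status) if status else None})
    return entries


def denying_rules(entries):
    """(id, status, file) for every entry that actually issued a deny."""
    return [(e["id"], e["status"], e["file"]) for e in entries if e["status"]]


def explain_exception(entries, exempted_id):
    """Say whether changing the action of exempted_id alone can stop the block seen in this log."""
    deniers = denying_rules(entries)
    if not deniers or not any(e["id"] == exempted_id for e in entries):
        return f"either no deny or rule {exempted_id} is absent from this log; nothing to conclude"
    if any(rid == exempted_id for rid, _, _ in deniers):
        return f"rule {exempted_id} issued the deny itself; changing its action is enough"
    rid, status, fname = deniers[0]
    return (f"rule {exempted_id} only warned; the {status} came from rule {rid} in {fname}, "
            "so the exception must lower the anomaly score, not change the rule's own action")


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(("DENY " if e["status"] else "warn ") + f"{e['id']} {e['file']}: {e['msg']}")
    print(explain_exception(parsed, "950005"))
```

Run against a real error log, the same split between warning entries and the single deny entry tells you which rule id an exception has to target.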