Re: [mod-security-users] Whitelisting Google and other bots
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Whitelisting Google and other bots
|
From: TGWM <tg...@gm...> - 2013-11-10 04:18:37
|
Thank you Ryan
I dont want to use too much resources and slow down the server by doing
remote host lookups.
As User-Agent and Accept-Headers can be faked, this leaves only the list of
known IP of legitimate bots to use as verification.
Supposing I can work out such a list, I would need a rule that allows
checking several possible allowed IPs.
Reading here and there, I found its apparently possible to use regex to
match a range of IPs.
n I also saw <mailto:n%20I%20also%20saw%20@pm> @pm, which apparently
allows to include a list of arguments to a rule which will trigger if any
one of the arguments matches. Is that correct?
So in order for a rule to match any one of the specified IP range regex, I
thought the following might work:
SecRule REMOTE_ADDR "pm@
^192\.168\.[0-1]{1}\.[0-9]{1,3}$|^193\.168\.[0-1]{1}\.[0-9]{1,3}$|^194\.168\
.[0-1]{1}\.[0-9]{1,3}$
Is that correct?
Von: Ryan Barnett [mailto:RBa...@tr...]
Gesendet: Samstag, 9. November 2013 22:28
An: mod...@li...
Betreff: Re: [mod-security-users] Whitelisting Google and other bots
On 11/9/13 9:36 AM, "TGWM" <tg...@gm...> wrote:
Ok, thanks for your help harald :)
-----Ursprüngliche Nachricht-----
Von: Reindl Harald [mailto:h.r...@th...]
Gesendet: Samstag, 9. November 2013 21:35
An: mod...@li...
Betreff: Re: [mod-security-users] Whitelisting Google and other bots
a missing user-agent or accept-header is not an attack think what a rule
gains you and the answer if it is safe to disable it becomes logically
in our infrastructure hosting some hundret domains and regulary security
audited internally and from third parties they are years ago
Wow, lots of items here to comment on -
1) The rules in the
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/m
odsecurity_crs_21_protocol_anomalies.conf are mainly geared towards identify
non-browser related requests as all real browsers send the following headers
-
- Host
- User-Agent
- Accept
The usefulness of these rules are for -
A) Tagging clients as scripts/bots - in the IP persistent collection and
then treating them differently, or
B) Using these signatures to contribute to a transactional/session anomaly
score rather then blocking on them themselves.
2) Consider using Anomaly Scoring Mode vs. Traditional Mode -
http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs
-anomaly-scoring-detection-modes.html
The benefit here is that those 21 Protocol Anomalies will not block on their
own but still get to contribute to a transactional anomaly score. The other
benefit is the you can adjust the Inbound Blocking Threshold to a setting
that is tolarable for your site. Some sites are more risk adversed and have
a much lower setting than others. Also note that you can adjust the Logging
aspect of these rules -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_
crs_10_setup.conf.example#L42-66
If you want these individual rules to contribute to the anomaly score, but
you do not want them to clutter up the Apache Error Log, then use this
setting -
SecDefaultAction "phase:1,pass,nolog,auditlog"
This will have the individual rules only log to the Audit log file. These
are considered "Reference Events" and can be reviewed if a transaction is
blocked. In this mode, only 1 or 2 alerts would show up in the Apache Error
Log - these are the Correlated Event alerts.
3) Back to your specific use-case - if you want to disable certain
signatures from legit Search Engine bots, then you do need to correlate a
few items as you stated. A few items to consider -
A) In order to use REMOTE_HOST - Apache must have HostnameLookups
directive enabled -
http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups. Most sites
don't do this for performance reasons. What you could do is to check the
User-Agent header field and if it says something like "googlebot" then you
can fire off a Lua script that can do nslookups and verify that the IP
address does resolve to Google. See this past mail-list thread -
http://marc.info/?l=mod-security-users&m=132794762123753
B) If you decide that the client is a real search engine bot, then you can
use - ctl:ruleRemoveById=960015 to remove that rule only for the current
transaction.
4) As Reindl mentioned - you don't want to blindly whitelist Search Engine
bots as they could in fact be being tricked into sending actual attacks -
http://arstechnica.com/security/2013/11/google-crawler-tricked-into-performi
ng-sql-injection-attacks-using-decade-old-technique/
Hope this info helps.
--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
_____
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is strictly prohibited. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.
|