<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Yes, it's actually a PCRE problem.<br>
<br>
A troublesome request (regular in itself - it has the parameter
"utf8=✓") triggers the OWASP rule 981318, which causes a 404.<br>
<br>
Adding "t:utf8toUnicode" between "t:none" and "t:urlDecodeUni"
solves the problem, but we have other requests around, which
trigger similar problems.<br>
<br>
Now, I certainly could review them one by one (assuming this is
the best approach), but the core issue is that ModSecurity does
definitely impact the traffic.<br>
<br>
Saverio<br>
<br>
On 27.03.2015 15:02, Chaim Sanders wrote:<br>
</div>
<blockquote
cite="mid:F68...@SK..."
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Saverio,</p>
<p class="MsoNormal">I have occasionally (once) seen such weird
behavior when unexpected PCRE errors arise. Can you check your
error log and see if anything is firing during this time
frame? To quell your fears, DetectionOnly mode is not supposed
to block ANYTHING.</p>
<div>
<p class="MsoNormal"><b>Chaim Sanders</b></p>
<p class="MsoNormal">Security Researcher, SpiderLabs</p>
<p class="MsoNormal"><b>Trustwave</b> | SMART SECURITY ON DEMAND</p>
<p class="MsoNormal"><a moz-do-not-send="true" href="http://www.trustwave.com/">www.trustwave.com</a></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Saverio [<a class="moz-txt-link-freetext" href="mailto:smi...@ti...">mailto:smi...@ti...</a>]<br>
<b>Sent:</b> Thursday, March 26, 2015 11:43 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a><br>
<b>Subject:</b> [mod-security-users] Traffic affected in
spite of SecRuleEngine DetectionOnly</p>
</div>
</div>
<p class="MsoNormal">Hello,<br>
<br>
I've recently set up ModSecurity, as Nginx (1.6.2) module, with
the pretty much standard configuration
(modsecurity.conf-recommended and OWASP
modsecurity_crs_10_setup.conf.example).<br>
<br>
I wanted to set it up only for detection; I've checked the
built configuration file, and it contains "SecRuleEngine
DetectionOnly", which, as far as I understand, should cause
ModSecurity to inspect the traffic, but not interfere with it.<br>
<br>
Unexpectedly (to me), this caused 404s on some requests. Is
this actually expected? Is there anything else I should
configure in order to be completely sure that the traffic is
not affected in any way?<br>
<br>
Thanks,<br>
Saverio<o:p></o:p></p>
</div>
<pre wrap="">_______________________________________________
mod-security-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/mod-security-users">https://lists.sourceforge.net/lists/listinfo/mod-security-users</a>
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
<a class="moz-txt-link-freetext" href="http://www.modsecurity.org/projects/commercial/rules/">http://www.modsecurity.org/projects/commercial/rules/</a>
<a class="moz-txt-link-freetext" href="http://www.modsecurity.org/projects/commercial/support/">http://www.modsecurity.org/projects/commercial/support/</a>
</pre>
</blockquote>
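<p>Added worked example (not from the thread or from the ModSecurity/CRS projects): a small Python harness that reproduces, outside ModSecurity, why a harmless <code>utf8=✓</code> argument can trip a quote-detection rule like 981318 and why inserting <code>t:utf8toUnicode</code> after <code>t:urlDecodeUni</code> makes the false positive go away. The mechanism it models is an assumption about the "PCRE problem" named above: when a rule's character class contains typographic quotes stored as UTF-8 and the regex is compiled without UTF mode, every individual byte of those quotes becomes a class member, so the first byte of <code>✓</code> (0xE2) looks like a quote. The rule pattern below is a shortened stand-in, not the real CRS regex, and the two transformation emulations are simplified (for instance, the real <code>urlDecodeUni</code> also decodes <code>%uXXXX</code> forms).</p>

```python
import re
import urllib.parse

# Constructed sample input: the argument that tripped the rule in the thread, as sent on the wire.
SAMPLE_ARG = "%E2%9C%93"  # UTF-8 bytes of U+2713 CHECK MARK, percent-encoded

# Shortened stand-in for the "leading quote" check of a rule such as 981318 (assumption:
# the real class is longer). The typographic quotes encode to E2 80 99 / E2 80 98 in UTF-8.
QUOTE_CLASS_TEXT = "\"'`\u2019\u2018"


def url_decode_uni(value: str) -> bytes:
    """Emulate t:urlDecodeUni on one argument value: raw bytes out, no charset decoding."""
    return urllib.parse.unquote_to_bytes(value)


def utf8_to_unicode(data: bytes) -> bytes:
    """Emulate t:utf8toUnicode: rewrite each non-ASCII code point as a %uXXXX escape.

    The output is pure ASCII, so no multi-byte sequence survives into the regex stage.
    """
    out = []
    for ch in data.decode("utf-8", errors="replace"):
        out.append(ch if ch.isascii() else "%%u%04X" % ord(ch))
    return "".join(out).encode("ascii")


def byte_mode_pattern():
    """What a regex engine without UTF mode sees: the class holds bytes, not characters,
    so each UTF-8 byte of the typographic quotes is an independent class member."""
    class_bytes = re.escape(QUOTE_CLASS_TEXT.encode("utf-8"))
    return re.compile(rb"^[" + class_bytes + rb"]+")


def unicode_mode_pattern():
    """What a UTF-aware engine sees: the class holds code points, so U+2713 is not a quote."""
    return re.compile("^[" + re.escape(QUOTE_CLASS_TEXT) + "]+")


def rule_fires_byte_mode(raw_value: str, with_utf8_to_unicode: bool) -> bool:
    """Run the transformation chain t:none,t:urlDecodeUni[,t:utf8toUnicode] and apply the
    byte-level pattern, which is the configuration the thread describes."""
    data = url_decode_uni(raw_value)
    if with_utf8_to_unicode:
        data = utf8_to_unicode(data)
    return byte_mode_pattern().match(data) is not None


def rule_fires_unicode_mode(raw_value: str) -> bool:
    """Same input through a code-point-aware match, for comparison."""
    text = url_decode_uni(raw_value).decode("utf-8", errors="replace")
    return unicode_mode_pattern().match(text) is not None


if __name__ == "__main__":
    for label, arg in (("check mark", SAMPLE_ARG), ("real quote", "%27"), ("curly quote", "%E2%80%99x")):
        print(label,
              "byte-mode:", rule_fires_byte_mode(arg, False),
              "byte-mode+utf8toUnicode:", rule_fires_byte_mode(arg, True),
              "unicode-mode:", rule_fires_unicode_mode(arg))
```

<p>Running it shows the check mark matching in byte mode, not matching once <code>t:utf8toUnicode</code> is in the chain, and not matching under a code-point-aware engine; a plain ASCII quote keeps matching in every configuration. One caveat worth checking before rolling the extra transformation out: a typographic quote such as U+2019 also becomes <code>%u2019</code>, which the byte-level class no longer recognises, so the rule's coverage of non-ASCII quote characters changes, not just its false-positive rate.</p>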
<br>
</body>
</html>