Hi,
On 29.01.2018 at 15:23, Christian Folini wrote:
> Hi Stefan,
>
> Welcome to the ModSecurity mailinglist. It's nice to see familiar faces from
> Apache Dev on this list too.
>
> This rings a bell, but I can't find the issue / pull request in question
> on the quick. There was a rule that did not log properly.
>
> Not sure if this made it into 3.0.2 (-> 3.0/master). Could you try the
> request in question on 3.1/dev and see if you have the proper alert?
git master is already 3.0.2, but I think I found my issue; maybe you
can confirm it.
I had a rule chained into two SecRule commands.
I had
SecRule C D ..chain,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}..
SecRule A B ...
It seemed all requests which matched rule "C D" already got the anomaly
score. I believed this only happens in case A B matches as well, as
they're chained.
Greets,
Stefan
>
> Best,
>
> Christian
>
>
> On Mon, Jan 29, 2018 at 02:22:58PM +0100, Stefan Priebe - Profihost AG wrote:
>> Hello,
>>
>> i'm running mod_security 2.9.2 with current crs git master
>> (v3.0/master). I've some requests where no matching rule is logged to
>> the audit log except Operator GE matched 5 at TX:anomaly_score ... and
>> Operator GE matched 5 at TX:inbound_anomaly_score. Any ideas how to find
>> out why the anomaly score is > 0
>>
>> Full log:
>> --2add8d70-A--
>> [29/Jan/2018:13:53:21 +0100] Wm8ZQY0z4w0DYRA6xm2k3QAAAA8 1.2.3.4 41438
>> 1.2.3.5 443
>> --2add8d70-B--
>> GET
>> /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.de%2Fwp-admin%2F&reauth=1
>> HTTP/2.0
>> Pragma: no-cache
>> Cache-Control: no-cache
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
>> like Gecko) Ubuntu Chromium/63.0.3239.132 Chrome/63.0.3239.132 Safari/537.36
>> Upgrade-Insecure-Requests: 1
>> Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
>> Accept-Encoding: gzip, deflate, br
>> Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
>> Cookie: PHPSESSID=u4o0fs52l0j3bot1m8j4pjgsd3
>> Host: www.mydomain.de
>>
>> --2add8d70-F--
>> HTTP/1.1 409 Conflict
>> Content-Length: 505
>> Content-Type: text/html; charset=iso-8859-1
>>
>> --2add8d70-E--
>>
>> --2add8d70-H--
>> Message: Access denied with code 409 (phase 2). Operator GE matched 5 at
>> TX:anomaly_score. [file
>> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
>> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
>> Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag
>> "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
>> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
>> [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"]
>> [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
>> Inbound Score: 10 -
>> SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag
>> "event-correlation"]
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client
>> 1.2.3.4] ModSecurity: Access denied with code 409 (phase 2). Operator GE
>> matched 5 at TX:anomaly_score. [file
>> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
>> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
>> Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag
>> "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
>> [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id
>> "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client
>> 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at
>> TX:inbound_anomaly_score. [file
>> "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line
>> "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
>> Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "]
>> [tag "event-correlation"] [hostname "www.mydomain.de"] [uri
>> "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
>> Action: Intercepted (phase 2)
>> Apache-Handler: php-fastcgi5.6
>> Stopwatch: 1517230401011338 4605 (- - -)
>> Stopwatch2: 1517230401011338 4605; combined=3476, p1=296, p2=3080, p3=0,
>> p4=0, p5=100, sr=57, sw=0, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/);
>> OWASP_CRS/3.0.2.
>> Server: Apache
>> Engine-Mode: "ENABLED"
>>
>> --2add8d70-Z--
>>
>>
>> Greets,
>> Stefan
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>
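The chain behaviour described in this thread, shown as an added example that is not part of the original mails or of the OWASP CRS. In ModSecurity 2.x, non-disruptive actions such as setvar run as soon as the rule they are attached to matches, while the disruptive action and the alert for a chain are deferred until every rule in the chain has matched; this is why the CRS itself attaches setvar to the last rule of a chain. The rule ids, the URI test and the argument name below are placeholders chosen for illustration.

```apache
# Added example (not from the thread or the CRS). Rule ids 10001/10002,
# the URI test and the ARGS:reauth check are placeholders.

# Problematic: setvar sits on the first rule of the chain. Every request
# matching the first rule is scored immediately, even when the second
# rule does not match; no alert is written because the chain as a whole
# never matched. The audit log then shows only the 949110/980130 score
# evaluation with no contributing rule.
SecRule REQUEST_URI "@beginsWith /wp-login.php" \
    "id:10001,\
    phase:2,\
    pass,\
    log,\
    msg:'placeholder chained rule (score on first link)',\
    chain,\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
    SecRule ARGS:reauth "@eq 1" "t:none"

# Corrected: the score is raised on the last rule of the chain, which is
# evaluated only after the first rule matched, so score and alert are
# tied to the complete chain, as in the CRS rule sets.
SecRule REQUEST_URI "@beginsWith /wp-login.php" \
    "id:10002,\
    phase:2,\
    pass,\
    log,\
    msg:'placeholder chained rule (score on last link)',\
    chain"
    SecRule ARGS:reauth "@eq 1" \
        "t:none,\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
```

When debugging a score with no visible contributing rule, raising SecDebugLogLevel to 9 for a single test request makes each chained rule's match and its setvar execution visible in the debug log, which is the quickest way to confirm which link of a chain is adding the points.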