Hi there,
I put it in the modsecurity_crs_10_config.conf at the end of the file - I'm not sure where the crs include statement is in order to put it before or after.
Is there anywhere that shows the execution of the configuration files - It's hard to understand.
Should I put this in the virtual host configuration - Is that the last place of execution?
Thanks
Joe.
-----Original Message-----
From: Christian Folini <chr...@ne...>
Sent: 10 October 2019 09:03
To: Madden, Joe via mod-security-users <mod...@li...>
Subject: Re: [mod-security-users] Rule breaks access to website
Joe,
Did you put that rule 131 before the CRS include in the configuration?
It may be that you try to sanitize after the alert has been written.
Christian
On Thu, Oct 10, 2019 at 07:53:58AM +0000, Madden, Joe via mod-security-users wrote:
> Hi All,
>
> So adding pass works but it doesn't work as expected.
>
> For example, I have a login page and I use ''''select * fromusers '''' to trigger the SQL injection rule 942190
>
> With this in place:
>
> # Never log passwords
> SecAction "nolog,pass,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword"
>
> The website is accessible, but the log entry is not sanitised:
>
> Message: Warning. Pattern match "(?i:(?:[\"'`](?:;?\\s*?(?:having|select|union)\\b\\s*?[^\\s]|\\s*?!\\s*?[\"'`\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|in ..." at ARGS:password. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "190"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: 'select* found within ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
>
> Am I missing something in order to blank out the matched data fields?
>
> Thanks
>
> Joe.
>
> -----Original Message-----
> From: Madden, Joe via mod-security-users <mod...@li...>
> Sent: 10 October 2019 08:21
> To: mod...@li...
> Cc: Madden, Joe <Joe...@mo...>
> Subject: Re: [mod-security-users] Rule breaks access to website
>
> Thank you all - I'll give it a try today!
>
> Joe.
>
> -----Original Message-----
> From: Reindl Harald <h.r...@th...>
> Sent: 09 October 2019 15:53
> To: mod...@li...
> Subject: Re: [mod-security-users] Rule breaks access to website
>
>
>
> Am 09.10.19 um 16:28 schrieb Madden, Joe via mod-security-users:
> > Hi there,
> >
> > I was kinda following this example here:
> >
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSpiderLabs%2FModSecurity%2Fwiki%2FReference-Manual-(v2.x&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=KrWjJgm%2BHfcXNwe9X2rC2zVRmmaDIhd1wStvjPFl8Z8%3D&reserved=0)
> >
> > Where would the pass go just after nolog,?
>
> it doesn't matter
>
> ,phase:1,pass,nolog,
> ,phase:1,nolog,pass,
> ,pass,phase:1,nolog,
>
> it's all the same
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fmod-security-users&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=sve64hxQhst0nOADJ6H2d6hwwHGRgtH8rrnidhIbo%2Fo%3D&reserved=0
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fcommercial%2Frules%2F&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=MToW3lFKXqmX3vGc9dzAvEex4QT67ci1CiSu9GqAS2Q%3D&reserved=0
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fcommercial%2Fsupport%2F&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=WdsnLMLiOSNZyoFenKEhKqoKNHsn7kTNfwn1j0gZAQE%3D&reserved=0
>
>
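One way to check whether sanitisation reached the alert line discussed in this thread, as an added example (not code from any poster or from the ModSecurity project): it scans "Message:" lines for `[data ...]` fields that still carry the value of the arguments named in rule 131. The sample lines are constructed from the entry quoted above, and treating an all-asterisk value as masked is an assumption of this sketch.

```python
import re

# Fields of a ModSecurity "Message:" line, as seen in the thread's log entry.
ID_RE = re.compile(r'\[id "(\d+)"\]')
DATA_RE = re.compile(r'\[data "((?:[^"\\]|\\.)*)"\]')
# CRS logdata layout: "Matched Data: <match> found within <VAR>:<name>: <value>"
WITHIN_RE = re.compile(r'found within (ARGS(?:_POST|_GET)?):([^:\s]+): (.*)$', re.S)

# Argument names from rule 131 in the thread, compared lower-case.
SENSITIVE = {"password", "newpassword", "oldpassword"}

# Constructed sample lines (shortened; the first is modelled on the quoted entry).
SAMPLE = [
    r"""Message: Warning. Pattern match "..." at ARGS:password. [id "942190"] [data "Matched Data: 'select* found within ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"]""",
    r"""Message: Warning. Pattern match "..." at ARGS:q. [id "942190"] [data "Matched Data: select n found within ARGS:q: select name"] [severity "CRITICAL"]""",
    r"""Message: Warning. Pattern match "..." at ARGS:newPassword. [id "942190"] [data "Matched Data: ******** found within ARGS:newPassword: ********"] [severity "CRITICAL"]""",
]


def find_leaks(lines, sensitive=SENSITIVE):
    """Return (rule_id, arg_name, value) for each line whose [data] field
    still carries an unmasked value of a sensitive argument."""
    leaks = []
    for line in lines:
        data = DATA_RE.search(line)
        if not data:
            continue  # rule logged no data field
        hit = WITHIN_RE.search(data.group(1))
        if not hit:
            continue  # data field does not follow the CRS layout
        arg, value = hit.group(2), hit.group(3)
        if arg.lower() not in sensitive:
            continue
        # Assumption: a masked value consists only of '*' characters.
        if value and set(value) != {"*"}:
            rule = ID_RE.search(line)
            leaks.append((rule.group(1) if rule else None, arg, value))
    return leaks


if __name__ == "__main__":
    for rule_id, arg, value in find_leaks(SAMPLE):
        print(f"rule {rule_id}: value of '{arg}' appears in log ({len(value)} bytes)")
```

Running it after each configuration change (for example, after moving rule 131 relative to the CRS include) shows whether the matched-data field still exposes the argument.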