Re: [mod-security-users] Rule breaks access to website
From: Christian F. <chr...@ne...> - 2019-10-10 09:28:54
You can enable the debug log and follow the rules there. Generally, the config
files are executed top down in 5 iterations for all the phases.

If you can't get to solve this, I suggest you start to read up on my ModSec / CRS
tutorials to get a decent understanding how this works.

https://www.netnea.com/cms/apache-tutorials/

Good luck,

Christian

On Thu, Oct 10, 2019 at 09:16:00AM +0000, Madden, Joe via mod-security-users wrote:
> Hi there,
>
> I put it in the modsecurity_crs_10_config.conf at the end of the file - I'm not sure where the crs include statement is in order to put it before or after.
>
> Is there anywhere that shows the execution of the configuration files - It's hard to understand.
>
> Should I put this in the virtual host configuration - Is that the last place of execution?
>
> Thanks
>
> Joe.
>
>
> -----Original Message-----
> From: Christian Folini <chr...@ne...>
> Sent: 10 October 2019 09:03
> To: Madden, Joe via mod-security-users <mod...@li...>
> Subject: Re: [mod-security-users] Rule breaks access to website
>
> Joe,
>
> Did you put that rule 131 before the CRS include in the configuration?
>
> It may be that you try to sanitize after the alert has been written.
>
> Christian
>
>
> On Thu, Oct 10, 2019 at 07:53:58AM +0000, Madden, Joe via mod-security-users wrote:
> > Hi All,
> >
> > So adding pass works but it doesn't work as expected.
> >
> > For example, I have a login page and I use ''''select * fromusers '''' to trigger the SQL injection rule 942190
> >
> > With this in place:
> >
> > # Never log passwords
> > SecAction "nolog,pass,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword"
> >
> > The website is accessible, but the log entry is not sanitised:
> >
> > Message: Warning. Pattern match "(?i:(?:[\"'`](?:;?\\s*?(?:having|select|union)\\b\\s*?[^\\s]|\\s*?!\\s*?[\"'`\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|in ..." at ARGS:password. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "190"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: 'select* found within ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> >
> > Am I missing something in order to blank out the matched data fields?
> >
> > Thanks
> >
> > Joe.
> >
> > -----Original Message-----
> > From: Madden, Joe via mod-security-users <mod...@li...>
> > Sent: 10 October 2019 08:21
> > To: mod...@li...
> > Cc: Madden, Joe <Joe...@mo...>
> > Subject: Re: [mod-security-users] Rule breaks access to website
> >
> > Thank you all - I'll give it a try today!
> >
> > Joe.
> >
> > -----Original Message-----
> > From: Reindl Harald <h.r...@th...>
> > Sent: 09 October 2019 15:53
> > To: mod...@li...
> > Subject: Re: [mod-security-users] Rule breaks access to website
> >
> >
> >
> > On 09.10.19 at 16:28, Madden, Joe via mod-security-users wrote:
> > > Hi there,
> > >
> > > I was kinda following this example here:
> > >
> > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSpiderLabs%2FModSecurity%2Fwiki%2FReference-Manual-(v2.x&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=KrWjJgm%2BHfcXNwe9X2rC2zVRmmaDIhd1wStvjPFl8Z8%3D&reserved=0)
> > >
> > > Where would the pass go just after nolog,?
> >
> > it doesn't matter
> >
> > ,phase:1,pass,nolog,
> > ,phase:1,nolog,pass,
> > ,pass,phase:1,nolog,
> >
> > it's all the same
> >
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fmod-security-users&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=sve64hxQhst0nOADJ6H2d6hwwHGRgtH8rrnidhIbo%2Fo%3D&reserved=0
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fcommercial%2Frules%2F&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=MToW3lFKXqmX3vGc9dzAvEex4QT67ci1CiSu9GqAS2Q%3D&reserved=0
> > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fcommercial%2Fsupport%2F&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca150a1ca53474126e20608d74d58759a%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=WdsnLMLiOSNZyoFenKEhKqoKNHsn7kTNfwn1j0gZAQE%3D&reserved=0
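
A check for the symptom reported in this thread, as an added example that is not part of the original messages: it parses ModSecurity `Message:` lines in the format quoted above and reports alerts whose `[data "..."]` field still carries the value of an argument that was meant to be sanitised. The function names, the all-asterisk test for a masked value and the sample lines (constructed, shortened from the quoted entry) are assumptions.

```python
import re

# Arguments that rule 131 in the thread is meant to sanitise.
SENSITIVE_ARGS = {"password", "newPassword", "oldPassword"}

# Bracketed fields such as [id "942190"]; values may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Variable named after the operator text, e.g. `at ARGS:password.`
TARGET_RE = re.compile(r'\bat ARGS:([^\s.]+)')
# CRS logdata layout: "Matched Data: X found within ARGS:name: value"
VALUE_RE = re.compile(r'found within ARGS:[^:]+: (.*)$', re.S)


def parse_message(line):
    """Return rule id, matched argument and logged value of one alert line."""
    if not line.startswith("Message:"):
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # tags repeat; keep the first of each key
    target = TARGET_RE.search(line)
    value = VALUE_RE.search(fields.get("data", ""))
    return {
        "id": fields.get("id"),
        "arg": target.group(1) if target else None,
        "value": value.group(1) if value else None,
    }


def find_leaks(lines, sensitive=SENSITIVE_ARGS):
    """List (rule id, argument) pairs whose logged value is not masked."""
    leaks = []
    for line in lines:
        alert = parse_message(line)
        if not alert or alert["arg"] not in sensitive or alert["value"] is None:
            continue
        # Assumption: a masked value consists only of '*' characters.
        if alert["value"].strip("*"):
            leaks.append((alert["id"], alert["arg"]))
    return leaks


# Constructed sample lines, shortened from the entry quoted in the thread.
SAMPLE = r"""
Message: Warning. Pattern match "(?i:select)" at ARGS:password. [id "942190"] [data "Matched Data: 'select* found within ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"]
Message: Warning. Pattern match "(?i:select)" at ARGS:newPassword. [id "942190"] [data "Matched Data: ****** found within ARGS:newPassword: ****************"]
Message: Warning. Pattern match "(?i:select)" at ARGS:q. [id "942190"] [data "Matched Data: select found within ARGS:q: select 1"]
--a1b2c3d4-H--
""".strip().splitlines()

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```

Running it over the log after each configuration change shows whether moving rule 131 relative to the CRS include changed what is written.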