Re: [mod-security-users] Filter Rule...
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Filter Rule...
|
From: Christian B. <ch...@jw...> - 2007-03-26 20:08:40
|
Am 26.03.2007 um 20:54 schrieb Russ Lavoie:
> This brings up another question=85 The below rule=85
>
>
>
> "![a-zA-Z0-9\:;,\.\$\%]{1,13}"
>
>
>
> Checks for all English type characters right?
>
>
>
> How about other languages like german, Chinese etc? How could you =20
> check for those?
Good question. Since modsecurity uses PCRE (perl compatible regular =20
expressions) I guess the
best source of information is here: http://perldoc.perl.org/=20
perlre.html
I would restrict the regexp to all characters supported by your =20
application. If your application
supports all of the languages you mentioned, it would probably the =20
easiest to start by restricting
the value of the password-field to a given length by using
SecFilterSelective ARG_Lpassword "!(.){1,13}"
An advanded issue would be to filter based on the User-Agents language.
@Ryan: Probably a nice thing for your cool-rules-project
"Locale-based rules" ;-)
SecRule HTTP_HEADER:Accept-Language "en-en" "chain"
SecRule ARGS:Lpassword "![a-zA-Z0-9\;\%\-\_]{1,13}" "skip:=20
1,log,auditlog,drop,phase:2"
SecRule HTTP_HEADER:Accept-Language "^jp.*$" "chain"
SecRule ARGS:Lpassword "!(.){1,13}" "log,auditlog,drop,phase:2"
Regards,
Chris
>
>
> Thanks
>
>
>
>
>
> From: Ryan Barnett [mailto:Rya...@Br...]
> Sent: Monday, March 26, 2007 1:02 PM
> To: Russ Lavoie; Ofer Shezaf; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
>
>
> There are some semantic differences between the v1.9 and v2.0 =20
> rulesets that everyone should be aware of. Please refer to my =20
> recent Blog post - http://www.modsecurity.org/blog/archives/=20
> 2007/03/2x1x_rule_diffe.html as it outlines a similar issue.
>
>
>
> In this case, the following rule means 2 separate things -
>
>
>
> SecFilterSelective ARG_Lpassword "![a-zA-Z0-9\:;,\.\$\%]{1,13}"
>
>
>
> First, it means =96 if the request does not have the =93Lpassword=94 =20=
> argument with the following data then deny. This matches when the =20
> Lpassword arg isn=92t even present.
>
> Second, it means =96 if the request does have the =93Lpassword=94 =20
> argument, and it doesn=92t have the authorized characters or is too =20=
> large/small then deny.
>
>
>
> Actually, after testing, there seems to be a bug in the syntax of =20
> the rule. The entire RegEx should be surrounded by parentheses in =20
> order to have the Inverted rule applied on both the allowed =20
> character class and the size limitation. Otherwise, the invert was =20=
> only being applied to the character class. This means that you =20
> could send a request with 100 =93a=94 characters and it would be =20
> allowed through. The rule should be this =96
>
>
>
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
>
>
> That being said, the easiest way to correct this is to include a =20
> Scope context to the rule. The following ruleset uses the Apache =20
> Location directive to only apply the Mod rule if the URL is the =20
> =93script.php=94 script. This is assuming that the script.php script =20=
> is the one that legitimately has the Lpassword argument.
>
>
>
> <Location =93/cgi-bin/script.php=94>
>
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
> </Location>
>
>
>
> If you want to use ModSecurity only directives, you could do one of =20=
> the following =96
>
>
>
> 1) Create a chained rule that first checks the URI =96
>
>
>
> SecFilterSelective REQUEST_URI =93^/cgi-bin/script\.php$ =20
> =93chain,log,deny,msg:=92Lpassword Argument has illegal data.=92=94
>
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
>
>
> 2) Create a chained rule that first checks to see if the Lpassword =20
> arg is present, if so, then check the format/size, etc=85
>
>
>
> SecFilterSelective ARG_Lpassword =93!^$=94 =20
> =93chain,log,deny,msg:=92Lpassword Argument has illegal data.=92=94
>
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
>
>
> I hope this helps. Let me know if you run into any more issues.
>
>
>
> --=20
> Ryan C. Barnett
> ModSecurity Community Manager
>
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
>
>
>
> --------------
>
> Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
>
> Learn More About the Breach Webinar Series:
>
> http://www.breach.com/webinars.asp
>
> --------------
>
>
>
> From: mod...@li... [mailto:mod-=20
> sec...@li...] On Behalf Of Russ Lavoie
> Sent: Monday, March 26, 2007 11:51 AM
> To: Ofer Shezaf; mod...@li...
> Subject: Re: [mod-security-users] Filter Rule...
>
>
>
> Hmm=85
>
>
>
> I used the following and it alerts on every page of the site on my =20
> dev box even though the Lpassword variable is not present on those =20
> pages.
>
>
>
> SecFilterSelective ARG_Lpassword "![a-zA-Z0-9\:;,\.\$\%]{1,13}"
>
> SecFilterSelective ARGS|!ARG_Lpassword ";[[:space:]]*(ls|id|pwd|wget)"
>
>
>
> It isn=92t working for me=85
>
>
>
> mod_security: Access denied with code 403. Pattern match "![a-zA-=20
> Z0-9\\\\:;,\\\\.\\\\$\\\\%]{1,13}" at ARG("Lpassword") [msg =20
> "Command execution attack"] [severity "EMERGENCY"] [hostname =20
> "devbox"] [uri "/cgi-bin/script.pl"] [unique_id "RgfpZawfFgMAADTcAVA"]
>
>
>
> I just browse to the front page of the site and bang=85 I get this =20=
> error=85 the uri will be different every time though.
>
>
>
> Not sure what the issue is here L
>
>
> Russ
>
>
>
>
>
>
>
> From: Ofer Shezaf [mailto:Of...@Br...]
> Sent: Monday, March 26, 2007 9:06 AM
> To: Russ Lavoie; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
>
>
> Well it seems the Chris (in another e-mail) paid more attention to =20
> your exact problem, so white listing the password field would be =20
> your solution
>
>
>
> =46rom Chris e-mail
>
> SecFilterSelective ARG_passwd "![a-zA-Z0-9\:;,\.\$\%]{1,10}"
>
> SecFilterSelective ARGS|!ARG_passwd ";[[:space:]]*(ls|id|pwd|wget)"
>
>
>
> If Chris rule for the password field was too limited, you may want =20
> to keep only the length limitation as it would be hard to squeeze a =20=
> whole command injection attack in 10 characters.
>
>
>
> ~ Ofer
>
>
>
> From: Russ Lavoie [mailto:rl...@nc...]
> Sent: Monday, March 26, 2007 3:58 PM
> To: Ofer Shezaf; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
>
>
> I would love to upgrade=85 But we would have to upgrade apache =20
> first=85 These are the last set of servers that are running apache =20=
> 1.3.x releases.
>
>
>
> I want to have free reign for password creations, but want to still =20=
> have some security in it. How does \b help out in this instance? =20
> I don=92t fully understand.
>
>
>
> Thanks
>
>
>
> From: Ofer Shezaf [mailto:Of...@Br...]
> Sent: Monday, March 26, 2007 4:05 AM
> To: Russ Lavoie; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
>
>
> Well, you could use ModSecurity 2.x and the Core Rule Set=85.
>
>
>
> But if you insist not to upgrade than the following will help:
>
>
>
> SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)\b"
>
>
>
> The additional \b at the end of the regular expression ensures that =20=
> a word boundary, so any white space, symbol or the end of the =20
> string would be accepted but not a letter or a digit.
>
>
>
> ~ Ofer Shezaf
>
> ModSecurity Core Rule Set project leader.
>
>
>
>
>
>
>
> From: mod...@li... [mailto:mod-=20
> sec...@li...] On Behalf Of Russ Lavoie
> Sent: Saturday, March 24, 2007 8:51 PM
> To: mod...@li...
> Subject: [mod-security-users] Filter Rule...
>
>
>
> I have the below filter rule for modsecurity 1.9
>
>
>
> SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
>
>
>
> I am having a problem with valid attempts are coming through.. Say =20=
> a password with a semi colon followe by a space then an ls(some =20
> random characters).
>
>
>
> How can I make this a working rule that will not block these types =20
> of comments in a password field of a web page?
>
>
>
> Thanks
>
> ----------------------------------------------------------------------=20=
> ---
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to =20
> share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?=20
> page=3Djoin.php&p=3Dsourceforge&CID=3DDEVDEV____________________________=
____=20
> _______________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
|
