Re: [mod-security-users] Filter Rule...
From: Christian B. <ch...@jw...> - 2007-03-26 20:08:40
On 26.03.2007 at 20:54, Russ Lavoie wrote:

> This brings up another question... The below rule...
>
> "![a-zA-Z0-9\:;,\.\$\%]{1,13}"
>
> Checks for all English type characters right?
>
> How about other languages like german, Chinese etc? How could you check for those?

Good question. Since modsecurity uses PCRE (perl compatible regular expressions) I guess the best source of information is here: http://perldoc.perl.org/perlre.html

I would restrict the regexp to all characters supported by your application. If your application supports all of the languages you mentioned, it would probably be the easiest to start by restricting the value of the password-field to a given length by using

SecFilterSelective ARG_Lpassword "!(.){1,13}"

An advanced issue would be to filter based on the User-Agent's language.

@Ryan: Probably a nice thing for your cool-rules-project "Locale-based rules" ;-)

SecRule HTTP_HEADER:Accept-Language "en-en" "chain"
SecRule ARGS:Lpassword "![a-zA-Z0-9\;\%\-\_]{1,13}" "skip:1,log,auditlog,drop,phase:2"
SecRule HTTP_HEADER:Accept-Language "^jp.*$" "chain"
SecRule ARGS:Lpassword "!(.){1,13}" "log,auditlog,drop,phase:2"

Regards,
Chris

> Thanks
>
> From: Ryan Barnett [mailto:Rya...@Br...]
> Sent: Monday, March 26, 2007 1:02 PM
> To: Russ Lavoie; Ofer Shezaf; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
> There are some semantic differences between the v1.9 and v2.0 rulesets that everyone should be aware of. Please refer to my recent Blog post - http://www.modsecurity.org/blog/archives/2007/03/2x1x_rule_diffe.html as it outlines a similar issue.
>
> In this case, the following rule means 2 separate things -
>
> SecFilterSelective ARG_Lpassword "![a-zA-Z0-9\:;,\.\$\%]{1,13}"
>
> First, it means - if the request does not have the "Lpassword" argument with the following data then deny. This matches when the Lpassword arg isn't even present.
>
> Second, it means - if the request does have the "Lpassword" argument, and it doesn't have the authorized characters or is too large/small then deny.
>
> Actually, after testing, there seems to be a bug in the syntax of the rule. The entire RegEx should be surrounded by parentheses in order to have the Inverted rule applied on both the allowed character class and the size limitation. Otherwise, the invert was only being applied to the character class. This means that you could send a request with 100 "a" characters and it would be allowed through. The rule should be this -
>
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
> That being said, the easiest way to correct this is to include a Scope context to the rule. The following ruleset uses the Apache Location directive to only apply the Mod rule if the URL is the "script.php" script. This is assuming that the script.php script is the one that legitimately has the Lpassword argument.
>
> <Location "/cgi-bin/script.php">
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
> </Location>
>
> If you want to use ModSecurity only directives, you could do one of the following -
>
> 1) Create a chained rule that first checks the URI -
>
> SecFilterSelective REQUEST_URI "^/cgi-bin/script\.php$" "chain,log,deny,msg:'Lpassword Argument has illegal data.'"
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
> 2) Create a chained rule that first checks to see if the Lpassword arg is present, if so, then check the format/size, etc...
>
> SecFilterSelective ARG_Lpassword "!^$" "chain,log,deny,msg:'Lpassword Argument has illegal data.'"
> SecFilterSelective ARG_Lpassword "!^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"
>
> I hope this helps. Let me know if you run into any more issues.
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
>
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Russ Lavoie
> Sent: Monday, March 26, 2007 11:51 AM
> To: Ofer Shezaf; mod...@li...
> Subject: Re: [mod-security-users] Filter Rule...
>
> Hmm...
>
> I used the following and it alerts on every page of the site on my dev box even though the Lpassword variable is not present on those pages.
>
> SecFilterSelective ARG_Lpassword "![a-zA-Z0-9\:;,\.\$\%]{1,13}"
> SecFilterSelective ARGS|!ARG_Lpassword ";[[:space:]]*(ls|id|pwd|wget)"
>
> It isn't working for me...
>
> mod_security: Access denied with code 403. Pattern match "![a-zA-Z0-9\\\\:;,\\\\.\\\\$\\\\%]{1,13}" at ARG("Lpassword") [msg "Command execution attack"] [severity "EMERGENCY"] [hostname "devbox"] [uri "/cgi-bin/script.pl"] [unique_id "RgfpZawfFgMAADTcAVA"]
>
> I just browse to the front page of the site and bang... I get this error... the uri will be different every time though.
>
> Not sure what the issue is here :(
>
> Russ
>
> From: Ofer Shezaf [mailto:Of...@Br...]
> Sent: Monday, March 26, 2007 9:06 AM
> To: Russ Lavoie; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
> Well it seems that Chris (in another e-mail) paid more attention to your exact problem, so white listing the password field would be your solution.
>
> From Chris' e-mail:
>
> SecFilterSelective ARG_passwd "![a-zA-Z0-9\:;,\.\$\%]{1,10}"
> SecFilterSelective ARGS|!ARG_passwd ";[[:space:]]*(ls|id|pwd|wget)"
>
> If Chris' rule for the password field was too limited, you may want to keep only the length limitation as it would be hard to squeeze a whole command injection attack in 10 characters.
>
> ~ Ofer
>
> From: Russ Lavoie [mailto:rl...@nc...]
> Sent: Monday, March 26, 2007 3:58 PM
> To: Ofer Shezaf; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
> I would love to upgrade... But we would have to upgrade apache first... These are the last set of servers that are running apache 1.3.x releases.
>
> I want to have free rein for password creations, but want to still have some security in it. How does \b help out in this instance? I don't fully understand.
>
> Thanks
>
> From: Ofer Shezaf [mailto:Of...@Br...]
> Sent: Monday, March 26, 2007 4:05 AM
> To: Russ Lavoie; mod...@li...
> Subject: RE: [mod-security-users] Filter Rule...
>
> Well, you could use ModSecurity 2.x and the Core Rule Set...
>
> But if you insist not to upgrade then the following will help:
>
> SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)\b"
>
> The additional \b at the end of the regular expression ensures a word boundary, so any white space, symbol or the end of the string would be accepted but not a letter or a digit.
>
> ~ Ofer Shezaf
> ModSecurity Core Rule Set project leader.
>
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Russ Lavoie
> Sent: Saturday, March 24, 2007 8:51 PM
> To: mod...@li...
> Subject: [mod-security-users] Filter Rule...
>
> I have the below filter rule for modsecurity 1.9
>
> SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
>
> I am having a problem with valid attempts that are coming through.. Say a password with a semi colon followed by a space then an ls (some random characters).
>
> How can I make this a working rule that will not block these types of comments in a password field of a web page?
>
> Thanks
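The regex semantics the thread argues over, as an added Python example (not code from the thread or from ModSecurity): it models the negated SecFilterSelective test with Python's re module, substitutes \s for the POSIX [[:space:]] class, and treats an absent argument as the empty string, an assumption chosen so the model reproduces the "fires on every page" behaviour Ryan describes.

```python
import re

# Patterns from the thread. Python's re lacks POSIX [[:space:]], so \s stands in.
UNANCHORED = r"[a-zA-Z0-9\:;,\.\$\%]{1,13}"       # Russ's whitelist, minus the leading "!"
ANCHORED = r"^([a-zA-Z0-9\:;,\.\$\%]{1,13})$"     # Ryan's corrected form
CMD_INJ = r";\s*(ls|id|pwd|wget)"                 # Russ's original command-injection pattern
CMD_INJ_WB = r";\s*(ls|id|pwd|wget)\b"            # Ofer's version with a trailing \b


def rule_fires(pattern, value, negate):
    """Model one SecFilterSelective test: the rule fires (denies) when the pattern
    matches the value, or, for a "!"-negated rule, when it does NOT match."""
    matched = re.search(pattern, value) is not None
    return (not matched) if negate else matched


def password_denied(pattern, args, name="Lpassword"):
    """Apply a negated whitelist to one request argument (args is a dict of the
    request's parameters). Assumption: an absent argument is tested as "", which
    is why the negated rule denies requests that never carried Lpassword."""
    value = args.get(name, "")
    return rule_fires(pattern, value, negate=True)


def password_denied_chained(pattern, args, name="Lpassword"):
    """Ryan's option 2: chain a presence check (ARG_Lpassword "!^$") in front of
    the whitelist so the negated rule cannot fire when the argument is missing."""
    value = args.get(name, "")
    present = rule_fires(r"^$", value, negate=True)
    return present and rule_fires(pattern, value, negate=True)


if __name__ == "__main__":
    # Ryan's point: without anchors, 100 "a"s still satisfy {1,13} somewhere, so
    # the inverted rule does not fire and the oversized value is allowed through.
    print("unanchored, 100 a's denied:", password_denied(UNANCHORED, {"Lpassword": "a" * 100}))
    print("anchored,   100 a's denied:", password_denied(ANCHORED, {"Lpassword": "a" * 100}))
    # Russ's symptom: a request with no Lpassword at all is still denied ...
    print("anchored, arg absent denied:", password_denied(ANCHORED, {}))
    # ... unless the presence check is chained in front.
    print("chained,  arg absent denied:", password_denied_chained(ANCHORED, {}))
    # Ofer's \b: "; lsq9" in a password is no longer mistaken for "; ls".
    print("no \\b, '; lsq9' fires:", rule_fires(CMD_INJ, "xy; lsq9", False))
    print("with \\b, '; lsq9' fires:", rule_fires(CMD_INJ_WB, "xy; lsq9", False))
    print("with \\b, '; ls -la' fires:", rule_fires(CMD_INJ_WB, "xy; ls -la", False))
```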