Thread: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
|
From: Oleg G. <ole...@ya...> - 2011-04-11 21:59:58
|
I'm trying to make dos_protection work in CRS 2.1.2, and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5"; everything else is completely ignored.
I have the debug level set to 9, and the only rules that are shown in the log file are those in phase 5 (see below). Please let me know what is wrong.
The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. the IP collection and the dos_counter_threshold variable).
This is from modsecurity_crs_10_config.conf:
-------------------------------------------
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=1', \
setvar:'tx.dos_block_timeout=600'"
...
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
...
This is from log file:
---------------------
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD= %{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 2 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8578910; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "28"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8574618; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8598b18; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8585558; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "39"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not configured to run for this request.
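A debug log like the one above can be triaged mechanically. The following Python is an added example, not code from the thread or from ModSecurity: it parses debug-log lines in the format shown above and reports which hooks logged "Processing disabled", which phases started, which phase each invoked rule belongs to, and which persistent collections were missing when a setvar ran. The sample lines are constructed after the posted log; the REQUEST_HEADERS phase name in the healthy sample is assumed from ModSecurity 2.x debug output.

```python
"""Triage a ModSecurity 2.x debug log that shows only phase:5 rules running.

Added example, not part of the thread or of ModSecurity. Sample lines are
constructed after the posted log; the REQUEST_HEADERS phase name is assumed.
"""
import re
from collections import Counter

# Line shape from the posted log: [timestamp] [server/sid][rid][uri][level] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\]\[(?P<rid>[^\]]+)\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
# Both spellings in the log: "Hook X: Processing disabled, skipping." and
# "Processing disabled, skipping (hook X)."
DISABLED_RE = re.compile(
    r"(?:Hook (\w+): )?Processing disabled, skipping(?: \(hook (\w+)\))?"
)
PHASE_RE = re.compile(r"^Starting phase (\w+)\.")
# Phase of an invoked rule comes from the phase:N action echoed in the Rule line.
RULE_RE = re.compile(r"^Rule [0-9a-f]+: Sec(?:Rule|Action) .*?\bphase:(\d)\b")
NOCOL_RE = re.compile(
    r'Could not set variable "([^".]+)\.[^"]+" as the collection does not exist'
)

# Constructed, abridged after the thread's log: request hooks skipped, phase 5 runs.
DISABLED_LOG = r"""
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
"""

# Constructed healthy counterpart: phase 1 runs, so initcol creates the IP collection.
HEALTHY_LOG = r"""
[11/Apr/2011:12:20:01 --0700] [localhost/sid#b85b0b18][rid#b8c2c000][/][4] Starting phase REQUEST_HEADERS.
[11/Apr/2011:12:20:01 --0700] [localhost/sid#b85b0b18][rid#b8c2c000][/][5] Rule b7b90a10: SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
[11/Apr/2011:12:20:01 --0700] [localhost/sid#b85b0b18][rid#b8c2c000][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:20:01 --0700] [localhost/sid#b85b0b18][rid#b8c2c000][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1"
"""


def parse_line(line):
    """Split one debug-log line into its bracketed fields; None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Summarise one transaction's debug-log lines and attach a diagnosis."""
    report = {"disabled_hooks": [], "phases_started": [],
              "rules_by_phase": Counter(), "missing_collections": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := DISABLED_RE.search(msg)):
            report["disabled_hooks"].append(m.group(1) or m.group(2) or "unknown")
        elif (m := PHASE_RE.match(msg)):
            report["phases_started"].append(m.group(1))
        elif (m := RULE_RE.match(msg)):
            report["rules_by_phase"][int(m.group(1))] += 1
        elif (m := NOCOL_RE.search(msg)):
            report["missing_collections"].add(m.group(1).lower())
    report["verdict"] = verdict(report)
    return report


def verdict(report):
    """Explain the phase coverage in plain language."""
    only_logging = set(report["phases_started"]) <= {"LOGGING"}
    early_rules_ran = any(p < 5 for p in report["rules_by_phase"])
    if report["disabled_hooks"] and only_logging and not early_rules_ran:
        text = ("rule engine disabled for hooks "
                f"{', '.join(report['disabled_hooks'])}; only phase 5 ran")
        if report["missing_collections"]:
            text += (f"; collections {', '.join(sorted(report['missing_collections']))} "
                     "never initialised because the phase:1 initcol never executed")
        return text
    if report["missing_collections"]:
        return "request phases ran but a collection is missing: check initcol placement"
    return "request phases ran; no collection errors"


if __name__ == "__main__":
    for name, log in (("disabled", DISABLED_LOG), ("healthy", HEALTHY_LOG)):
        r = triage(log.strip().splitlines())
        print(f"{name}: phases={r['phases_started']} rules={dict(r['rules_by_phase'])}")
        print(f"  {r['verdict']}")
```

In ModSecurity 2.x the "Processing disabled, skipping" message is written by the request and filter hooks when the rule engine is not enabled for that configuration context, so a phase:1 initcol never runs and the IP collection that the phase:5 DoS rules count into does not exist; checking SecRuleEngine in the context that serves the request is the first thing to verify.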
|
|
From: Ryan B. <RBa...@tr...> - 2011-04-11 22:28:52
|
Oleg,
What Apache and ModSecurity versions are you using?
Can you try and sync from SVN and try the 2.1.3 version of CRS?
This does look odd, as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?
-Ryan
On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
|
|
From: Oleg G. <ole...@ya...> - 2011-04-11 22:54:52
|
Ryan,
Thank you for the quick response. Here is the information that you've requested:
Apache/2.2.17 (Debian)
modsecurity-apache_2.5.13
The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it works.
Please let me know if you have a fix,
Oleg.
----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: "ol...@gr..." <ol...@gr...>; "mod...@li..." <mod...@li...>
> Sent: Mon, April 11, 2011 3:28:38 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
> >Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation
> >completed in 1 usec.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator
> >"ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed
> >in 2 usec.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained
> >-> mode NEXT_CHAIN.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking
> >rule b8578910; [file
> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co
> >nf"] [line "28"].
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910:
> >SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1"
> >"phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correl
> >ated Attack Attempt Identified: (Total Score: %{tx.anomaly_score},
> >SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack
> >(%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE})
> >+ Outbound Application Error (%{tx.msg} - Outbound Anomaly Score:
> >%{TX.OUTBOUND_ANOMALY_SCORE})'"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation
> >completed in 1 usec.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator
> >"ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed
> >in 1 usec.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained
> >-> mode NEXT_CHAIN.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking
> >rule b8574618; [file
> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co
> >nf"] [line "32"].
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618:
> >SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0"
> >"phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inboun
> >d Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE},
> >SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}):
> >%{tx.inbound_tx_msg}'"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained
> >-> mode NEXT_CHAIN.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking
> >rule b8598b18; [file
> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co
> >nf"] [line "36"].
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18:
> >SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge
> >%{tx.inbound_anomaly_score_level}"
> >"phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded
> >(Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE},
> >SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}):
> >%{tx.inbound_tx_msg}'"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not
> >chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking
> >rule b8585558; [file
> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co
> >nf"] [line "39"].
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558:
> >SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge
> >%{tx.outbound_anomaly_score_level}"
> >"phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded
> >(score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not
> >chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700]
> >[localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not
> >configured to run for this request.
> >
> >
> >
> >--------------------------------------------------------------------------
> >----
> >Forrester Wave Report - Recovery time is now measured in hours and minutes
> >not days. Key insights are discussed in the 2010 Forrester Wave Report as
> >part of an in-depth evaluation of disaster recovery service providers.
> >Forrester found the best-in-class provider in terms of services and
> >vision.
> >Read this report now! http://p.sf.net/sfu/ibm-webcastpromo
> >_______________________________________________
> >mod-security-developers mailing list
> >mod...@li...
> >https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >ModSecurity Services from Trustwave's SpiderLabs:
> >https://www.trustwave.com/spiderLabs.php
> >
>
>
> This transmission may contain information that is privileged, confidential,
>and/or exempt from disclosure under applicable law. If you are not the intended
>recipient, you are hereby notified that any disclosure, copying, distribution,
>or use of the information contained herein (including any reliance thereon) is
>STRICTLY PROHIBITED. If you received this transmission in error, please
>immediately contact the sender and destroy the material in its entirety, whether
>in electronic or hard copy format.
>
>
> |
|
From: Ryan B. <RBa...@tr...> - 2011-04-12 00:21:10
|
Can you also send your other main config file?
On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:
> Ryan,
> Thank you for the quick response. Here is the information that you've requested:
>
> Apache/2.2.17 (Debian)
> modsecurity-apache_2.5.13
>
>
> The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it
> works.
>
> Please let me know if you have a fix,
> Oleg.
>
>
>
>
>
>
> ----- Original Message ----
>> From: Ryan Barnett <RBa...@tr...>
>> To: "ol...@gr..." <ol...@gr...>;
>> "mod...@li..."
>> <mod...@li...>
>> Sent: Mon, April 11, 2011 3:28:38 PM
>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the
>> log
>>
>> Oleg,
>>
>> What Apache and ModSecurity versions are you using?
>>
>> Can you try and sync from SVN and try the 2.1.3 version of CRS?
>>
>> This does look odd as it is essentially skipping phases 1-4 and then
>> picking up rules in phase:5. Can you send your
>> modsecurity_crs_10_config.conf file?
>>
>> -Ryan
>>
>> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>
>>> I'm trying to make dos_protection working in CRS 2.1.2 and it seems to me
>>> that something is grossly wrong with this version. It looks like the only
>>> rules that are executed are the ones in "phase:5", everything else is
>>> completely ignored.
>>>
>>> I have debug level set to 9 and only rules that are shown in the log file
>>> are those that in phase 5 (see below). Please let me know what is wrong.
>>>
>>> The collections and variables that are set in
>>> modsecurity_crs_10_config.conf are not defined (e.g. IP collection and
>>> dos_counter_threshold variable)
>>>
>>> This is from modsecurity_crs_10_config.con:
>>> -------------------------------------------
>>> SecAction "phase:1,t:none,nolog,pass, \
>>> setvar:'tx.dos_burst_time_slice=60', \
>>> setvar:'tx.dos_counter_threshold=1', \
>>> setvar:'tx.dos_block_timeout=600'"
>>> ...
>>> SecAction
>>> "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}
>>> _%{tx.ua_hash}"
>>> ...
>>>
> <modsecurity_crs_10_config.conf>
> <modsecurity_crs_11_dos_protection.conf>
|
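Before Oleg found the cause, the debug log already contained everything needed to diagnose it. The script below is an added example (not code from this thread or from ModSecurity) that parses ModSecurity 2.x debug-log lines, groups them by transaction id and flags the two tell-tale signs visible above: request hooks reporting "Processing disabled" while only the LOGGING phase starts, and a setvar failing because its collection was never created. The symptom sample is taken from the log quoted in this thread; the contrasting healthy log, with its rid and timestamp, is constructed for the example.

```python
"""Triage a ModSecurity 2.x debug log (SecDebugLogLevel 9) for the symptom in
this thread: the request hooks report "Processing disabled", only the LOGGING
phase starts, and setvar fails because the collection was never initialised.
Added example; not code from the thread or from ModSecurity."""
import re
from collections import defaultdict

# Lines taken from the debug log quoted in this thread, trimmed to the ones
# the diagnosis needs (one transaction, rid b8c2bba8).
SYMPTOM_LOG = """\
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
"""

# Constructed contrast case: the same request once every phase runs
# (rid and timestamp are invented for the example).
HEALTHY_LOG = """\
[12/Apr/2011:09:00:00 --0700] [localhost/sid#b85b0b18][rid#deadbeef][/index.html][4] Starting phase REQUEST_HEADERS.
[12/Apr/2011:09:00:00 --0700] [localhost/sid#b85b0b18][rid#deadbeef][/index.html][4] Starting phase REQUEST_BODY.
[12/Apr/2011:09:00:00 --0700] [localhost/sid#b85b0b18][rid#deadbeef][/index.html][4] Starting phase RESPONSE_HEADERS.
[12/Apr/2011:09:00:00 --0700] [localhost/sid#b85b0b18][rid#deadbeef][/index.html][4] Starting phase RESPONSE_BODY.
[12/Apr/2011:09:00:00 --0700] [localhost/sid#b85b0b18][rid#deadbeef][/index.html][4] Starting phase LOGGING.
[12/Apr/2011:09:00:00 --0700] [localhost/sid#b85b0b18][rid#deadbeef][/index.html][9] Setting variable: ip.dos_counter=+1
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>[0-9a-f]+)\]"
    r"\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
SKIPPED_RE = re.compile(r"(?:Hook (\w+): )?Processing disabled, skipping(?: \(hook (\w+)\))?")
PHASE_RE = re.compile(r"Starting phase (\w+)\.")
MISSING_RE = re.compile(r'Could not set variable "(\w+)\.\w+" as the collection does not exist')


def parse(log_text):
    """Group the records of a debug log by transaction id (the rid# field)."""
    txns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            txns[m.group("rid")].append(m.groupdict())
    return txns


def diagnose(log_text):
    """Per transaction: skipped hooks, phases that started, collections that
    setvar could not find, and a list of verdict strings (empty = healthy)."""
    findings = {}
    for rid, records in parse(log_text).items():
        skipped, phases, missing = [], [], set()
        for rec in records:
            msg = rec["msg"]
            if m := SKIPPED_RE.search(msg):
                skipped.append(m.group(1) or m.group(2) or "unknown")
            elif m := PHASE_RE.search(msg):
                phases.append(m.group(1))
            elif m := MISSING_RE.search(msg):
                missing.add(m.group(1))
        verdict = []
        if skipped and phases == ["LOGGING"]:
            verdict.append("SecRuleEngine is Off (or not set) in this context: "
                           "phases 1-4 skipped, only phase 5 (LOGGING) ran")
        if missing:
            verdict.append("initcol never executed for collection(s): " + ", ".join(sorted(missing)))
        findings[rid] = {
            "uri": records[-1]["uri"],
            "skipped_hooks": skipped,
            "phases": phases,
            "missing_collections": sorted(missing),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for name, log in (("symptom", SYMPTOM_LOG), ("healthy", HEALTHY_LOG)):
        for rid, f in diagnose(log).items():
            print(name, rid, f["uri"], f["verdict"] or ["no problem detected"])
```

The "collection does not exist" message on its own only says that initcol did not run for that transaction; it is the combination with the skipped hooks and the single LOGGING phase that points at the rule engine rather than at a mis-ordered initcol.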
|
From: Ryan B. <RBa...@tr...> - 2011-04-12 01:13:32
|
You should have a separate file that handles your main config settings - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration

These are settings that you maintain for your local site. These should not be included within 3rd party rules such as the CRS.

Ryan

On Apr 11, 2011, at 9:07 PM, "Oleg Gryb" <ole...@ya...> wrote:

> It helped, now I see other rules working. My SecRuleEngine setting was commented out (). It means that default behavior is "Off", right? Probably it's better to have it as DetectionOnly by default.
>
> Thanks for your help,
> Oleg.
>
> From: Breno Silva <bre...@gm...>
> To: mod...@li...
> Cc: Ryan Barnett <RBa...@tr...>; Oleg Gryb <ol...@gr...>
> Sent: Mon, April 11, 2011 5:57:52 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
>> Oleg,
>>
>> I think your SecRuleEngine is set as Off. Please set it to SecRuleEngine DetectionOnly or SecRuleEngine On
>>
>> Thanks
>>
>> Breno
>>
>> On Mon, Apr 11, 2011 at 7:20 PM, Ryan Barnett <RBa...@tr...> wrote:
>>
>>> Can you also send your other main config file?
>>>
>>> On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>>
>>>> Ryan,
>>>> Thank you for the quick response. Here is the information that you've requested:
>>>>
>>>> Apache/2.2.17 (Debian)
>>>> modsecurity-apache_2.5.13
>>>>
>>>> The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it
>>>> works.
>>>>
>>>> Please let me know if you have a fix,
>>>> Oleg.
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8578910; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "28"]. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: >>> SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" >>> "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correl >>> ated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack >>> (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) >>> + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: >>> %{TX.OUTBOUND_ANOMALY_SCORE})'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation >>> completed in 1 usec. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator >>> "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed >>> in 1 usec. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained >>> -> mode NEXT_CHAIN. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8574618; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "32"]. 
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: >>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" >>> "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inboun >>> d Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): >>> %{tx.inbound_tx_msg}'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained >>> -> mode NEXT_CHAIN. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8598b18; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "36"]. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: >>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge >>> %{tx.inbound_anomaly_score_level}" >>> "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded >>> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): >>> %{tx.inbound_tx_msg}'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not >>> chained -> mode NEXT_RULE. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8585558; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "39"]. 
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: >>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge >>> %{tx.outbound_anomaly_score_level}" >>> "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded >>> (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not >>> chained -> mode NEXT_RULE. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not >>> configured to run for this request. >>> >>> >>> >>> -------------------------------------------------------------------------- >>> ---- >>> Forrester Wave Report - Recovery time is now measured in hours and minutes >>> not days. Key insights are discussed in the 2010 Forrester Wave Report as >>> part of an in-depth evaluation of disaster recovery service providers. >>> Forrester found the best-in-class provider in terms of services and >>> vision. >>> Read this report now! <http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo >>> _______________________________________________ >>> mod-security-developers mailing list >>> <mailto:mod...@li...> mod...@li...<mailto:mod...@li...> >>> <https://lists.sourceforge.net/lists/listinfo/mod-security-developers> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >>> ModSecurity Services from Trustave's SpiderLabs: >>> <https://www.trustwave.com/spiderLabs.php> https://www.trustwave.com/spiderLabs.php >>> >> >> >> This transmission may contain information that is privileged, confidential, >> and/or exempt from disclosure under applicable law. 
If you are not the intended >> recipient, you are hereby notified that any disclosure, copying, distribution, >> or use of the information contained herein (including any reliance thereon) is >> STRICTLY PROHIBITED. If you received this transmission in error, please >> immediately contact the sender and destroy the material in its entirety, whether >> in electronic or hard copy format. >> >> >> ------------------------------------------------------------------------------ >> Forrester Wave Report - Recovery time is now measured in hours and minutes >> not days. Key insights are discussed in the 2010 Forrester Wave Report as >> part of an in-depth evaluation of disaster recovery service providers. >> Forrester found the best-in-class provider in terms of services and vision. >> Read this report now! <http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo >> _______________________________________________ >> mod-security-developers mailing list >> <mailto:mod...@li...> mod...@li...<mailto:mod...@li...> >> <https://lists.sourceforge.net/lists/listinfo/mod-security-developers> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> ModSecurity Services from Trustave's SpiderLabs: >> <https://www.trustwave.com/spiderLabs.php> https://www.trustwave.com/spiderLabs.php >> > <modsecurity_crs_10_config.conf> > <modsecurity_crs_11_dos_protection.conf> > ------------------------------------------------------------------------------ > Forrester Wave Report - Recovery time is now measured in hours and minutes > not days. Key insights are discussed in the 2010 Forrester Wave Report as > part of an in-depth evaluation of disaster recovery service providers. > Forrester found the best-in-class provider in terms of services and vision. > Read this report now! 
<http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo > _______________________________________________ > mod-security-developers mailing list > <mailto:mod...@li...> mod...@li...<mailto:mod...@li...> > <https://lists.sourceforge.net/lists/listinfo/mod-security-developers> https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustave's SpiderLabs: > <https://www.trustwave.com/spiderLabs.php> https://www.trustwave.com/spiderLabs.php This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ------------------------------------------------------------------------------ Forrester Wave Report - Recovery time is now measured in hours and minutes not days. Key insights are discussed in the 2010 Forrester Wave Report as part of an in-depth evaluation of disaster recovery service providers. Forrester found the best-in-class provider in terms of services and vision. Read this report now! 
<http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo _______________________________________________ mod-security-developers mailing list <mailto:mod...@li...>mod...@li...<mailto:mod...@li...> <https://lists.sourceforge.net/lists/listinfo/mod-security-developers>https://lists.sourceforge.net/lists/listinfo/mod-security-developers ModSecurity Services from Trustave's SpiderLabs: <https://www.trustwave.com/spiderLabs.php>https://www.trustwave.com/spiderLabs.php ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
|
From: Oleg G. <ole...@ya...> - 2011-04-12 16:33:37
I've tried the suggested default and got the error below. I've also checked the mod-security docs and didn't find the option in question (they have SecResponseBodyLimitAction only).

Error: Invalid command 'SecRequestBodyLimitAction', perhaps misspelled or defined by a module not included in the server configuration

----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: Oleg Gryb <ol...@gr...>
> Cc: Oleg Gryb <ol...@gr...>; "mod...@li..." <mod...@li...>
> Sent: Mon, April 11, 2011 6:13:18 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
> You should have a separate file that handles your main config settings -
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration
>
> These are settings that you maintain for your local site. These should not be included within 3rd party rules such as the CRS.
>
> Ryan
>
> On Apr 11, 2011, at 9:07 PM, "Oleg Gryb" <ole...@ya...> wrote:
>
> It helped, now I see other rules working.
> My SecRuleEngine setting was commented out (). It means that default behavior is "Off", right?
>
> Probably it's better to have it as DetectionOnly by default.
>
> Thanks for your help,
> Oleg.
>
> From: Breno Silva <bre...@gm...>
> To: mod...@li...
> Cc: Ryan Barnett <RBa...@tr...>; Oleg Gryb <ol...@gr...>
> Sent: Mon, April 11, 2011 5:57:52 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
> Oleg,
>
> I think your SecRuleEngine is set as Off.
>
> Please set it to SecRuleEngine DetectionOnly or SecRuleEngine On
>
> Thanks
>
> Breno
>
> On Mon, Apr 11, 2011 at 7:20 PM, Ryan Barnett <RBa...@tr...> wrote:
> Can you also send your other main config file?
>
> > On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:
> >
> > Ryan,
> > Thank you for the quick response. Here is the information that you've requested:
> >
> > Apache/2.2.17 (Debian)
> > modsecurity-apache_2.5.13
> >
> > The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it works.
> >
> > Please let me know if you have a fix,
> > Oleg.
> >
> > ----- Original Message ----
> >> From: Ryan Barnett <RBa...@tr...>
> >> To: ol...@gr...; mod...@li...
> >> Sent: Mon, April 11, 2011 3:28:38 PM
> >> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
> >>
> >> Oleg,
> >>
> >> What Apache and ModSecurity versions are you using?
> >>
> >> Can you try and sync from SVN and try the 2.1.3 version of CRS?
> >>
> >> This does look odd as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?
> >>
> >> -Ryan
> >>
> >> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
> >>
> >>> I'm trying to make dos_protection working in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5", everything else is completely ignored.
> >>>
> >>> I have debug level set to 9 and only rules that are shown in the log file are those that in phase 5 (see below). Please let me know what is wrong.
> >>>
> >>> The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g.
IP collection and > >>> dos_counter_threshold variable) > >>> > >>> This is from modsecurity_crs_10_config.con: > >>> ------------------------------------------- > >>> SecAction "phase:1,t:none,nolog,pass, \ > >>> setvar:'tx.dos_burst_time_slice=60', \ > >>> setvar:'tx.dos_counter_threshold=1', \ > >>> setvar:'tx.dos_block_timeout=600'" > >>> ... > >>> SecAction > >>> "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr} > >>> _%{tx.ua_hash}" > >>> ... > >>> > >>> This is from log file: > >>> --------------------- > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction > >>> (txid TaNTXH8AAAEAAFC-AdsAAABJ). > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created > >>> (dcfg b78714e0). > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, > >>> skipping (hook request_early). > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled >here. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, > >>> skipping (hook request_late). > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook > >>> insert_filter: Adding PDF XSS protection output filter (r b8c2bba8). > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook > >>> insert_filter: Processing disabled, skipping. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising > >>> logging. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase > >>> LOGGING. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase > >>> consists of 36 rule(s). 
> >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b7ba1cb0; [file > >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection > >>> .conf"] [line "24"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: > >>> SecRule "IP:DOS_BLOCK" "@eq 1" > >>> "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not > >>> chained -> mode NEXT_RULE. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b7ba2438; [file > >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection > >>> .conf"] [line "30"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: > >>> SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" > >>> "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD= > >>> %{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation > >>> completed in 1 usec. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing >operator > >>> "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against > >>> REQUEST_BASENAME. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex > >>> captures since "capture" action is not enabled. 
> >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator >completed > >>> in 17 usec. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: > >>> ip.dos_counter=+1 > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set > >>> variable "ip.dos_counter" as the collection does not exist. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of > >>> "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. > >>> [file > >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection > >>> .conf"] [line "30"] [data "THRESHOLD= ; COUNTER="] > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode > >>> NEXT_RULE. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b7ba30f8; [file > >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection > >>> .conf"] [line "37"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: > >>> SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" > >>> "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar > >>> :ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter" > >>> ; [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not > >>> chained -> mode NEXT_RULE. 
> >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b7bca648; [file > >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection > >>> .conf"] [line "44"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: > >>> SecRule "IP:DOS_BURST_COUNTER" "@ge 1" > >>> "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack > >>> from %{remote_addr} - # of Request Bursts: > >>> %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx > >>> .dos_block_timeout}" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not > >>> chained -> mode NEXT_RULE. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b85598c8; [file > >>> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> > > >>> nf"] [line "21"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: > >>> SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" > >>> "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correl > >>> ated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, > >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack > >>> (%{tx.inbound_tx_msg} - Inbound Anomaly Score: > >>> %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - > >>> Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation > >>> completed in 1 usec. 
> >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing >operator > >>> "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed > >>> in 2 usec. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained > >>> -> mode NEXT_CHAIN. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b8578910; [file > >>> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> > > >>> nf"] [line "28"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: > >>> SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" > >>> "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correl > >>> ated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, > >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack > >>> (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) > >>> + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: > >>> %{TX.OUTBOUND_ANOMALY_SCORE})'" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation > >>> completed in 1 usec. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing >operator > >>> "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/. 
> >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator >completed > >>> in 1 usec. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained > >>> -> mode NEXT_CHAIN. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b8574618; [file > >>> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> > > >>> nf"] [line "32"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: > >>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" > >>> "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inboun > >>> d Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, > >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): > >>> %{tx.inbound_tx_msg}'" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained > >>> -> mode NEXT_CHAIN. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b8598b18; [file > >>> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> > > >>> nf"] [line "36"]. 
> >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: > >>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge > >>> %{tx.inbound_anomaly_score_level}" > >>> "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded > >>> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, > >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): > >>> %{tx.inbound_tx_msg}'" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not > >>> chained -> mode NEXT_RULE. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking > >>> rule b8585558; [file > >>> >"/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> > > >>> nf"] [line "39"]. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: > >>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge > >>> %{tx.outbound_anomaly_score_level}" > >>> "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded > >>> (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'" > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not > >>> chained -> mode NEXT_RULE. > >>> [11/Apr/2011:12:15:40 --0700] > >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not > >>> configured to run for this request. > >>> > >>> > >>> > >>> -------------------------------------------------------------------------- > >>> ---- > >>> Forrester Wave Report - Recovery time is now measured in hours and >minutes > >>> not days. 
|
|
From: Ryan B. <RBa...@tr...> - 2011-04-12 16:35:46
|
On 4/12/11 12:33 PM, "Oleg Gryb" <ole...@ya...> wrote:

> I've tried the suggested default and got error below. I've also checked
> mod-security docs and didn't find the option in question (they have
> SecResponseBodyLimitAction only)
>
> Error:
> Invalid command 'SecRequestBodyLimitAction', perhaps misspelled or defined by a
> module not included in the server configuration

See the reference manual -
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRequestBodyLimitAction

This is only available in v2.6.0 which is still in trunk. We are working on
the new Recommended Base Config as we will be bundling it with v2.6 when it
is released.

-Ryan

> ----- Original Message ----
>> From: Ryan Barnett <RBa...@tr...>
>> To: Oleg Gryb <ol...@gr...>
>> Cc: Oleg Gryb <ol...@gr...>; "mod...@li..." <mod...@li...>
>> Sent: Mon, April 11, 2011 6:13:18 PM
>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>>
>> You should have a separate file that handles your main config settings -
>> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration
>>
>> These are settings that you maintain for your local site. These should not be
>> included within 3rd party rules such as the CRS.
>>
>> Ryan
>>
>> On Apr 11, 2011, at 9:07 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>
>> It helped, now I see other rules working.
>> My SecRuleEngine setting was commented out (). It means that default behavior
>> is "Off", right?
>>
>> Probably it's better to have it as DetectionOnly by default.
>>
>> Thanks for your help,
>> Oleg.
------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now! http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
|
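A small audit for the two problems raised in this thread, added here as an example and not code from the thread, ModSecurity or the CRS: it reads a main config the way the engine does (a commented-out SecRuleEngine is no setting, so the engine stays at its Off default and the debug log shows only phase:5 rules) and flags directives the installed version does not know, using the one version fact Ryan gives (SecRequestBodyLimitAction exists from v2.6.0). The config and debug-log excerpts are constructed samples in the formats the thread shows.

```python
"""Audit a ModSecurity 2.x main config and debug log for the two problems in
this thread.  Added example, not code from the thread, ModSecurity or the CRS."""
import re

# Directives that exist only from a given ModSecurity version on.  The single
# entry is the fact stated in the thread: SecRequestBodyLimitAction is new in
# v2.6.0, so a 2.5.13 install rejects it with "Invalid command".
MIN_VERSION = {
    "SecRequestBodyLimitAction": (2, 6, 0),
}

# "SecFoo value" with optional leading whitespace; values may be quoted.
DIRECTIVE_RE = re.compile(r'^\s*(Sec[A-Za-z]+)\s+(.*?)\s*$')
PHASE_RE = re.compile(r'\] Starting phase (\w+)\.')
DISABLED_RE = re.compile(r'Processing disabled, skipping \(hook (\w+)\)')


def parse_version(text):
    """'2.5.13' -> (2, 5, 13), so versions compare numerically as tuples."""
    return tuple(int(part) for part in text.split("."))


def active_directives(config_text):
    """Yield (name, value) for every non-commented directive, in file order."""
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive is not a setting
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).strip('"')


def effective_rule_engine(config_text):
    """Value of the last active SecRuleEngine; Off when none is active.
    Off is what the thread hit: the engine skips phases 1-4 and only the
    phase:5 (logging) rules still show up in the debug log."""
    engine = "Off"
    for name, value in active_directives(config_text):
        if name == "SecRuleEngine":
            engine = value
    return engine


def unsupported_directives(config_text, modsec_version):
    """Active directives the running ModSecurity does not know yet.
    Apache refuses to start on any of these ("Invalid command ...")."""
    running = parse_version(modsec_version)
    return [name for name, _ in active_directives(config_text)
            if name in MIN_VERSION and running < MIN_VERSION[name]]


def audit_config(config_text, modsec_version):
    """Human-readable findings; an empty list means the config is clean."""
    findings = []
    if effective_rule_engine(config_text).lower() == "off":
        findings.append("SecRuleEngine is Off (or missing): phases 1-4 are "
                        "skipped, only phase:5 rules run")
    for name in unsupported_directives(config_text, modsec_version):
        need = ".".join(str(n) for n in MIN_VERSION[name])
        findings.append(f"{name} needs ModSecurity {need}+, running "
                        f"{modsec_version}")
    return findings


def debug_log_summary(log_text):
    """(phases started, hooks skipped as 'Processing disabled') seen in a
    SecDebugLog.  Request hooks skipped with only LOGGING started is the
    fingerprint of SecRuleEngine Off."""
    phases, skipped = [], []
    for line in log_text.splitlines():
        m = PHASE_RE.search(line)
        if m:
            phases.append(m.group(1))
        m = DISABLED_RE.search(line)
        if m:
            skipped.append(m.group(1))
    return phases, skipped


# Constructed sample config reproducing the thread's setup: SecRuleEngine
# commented out, and a 2.6-only directive on a 2.5.13 install.
SAMPLE_CONFIG = """\
# SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimitAction ProcessPartial
SecDebugLogLevel 9
"""

# Constructed debug-log excerpt in the format shown in the thread.
SAMPLE_DEBUG_LOG = """\
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, "2.5.13"):
        print("FINDING:", finding)
    print("debug log:", debug_log_summary(SAMPLE_DEBUG_LOG))
```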