mod-security-rules Mailing List for ModSecurity
Brought to you by: victorhora, zimmerletw
From: <ma...@ev...> - 2024-12-02 09:47:17

Hi Community,

Is it somehow possible to log a rule in a different logfile than \var\log\modsec_audit.log ?

I have these lines in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:

    # Disable these rules but keep logging
    SecRuleUpdateActionById 932236 "allow,log,auditlog"
    SecRuleUpdateActionById 932239 "allow,log,auditlog"

I would like to log 932236 into \var\log\modsec_audit_ignore.log instead.

Thanks!
From: Steve H. <ham...@gm...> - 2024-07-06 15:13:20

If you want a pure Lua method you are going to have to install a Lua library that will handle that, like https://lunarmodules.github.io/md5/manual.html

However, based on what it sounds like you are doing, I think it might be easiest to create a separate shell script that will get the md5 and, from within your Lua script, execute the bash script, passing it the file path as an argument. So your ModSecurity rule would trigger your Lua script and your Lua script would trigger your bash script. Something like:

    ---- Lua script ----
    os.execute("/path/to/bash/script /path/to/infected/file")

    ---- Bash script ----
    #!/bin/bash
    virus_md5=$(md5sum "$1" | cut -d ' ' -f1)
    echo "$virus_md5"
    # Then handle whatever you want to do with the md5 sum from within the bash script.

> On Jul 5, 2024, at 10:43 AM, Rakesh Bare <rak...@gm...> wrote:
>
> Hi There,
> I am using modsecurity in my apache web server. In modsecurity we have one rule to block malicious files. Below is the rule. We are detecting malware files using the antivirus.lua script. Now we are successfully getting the virus name and file name of the malicious file. Our requirement is to get the md5 hash value of the same malicious file.
>
> ---------Modsecurity Rule--------------
>
> SecRule FILES_TMPNAMES "@inspectFile antivirus.lua" "id:9502120,phase:2,deny,setvar:tx.swrule=1,setvar:tx.msgrule=%{rule.msg},setvar:tx.idrule=%{rule.id},setvar:tx.severityrule=%{rule.severity},t:none,msg:'Malicious File Upload',logdata:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',tag:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',ver:'antivirus-plugin/1.0.0',severity:'CRITICAL',chain"
> SecRule TX:ANTIVIRUS-PLUGIN_VIRUS_NAME "@streq %{tx.antivirus-plugin_virus_name}"
>
> ---------Modsecurity Rule--------------
>
> Attached is the lua script which we are using currently.
>
> Thanks,
> Rakesh
>
> <antivirus.lua>
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
From: Rakesh B. <rak...@gm...> - 2024-07-05 14:43:41

Hi There,

I am using modsecurity in my apache web server. In modsecurity we have one rule to block malicious files. Below is the rule. We are detecting malware files using the antivirus.lua script. Now we are successfully getting the virus name and file name of the malicious file. Our requirement is to get the md5 hash value of the same malicious file.

---------Modsecurity Rule--------------

    SecRule FILES_TMPNAMES "@inspectFile antivirus.lua" "id:9502120,phase:2,deny,setvar:tx.swrule=1,setvar:tx.msgrule=%{rule.msg},setvar:tx.idrule=%{rule.id},setvar:tx.severityrule=%{rule.severity},t:none,msg:'Malicious File Upload',logdata:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',tag:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',ver:'antivirus-plugin/1.0.0',severity:'CRITICAL',chain"
    SecRule TX:ANTIVIRUS-PLUGIN_VIRUS_NAME "@streq %{tx.antivirus-plugin_virus_name}"

---------Modsecurity Rule--------------

Attached is the lua script which we are using currently.

Thanks,
Rakesh
From: Yago PB <yag...@gm...> - 2020-10-30 22:11:47

Hello,

We have many custom rules in our servers, mostly nolog, since we use the apache error_log to block IPs. Also we add some rules to a DB using auditlog with nolog,auditlog.

So, if we want to check if a request was intercepted by a nolog rule we can only do this with SecDebugLogLevel 9 using ctl: and REQUEST_URI domain.com.

But we would like to have a custom log with modsec logs to avoid using the debug log. But it seems there isn't any variable to capture the last rule.id: we have %{matched_var} and %{matched_var_name} but not something like %{matched_rule_id}.

I tried with:

    SecDefaultAction "deny,nolog,phase:1,setvar:tx.varname=%{RULE.id},status:406"
    LogFormat ".... LASTRULE:%{TX.VARNAME}M" modsec

But even if it works, setvar is executed in every chain and maybe it is not the best way to accomplish this. I know I can use setvar:tx.varname=%{RULE.id} in the last chain rule to avoid it, but we update rules every week from multiple sources..

So...

- Is there any variable like %{matched_rule_id}?
- Will using setvar:tx.varname=%{RULE.id} in SecDefaultAction negatively impact performance?
- Any other way to accomplish what I'm trying to do?

Kind Regards.
From: Maik L. <mai...@pr...> - 2020-06-15 11:45:53

Hi and thanks, that does not work either. What I found at developer.mozilla.org is that only an HTTP 303 code can be the response to a PUT request for redirection. But that also doesn't work when I send status 303!?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections

From: Steve Hambling <ham...@gm...>
Sent: Wednesday, 10 June 2020 22:00
To: Maik Linnemann <mai...@pr...>
Cc: mod...@li...
Subject: Re: [Mod-security-rules] Redirect if REQ Method is PUT and Content Type is Word

I think it would probably be easier to do a redirect in your web server configuration - like in your Apache Virtual Host.

The rules you wrote look like they would be ok then. They would have to go at the end of the modsecurity.conf file with the SecDefaultAction first. I don't think you even need to add a SecDefaultAction for what you are doing since you only want one rule.

Try putting this at the very end of your modsecurity.conf:

    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "id:110,\
        phase:1,\
        redirect:'http://mydomain/error.html',\
        status:302,\
        log,\
        chain"
        SecRule REQUEST_METHOD "^PUT$"

Could you try that and post what you get in your audit.log with sensitive data redacted? I'd also set "SecResponseBodyAccess Off" in the config file to save resources if you aren't using it.

On Jun 10, 2020, at 2:34 PM, Maik Linnemann <mai...@pr...> wrote:

Hi, thanks. I don't use Core Rule Set or anomaly score. The only goal is to have a redirection to an error page when someone uploads (PUT) an msword file.

On 10.06.2020 at 15:43, Steve Hambling <ham...@gm...> wrote:

Hi Maik,
Are you using Core Rule Set and if so which version?
Are you using the default scoring method of "Anomaly Scoring Mode"?

In Anomaly Scoring you have to change the default action at the very end of all the rules. So you need to set that in the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Make sure to remove the ".example" on that file. You will also want to check the example that is in there because the rule id# you use is going to be specific to your version of CRS.

Essentially, in the default Anomaly mode you have to update the action to the blocking rules that trigger once all the anomalies are added up. In the example below that is rules 949110 and 959100. I also think that if you are redirecting you do not need to change the "status:302" as ModSecurity should default to that. But if you wanted a different HTML code you would put that in the rule id:100 that I made below. Allowed codes for a redirect are: 301, 302, 303, or 307.

Try adding this to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:

    # Redirect to another URL on blocking
    #
    SecRuleUpdateActionById 949110 "t:none,redirect:'http://mydomain/error.html'"
    SecRuleUpdateActionById 959100 "t:none,redirect:'http://mydomain/error.html'"

Then in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf you would add:

    # Block all requests for application/msword
    #
    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "id:100,\
        phase:2,\
        block,\
        t:none,\
        pass,\
        log,\
        chain"
        SecRule REQUEST_METHOD "^PUT$"

Then restart your web server. The audit.log should show you how it processed so I'd check that after testing your rule.

On Jun 10, 2020, at 4:31 AM, Maik Linnemann <mai...@pr...> wrote:

Dear List,

I have a rule:

    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
    SecRule REQUEST_METHOD "PUT"

And I have a default action:

    SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog

But the redirection never happens when I upload a Word document. It is blocked but no redirection.

The browser log says:

    PUT https://my.domain.com/error.html net::ERR_TOO_MANY_REDIRECTS jquery.js:8630

I tried dozens of things, it never redirects. Can someone please help.

Thanks,

With kind regards,

Maik

.::provIT::.
Maik Linnemann
Brahmsstrasse 4a
48291 Telgte
+49 177 3251429
mai...@pr...
From: Steve H. <ham...@gm...> - 2020-06-10 20:00:12

I think it would probably be easier to do a redirect in your web server configuration - like in your Apache Virtual Host.

The rules you wrote look like they would be ok then. They would have to go at the end of the modsecurity.conf file with the SecDefaultAction first. I don't think you even need to add a SecDefaultAction for what you are doing since you only want one rule.

Try putting this at the very end of your modsecurity.conf:

    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "id:110,\
        phase:1,\
        redirect:'http://mydomain/error.html',\
        status:302,\
        log,\
        chain"
        SecRule REQUEST_METHOD "^PUT$"

Could you try that and post what you get in your audit.log with sensitive data redacted? I'd also set "SecResponseBodyAccess Off" in the config file to save resources if you aren't using it.

> On Jun 10, 2020, at 2:34 PM, Maik Linnemann <mai...@pr...> wrote:
>
> Hi,
>
> thanks. I don't use Core Rule Set or anomaly score. The only goal is to have a redirection to an error page when someone uploads (PUT) an msword file.
>
>> On 10.06.2020 at 15:43, Steve Hambling <ham...@gm...> wrote:
>>
>> Hi Maik,
>> Are you using Core Rule Set and if so which version?
>> Are you using the default scoring method of "Anomaly Scoring Mode"?
>>
>> In Anomaly Scoring you have to change the default action at the very end of all the rules. So you need to set that in the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
>> Make sure to remove the ".example" on that file. You will also want to check the example that is in there because the rule id# you use is going to be specific to your version of CRS.
>> Essentially, in the default Anomaly mode you have to update the action to the blocking rules that trigger once all the anomalies are added up. In the example below that is rules 949110 and 959100.
>> I also think that if you are redirecting you do not need to change the "status:302" as ModSecurity should default to that. But if you wanted a different HTML code you would put that in the rule id:100 that I made below. Allowed codes for a redirect are: 301, 302, 303, or 307
>>
>> Try adding this to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
>>
>> # Redirect to another URL on blocking
>> #
>> SecRuleUpdateActionById 949110 "t:none,redirect:'http://mydomain/error.html'"
>> SecRuleUpdateActionById 959100 "t:none,redirect:'http://mydomain/error.html'"
>>
>> Then in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf you would add:
>>
>> # Block all requests for application/msword
>> #
>> SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
>> "id:100,\
>> phase:2,\
>> block,\
>> t:none,\
>> pass,\
>> log,\
>> chain"
>> SecRule REQUEST_METHOD "^PUT$"
>>
>> Then restart your web server.
>> The audit.log should show you how it processed so I'd check that after testing your rule.
>>
>>> On Jun 10, 2020, at 4:31 AM, Maik Linnemann <mai...@pr...> wrote:
>>>
>>> Dear List,
>>>
>>> I have a rule:
>>>
>>> SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
>>> SecRule REQUEST_METHOD "PUT"
>>>
>>> And I have a default action:
>>>
>>> SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog
>>>
>>> But the redirection never happens when I upload a Word document. It is blocked but no redirection.
>>>
>>> The browser log says:
>>>
>>> PUT https://my.domain.com/error.html net::ERR_TOO_MANY_REDIRECTS jquery.js:8630
>>>
>>> I tried dozens of things, it never redirects. Can someone please help.
>>>
>>> Thanks,
>>>
>>> With kind regards,
>>>
>>> Maik
>>>
>>> .::provIT::.
>>> Maik Linnemann
>>> Brahmsstrasse 4a
>>> 48291 Telgte
>>> +49 177 3251429
>>> mai...@pr...
From: Maik L. <mai...@pr...> - 2020-06-10 18:50:54

Hi, thanks. I don't use Core Rule Set or anomaly score. The only goal is to have a redirection to an error page when someone uploads (PUT) an msword file.

On 10.06.2020 at 15:43, Steve Hambling <ham...@gm...> wrote:

Hi Maik,
Are you using Core Rule Set and if so which version?
Are you using the default scoring method of "Anomaly Scoring Mode"?

In Anomaly Scoring you have to change the default action at the very end of all the rules. So you need to set that in the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Make sure to remove the ".example" on that file. You will also want to check the example that is in there because the rule id# you use is going to be specific to your version of CRS.

Essentially, in the default Anomaly mode you have to update the action to the blocking rules that trigger once all the anomalies are added up. In the example below that is rules 949110 and 959100. I also think that if you are redirecting you do not need to change the "status:302" as ModSecurity should default to that. But if you wanted a different HTML code you would put that in the rule id:100 that I made below. Allowed codes for a redirect are: 301, 302, 303, or 307.

Try adding this to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:

    # Redirect to another URL on blocking
    #
    SecRuleUpdateActionById 949110 "t:none,redirect:'http://mydomain/error.html'"
    SecRuleUpdateActionById 959100 "t:none,redirect:'http://mydomain/error.html'"

Then in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf you would add:

    # Block all requests for application/msword
    #
    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "id:100,\
        phase:2,\
        block,\
        t:none,\
        pass,\
        log,\
        chain"
        SecRule REQUEST_METHOD "^PUT$"

Then restart your web server. The audit.log should show you how it processed so I'd check that after testing your rule.

On Jun 10, 2020, at 4:31 AM, Maik Linnemann <mai...@pr...> wrote:

Dear List,

I have a rule:

    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
    SecRule REQUEST_METHOD "PUT"

And I have a default action:

    SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog

But the redirection never happens when I upload a Word document. It is blocked but no redirection.

The browser log says:

    PUT https://my.domain.com/error.html net::ERR_TOO_MANY_REDIRECTS jquery.js:8630

I tried dozens of things, it never redirects. Can someone please help.

Thanks,

With kind regards,

Maik

.::provIT::.
Maik Linnemann
Brahmsstrasse 4a
48291 Telgte
+49 177 3251429
mai...@pr...
From: Steve H. <ham...@gm...> - 2020-06-10 13:43:44

Hi Maik,
Are you using Core Rule Set and if so which version?
Are you using the default scoring method of "Anomaly Scoring Mode"?

In Anomaly Scoring you have to change the default action at the very end of all the rules. So you need to set that in the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Make sure to remove the ".example" on that file. You will also want to check the example that is in there because the rule id# you use is going to be specific to your version of CRS.

Essentially, in the default Anomaly mode you have to update the action to the blocking rules that trigger once all the anomalies are added up. In the example below that is rules 949110 and 959100. I also think that if you are redirecting you do not need to change the "status:302" as ModSecurity should default to that. But if you wanted a different HTML code you would put that in the rule id:100 that I made below. Allowed codes for a redirect are: 301, 302, 303, or 307.

Try adding this to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:

    # Redirect to another URL on blocking
    #
    SecRuleUpdateActionById 949110 "t:none,redirect:'http://mydomain/error.html'"
    SecRuleUpdateActionById 959100 "t:none,redirect:'http://mydomain/error.html'"

Then in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf you would add:

    # Block all requests for application/msword
    #
    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "id:100,\
        phase:2,\
        block,\
        t:none,\
        pass,\
        log,\
        chain"
        SecRule REQUEST_METHOD "^PUT$"

Then restart your web server. The audit.log should show you how it processed so I'd check that after testing your rule.

> On Jun 10, 2020, at 4:31 AM, Maik Linnemann <mai...@pr...> wrote:
>
> Dear List,
>
> I have a rule:
>
> SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
> SecRule REQUEST_METHOD "PUT"
>
> And I have a default action:
>
> SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog
>
> But the redirection never happens when I upload a Word document. It is blocked but no redirection.
>
> The browser log says:
>
> PUT https://my.domain.com/error.html net::ERR_TOO_MANY_REDIRECTS jquery.js:8630
>
> I tried dozens of things, it never redirects. Can someone please help.
>
> Thanks,
>
> With kind regards,
>
> Maik
>
> .::provIT::.
> Maik Linnemann
> Brahmsstrasse 4a
> 48291 Telgte
> +49 177 3251429
> mai...@pr...
From: Maik L. <mai...@pr...> - 2020-06-10 09:07:02

Dear List,

I have a rule:

    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
    SecRule REQUEST_METHOD "PUT"

And I have a default action:

    SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog

But the redirection never happens when I upload a Word document. It is blocked but no redirection.

The browser log says:

    PUT https://my.domain.com/error.html net::ERR_TOO_MANY_REDIRECTS jquery.js:8630

I tried dozens of things, it never redirects. Can someone please help.

Thanks,

With kind regards,

Maik

.::provIT::.
Maik Linnemann
Brahmsstrasse 4a
48291 Telgte
+49 177 3251429
mai...@pr...
From: Steve H. <ham...@gm...> - 2020-04-29 14:14:41

Is there a way to use a rule to change the regex for the main config option:

    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

For instance, if I wanted to send 400 and 500 status codes to the audit log for all requests except those matching a certain IP address, for which I wanted to catch only 500 codes:

    SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" \
        "id:100,\
        phase:1,\
        pass,\
        nolog,\
        ctl:auditLogRelevantStatus='^5'"

Thanks for any help.
From: arjun v. <arj...@gm...> - 2019-10-24 10:21:46

Hello,

We are using mod_security to blacklist/whitelist IPs in our project. As part of some testing we found that some functionality is not working as expected.

We have rules specified in main_setup.conf as below:

    SecRule REMOTE_ADDR "@ipMatchFromFile /etc/opt/cpf/conf/modsecurity_whitelist" "id:250000004,phase:1,nolog,allow"
    SecRule REMOTE_ADDR "@ipMatchFromFile /etc/opt/cpf/conf/modsecurity_whitelist" "id:250000005,phase:5,nolog,skipAfter:WHITELIST_NOLOG"

This should read the file and whitelist the IPs in it.

Issue: When we provide IPv6 addresses in the file in expanded format (example: fc00:0008:0000:6613:0000:0000:0000:003e), if the source is the same IPv6 address but in short format, then the rules do not take effect.

But if we have a rule like

    SecRule REMOTE_ADDR "@ipMatch ::1,fc00:0008:0000:6613:0000:0000:0000:003e"

then irrespective of the source IPv6 format, the whitelisting works.

Is this an issue? We have ModSecurity for Apache/2.7.3

Regards!
Arjun
From: Bártfai C. <bar...@ra...> - 2019-06-24 13:23:49

Hello,

We have experienced issues with the latest update of rules. Our clients reported that they could not sign into their wp-admin, Joomla admin pages, webmail, or fill out any kind of form really.

One rule seemed to be the most destructive: 211290

The rule's description:

    SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword|!ARGS_POST:wpEditToken "@rx (?:'\xbf?\x22|\x22\xbf?'|^\\+?$)" \
        "id:211290,msg:'COMODO WAF: XSS and SQLi vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

And a sample from error.log:

    [Sun Jun 23 16:04:50.957689 2019] [:error] [pid /PID/] [client /IP address/] [client /IP address/] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:'\\\\xbf?\\\\x22|\\\\x22\\\\xbf?'|^\\\\+?$)" at ARGS_POST:content. [file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "199"] [id "211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi vulnerability||/domain.com/|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "/domain.com/"] [uri "/wp-admin/post.php"] [unique_id "/unique id/"], referer: https:///domain.com//wp-admin/post.php?post=69&action=edit

We have turned off the rule on the server because it has blocked almost every form on our servers. Did anyone else experience similar problems?

--
Best regards,
Csaba Bartfai
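A small triage helper, added here as an example and not taken from any post in this thread, that reads Apache error_log lines in the format ModSecurity 2.x writes (the bracketed [id "..."], [uri "..."] and [hostname "..."] fields seen in the line above) and reports which rule id is denying which URI, so a rule that is breaking every form shows up at the top of the list instead of being found by disabling rules one at a time. The log lines are constructed samples modelled on the one in the message; hosts, clients and ids are made up.

```shell
#!/bin/sh
# Added example, not from the list posts: summarise ModSecurity 2.x denials in an
# Apache error_log by rule id and URI (plus the hosts a rule fired on).

# Constructed sample lines modelled on the error.log line quoted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Sun Jun 23 16:04:50.957689 2019] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS_POST:content. [file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "199"] [id "211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi vulnerability||example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "XQ1a"]
[Sun Jun 23 16:05:12.101010 2019] [:error] [pid 1235] [client 203.0.113.6] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS_POST:body. [file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "199"] [id "211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi vulnerability||example.org|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "example.org"] [uri "/administrator/index.php"] [unique_id "XQ1b"]
[Sun Jun 23 16:06:00.000001 2019] [:error] [pid 1236] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS_POST:content. [file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "199"] [id "211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi vulnerability||example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "XQ1c"]
[Sun Jun 23 16:07:30.500000 2019] [:error] [pid 1237] [client 203.0.113.8] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/opt/cwaf/rules/02_Global_Generic.conf"] [line "50"] [id "210700"] [msg "COMODO WAF: constructed warning-only hit"] [hostname "example.com"] [uri "/search"] [unique_id "XQ1d"]
EOF

# Print the value of one bracketed field (e.g. 211290 for field "id" from
# [id "211290"]) for each line on stdin; lines lacking the field print nothing.
modsec_field() {
    sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# "<count> <id> <uri>" for every rule id / URI pair behind an "Access denied"
# line, most frequent first. Warning-only hits are not denials and are skipped.
denials_by_rule() {
    grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
        id=$(printf '%s\n' "$line" | modsec_field id)
        uri=$(printf '%s\n' "$line" | modsec_field uri)
        printf '%s %s\n' "${id:-unknown}" "${uri:-unknown}"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# The rule id behind the most denials: the one to review or tune first (with an
# exclusion for the affected ARGS, or SecRuleRemoveById) rather than switching
# off more of the rule set than necessary.
top_denying_rule() {
    denials_by_rule "$1" | head -n 1 | cut -d ' ' -f 2
}

# Distinct hostnames on which a given rule id fired at all (denied or warned).
hosts_hit_by_rule() {
    grep "\[id \"$2\"\]" "$1" | modsec_field hostname | sort -u
}

echo "denials by rule id and URI:"
denials_by_rule "$SAMPLE_LOG"
echo "top denying rule: $(top_denying_rule "$SAMPLE_LOG")"
```

Point the functions at the real error_log instead of $SAMPLE_LOG to run it on a server.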
From: Ahmed L. <hum...@ho...> - 2019-05-15 15:08:17

After investigation I found the problem within Litespeed.

Thanks for all

________________________________
From: Ahmed Linux <hum...@ho...>
Sent: Tuesday, May 14, 2019 2:06 PM
To: mod...@li...
Subject: Re: Having problem with prevent uploading ELF within http

Any solutions for my problem?? Why does it work from the shell but not from an http upload? Any help will be appreciated.

________________________________
From: Ahmed Linux
Sent: Monday, May 13, 2019 11:28 PM
To: mod...@li...
Subject: Having problem with prevent uploading ELF within http

Hello,

I am using ModSecurity on a WHM/cPanel server. I am trying to prevent uploading executable ELF files. I used the following bash code within the modsecurity upload script:

    elup=`file "$upfile" | egrep -w "LSB executable" | wc -l`
    if [ "$elup" -gt 0 ]
    then
        echo "Executable file was found"
        exit
    fi

If I try to upload an ELF it isn't detected, while if I run the bash script against the uploaded ELF it outputs "Executable file was found". Why doesn't it work within the http upload??

Here are my modsecurity configurations:

    SecTmpSaveUploadedFiles On
    SecUploadKeepFiles RelevantOnly
    SecRequestBodyAccess On
    SecDebugLog /var/log/modsecurity-debug.log
    SecDebugLogLevel 6
    SecUploadDir /home/modsec_tmp
    SecTmpDir /home/modsec_tmp
    SecDataDir /home/modsec_tmp
    SecRule FILES_TMPNAMES "@inspectFile \
        /path/to/modsecurity/filescan.sh" "phase:2,deny,redirect:http://domain.com/suspicious_activity.html,id:1"

What is wrong in my configuration?? Why doesn't it reject an uploaded ELF from http, while it works from server ssh?? Any help will be appreciated.
From: Ahmed L. <hum...@ho...> - 2019-05-14 12:06:24

Any solutions for my problem?? Why does it work from the shell but not from an http upload? Any help will be appreciated.

________________________________
From: Ahmed Linux
Sent: Monday, May 13, 2019 11:28 PM
To: mod...@li...
Subject: Having problem with prevent uploading ELF within http

Hello,

I am using ModSecurity on a WHM/cPanel server. I am trying to prevent uploading executable ELF files. I used the following bash code within the modsecurity upload script:

    elup=`file "$upfile" | egrep -w "LSB executable" | wc -l`
    if [ "$elup" -gt 0 ]
    then
        echo "Executable file was found"
        exit
    fi

If I try to upload an ELF it isn't detected, while if I run the bash script against the uploaded ELF it outputs "Executable file was found". Why doesn't it work within the http upload??

Here are my modsecurity configurations:

    SecTmpSaveUploadedFiles On
    SecUploadKeepFiles RelevantOnly
    SecRequestBodyAccess On
    SecDebugLog /var/log/modsecurity-debug.log
    SecDebugLogLevel 6
    SecUploadDir /home/modsec_tmp
    SecTmpDir /home/modsec_tmp
    SecDataDir /home/modsec_tmp
    SecRule FILES_TMPNAMES "@inspectFile \
        /path/to/modsecurity/filescan.sh" "phase:2,deny,redirect:http://domain.com/suspicious_activity.html,id:1"

What is wrong in my configuration?? Why doesn't it reject an uploaded ELF from http, while it works from server ssh?? Any help will be appreciated.
From: Ahmed L. <hum...@ho...> - 2019-05-13 21:29:00

Hello,

I am using ModSecurity on a WHM/cPanel server. I am trying to prevent uploading executable ELF files. I used the following bash code within the modsecurity upload script:

    elup=`file "$upfile" | egrep -w "LSB executable" | wc -l`
    if [ "$elup" -gt 0 ]
    then
        echo "Executable file was found"
        exit
    fi

If I try to upload an ELF it isn't detected, while if I run the bash script against the uploaded ELF it outputs "Executable file was found". Why doesn't it work within the http upload??

Here are my modsecurity configurations:

    SecTmpSaveUploadedFiles On
    SecUploadKeepFiles RelevantOnly
    SecRequestBodyAccess On
    SecDebugLog /var/log/modsecurity-debug.log
    SecDebugLogLevel 6
    SecUploadDir /home/modsec_tmp
    SecTmpDir /home/modsec_tmp
    SecDataDir /home/modsec_tmp
    SecRule FILES_TMPNAMES "@inspectFile \
        /path/to/modsecurity/filescan.sh" "phase:2,deny,redirect:http://domain.com/suspicious_activity.html,id:1"

What is wrong in my configuration?? Why doesn't it reject an uploaded ELF from http, while it works from server ssh?? Any help will be appreciated.
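Below is an @inspectFile approver script, added as an example and not taken from any post on this page or from the ModSecurity project, that does what this thread's filescan.sh and the md5 step in the 2024 antivirus.lua thread were after: it rejects ELF uploads by their magic bytes (so it does not depend on file(1) being installed or on the PATH of the web server process) and reports the file's md5. It assumes the @inspectFile convention for external programs, where an output whose first character is 1 approves the file and anything else (conventionally 0 followed by a message) rejects it and makes the rule match; the sample files are constructed, and the FILES_TMPNAMES rule from the message is what would call it.

```shell
#!/bin/sh
# Added example (not from the list posts): @inspectFile approver script that
# rejects ELF executables by magic bytes and reports their md5. ModSecurity runs
# it as  script <path-to-upload>  and reads the first character of its output:
# "1" approves the file, anything else rejects it (assumed convention, see lead-in).

# True (exit 0) if the file starts with the 4-byte ELF magic 7f 45 4c 46.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# md5 of the file, as the thread's bash snippet computed it, but with the path
# quoted so temp names containing spaces or shell metacharacters are handled.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'   # e.g. macOS without coreutils
    fi
}

# The approver protocol: print exactly one line, "1 ..." to approve, "0 ..." to reject.
inspect_upload() {
    if [ ! -r "$1" ]; then
        # Fail closed: a file we cannot inspect is not approved.
        printf '0 cannot read uploaded file %s\n' "$1"
        return
    fi
    if is_elf "$1"; then
        hash=$(file_md5 "$1")
        # Also record the hash in syslog, so it survives even if the audit log
        # only keeps the rule's msg/logdata.
        logger -t modsec-inspect "rejected ELF upload $1 md5=$hash" 2>/dev/null || true
        printf '0 ELF executable rejected md5=%s\n' "$hash"
    else
        printf '1 OK\n'
    fi
}

# Constructed sample uploads in a temp dir: a minimal ELF64 header and a text
# file. Sets SAMPLE_DIR, SAMPLE_ELF and SAMPLE_TXT.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    SAMPLE_ELF="$SAMPLE_DIR/upload.bin"
    SAMPLE_TXT="$SAMPLE_DIR/upload.txt"
    printf '\177ELF\002\001\001' > "$SAMPLE_ELF"   # magic, ELF64, little-endian, version 1
    printf 'hello\n' > "$SAMPLE_TXT"
}

if [ $# -gt 0 ]; then
    inspect_upload "$1"            # how ModSecurity invokes it
else
    make_samples                   # demo run over the constructed samples
    inspect_upload "$SAMPLE_ELF"
    inspect_upload "$SAMPLE_TXT"
    rm -rf "$SAMPLE_DIR"
fi
```

Installed under the path given in the FILES_TMPNAMES rule, the script's "0 ..." line is what makes the rule's deny fire.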
From: Davide M. <da...@ms...> - 2018-02-05 15:01:03

Hi Friends,

I'm using UPM (Universal Password Manager: http://upm.sourceforge.net/) on my VPS; all works fine (upload, sync, delete, etc) except on Android. Adrian, the UPM developer, has made two php scripts to put in the same directory: https://github.com/adrian/upm-swing/tree/master/server/http.

The problem is that enabling ModSecurity, version:

    libapache2-modsecurity 2.8.0-3
    modsecurity-crs 2.2.9-1

stops the upload script (upload.php); here is the log:

    [Sun Feb 04 13:12:05.641064 2018] [:error] [pid 27440] [client 1.2.3.4] ModSecurity: Multipart parsing error (init): Multipart: Invalid boundary in C-T (characters). [hostname "www.mydomain.org"] [uri "/xyz/upload.php"] [unique_id "GAKgHkFRgJKOhHIjHUHgffhh"]
    [Sun Feb 04 13:12:06.153142 2018] [:error] [pid 27440] [client 1.2.3.4] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "61"] [id "200002"] [msg "Failed to parse request body."] [data "Multipart: Invalid boundary in C-T (characters)."] [severity "CRITICAL"] [hostname "www.mydomain.org"] [uri "/xyz/upload.php"] [unique_id "GAKgHkFRgJKOhHIjHUHgffhh"]

Obviously I have absolutely no intention to disable ModSecurity, so I wondered how to permit *only* the *upload.php* execution, in short, the safest way.

The first way I found was to insert in .htaccess, where I've set the Apache2 password authentication too:

    SecRuleRemoveById 200002

or:

    <LocationMatch "/(deletefile\.php|upload\.php)">
        SecRuleRemoveById 200002
        SecRequestBodyAccess Off
    </LocationMatch>

or:

    <IfModule security2_module>
        SecRuleRemoveById 200002
    </IfModule>

but in each of these modes all upload processes are blocked. So I've added to my specific domain VirtualHost config file:

    <LocationMatch /xyz/upload.php>
        SecRuleEngine Off
    </LocationMatch>

Finally, with that I'm able to sync from desktop and from Android too.

My question is (since we are talking about a password management software): *Is such an approach safe enough?*

Many many thanks!

Davide
Italy

--
No. Try not. Do, or do not. There is no try.
From: Felipe C. <FC...@tr...> - 2017-12-20 19:02:40

It is a pleasure to announce the release of ModSecurity nginx connector, version 1.0.0. This is the first version for the nginx connector. This connector is meant to work together with ModSecurity version 3.

The version 1.0.0 can be downloaded straight from GitHub:
https://github.com/SpiderLabs/ModSecurity-nginx/releases/tag/v1.0.0/

The list of open issues is available on GitHub:
https://github.com/SpiderLabs/ModSecurity-nginx/issues?q=is%3Aissue+is%3Aopen

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on. Special thanks to Andrei Belov and nginx.

Further details on the compilation process can be found in the project README:
- https://github.com/SpiderLabs/ModSecurity-nginx/#compilation

Complementary documentation on ModSecurity version 3 can be found here:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Felipe C. <FC...@tr...> - 2017-12-14 22:26:28
|
It is a pleasure to announce the release of ModSecurity version 3.0.0, aka libModSecurity. This version contains fixes on top of v3.0.0-rc1 and improvements on some features. The most important addition of this release was the full support for some missing pieces such as: Lua, SecRuleRemoveByTag and the @fuzzyHash operator. At this point ModSecurity version 3 is considered to be feature complete. Any missing piece may not be suitable for the version 3 family, at least not before discussion.

The list with the full changes can be found in the project CHANGES file, available here:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0/CHANGES

Version 3.0.0 can be downloaded straight from GitHub:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0/

The list of open issues is also available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/issues?q=is%3Aissue+is%3Aopen+label%3Alibmodsecurity

Notice that differently from version 2, ModSecurity v3 does not target any specific web server or web server version. Version 3 is about a library. The connectors are the ones responsible for creating the link between the web server and libModSecurity. Each web server should have its own connector. Currently we support the Nginx connector and there is an Apache connector available for test (not yet released).

IMPORTANT: ModSecurity version 2 will be available and maintained in parallel to version 3. There is no ETA to deprecate version 2.x. New features and major improvements will be implemented in version 3.x. Security or major bugs are planned to be back-ported. Version 2 and version 3 have completely independent development/release cycles.

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on.

Further details on the compilation process for ModSecurity v3 can be found in the project README:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation

Complementary documentation for the connectors is available here:
- nginx: https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
- Apache: https://github.com/SpiderLabs/ModSecurity-apache/#compilation

Br.,

Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com |
From: Felipe C. <FC...@tr...> - 2017-08-28 12:00:02
|
It is a great pleasure to announce the first official release candidate for ModSecurity version 3.

For those who are not familiar with ModSecurity version 3 yet, version 3 was a `re-architecturization' of ModSecurity version 2. The goal was to turn ModSecurity into a library that could be used seamlessly, regardless of web server or platform. The motivations for ModSecurity version 3 were summarized in detail here: [1]

This release candidate marks the end of the first development cycle of ModSecurity version 3. It is now considered stable to work with both: Trustwave Commercial Rules [2] and OWASP CRS [3].

Notice that differently from version 2, ModSecurity v3 does not target any specific web server or web server version. Version 3 is about a library. The connectors are the ones responsible for creating this link between the web server and libModSecurity. Each web server should have its own connector. Currently we support the Nginx connector and there is an Apache connector available for test (not yet released).

IMPORTANT: ModSecurity version 2 will be available and maintained in parallel to version 3. There is no ETA to deprecate version 2.x. Version 2 and version 3 have completely independent development/release cycles.

This release does not contain a changelog as it aims to implement the core capabilities and most widely used functionalities of version 2, with a different architecture.

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on.

Further information about this release is available here: [4].

* A word about stability

ModSecurity version 3 is new and it may not be as extensively tested as version 2; however, the testability of version 3 had a very good improvement on top of version 2. Further details on our QA can be checked here: Fuzzing ModSecurity version 3 as part of the QA [5]

* Are you having an issue?

We will be glad to fix it! If you find something out of order, make sure you open an issue on GitHub; it will be a pleasure to help you. Direct contributions in the form of pull requests for fixes or new features are also always greatly appreciated.

* Compilation

Further details on the compilation process for ModSecurity v3 can be found in the project README:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation

Complementary documentation for the connectors is available here:
- nginx: https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
- Apache: https://github.com/SpiderLabs/ModSecurity-apache/#compilation

* libModSecurity training (AppSec USA)

If you want to hang out and talk about ModSecurity, meet Victor and Felipe at AppSec USA; we will be there for the entire event. Not to mention that there will be a hands-on training [6] using ModSecurity version 3 and nginx.

[1] https://www.trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-libModSecurity/
[2] https://modsecurity.org/commercial-rules.html
[3] https://github.com/SpiderLabs/owasp-modsecurity-crs
[4] https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-version-3-RC1
[5] https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-version-3--Fuzzing-as-part-of-the-QA
[6] https://appsecusa2017.sched.com/event/B2VV |
From: Felipe C. <FC...@tr...> - 2017-07-19 14:09:23
|
I am very proud to announce ModSecurity version 2.9.2. In 2.9.2 we have some new features and bug fixes as well as two _security issues_ fixed.

This release, like all releases of the 2.9 family, is a combined release for all bindings/versions that we support: Apache, Nginx, and IIS. Although Nginx users will preferably want to use libModSecurity [1] with the ModSecurity-nginx connector [2].

This is the last release of the 2.9.2 family which is likely to have new features, as this version is being slowly deprecated in favor of ModSecurity version 3.

In this release we've got two security issues fixed:

- Allan Boll reported an uninitialized variable that may lead to a crash on the Windows platform.
- Brian Adeloye reported an infinite loop in the version of libInjection used in ModSecurity 2.9.1.

Thanks to Allan Boll and Brian Adeloye for the security reports ;)

The complete list of changes is available in our change logs:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

The source and binaries (and the respective hashes/signatures) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

Thanks to everybody who participated with bug reports, comments and code, including: @victorhora, @defanator, @client9, @bjdijk, @hideaki, @parthasarathi204, Daniel Stelter-Gliese, @LukeP21, @mturk, Coty Sutherland, Robert Bost, Marc Stern, @bazzadp, Sander Hoentjen, Robert Paprocki, @Rendername, @emphazer, Chaim Sanders, Thomas Deutschmann, Michael Kjeldsen, Armin Abfalterer, Robert Culyer, Ephraim Vider, @charlymps, Christian Folini, Alexey Sintsov.

[1] https://github.com/SpiderLabs/ModSecurity/tree/v3/master
[2] http://www.github.com/SpiderLabs/ModSecurity-nginx/ |
From: Z D <za...@et...> - 2016-09-12 22:59:30
|
Hi all,

Are there any rules for protecting Bugzilla, specifically blocking certain email addresses from creating a bug?

Thanks,
Zarko |
From: Tom M. <to...@do...> - 2016-09-12 09:37:12
|
Hi all,

I'm having an issue with a ModSecurity rule that I have written and can't figure out the problem. I have multiple domains on our server running WordPress and want to block access to any of the WordPress login scripts (wp-login.php) for any non-UK IP address. One of my sites (we'll call this test.org.uk) is accessed from overseas so I'm trying to skip that domain. Here's the rule:

SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!test\.org\.uk$" "chain"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"

This rule works except that it seems to completely ignore line 2:

SecRule SERVER_NAME "!test\.org\.uk$" "chain"

Can anyone offer a solution?

Kindest regards,

Tom |
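A chained ModSecurity rule only fires its disruptive action when every link matches, and a link written with a leading `!` matches when its operator does not. The Python model below, added here as an example and not part of Tom's post or of ModSecurity, walks sample requests through the four links above so the expected verdict for each combination of script, host and client country can be checked before touching the live rule. The geo table is a constructed stand-in for the @geoLookup database, and the model assumes @geoLookup counts as a match only when the address is found.

```python
import re

# Constructed stand-in for the @geoLookup database: address -> ISO country code.
GEO_DB = {
    "198.51.100.10": "GB",
    "203.0.113.25": "US",
    "192.0.2.77": "DE",
}

def geo_lookup(remote_addr):
    """Mimic @geoLookup: return the country code, or None when the address is unknown."""
    return GEO_DB.get(remote_addr)

def chain_drops(request_filename, server_name, remote_addr):
    """Evaluate the four chained rules; 'drop' fires only if every link matches."""
    # Link 1: SecRule REQUEST_FILENAME "@streq /wp-login.php"
    if request_filename != "/wp-login.php":
        return False
    # Link 2: SecRule SERVER_NAME "!test\.org\.uk$" -- matches when the regex does NOT
    if re.search(r"test\.org\.uk$", server_name):
        return False
    # Link 3: SecRule REMOTE_ADDR "@geoLookup" -- assumed to match only on a hit
    country = geo_lookup(remote_addr)
    if country is None:
        return False
    # Link 4: SecRule GEO:COUNTRY_CODE "!@streq GB"
    return country != "GB"

def evaluate(requests):
    """Return 'drop' or 'pass' for each (filename, server_name, remote_addr) tuple."""
    return ["drop" if chain_drops(*req) else "pass" for req in requests]

if __name__ == "__main__":
    # Constructed requests covering each branch of the chain.
    SAMPLES = [
        ("/wp-login.php", "www.example.co.uk", "203.0.113.25"),  # non-UK, protected host
        ("/wp-login.php", "test.org.uk", "203.0.113.25"),        # excluded host
        ("/wp-login.php", "www.example.co.uk", "198.51.100.10"), # UK client
        ("/index.php", "www.example.co.uk", "192.0.2.77"),       # not the login script
        ("/wp-login.php", "www.example.co.uk", "10.0.0.1"),      # no geo data
    ]
    for req, verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(req, "->", verdict)
```

If a request that the model says should pass is still dropped on the server, the difference lies in what SERVER_NAME actually holds for that virtual host, which the audit log's matched-variable detail will show.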
From: IQ E. <no...@iq...> - 2016-05-07 15:28:50
|
Hello,

Your friend Jean-raymond sent you a message 36 hours ago, but you still have not read it. The message will be deleted in 24 hours. To find out what Jean-raymond wrote to you, click here: a.iqelite.com/entry/new_message/2e8c5aa0520aa51fe0c04beccc62120c61fc2d3fda9e1f544b80bfb/2fe0bbd3e27c5b83620e22f503e2135f6c626c2f6e2282f2645280c3620b7c5cd0c20d3c44504c62c/?hg=TAdiwUl9tH

Regards,
The IQ Elite team

---------------------------------------------------------------------------
This message is intended for mod...@li.... If you do not wish to receive further messages from IQ Elite, please click on this link: a.iqelite.com/common/unsubscribe/?code=ff1339fa&email=mod...@li....&hg=TAdiwUl9tH

IQ Elite is a service of IQ Elite S.L., whose registered office is at: C/ Gran De Gràcia 15, 1a 1a, 08012 Barcelona, Spain.
--------------------------------------------------------------------------- |
From: Jean-Raymond F. <no...@iq...> - 2016-04-30 11:02:07
|
Hello mod-security-rules,

Jean-Raymond Ferrer has left you a message on IQ Elite. Click here a.iqelite.com/j/EdpYF2/szq/?hg=guI5pDoweH to read your message.

The IQ Elite team

---------------------------------------------------------------------------
This message is intended for mod...@li.... If you do not wish to receive further messages from IQ Elite, please click on this link: a.iqelite.com/common/unsubscribe/?code=ff1339fa&email=mod...@li....&hg=guI5pDoweH

IQ Elite is a service of IQ Elite S.L., whose registered office is at: C/ Gran De Gràcia 15, 1a 1a, 08012 Barcelona, Spain.
--------------------------------------------------------------------------- |
From: Felipe C. <FC...@tr...> - 2016-03-09 20:16:28
|
Hi,

It is a pleasure to announce the release of ModSecurity version 2.9.1. This version does not differ in anything from its release candidate. For the differences between version 2.9.0 and 2.9.1, please check the release notes of version 2.9.1-rc1:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-rc1

The documentation for this release is available at:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

Version 2.9.1 can be downloaded straight from GitHub:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1

Thanks to all members of the community who participated and helped in the construction of this release.

* Known issues

- Depending upon your Apache configuration you may have two "client" entries in the logs. The extended description of this issue can be found at: #840.

Br.,

Felipe "Zimmerle" Costa
Lead Developer for ModSecurity
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com |