mod-security-rules Mailing List for ModSecurity (Page 2)
Brought to you by: victorhora, zimmerletw
From: Prakash K. <pra...@ne...> - 2016-02-24 05:40:19

I have the following rule in my /usr/local/apache/conf/modsec2.user.conf file:

```
SecGeoLookupDb /usr/share/geoip/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:'11111',t:none,pass,log,noauditlog"
```

I think this is right, but when I look at /usr/local/apache/logs/error_log I see the following error:

```
[Sat Feb 20 02:04:23.469432 2016] [:error] [pid 15993] [client 93.189.102.202] ModSecurity: Warning. Geo lookup for "93.189.102.202" succeeded. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "11111"] [hostname "somesite.com"] [uri "/css/bootstrap.min.css"] [unique_id "Vsd4y55FgooAAD55TBcAAAAK"]
```

Does anyone know what I am doing wrong here?

PS: I have disabled full modsec logging.
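The error_log line above has the fixed `[name "value"]` field layout that every ModSecurity 2.x entry quoted on this list shares. As an added example, not from any of the posts, here is a Python parser for that layout, run over the line quoted above and over a second, constructed blocking entry in Apache 2.2's prefix format (no `[pid]` field); the constructed line's values are made up.

```python
import re
from collections import Counter

# Added example, not from the mailing list: parse the trailing [name "value"]
# fields that ModSecurity 2.x appends to its Apache error_log lines, so entries
# can be filtered by rule id, file/line, hostname or URI.

# The line quoted in the post above (Apache 2.4 format, with a [pid] field).
SAMPLE_WARNING = (
    '[Sat Feb 20 02:04:23.469432 2016] [:error] [pid 15993] '
    '[client 93.189.102.202] ModSecurity: Warning. Geo lookup for '
    '"93.189.102.202" succeeded. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "13"] [id "11111"] [hostname "somesite.com"] '
    '[uri "/css/bootstrap.min.css"] [unique_id "Vsd4y55FgooAAD55TBcAAAAK"]'
)
# A constructed blocking entry in the Apache 2.2 format (no [pid] field),
# shortened from the shape of a CRS "Access denied" line, to exercise the
# repeated [tag ...] fields and the escaped bytes in [data ...].
SAMPLE_BLOCK = (
    '[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "(^[`;]+)" at ARGS:q. '
    '[file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "66"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] '
    '[data "Matched Data: \\xb4 found within ARGS:q: \\xd8\\xb4"] [severity "CRITICAL"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] '
    '[hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] '
    '[unique_id "UdAMV8CoCzwAAHRHMhYAAAAB"]'
)

# Apache prefix: timestamp, level, optional pid (2.4 only), client, then the
# ModSecurity verdict text and its fields.
_PREFIX = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<level>[^\]]*)\] (?:\[pid (?P<pid>\d+)\] )?'
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$'
)
# One [name "value"] field; the value may contain backslash-escaped characters
# (ModSecurity writes non-printable bytes as \xNN), so stop only at an
# unescaped quote.
_FIELD = re.compile(r'\[(?P<name>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')


def parse_modsec_error_line(line):
    """Return a dict of the entry's fields, or None for non-ModSecurity lines."""
    m = _PREFIX.match(line.strip())
    if m is None:
        return None
    entry = {k: m.group(k) for k in ('timestamp', 'level', 'pid', 'client')}
    rest = m.group('rest')
    fields = list(_FIELD.finditer(rest))
    # Text before the first field is the verdict, e.g. "Warning. ..." or
    # "Access denied with code 403 (phase 2). ...".
    entry['message'] = (rest[:fields[0].start()] if fields else rest).strip()
    for f in fields:
        name, value = f.group('name'), f.group('value')
        if name == 'tag':                     # repeated once per rule tag
            entry.setdefault('tags', []).append(value)
        else:
            entry[name] = value
    return entry


def is_block(entry):
    """True when the engine actually denied the request, as opposed to a
    pass/log rule such as the geoLookup one above, which only logs a Warning."""
    return entry['message'].startswith('Access denied')


def count_by_rule(lines):
    """Count ModSecurity entries per rule id, skipping unrelated log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_modsec_error_line(line)
        if entry is not None:
            counts[entry.get('id', '?')] += 1
    return dict(counts)
```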
From: Felipe C. <FC...@tr...> - 2016-02-10 13:00:28

Hi,

Thank you to all who participated in our second community meeting. The meeting minutes are available here: https://www.modsecurity.org/developers/meetings/modsecurity.2016-01-27-15.08.html

Please let me know if something is missing.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: sai k. <dsk...@gm...> - 2016-02-10 08:13:23

Hi community,

We have installed ModSecurity in our environment. We have a couple of questions about configuring it.

1. What is the recommended file size (industry standard) for:
   SecRequestBodyLimit
   SecRequestBodyNoFilesLimit
2. Could you please send us any manual for reference?

Please let us know if you require anything.

--
Thanks & Regards,
Sai kiran
From: Felipe C. <FC...@tr...> - 2016-02-03 17:17:24

Hi,

It is a pleasure to announce the first release candidate for ModSecurity version 2.9.1. Version 2.9.1-RC1 contains fixes and new features. The new features list includes audit logs in JSON format.

I would like to thank all of you who participated in the construction of this release. A special thanks to those who sent patches and those who participated in the community meetings, which helped to increase the quality of our releases. Thank you.

The documentation of the new features is already available on our wiki page: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-RC1

The most important changes are listed below:

* New features
  - Added support to generate audit logs in JSON format. [Issue #914, #897, #656 - Robert Paprocki]
  - Extended Lua support to include version 5.3. [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
  - mlogc: Allows the user to choose between TLS versions (TLSProtocol option introduced). [Issue #881 - Ishwor Gurung]
  - Allows mod_proxy's "nocanon" behavior to be specified in proxy actions. [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]

* Bug fixes
  - Creating AuditLog serial file (or parallel index) respecting the permission configured with SecAuditLogFileMode. Previously, it was used only to save the transactions while in parallel mode. [Issue #852 - @littlecho and ModSecurity team]
  - Checking for hashing injection response, to report in case of failure. [Issue #1041 - ModSecurity team]
  - Stop buffering when the request is larger than SecRequestBodyLimit in ProcessPartial mode. [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
  - Refactoring conditional #if/#defs directives. [Issue #996 - Wesley M and ModSecurity team]
  - mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir files with Apache 2.4. [Issue #775 - Elia Pinto]
  - Understands IIS 10 as compatible on Windows installer. [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
  - Fix Apache logging limitation by using the correct Apache call. [Issue #840 - Christian Folini]
  - Fix apr_crypto.h check on 32-bit Linux platform. [Issue #882, #883 - Kurt Newman]
  - Fix variable resolution duration (content of the DURATION variable). [Issue #662 - Andrew Elble]
  - Fix crash while adding empty keys to persistent collections. [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
  - Remove misguided call to srand(). [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
  - Fix compilation problem while ssdeep is installed in a non-standard location. [Issue #872 - Kurt Newman]
  - Fix invalid storage reference by apr_psprintf at msc_crypt.c. [Issue #609 - Jeff Trawick]

* Known issues
  - Instabilities of the nginx add-on are still expected. Please use the "nginx refactoring" branch and stay tuned for ModSecurity version 3.

Br.,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Abdul A. <abd...@gm...> - 2015-10-03 07:33:59

Hi Community,

I'm new to mod-security but really want to learn it, so I have installed mod-security on my server, but I really don't know how to write or read mod-security CRS rules. Could anyone please help me get started with ModSecurity?

Configuration:
a. Ubuntu 14.04 Server
b. ModSecurity
c. Tomcat and Apache HTTP server

Please help in the following aspects:
1. Resource links for learning and writing mod-security rules.
2. Reading an existing rule from the mod-security CRS.
3. Do I need to learn regex to get started with mod-security, and how do I test whether the rules are working or not?

Thank you,
Abdul Adil.
From: William - U. <wi...@ub...> - 2015-06-04 05:22:14

Not sure if this is the right place to send this, but here goes.

Had an issue with Rule ID: 973337 that picked up on a cookie value.

```
(?i)([\\s\"'`;\\/0-9\\=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on\\w+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=)
```

As best I can tell, this rule is looking for dodgy usage of the HTML on*= attributes for execution of unexpected JavaScript such as onload, onresize etc. Great; except it doesn't appear to care how many characters are between "on" and "=" so long as there is more than 1 (the \w+ bit).

Assuming what I've said so far is remotely correct, I think the rate of false positives could be reduced by looking for a limited number of characters so that it won't match non-existent attributes such as "on1=", "onuiysfuiyegsfuygsfgdjsh=" and so on.

Regards,
William
wi...@ub...
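To check the claim above, here is an added example, not part of the post, that runs the quoted 973337 expression over constructed cookie fragments in Python, beside an illustrative tightened variant (an assumption of this example, not a CRS change) that accepts only a fixed set of event-attribute names after "on".

```python
import re

# Added example, not part of the post: the expression quoted above for CRS
# rule 973337, with the conf file's doubled backslashes collapsed to the single
# ones Python's regex engine expects, run over constructed cookie values.
RULE_973337 = re.compile(
    r"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on\w+"
    r"[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"
)

# An illustrative tightened variant, an assumption of this example rather than
# a CRS change: same leading delimiter class, but the text after "on" must be
# one of a fixed set of HTML event attribute names instead of any \w+ run.
KNOWN_HANDLERS = (
    "abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|"
    "mousedown|mousemove|mouseout|mouseover|mouseup|reset|resize|select|submit|unload"
)
RULE_973337_TIGHT = re.compile(
    r"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28]+on(?:" + KNOWN_HANDLERS + r")"
    r"[\s\x0B\x09\x0C\x3B\x2C\x28]*?=)"
)

# Constructed cookie fragments. The rule needs one delimiter from its leading
# class (quote, space, ';', digit, '=', ...) before "on", so each sample has
# one. The first two have the event-handler shape the rule is after; the last
# two are the kind of non-attribute names the post describes. The value is
# whether the tightened variant should flag the fragment.
SAMPLES = {
    '" onload=': True,
    "';onerror=": True,
    "; on1=": False,
    "session=1;onuiysfuiyegsfuygsfgdjsh=2": False,
}


def flags(pattern, value):
    """True when the rule's @rx operator would match the value."""
    return pattern.search(value) is not None


def compare(pattern):
    """Map each sample cookie fragment to whether the pattern flags it."""
    return {value: flags(pattern, value) for value in SAMPLES}
```

The original expression flags all four fragments; the tightened one flags only the first two.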
From: Ryan B. <RBa...@tr...> - 2014-10-10 12:57:47

You can have a look at some other existing Lua scripts that interact with OS commands and use the REMOTE_ADDR data.

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/lua/gather_ip_data.lua

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: kinomakino <kin...@ho...>
Date: Friday, October 10, 2014 7:33 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-rules] mod sec rule to execute lua script

> As always, thanks for the help.
> I'm playing with a Lua script from ModSecurity (exec: /var/scripts/script.lua); the target is an iptables IP ban of the source that triggers the rule.
> I receive the REMOTE_ADDR variable, but a mod_sec alert appears:
>
> Message: Lua: Script execution failed: attempt to call a nil value
>
> The script does get the variable, because it writes a test log. The Lua script is as follows:
>
> ```lua
> local remote_addr = m.getvar("REMOTE_ADDR");
> local log_file = "/tmp/lua_tmp.log"
> file = io.open(log_file, "a")
> file:write(remote_addr)
> file:write("\n")
> file:close()
> print("0")
> ```
>
> Do you have information about this error?
> Thank you !!!
From: kinomakino <kin...@ho...> - 2014-10-10 11:38:04

As always, thanks for the help.

I'm playing with a Lua script from ModSecurity (exec: /var/scripts/script.lua); the target is an iptables IP ban of the source that triggers the rule. I receive the REMOTE_ADDR variable, but a mod_sec alert appears:

```
Message: Lua: Script execution failed: attempt to call a nil value
```

The script does get the variable, because it writes a test log. The Lua script is as follows:

```lua
local remote_addr = m.getvar("REMOTE_ADDR");
local log_file = "/tmp/lua_tmp.log"
file = io.open(log_file, "a")
file:write(remote_addr)
file:write("\n")
file:close()
print("0")
```

Do you have information about this error?

Thank you !!!
From: kinomakino <kin...@ho...> - 2014-09-03 12:01:21

First, thanks for everything. I have a question.

I am running a bash script from a modsec rule with exec. I wonder if I can use the "variables" of ModSecurity in the script, such as the URL or remote IP. I've seen that in Lua I can do it, but my knowledge of Lua is zero. I only want to send an e-mail with a few variables.

Thanks beforehand.
From: Marc C. V. <mar...@gm...> - 2014-08-15 19:56:33

Hi,

I think you can add the country code in the request header and then log the header in Apache.

Best,
Marc

— Sent from Mailbox

On Wed, Aug 13, 2014 at 9:32 AM, kinomakino <kin...@ho...> wrote:

> Thank you very much sir !!
> Not exactly what I need; perhaps Google Translate failed me xD.
> Right now I have 20,000 rules. I have configured it so that modsec does NOT alert on codes 500 or 200.
> If I use this rule you've given me, it shows me ALL 200 codes.
> This does not work for me because I have joined modsec with fail2ban, so this rule bans ALL legitimate connections (200).
> I hope I explained it.
> What I need is that my 403 alerts, as I have them now, show a field with the country code.
> Thank you !!!
>
> ////
> Being from Barcelona... in Spanish too xD.
>
> If I make the rule you indicated, it starts showing me all the 200 codes, and as you will understand, that doesn't work well.
>
> Thanks Marc !!!
>
> _____
> From: Marc Cortinas Val [mailto:mar...@gm...]
> Sent: Wednesday, August 13, 2014 0:19
> To: kinomakino
> CC: mod...@li...
> Subject: Re: [Mod-security-rules] Show GEO DAT in modsec logs
>
> Hello,
>
> I think you can log it with the audit log from ModSecurity.
> Logging directives:
> {code}
> SecAuditEngine On
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType Serial
> SecAuditLog /var/log/httpd/modsec_audit.log
> {code}
>
> Rule:
> {code}
> SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
> {code}
>
> My Apache is behind Varnish and I evaluate the remote IP from the X-Forwarded-For header, but you can use REMOTE_ADDR instead of REQUEST_HEADERS:X-Forwarded-For.
>
> Kind regards,
> Marc
>
> On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
> First, thanks for everything. Sorry for my English.
> I wonder if there is any way to use IP geolocation in ModSec logs.
> That is, I wish that for all my active rules, it shows me the country code in the logs.
> Thanks for everything.
> Now if I do this:
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
> #SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
> geolocation shows me ALL connections, including HTTP 200, which it usually does not show me.
> ------------------------------------------------------------------------------
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
>
> --
> Marc Cortinas Val
> 600604388
> mar...@gm...
From: kinomakino <kin...@ho...> - 2014-08-13 07:32:05

Thank you very much sir !!

Not exactly what I need; perhaps Google Translate failed me xD. Right now I have 20,000 rules. I have configured it so that modsec does NOT alert on codes 500 or 200. If I use this rule you've given me, it shows me ALL 200 codes. This does not work for me because I have joined modsec with fail2ban, so this rule bans ALL legitimate connections (200). I hope I explained it.

What I need is that my 403 alerts, as I have them now, show a field with the country code.

Thank you !!!

////
Being from Barcelona... in Spanish too xD.

If I make the rule you indicated, it starts showing me all the 200 codes, and as you will understand, that doesn't work well.

Thanks Marc !!!

_____
From: Marc Cortinas Val [mailto:mar...@gm...]
Sent: Wednesday, August 13, 2014 0:19
To: kinomakino
CC: mod...@li...
Subject: Re: [Mod-security-rules] Show GEO DAT in modsec logs

Hello,

I think you can log it with the audit log from ModSecurity.
Logging directives:
{code}
SecAuditEngine On
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
{code}

Rule:
{code}
SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
{code}

My Apache is behind Varnish and I evaluate the remote IP from the X-Forwarded-For header, but you can use REMOTE_ADDR instead of REQUEST_HEADERS:X-Forwarded-For.

Kind regards,
Marc

On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
First, thanks for everything. Sorry for my English.
I wonder if there is any way to use IP geolocation in ModSec logs. That is, I wish that for all my active rules, it shows me the country code in the logs.
Thanks for everything.
Now if I do this:
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
#SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
geolocation shows me ALL connections, including HTTP 200, which it usually does not show me.

--
Marc Cortinas Val
600604388
mar...@gm...
From: Marc C. V. <mar...@gm...> - 2014-08-12 22:19:27

Hello,

I think you can log it with the audit log from ModSecurity.

Logging directives:
{code}
SecAuditEngine On
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
{code}

Rule:
{code}
SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
{code}

My Apache is behind Varnish and I evaluate the remote IP from the X-Forwarded-For header, but you can use REMOTE_ADDR instead of REQUEST_HEADERS:X-Forwarded-For.

Kind regards,
Marc

On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
> First, thanks for everything. Sorry for my English.
> I wonder if there is any way to use IP geolocation in ModSec logs.
> That is, I wish that for all my active rules, it shows me the country code in the logs.
>
> Thanks for everything.
> Now if I do this:
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
> #SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
>
> geolocation shows me ALL connections, including HTTP 200, which it usually does not show me.

--
Marc Cortinas Val
600604388
mar...@gm...
From: kinomakino <kin...@ho...> - 2014-08-12 18:37:19

First, thanks for everything. Sorry for my English.

I wonder if there is any way to use IP geolocation in ModSec logs. That is, I wish that for all my active rules, it shows me the country code in the logs.

Thanks for everything.

Now if I do this:

```
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
#SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
```

geolocation shows me ALL connections, including HTTP 200, which it usually does not show me.
From: Jean-Raymond F. <jea...@gm...> - 2014-03-27 10:17:36

Hello,

I posted the following issue on GitHub: https://github.com/SpiderLabs/ModSecurity/issues/684#issuecomment-38191745

> Hi,
> We are suffering from an issue related to POST inspection. We are running ModSecurity 2.7.7 on Apache 2.5.3. The backend application is running on Jetty 2.9. The application presents a login form to the end user. When filling in the login fields with crafted data, like SQL strings, the call is accepted and sent to the backend application. But adding SQL strings in the URL blocks the call. The backend application is at risk as ModSecurity is the only security control in place. I've been advised to enable SecStreamInBodyInspection, but it doesn't work. Any help is welcome.
> Kind regards,

However, I have had no comment, and our issue is still there. Any help will be welcome.

Kind regards,
Jean-Raymond
From: Ryan B. <RBa...@tr...> - 2014-03-14 12:22:07

That is a very old version (current is v2.7.7). Can you upgrade?

OWASP CRS rules are here - https://github.com/SpiderLabs/owasp-modsecurity-crs - however, they most likely use newer features than what you have. We don't back port all new rules to old versions. If you want to use them, you need to upgrade.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On Mar 14, 2014, at 7:42 AM, "Imre Csaba" <imi...@gm...> wrote:

> Greetings. My mod-security version is 2.5.12. My question is, where can I download the newest rules for this version?
> Thanks. Have a nice day :)
From: Imre C. <imi...@gm...> - 2014-03-14 11:42:27

Greetings.

My mod-security version is 2.5.12. My question is, where can I download the newest rules for this version?

Thanks. Have a nice day :)
From: Rishi N. <ia...@pw...> - 2014-02-19 11:20:37

Hey,

I have configured the following rules and would like to know if there is any issue with them, as I am not getting the intended results:

```
SecGeoLookupDb /etc/modsecurity/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log"
```

I have the GeoLiteCity.dat file in the working directory. And here is the log snippet:

```
Executing operator "geoLookup" with param "" against REMOTE_ADDR.
Operator completed in 114 usec.
Warning. Geo lookup for "119.82.124.222" succeeded. [file "/etc/modsecurity/modsecurity.conf"] [line "14"] [id "13102"]
Rule returned 1.
```

Kindly excuse me if I missed something.

Regards,
Rishi Narang
From: Faris Al-S. <fa...@gm...> - 2013-11-04 05:33:46

Hi.

We have a form in which users post text that contains non-English characters (e.g. "ā" etc.). Sometimes these characters, especially in combination with quotes and other special symbols, produce false positives. For example, a simple string "ābc" (quotes included) gets processed as "\x22\xc4\x81bc\x22" by ModSecurity and matched by, for example, rule 981245 (among others), producing a false positive.

It's a bit frustrating to disable the rules which cause these false positives one by one. Is there any other way besides that to work around this issue, for example, excluding a subset of Unicode characters from filtering?
From: Dhr. P.A. P. <pi...@hu...> - 2013-10-22 14:24:23

ModSecurity on my Nginx reverse proxy server gives 500 errors when I try to log in or click on a button. I see nothing in the nginx error log, nor in the ModSecurity audit log. In the access log I see that the problem occurs after a POST command.

This goes well:

```
82.161.137.226 - - [22/Oct/2013:15:37:55 +0200] "GET /proefwerk/prog/images/rightArrow.gif HTTP/1.1" 304 0 "http://test.huygenscollege.nl/proefwerk/prog/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
```

But with the following (after clicking a button in the web page) Nginx gives a 500 error:

```
82.161.137.226 - - [22/Oct/2013:15:38:03 +0200] "POST /proefwerk/prog/index.php?day=21&month=10&year=2013&klas=1 HTTP/1.1" 500 594 "http://test.huygenscollege.nl/proefwerk/prog/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
```

The problem occurs with many proxy-passed sites, mostly when I try to log in. This is my configuration:

```
server {
    listen 80;
    server_name test.huygenscollege.nl;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://88.159.13.153/;
        proxy_read_timeout 150s;
    }
}
```

After changing ModSecurityEnabled on to off, the problem is gone. Any help will be appreciated.

Piet Pijnacker, Eindhoven, Netherlands
From: Rishi N. <ia...@pw...> - 2013-09-10 09:25:07

Friends,

This is my first post to the mailing list. Excuse any typo(s) or brevity.

Problem Statement - I am trying to "append" a pattern with the rule(s), but it is not working:

```
SecRule RESPONSE_CONTENT_TYPE "^text/html" "id:'6',nolog,pass,append:'<hr>Footer'"
SecRule REQUEST_FILENAME "@streq /robots.txt" "id:'7',phase:4,t:none,log,pass,append:'Disallow: /sql_backup'"
```

But the append rule is not working as it should. I am receiving a log for this rule, but still no text is being appended. I am working on ModSecurity 2.7.4 with apache2 on Ubuntu Server. Here is a sample of the log file:

```
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule b7033bb8; [file "/etc/apache2/conf.d/mod.conf"] [line "46"] [id "7"].
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033bb8: SecRule "RESPONSE_CONTENT_TYPE" "@rx ^text/html" "phase:2,auditlog,id:7,nolog,pass,append:<hr>Footer"
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation completed in 0 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "rx" with param "^text/html" against RESPONSE_CONTENT_TYPE.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 2 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 0.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Hook insert_filter: Adding output filter (r b717b058).
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase RESPONSE_HEADERS.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Response body buffering is not enabled.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Completed receiving response body (non-buffering).
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase RESPONSE_BODY.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule b7033160; [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"].
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033160: SecRule "REQUEST_FILENAME" "@streq /robots.txt" "phase:4,auditlog,id:6,t:none,log,pass,append:'Disallow: /db_backup.%{time_epoch}/# Old DB crash data'"
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation completed in 1 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "streq" with param "/robots.txt" against REQUEST_FILENAME.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 3 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][2] Warning. String match "/robots.txt" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"]
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 1.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Output forwarding complete.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Initialising logging.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase LOGGING.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recording persistent data took 0 microseconds.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Audit log: Not configured to run for this request.
```

Count my 2¢.

--
Rishi Narang
Researcher | Consultant | Writer
Connect: Blog <http://www.wtfuzz.com/> / LinkedIn <http://linkedin.com/in/rishinarang> / Twitter <http://twitter.com/rnarang>
... being anonymous is a myth, but none knows who coined it.
From: Muhammed M. <ze...@gm...> - 2013-07-01 06:23:16

I tried what you suggested but it's still the same.

On Sun, Jun 30, 2013 at 5:03 PM, Ryan Barnett <RBa...@tr...> wrote:
> Try swapping the order of these two directives -
>
> SecUnicodeMapFile /etc/modsecurity/unicode.mapping
> SecUnicodeCodePage 1256
>
> --
> Ryan Barnett
> Lead Security Researcher
> Trustwave - SpiderLabs
>
> On Jun 30, 2013, at 7:19 AM, "Muhammed Munther" <ze...@gm...> wrote:
>
> SecUnicodeCodePage 1256
> SecUnicodeMapFile /etc/modsecurity/unicode.mapping
From: Ryan B. <RBa...@tr...> - 2013-06-30 14:03:16

Try swapping the order of these two directives -

```
SecUnicodeMapFile /etc/modsecurity/unicode.mapping
SecUnicodeCodePage 1256
```

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Jun 30, 2013, at 7:19 AM, "Muhammed Munther" <ze...@gm...> wrote:

> SecUnicodeCodePage 1256
> SecUnicodeMapFile /etc/modsecurity/unicode.mapping
From: Muhammed M. <ze...@gm...> - 2013-06-30 11:19:28
|
Hello,

I installed Mod_Security v2.7.4 with the latest OWASP CRS and activated all of them. I am using ModSecurity to protect a web application that has SQL queries containing Arabic and Kurdish characters. This is causing mod-security to trigger false positives:

-------------------------- Apache's error_log ---------------------------

[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:DocCopyList. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\xb4 found within ARGS:DocCopyList: \\xd9\\x8a\\xd8\\xb4\\xd9\\x8a\\xd8\\xb4\\xd8\\xb3\\xd9\\x8a\\xd8\\xb4"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAMV8CoCzwAAHRHMhYAAAAB"]

[Sun Jun 30 13:45:47 2013] [error] [client 192.168.11.146] PHP Notice: Trying to get property of non-object in /var/www/html/DMS-V2/class/db_class.php on line 89, referer: http://192.168.11.60/DMS-V2/box.php?docType=2

[Sun Jun 30 13:33:56 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:DepFromName. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "164"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \\x80 found within ARGS:DepFromName: \\xda\\xaf\\xd8\\xb4\\xd8\\xaa\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xdb\\x8e\\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xd8\\xa7\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c \\xd8\\xaa\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c\\xd9\\x83\\xd8\\xa7\\xd9\\x86\\xdb\\x8c \\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb2\\xd8\\xa7\\xd8\\xb1\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xaa"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAJlMCoCzwAAG8IO@YAAAAH"]

----------------------------------------------------------------------------------------------------------------------------------
Line 66 of /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
----------------------------------------------------------------------------------------------------------------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

-----------------------------------------------------------------------------------------------------------------------------------
Line 164 of /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
-----------------------------------------------------------------------------------------------------------------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

I tried excluding the DocCopyList and DepFromName variables by adding !ARGS:variablename to the rules, but it did not help since all the variables have Arabic and Kurdish characters.

I also added:

SecUnicodeCodePage 1256
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

to the modsecurity.conf file and to /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf, but it does not seem to be changing anything.

How can I stop mod-security from detecting Arabic characters as SQL injection attacks?

Best regards,
ZerTux |
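The following is an added example, not code from the post above or from the OWASP CRS project. It takes the two ARGS values quoted in the error_log lines (DocCopyList in full, the first two words of DepFromName) and runs the 981318 and 981173 patterns over them twice: once as raw bytes, which is how a regex engine compiled without UTF-8 mode reads a character class whose members are multibyte UTF-8 literals such as ´ (C2 B4) and ’ (E2 80 99), and once over the decoded text. My reading of the log output is that the first mode is what ModSecurity 2.x does: the trailing 0xB4 of ش (D8 B4) and the 0x80 of the zero-width non-joiner (E2 80 8C) fall inside the byte-level class, which reproduces the "Matched Data: \xb4" and "Matched Data: \x80" lines exactly. The sample values are constructed from the log, and the assumption about byte-oriented matching is mine, not something the thread states.

```python
import re

# Constructed sample input: the two ARGS values quoted in the error_log lines
# above, as the raw UTF-8 bytes ModSecurity saw (DocCopyList in full, the
# first two words of DepFromName).  Not captured from any live system.
DOC_COPY_LIST = b"\xd9\x8a\xd8\xb4\xd9\x8a\xd8\xb4\xd8\xb3\xd9\x8a\xd8\xb4"
DEP_FROM_NAME = (
    b"\xda\xaf\xd8\xb4\xd8\xaa\xd8\xa8\xd9\x87\xe2\x80\x8c"
    b"\xd8\xb1\xdb\x8e\xd9\x88\xd9\x87\xe2\x80\x8c"
)

# The quote characters listed by the CRS 2.2.7 patterns: ASCII " ' ` plus the
# typographic ´ (UTF-8 C2 B4), ’ (E2 80 99) and ‘ (E2 80 98).
QUOTES_BYTES = rb"\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98"
QUOTES_STR = "\"'`´’‘"
# The remaining "restricted SQL characters" of rule 981173.
PUNCT = r"\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;"


def byte_mode_patterns():
    """The two patterns as a byte-oriented regex engine reads them (assumed
    here to be how ModSecurity 2.x compiles them): each byte of a multibyte
    literal becomes a separate member of the character class, so a lone
    0xB4, 0xE2 or 0x80 inside an Arabic letter satisfies the class."""
    q = QUOTES_BYTES
    return {
        "981318": re.compile(rb"(^[" + q + rb";]+|[" + q + rb";]+$)"),
        "981173": re.compile(rb"([" + PUNCT.encode() + q + rb"\<\>].*?){4,}"),
    }


def unicode_mode_patterns():
    """The same patterns applied to decoded text, where ´ ’ ‘ are single
    characters and an Arabic letter can never be mistaken for one."""
    q = QUOTES_STR
    return {
        "981318": re.compile(r"(^[" + q + r";]+|[" + q + r";]+$)"),
        "981173": re.compile(r"([" + PUNCT + q + r"\<\>].*?){4,}"),
    }


def evaluate(value: bytes) -> dict:
    """For each (rule id, mode) return the capture the rule's logdata would
    report ("Matched Data: ..."), or None when the rule does not fire."""
    text = value.decode("utf-8")
    hits = {}
    for rule_id, pat in byte_mode_patterns().items():
        m = pat.search(value)
        hits[(rule_id, "bytes")] = m.group(1) if m else None
    for rule_id, pat in unicode_mode_patterns().items():
        m = pat.search(text)
        hits[(rule_id, "unicode")] = m.group(1) if m else None
    return hits


if __name__ == "__main__":
    for name, value in (("DocCopyList", DOC_COPY_LIST),
                        ("DepFromName", DEP_FROM_NAME)):
        for (rule_id, mode), hit in sorted(evaluate(value).items()):
            print(f"{name:12} {rule_id} {mode:8} -> {hit!r}")
```

Run stand-alone it prints one line per rule and mode; in byte mode 981318 fires on DocCopyList with b'\xb4' and 981173 fires on DepFromName with b'\x80', while in Unicode mode neither fires. This is also why per-parameter !ARGS exclusions only move the problem: any value containing ش, a zero-width non-joiner, or another letter whose trailing byte is 0xB4 or 0x80 trips the byte-level class regardless of which parameter carries it.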
From: Ryan B. <RBa...@tr...> - 2013-01-04 19:44:37
|
Since this pertains to the OWASP ModSecurity CRS, I am cc'ing that list as well. In the future, please sign up for and send OWASP CRS questions to that list.

That malware.data file is old and should be removed. At one point, we were testing some outbound rules to detect known malicious URLs that were captured by the Snort/VRT team and were listed on their labs site here - http://labs.snort.org/iplists/

We discontinued it as the lists would need to be updated daily so they wouldn't be stale, and SourceFire has stopped posting these files.

FYI – we have different commercial rules that look at outbound HTTP data looking for known malware links, etc… in our commercial rules feed - https://www.trustwave.com/modsecurity-rules-support.php

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Rolling Stone <jz...@ho...>
Date: Friday, January 4, 2013 2:34 PM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-rules] modsecurity_50_outbound_malware.data not being referenced

In OWASP_CRS/2.7.7, I cannot find any .conf file referencing modsecurity_50_outbound_malware.data. I would like to know the rationale behind the scenes, and how this file should be used to be useful.

Thanks, |
From: Rolling S. <jz...@ho...> - 2013-01-04 19:34:49
|
In OWASP_CRS/2.7.7, I cannot find any .conf file referencing modsecurity_50_outbound_malware.data. I would like to know the rationale behind the scenes, and how this file should be used to be useful.

Thanks, |