mod-security-rules — Discuss rule ideas, problems and false positives

[Mod-security-rules] modsecurity rule

[Prakash K. <pra...@ne...>]

I have following rule in my /usr/local/apache/conf/modsec2.user.conf file:

SecGeoLookupDb /usr/share/geoip/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup"
"phase:1,id:'11111',t:none,pass,log,noauditlog"

I think this is right but when I see /usr/local/apache/logs/error_log I see
following error:

[Sat Feb 20 02:04:23.469432 2016] [:error] [pid 15993] [client
93.189.102.202] ModSecurity: Warning. Geo lookup for "93.189.102.202"
succeeded. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"]
[id "11111"] [hostname "somesite.com"] [uri "/css/bootstrap.min.css"]
[unique_id "Vsd4y55FgooAAD55TBcAAAAK"]

Anyone know what I am doing wrong here?

PS: I have disabled full modsec logging.

[Mod-security-rules] Second community meeting - minutes

[Felipe C. <FC...@tr...>]

Hi,

Thank you all that participated in our second community meeting.

The meeting minutes is available here:
https://www.modsecurity.org/developers/meetings/modsecurity.2016-01-27-15.08.html


Please let me know if something is missing.


Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>



________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-rules] Required Recommended configuration

[sai k. <dsk...@gm...>]

Hi community ,

We have installed Modsecurity in our environment. We have couple of
questions in configuring.

   1. What is the recommended file size(Industry standard) for :
   SecRequestBodyLimit
   SecRequestBodyNoFilesLimit
   2. Could you please send us any Manual book for reference

Please let us know, if you require anything.
-- 
Thanks & Regards,
Sai kiran

[Mod-security-rules] ModSecurity version 2.9.1-rc1 announcement

[Felipe C. <FC...@tr...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

It is a pleasure to announce the first release candidate for ModSecurity
version 2.9.1. The version 2.9.1-RC1 contains fixes and new features.
The new features list includes audit logs in JSON format.

I would like to thank you all, that participate in the construction of
this release. A special thanks to the ones who sent patches and the ones
who participated on the community meetings, which helped to increase the
quality of our releases. Thank you.

The documentation of the new features is already available on our wiki
page: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-RC1

The most important changes are listed bellow:

* New features

 - Added support to generate audit logs in JSON format.
   [Issue #914, #897, #656 - Robert Paprocki]
 - Extended Lua support to include version 5.3
   [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
 - mlogc: Allows user to choose between TLS versions (TLSProtocol option
   introduced).
   [Issue #881 - Ishwor Gurung]
 - Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.
   [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]

* Bug fixes

 - Creating AuditLog serial file (or parallel index) respecting the
   permission configured with SecAuditLogFileMode. Previously, it was
   used only to save the transactions while in parallel mode.
   [Issue #852 - @littlecho and ModSecurity team]
 - Checking for hashing injection response, to report in case of failure.
   [Issue #1041 - ModSecurity team]
 - Stop buffering when the request is larger than SecRequestBodyLimit
   in ProcessPartial mode
   [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
 - Refactoring conditional #if/#defs directives.
   [Issue #996 - Wesley M and ModSecurity team]
 - mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
   files with Apache 2.4
   [Issue #775 - Elia Pinto]
 - Understands IIS 10 as compatible on Windows installer.
   [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
 - Fix apache logging limitation by using correct Apache call.
   [Issue #840 - Christian Folini]
 - Fix apr_crypto.h check on 32-bit Linux platform
   [Issue #882, #883 - Kurt Newman]
 - Fix variable resolution duration (Content of the DURATION variable).
   [Issue #662 - Andrew Elble]
 - Fix crash while adding empty keys to persistent collections.
   [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
 - Remove misguided call to srand()
   [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
 - Fix compilation problem while ssdeep is installed in non-standard
   location.
   [Issue #872 - Kurt Newman]
 - Fix invalid storage reference by apr_psprintf at msc_crypt.c
   [Issue #609 - Jeff Trawick]

* Known issues

 - Instabilities of nginx add-on are still expected. Please use the "nginx
   refactoring" branch and stay tuned for the ModSecurity version 3.

Br.,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlayNO4ACgkQ5t+wjOixEneGyQCeJtAPhLk9EXRg7/GviovZQ2i5
bwMAn3SSrlzFC+g3zdlOU4Yug3kiRpAp
=Prxb
-----END PGP SIGNATURE-----

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-rules] Learning mod-security

[Abdul A. <abd...@gm...>]

Hi Community,

I'm new to mod-security but really wanted to learn it so i have installed
mod-security on my server but really don't know how to write or read a
mod-security crs rules could any one please help how to get started with
modsecurity?

Configuration:
a. Ubuntu 14.04 Server
b. Mod security
c.Tomcat and Apache http server

Please help in the following aspects:

1.Resources link to learning and writing a mod security rules.
2.Reading an existing rule from mod-security crs.
3.And do i need to learn regex to get started with mod-security and how to
test whether the rules are working or not?

Thank you,
Abdul Adil.

[Mod-security-rules] Possible issue/false positive situation with CRS ID:973337

[William - U. <wi...@ub...>]

Not sure if this is the right place to send this, but here goes.

 

Had an issue with Rule ID: 973337 that picked up on a cookie value.

 

(?​i)([\\s\"'`;\\/​0-9\\=​\\x0B​\\x09​\\x0C​\\x3B​\\x2C​\\x28​\\x3B​]+on​\\w+[\\s\\x0B​\\x09​\\x0C​\\x3B​\\x2C​\\x28​\\x3B​]*?​=​)

 

As best I can tell, this rule is looking for dodgy usage of the HTML on*= attributes for execution of unexpected JavaScript such as onload, onresize etc.

Great; except it doesn’t appear to care how many characters are between “on” and “=” so long as there is more than 1 (w+ bit).

 

Assuming what I’ve said so far is remotely correct, I think the rate of false positives could be reduced by looking for a limited number of characters so that it won’t match non-existent attributes such as “on1=”, “onuiysfuiyegsfuygsfgdjsh=” and so on.

 

Regards,

William

 

wi...@ub...

 

Re: [Mod-security-rules] mod sec rule to execute lua script

[Ryan B. <RBa...@tr...>]

You can have a look at some other existing Lua scripts that interact with OS commands and use the REMOTE_ADDR data.

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/lua/gather_ip_data.lua

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: kinomakino <kin...@ho...<mailto:kin...@ho...>>
Date: Friday, October 10, 2014 7:33 AM
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: [Mod-security-rules] mod sec rule to execute lua script

As always,thanks for the help.
I'm playing with a lua script from mod security (exec: /var/scripts/script.lua)
the target is ip ban in iptables source that triggers the rule.

I get receive the REMOTE_ADDR variable,but I mod_secalert appears:
Message: Lua: Script execution failed: attempt to call anil value

The variable takes the script, because towrite a testlog.
The lua scriptis as follows:
Local remote_addr = m.getvar ("REMOTE_ADDR");
Local log_file = "/tmp/lua_tmp.log"
file = io.open (log_file, "a")
file: write (remote_addr)
file: write ("\ n")
file: close ()
print ("0")

you have information about thiserror?
Thank you !!!

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-rules] mod sec rule to execute lua script

[kinomakino <kin...@ho...>]

As always, thanks for the help. 
I'm playing with a lua script from mod security (exec:
/var/scripts/script.lua) 
the target is ip ban in iptables source that triggers the rule. 

I get receive the REMOTE_ADDR variable, but I mod_sec alert appears: 
Message: Lua: Script execution failed: attempt to call a nil value 

The variable takes the script, because to write a test log. 
The lua script is as follows: 
Local remote_addr = m.getvar ("REMOTE_ADDR"); 
Local log_file = "/tmp/lua_tmp.log" 
file = io.open (log_file, "a") 
file: write (remote_addr) 
file: write ("\ n") 
file: close () 
print ("0") 

you have information about this error? 
Thank you !!!

[Mod-security-rules] use modsec variables in a shell script

[kinomakino <kin...@ho...>]

 

First, thanks for everything. 
I have a question. 
I am running a bash modsec rule from a script by exec. 
I wonder if I can use the "variables" of modsecurity in the script, such as
URL or remote IP. 

I've seen that in LUA if I can do it, but my knowledge of LUA are zero. 

I´m only want send e-mail with a few variables.



Thanks before hand.

 

Re: [Mod-security-rules] Show GEO DAT in modsec logs

[Marc C. V. <mar...@gm...>]

Hi, 


 I think you can add the country code in the request header and then you can log header in apache.




Best,




Marc
—
Sent from Mailbox

On Wed, Aug 13, 2014 at 9:32 AM, kinomakino <kin...@ho...>
wrote:

> Thank you very much sir !! 
> Not exactly what I need, perhaps the google translator xD I failed. 
> Right now I have 20,000 rules. I have configured it NOT alert modsec with
> error codes 500 or 200. 
> I use this rule if you've happened to me, shows me ALL codes 200. 
> This is not about me because I joined modsec with fail2ban, then this rule,
> bans ALL legitimate connections (200). 
> I hope I explained. 
> What I need is that my alerts 403, as I have now, show a field with country
> code 
> Thank you !!!
>  
> ////
> Siendo de Barcelona... en Español también xD.
>  
> Si hago esa regla que me has indicado, me empieza a mostrar todos los
> códigos 200, y como comprenderás, eso no funciona bien.
>  
> Gracias Marc !!!
>  
>  
>   _____  
> De: Marc Cortinas Val [mailto:mar...@gm...] 
> Enviado el: miércoles, 13 de agosto de 2014 0:19
> Para: kinomakino
> CC: mod...@li...
> Asunto: Re: [Mod-security-rules] Show GEO DAT in modsec logs
>  
> Hello,
>  
>  I think you can logging it with audit log from mod security.
>  Logging directives:
> {code}
>     SecAuditEngine On
>     SecAuditLogParts ABIJDEFHZ
>     SecAuditLogType Serial
>     SecAuditLog /var/log/httpd/modsec_audit.log
> {code}
>  
>  Rule:
> {code}
> SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup"
> "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is:
> %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
> {code}
>  
> My apache is rear varnish and I evaluate remote IP from header
> :X-Forwarded-For, but you can use REMOTE_ADDR instead of
> REQUEST_HEADERS:X-Forwarded-Fo
>  
> King regards,
> Marc
>  
> On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
> First, thanks for everything. sorry for my English. 
> I wonder if there is any way to use IP Geolocation in ModSec logs. 
> That is, I wish for all my active rules, show me the country code in the
> logs. 
> Thanks for everything. 
> now if I do this: 
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat 
> #SecRule REMOTE_ADDR "geoLookup" "phase: 1, id: 13102, t: none, pass, log,
> msg: '% {GEO.COUNTRY_CODE}'" 
> geolocation to show me ALL connections, including HTTP 200 usually does not
> show me.
> ----------------------------------------------------------------------------
> --
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
>  
> -- 
> Marc Cortinas Val
> 600604388
> mar...@gm...

Re: [Mod-security-rules] Show GEO DAT in modsec logs

[kinomakino <kin...@ho...>]

Thank you very much sir !! 
Not exactly what I need, perhaps the google translator xD I failed. 

Right now I have 20,000 rules. I have configured it NOT alert modsec with
error codes 500 or 200. 

I use this rule if you've happened to me, shows me ALL codes 200. 

This is not about me because I joined modsec with fail2ban, then this rule,
bans ALL legitimate connections (200). 

I hope I explained. 

What I need is that my alerts 403, as I have now, show a field with country
code 

Thank you !!!

 

////

Siendo de Barcelona... en Español también xD.

 

Si hago esa regla que me has indicado, me empieza a mostrar todos los
códigos 200, y como comprenderás, eso no funciona bien.

 

Gracias Marc !!!

 

 

  _____  

De: Marc Cortinas Val [mailto:mar...@gm...] 
Enviado el: miércoles, 13 de agosto de 2014 0:19
Para: kinomakino
CC: mod...@li...
Asunto: Re: [Mod-security-rules] Show GEO DAT in modsec logs

 

Hello,

 

 I think you can logging it with audit log from mod security.

 Logging directives:

{code}

    SecAuditEngine On

    SecAuditLogParts ABIJDEFHZ

    SecAuditLogType Serial

    SecAuditLog /var/log/httpd/modsec_audit.log

{code}

 

 Rule:

{code}

SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup"
"id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is:
%{geo.country_code} and X-Forwarded-For is: %{matched_var}'"

{code}

 

My apache is rear varnish and I evaluate remote IP from header
:X-Forwarded-For, but you can use REMOTE_ADDR instead of
REQUEST_HEADERS:X-Forwarded-Fo

 

King regards,

Marc

 

On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:

First, thanks for everything. sorry for my English. 
I wonder if there is any way to use IP Geolocation in ModSec logs. 
That is, I wish for all my active rules, show me the country code in the
logs. 

Thanks for everything. 
now if I do this: 
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat 
#SecRule REMOTE_ADDR "geoLookup" "phase: 1, id: 13102, t: none, pass, log,
msg: '% {GEO.COUNTRY_CODE}'" 

geolocation to show me ALL connections, including HTTP 200 usually does not
show me.


----------------------------------------------------------------------------
--

_______________________________________________
Mod-security-rules mailing list
Mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-rules





 

-- 
Marc Cortinas Val
600604388
mar...@gm...

Re: [Mod-security-rules] Show GEO DAT in modsec logs

[Marc C. V. <mar...@gm...>]

Hello,

 I think you can logging it with audit log from mod security.
 Logging directives:
{code}
    SecAuditEngine On
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
{code}

 Rule:
{code}
SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup"
"id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is:
%{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
{code}

My apache is rear varnish and I evaluate remote IP from header
:X-Forwarded-For, but you can use REMOTE_ADDR instead of
REQUEST_HEADERS:X-Forwarded-Fo

King regards,
Marc


On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:

>  First, thanks for everything. sorry for my English.
> I wonder if there is any way to use IP Geolocation in ModSec logs.
> That is, I wish for all my active rules, show me the country code in the
> logs.
>
> Thanks for everything.
> now if I do this:
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
> #SecRule REMOTE_ADDR "geoLookup" "phase: 1, id: 13102, t: none, pass, log,
> msg: '% {GEO.COUNTRY_CODE}'"
>
> geolocation to show me ALL connections, including HTTP 200 usually does
> not show me.
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
>
>


-- 
Marc Cortinas Val
600604388
mar...@gm...

[Mod-security-rules] Show GEO DAT in modsec logs

[kinomakino <kin...@ho...>]

First, thanks for everything. sorry for my English. 
I wonder if there is any way to use IP Geolocation in ModSec logs. 
That is, I wish for all my active rules, show me the country code in the
logs. 

Thanks for everything. 
now if I do this: 
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat 
#SecRule REMOTE_ADDR "geoLookup" "phase: 1, id: 13102, t: none, pass, log,
msg: '% {GEO.COUNTRY_CODE}'" 

geolocation to show me ALL connections, including HTTP 200 usually does not
show me.

[Mod-security-rules] Fwd: POST body is not inspected by modsecurity

[Jean-Raymond F. <jea...@gm...>]

Hello,

I posted following issue on Github

https://github.com/SpiderLabs/ModSecurity/issues/684#issuecomment-38191745

 *Hi,*









*We are suffering an issue related to POST inspection. We are running
modsecurity 2.7.7 on apache 2.5.3 Backend application is running on Jetty
2.9. The application presents a login form to the end user. When filling in
the login fields with crafted data, like sql strings, the call is accepted
and sent to the backend application. But adding sql strings in the URL
blocks the call. Backend application is at risk as modsecurity is the only
security control in place. I've been suggested to enable
SecStreamInBodyInspection, but it doesn't work. Any help is welcome.*

*Kind regards*,

However I have no comment and our issue is still there.
Any help will be welcome

Kind regards,

Jean-Raymond

Re: [Mod-security-rules] Rules version

[Ryan B. <RBa...@tr...>]

That is a very old version (current is v2.7.7). Can you upgrade?

OWASP CRS rules are here - https://github.com/SpiderLabs/owasp-modsecurity-crs however they most likely use newer features than what you have. We don't back port all new rules to old versions. If you want to use them, you need to upgrade.

Ryan Barnett
Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

On Mar 14, 2014, at 7:42 AM, "Imre Csaba" <imi...@gm...<mailto:imi...@gm...>> wrote:

Greetings.

My mod-security version is 2.5.12. My question is, where can i download a newest rules for this version?

Thanks. Have a nice day :)
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Mod-security-rules mailing list
Mod...@li...<mailto:Mod...@li...>
https://lists.sourceforge.net/lists/listinfo/mod-security-rules

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-rules] Rules version

[Imre C. <imi...@gm...>]

Greetings.

My mod-security version is 2.5.12. My question is, where can i download a
newest rules for this version?

Thanks. Have a nice day :)

[Mod-security-rules] GeoLocation Rule

[Rishi N. <ia...@pw...>]

Hey,

I have configured the following rules and would like to know if there is
any issue with them as I am not getting the intended results,

SecGeoLookupDb /etc/modsecurity/GeoLiteCity.dat
> SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log"


I have the GeoLiteCity.dat file in the working directory. And here is the
log snippet,

Executing operator "geoLookup" with param "" against REMOTE_ADDR.
> Operator completed in 114 usec.
> Warning. Geo lookup for "119.82.124.222" succeeded. [file
> "/etc/modsecurity/modsecurity.conf"] [line "14"] [id "13102"]
> Rule returned 1.


Kindly excuse me if I missed something.

Regards,
Rishi Narang

[Mod-security-rules] Unicode characters and false positives

[Faris Al-S. <fa...@gm...>]

Hi.
We have a form in which users post text, that contains non-English characters (e.g. "ā" etc.). Sometimes these characters, especially in combination with quotes and other special symbols, produce false positives. For example a simple string "ābc" (quotes including) gets processed as "\x22\xc4\x81bc\x22" by modsecurity, and matched by, for example, rule 981245 (among others) producing a false positive.
It's a bit frustrating to disable rules, which cause these false positives one-by-one - is there any other way besides that to work around this issue, for example, exclude a subset of unicode characters from filtering?

[Mod-security-rules] Nginx-Modsecurity proxypass 500 error with POST

[Dhr. P.A. P. <pi...@hu...>]

Modsecurity on my Nginx reverse proxy server gives 500 errors when I try to
log in or click on a button.
I see nothing in the nginx error log, nor in the modsecurity audit log. In
the access log I see that the problem occurs after a POST command.

This goes well:

82.161.137.226 - - [22/Oct/2013:15:37:55 +0200] "GET
/proefwerk/prog/images/rightArrow.gif HTTP/1.1" 304 0 "
http://test.huygenscollege.nl/proefwerk/prog/index.php" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

But with the following (after clicking a button in the web page) Nginx
gives a 500 error:

82.161.137.226 - - [22/Oct/2013:15:38:03 +0200] "POST
/proefwerk/prog/index.php?day=21&month=10&year=2013&klas=1 HTTP/1.1" 500
594 "http://test.huygenscollege.nl/proefwerk/prog/index.php" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

The problem occurs with many proxypassed sites, mostly when I try to log in.

This is my configuration.

server {
        listen       80;
        server_name  test.huygenscollege.nl;
        location / {
         ModSecurityEnabled on;
         ModSecurityConfig modsecurity.conf;
        proxy_pass         http://88.159.13.153/;
        proxy_read_timeout 150s;
        }
}

After changing ModSecurityEnabled on to off, the problem is gone.

Any help will be appreciated.

Piet Pijnacker,
Eindhoven, Netherlands

[Mod-security-rules] Append Error

[Rishi N. <ia...@pw...>]

Friends,

This is my first post to the mailing list. Excuse any typo(s) or brevity.

*Problem Statement* - I am trying to "append" a pattern with the rule(s)
but is not working -

SecRule RESPONSE_CONTENT_TYPE "^text/html"
"id:'6',nolog,pass,append:'<hr>Footer'"
SecRule REQUEST_FILENAME "@streq /robots.txt"
"id:'7',phase:4,t:none,log,pass,append:'Disallow: /sql_backup'"


But the *append* rule is not working as it should. I am receiving a log for
this rule, but still no text is being appended. I am working on modsecurity
2.7.4 with apache2 on Ubuntu Server.

Here is a sample of the log file,

[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule
b7033bb8; [file "/etc/apache2/conf.d/mod.conf"] [line "46"] [id "7"].
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033bb8: SecRule
"RESPONSE_CONTENT_TYPE" "@rx ^text/html"
"phase:2,auditlog,id:7,nolog,pass,append:<hr>Footer"
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation
completed in 0 usec.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "rx"
with param "^text/html" against RESPONSE_CONTENT_TYPE.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 2
usec.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 0.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Hook insert_filter:
Adding output filter (r b717b058).
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase
RESPONSE_HEADERS.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Response
body buffering is not enabled.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter:
Completed receiving response body (non-buffering).
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase
RESPONSE_BODY.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule
b7033160; [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"].
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033160: SecRule
"REQUEST_FILENAME" "@streq /robots.txt"
"phase:4,auditlog,id:6,t:none,log,pass,append:'Disallow:
/db_backup.%{time_epoch}/# Old DB crash data'"
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation
completed in 1 usec.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator
"streq" with param "/robots.txt" against REQUEST_FILENAME.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 3
usec.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][2] Warning. String match
"/robots.txt" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/mod.conf"]
[line "43"] [id "6"]
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 1.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Output
forwarding complete.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Initialising logging.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase LOGGING.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recording persistent
data took 0 microseconds.
[09/Sep/2013:18:56:53 +0530]
[modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Audit log: Not
configured to run for this request.


Count my 2¢.

--
Rishi Narang
Researcher | Consultant | Writer
Connect: Blog <http://www.wtfuzz.com/> /
LinkedIn<http://linkedin.com/in/rishinarang>
 / Twitter <http://twitter.com/rnarang>
*
*
*... being anonymous is a myth, but none knows who coined it.*

Re: [Mod-security-rules] Arabic and Kurdish Characters triggers false positives

[Muhammed M. <ze...@gm...>]

I tried what you suggested but its still the same

On Sun, Jun 30, 2013 at 5:03 PM, Ryan Barnett <RBa...@tr...> wrote:
> Try swapping the order of these two directives -
>
> SecUnicodeMapFile /etc/modsecurity/unicode.mapping
>
> SecUnicodeCodePage 1256
>
>
> --
> Ryan Barnett
> Lead Security Researcher
> Trustwave - SpiderLabs
>
> On Jun 30, 2013, at 7:19 AM, "Muhammed Munther" <ze...@gm...> wrote:
>
> SecUnicodeCodePage 1256
> SecUnicodeMapFile /etc/modsecurity/unicode.mapping
>
>
> ________________________________
>
> This transmission may contain information that is privileged, confidential,
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format.

Re: [Mod-security-rules] Arabic and Kurdish Characters triggers false positives

[Ryan B. <RBa...@tr...>]

Try swapping the order of these two directives -

SecUnicodeMapFile /etc/modsecurity/unicode.mapping

SecUnicodeCodePage 1256


--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Jun 30, 2013, at 7:19 AM, "Muhammed Munther" <ze...@gm...<mailto:ze...@gm...>> wrote:

SecUnicodeCodePage 1256
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-rules] Arabic and Kurdish Characters triggers false positives

[Muhammed M. <ze...@gm...>]

Hello,

I installed Mod_Security *v2.7.4 *with the latest owasp crs and activated
all of them. i am using modsecurity to protect a web application that have
sql query's that contains Arabic and Kurdish characters. This is
causing mod-security to trigger false positives:


--------------------------
Apache's error_log
---------------------------
[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity:
Access denied with code 403 (phase 2). Pattern match
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
at ARGS:DocCopyList. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "66"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common
Injection Testing Detected"] [data "Matched Data: \\xb4 found within
ARGS:DocCopyList:
 \\xd9\\x8a\\xd8\\xb4\\xd9\\x8a\\xd8\\xb4\\xd8\\xb3\\xd9\\x8a\\xd8\\xb4"]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname
"192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id
"UdAMV8CoCzwAAHRHMhYAAAAB"]
[Sun Jun 30 13:45:47 2013] [error] [client 192.168.11.146] PHP Notice:
 Trying to get property of non-object in
/var/www/html/DMS-V2/class/db_class.php on line 89, referer:
http://192.168.11.60/DMS-V2/box.php?docType=2



[Sun Jun 30 13:33:56 2013] [error] [client 192.168.11.143] ModSecurity:
Access denied with code 403 (phase 2). Pattern match
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}"
at ARGS:DepFromName. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "164"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
Detection Alert - Total # of special characters exceeded"] [data "Matched
Data: \\x80 found within ARGS:DepFromName:
\\xda\\xaf\\xd8\\xb4\\xd8\\xaa\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xdb\\x8e\\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xd8\\xa7\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c
\\xd8\\xaa\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c\\xd9\\x83\\xd8\\xa7\\xd9\\x86\\xdb\\x8c
\\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb2\\xd8\\xa7\\xd8\\xb1\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xaa"]
[ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "192.168.11.60"] [uri
"/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAJlMCoCzwAAG8IO@YAAAAH"]


----------------------------------------------------------------------------------------------------------------------------------
Line 66 of
/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
----------------------------------------------------------------------------------------------------------------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*
"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)"
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL
Injection Attack: Common Injection Testing
Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within
%{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"



-----------------------------------------------------------------------------------------------------------------------------------
Line 164  of
/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
-----------------------------------------------------------------------------------------------------------------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES
"([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}"
"phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted
SQL Character Anomaly Detection Alert - Total # of special characters
exceeded',capture,logdata:'Matched Data: %{TX.1} found within
%{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

SecRule ARGS_NAMES|ARGS|XML:/*
"([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}"
"phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted
SQL Character Anomaly Detection Alert - Total # of special characters
exceeded',capture,logdata:'Matched Data: %{TX.1} found within
%{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


I tried execluding the DocCopyList and DepFormName variables by adding
!ARGS:variablename to the rules but it did not help since all the variables
have Arabic and Kurdish characters.
I also added:
SecUnicodeCodePage 1256
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

To the modsecurity.conf file and the
/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
but it does not seem to be changing anything.

How can i stop mod-security from detecting Arabic characters as sql
injection attacks ?

Best regards,
ZerTux

Re: [Mod-security-rules] modsecurity_50_outbound_malware.data not being referenced

[Ryan B. <RBa...@tr...>]

Since this pertains to the OWASP ModSecurity CRS, I am cc'ing that list as well.  In the future, please sign-up for and send OWASP CRS question to that list.

That malware.data file is old and should be removed.  At one point, we were testing some outbound rules to detect known malicious URLs that were captured by Snort/VRT team and were listed on their labs site here - http://labs.snort.org/iplists/

We discontinued it as the lists would need to be updated daily so they wouldn't be stale and SourceFire has stopped posting these files.

FYI – we have different commercial rules that look at outbound HTTP data looking for know malware links, etc… in our commercial rules feed - https://www.trustwave.com/modsecurity-rules-support.php

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Rolling Stone <jz...@ho...<mailto:jz...@ho...>>
Date: Friday, January 4, 2013 2:34 PM
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: [Mod-security-rules] modsecurity_50_outbound_malware.data not being referenced

In OWASP_CRS/2.7.7, cannot find any .conf file referencing modsecurity_50_outbound_malware.data
I would like to know the rationale behind the scene, and how this file should be used to be useful.

Thanks,


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-rules] modsecurity_50_outbound_malware.data not being referenced

[Rolling S. <jz...@ho...>]

In OWASP_CRS/2.7.7, cannot find any .conf file referencing
modsecurity_50_outbound_malware.data

I would like to know the rationale behind the scene, and how this file
should be used to be useful.

 

Thanks,