mod-security-rules Mailing List for ModSecurity (Page 3)
Brought to you by:
victorhora,
zimmerletw
From: ro c. <chr...@gm...> - 2012-06-27 06:40:45
|
Hi,

There are two issues about Mod-security-rules.

1. The rules in modsecurity_crs_20_protocol_violations.conf, modsecurity_crs_21_protocol_anomalies.conf and modsecurity_crs_60_correlation.conf: those three rules will block Google Chrome, Internet Explorer and Firefox from downloading PDF files when those three rules are enabled. Can you fix this issue so that PDF files can be downloaded when the rules are enabled?

2. Some automatic robots such as Teleport Pro and HTTrack can't be blocked by Mod-security-rules. Is there any rule that can stop that kind of rude site copier robots? Or can you create a rule to stop it?

Best regards. |
From: Ryan B. <RBa...@tr...> - 2011-08-23 19:58:46
|
I just updated the 35 scanners.data file for the CRS v2.2.2 in SVN to include Arachni and a bunch of other User-Agent strings - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_35_scanners.data?revision=1829&view=markup

--
Ryan Barnett
Senior Security Researcher
Trustwave – SpiderLabs

From: Benjamin Flament <ben...@ya...>
Reply-To: Benjamin Flament <ben...@ya...>
Date: Tue, 23 Aug 2011 12:12:57 -0500
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-rules] Bad robot addition

Hi

Would it be possible to add arachni to the bad_robots/scanners list? I noticed it hasn't been added yet.

Regards
Benjamin

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
From: Benjamin F. <ben...@ya...> - 2011-08-23 17:13:03
|
Hi

Would it be possible to add arachni to the bad_robots/scanners list? I noticed it hasn't been added yet.

Regards
Benjamin |
From: Ryan B. <RBa...@tr...> - 2011-07-20 17:48:07
|
Benjamin,

You will be happy to know that we just released CRS v2.2.1 and we have updated this SQL Injection Tautology rule 950901 to be more accurate both from a false positive and negative perspective. Please test out the new CRS and let me know if it is working better for you.

-Ryan

On 7/2/11 8:14 PM, "Benjamin Flament" <ben...@ya...> wrote:

>Hi
>
>I've been having some trouble with rule 950901, because it essentially
>matches any single sentence that includes an "and" or "or". The rule's
>regex is currently as follows:
>
>\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\¹\Œ](\d+)[\'\"\`\´\¹\Œ]
>?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\¹\Œ]\2\b|[\'\"\`\´\Œ](\w+)[\'\"\`\´\¹\Œ]
>?(?:=|<>|<=>|<|>|!=)
>?[\'\"\`\´\¹\Œ]\3\b|([\'\"\;\`\´\¹\Œ]*)?\s+(and|or)\s+([\s\'\"\`\´\¹\Œ]*)?
>\w+([\s\'\"\`\´\¹\Œ]*)?[=<>!]+([\s\'\"\`\´\¹\Œ]*)?\w+([\s\'\"\`\´\¹\Œ]*)?
>
>
>I suggest changing the rule to:
>
>\b(\d+) ?(?:=|<>|<=>|<|>|!=)
>?\1\b|[\'\"\`\´\¹\Œ](\d+)[\'\"\`\´\¹\Œ]
>?(?:=|<>|<=>|<|>|!=)
>?[\'\"\`\´\¹\Œ]\2\b|[\'\"\`\´\Œ](\w+)[\'\"\`\´\¹\Œ]
>?(?:=|<>|<=>|<|>|!=)
>?[\'\"\`\´\¹\Œ]\3\b|([\'\"\;\`\´\¹\Œ]*)?\s+(and|or)\s+([\s\'\"\`\´\¹\Œ]*)?
>\w+([\s\'\"\`\´\¹\Œ]*)?(?:=|<>|<=>|<|>|!=)([\s\'\"\`\´\¹\Œ]*)?\w+([\s\'\"\
>`\´\¹\Œ]*)?
>
>As the operator list is not specific enough and matches any "and|or"
>preceded with a space and followed by anything.
>
>Regards
>Benjamin |
From: Benjamin F. <ben...@ya...> - 2011-07-03 00:14:37
|
Hi

I've been having some trouble with rule 950901, because it essentially matches any single sentence that includes an "and" or "or". The rule's regex is currently as follows:

\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\3\b|([\'\"\;\`\´\’\‘]*)?\s+(and|or)\s+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?[=<>!]+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?

I suggest changing the rule to:

\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\3\b|([\'\"\;\`\´\’\‘]*)?\s+(and|or)\s+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?(?:=|<>|<=>|<|>|!=)([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?

As the operator list is not specific enough and matches any "and|or" preceded with a space and followed by anything.

Regards
Benjamin |
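An added example, not part of the post above or of the CRS code: it rebuilds only the final and/or alternative of rule 950901 in its current and suggested forms (the one place the two regexes differ) and runs both over constructed strings to show which matches change. The sample strings, their "prose"/"comparison" labels and the function names are assumptions made for illustration.

```python
import re

# Quote-like characters from the rule's character classes (written unescaped here).
Q = "'\"`´’‘"

# Only the final (and|or) alternative differs between the two versions of the
# regex, so only that branch is rebuilt; the tautology branches are left out.
HEAD = rf"([{Q};]*)?\s+(and|or)\s+([\s{Q}]*)?\w+([\s{Q}]*)?"
TAIL = rf"([\s{Q}]*)?\w+([\s{Q}]*)?"
CURRENT = re.compile(HEAD + r"[=<>!]+" + TAIL)
PROPOSED = re.compile(HEAD + r"(?:=|<>|<=>|<|>|!=)" + TAIL)

# Constructed samples: "prose" should not alert, "comparison" should.
SAMPLES = [
    ("terms and conditions apply", "prose"),
    ("salt and pepper => spice", "prose"),
    ("fish and chips!yum", "prose"),
    ("x or a=a", "comparison"),
    ("id=1 and 2<>3", "comparison"),
    ("1 or 5>=3", "comparison"),
]

def evaluate(samples=SAMPLES):
    """Return rows of (text, kind, current_hit, proposed_hit)."""
    return [(t, k, bool(CURRENT.search(t)), bool(PROPOSED.search(t)))
            for t, k in samples]

def summarize(rows):
    """Split matches that disappear into false positives removed and detections lost."""
    changed = [(t, k) for t, k, cur, new in rows if cur and not new]
    return {
        "false_positives_removed": [t for t, k in changed if k == "prose"],
        "detections_lost": [t for t, k in changed if k == "comparison"],
    }

if __name__ == "__main__":
    rows = evaluate()
    for text, kind, cur, new in rows:
        print(f"{kind:10} current={cur!s:5} proposed={new!s:5} {text}")
    print(summarize(rows))
```

On these samples the explicit operator list stops matching runs such as `=>` and a lone `!`, and it also stops matching `>=`, which is not in the list.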
From: Serkan <du...@gm...> - 2011-05-21 14:23:16
|
--23bf125d-B--
GET /test.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: tr
User-Agent: Mozilla/4.0 (compatible; )
Host: example.net
Connection: Keep-Alive

--23bf125d-F--
HTTP/1.1 404 Not Found
Last-Modified: Thu, 19 May 2011 09:28:26 GMT
ETag: "22c034-3bf-4a39da092a280"
Accept-Ranges: bytes
Content-Length: 959
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

--23bf125d-H--
Message: Exec: Execution failed while reading output: /tmp/test.sh (End of file found)
Message: Failed to execute: /tmp/test.sh
Message: Warning. Pattern match "/test\.php" at REQUEST_URI. [file "/etc/apache2/test/mod-security.conf"] [line "24"]
Stopwatch: 1305987060640023 3860 (218 3512 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache

--23bf125d-Z--

---
mod-security.conf line "24"
SecRule REQUEST_URI "/test\.php" "phase:2,t:none,t:lowercase,t:normalisePath,log,exec:/tmp/test.sh"
--
root@example:/tmp# ls -lah /tmp/test.sh
-rwxrwxrwx 1 www-data www-data 38 May 21 17:10 /tmp/test.sh
--
root@example:/tmp# cat test.sh
#!/bin/sh
echo "test" > /tmp/test.txt
--
root@example:/tmp# apache2 -v
Server version: Apache/2.2.16 (Debian)
Server built: Mar 22 2011 20:56:31
--
root@example:/tmp# uname -a
Linux example 2.6.32-5-686 #1 SMP Tue Mar 8 21:36:00 UTC 2011 i686 GNU/Linux

What should I do for solution? |
From: Ranjit J. <ran...@gm...> - 2008-12-07 05:00:33
|
Is there any link available where I can get the in-depth meaning of mod-security rules and a detailed explanation of how it works? |
From: ranjeet j. <ran...@gm...> - 2005-12-05 16:52:06
|
Kindly provide me a list of rules that can be used in mod security to secure a PHP application.

Thanks |