mod-security-users Mailing List for ModSecurity (Page 17)
From: Ervin H. <ai...@gm...> - 2020-11-24 16:23:51
Hi Joshua,

On Tue, Nov 24, 2020 at 12:48:02PM +0000, Joshua Jenner wrote:
> I am using mod security with apache 2. It's working fine but I want to disable one element of the rule MULTIPART_STRICT_ERROR. I want to just disable the Invalid quoting check. I've tried doing this by just deleting the line in my mod_security.conf file.

I'm afraid you can't do this - I mean, you can't "exclude" any item from the list below. If you check the source, MULTIPART_STRICT_ERROR is a "cumulated" variable:

https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/re_variables.c#L1582-L1596

If any variable from that list is set, MULTIPART_STRICT_ERROR also has a non-zero value.

> So just deleting the IQ line from here and restarting apache:
>
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
> failed strict validation:
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

You can do that: make a rule with all the variables that you want to check, e.g.:

SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|...|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "id:200002,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    msg:'Multipart request body failed: PE %{REQBODY_PROCESSOR_ERROR}, \
    .... FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

and DO NOT put MULTIPART_INVALID_QUOTING into the list of variables. (And don't forget to comment out the original rule 200002, or add a unique id.)

Let me know if you have any questions.

a.
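Ervin's approach written out in full, as an added example that is not from the original post: the explicit variable list replaces the cumulated MULTIPART_STRICT_ERROR test and leaves out MULTIPART_INVALID_QUOTING. The variable names and rule id 200002 come from Joshua's rule above; the second rule, its id 200099 and the idea of still logging invalid quoting with `pass` are assumptions added here so the relaxation stays visible in the audit log.

```apache
# Replacement for rule 200002. Comment out (or re-id) the original
# "SecRule MULTIPART_STRICT_ERROR" rule in modsecurity.conf first: a
# duplicate id makes Apache refuse to start.
#
# Every listed variable is tested separately against "!@eq 0", so the rule
# fires when any one of them is non-zero. MULTIPART_INVALID_QUOTING is
# deliberately absent, so an invalid-quoting finding alone no longer
# blocks. "deny" without "status" returns 403 by default.
SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|MULTIPART_DATA_BEFORE|MULTIPART_DATA_AFTER|MULTIPART_HEADER_FOLDING|MULTIPART_LF_LINE|MULTIPART_MISSING_SEMICOLON|MULTIPART_INVALID_PART|MULTIPART_INVALID_HEADER_FOLDING|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "id:200002,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Assumed addition (placeholder id 200099): keep a record of the relaxed
# check. "pass" lets the request through, "log" still writes the match to
# the error log and audit log, so the uploads that needed the exception
# can be reviewed later.
SecRule MULTIPART_INVALID_QUOTING "!@eq 0" \
    "id:200099,\
    phase:2,\
    t:none,\
    log,\
    pass,\
    msg:'Multipart request body has invalid quoting (check relaxed, not blocking)'"
```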
From: Joshua J. <Jos...@uk...> - 2020-11-24 13:04:13
Hi there,
Hope this is the right place to get help - please let me know if I should go somewhere different.
I am using mod security with apache 2. It's working fine but I want to disable one element of the rule MULTIPART_STRICT_ERROR. I want to just disable the Invalid quoting check. I've tried doing this by just deleting the line in my mod_security.conf file.
So just deleting the IQ line from here and restarting apache:
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation:
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
This doesn't seem to disable that and I can only disable this check by commenting out the entire rule which I don't want to do.
Hope this is clear
From: Ervin H. <ai...@gm...> - 2020-11-20 07:16:37
Hi Gábor,
On Thu, Nov 19, 2020 at 07:28:22PM +0100, Frank Gábor wrote:
> Hello,
>
> i have an NGINX setup with many locations. I tried to clean up a bit and
> wanted to move each location to an include file.
>
> nginx.conf file:
>
> load_module modules/ngx_http_modsecurity_module.so; http {
>
> server {
>
> location / { modsecurity on;
> modsecurity_rules_file /nginx/conf/modsecurity.conf;
>
> ... }
> }
>
> }
>
> Now if i try to move the location block to a separate file, lets say
> "loacationA.conf", and include it in the nginx.conf like nginx.conf file:
If "locationA.conf" is in the same directory as "nginx.conf", it
will be loaded earlier. But nginx loads the module later.
Just an idea...
a.
From: Frank G. <fra...@gm...> - 2020-11-19 18:28:51
Hello,

I have an NGINX setup with many locations. I tried to clean up a bit and wanted to move each location to an include file.

nginx.conf file:

load_module modules/ngx_http_modsecurity_module.so;
http {
    server {
        location / {
            modsecurity on;
            modsecurity_rules_file /nginx/conf/modsecurity.conf;
            ...
        }
    }
}

Now if I try to move the location block to a separate file, let's say "locationA.conf", and include it in the nginx.conf like this:

nginx.conf file:

load_module modules/ngx_http_modsecurity_module.so;
http {
    server {
        include locationA.conf;
    }
}

nginx -t gives me the error:

nginx: [emerg] unknown directive "modsecurity" in /nginx/conf/locationA.conf:1

Thank you,
Franky

--
Frank Gábor
From: Robert P. <rpa...@fe...> - 2020-11-18 18:29:02
With Nginx, there is no way to have modsec expose any environment variable
into the process, so the Apache hack won't work.

Is there any reason you couldn't write a no-op modsec rule that matches on
that header value and writes the match value as part of the log msg?
On Wed, Nov 18, 2020 at 9:21 AM Alexandre Schaff <ale...@gm...>
wrote:
> Bonjour,
> ( Same, no nginx good knowledge, no modsecv3 usage. )
> There is a less dirty trick for apache/modsecv2.
> Playing with apache hook mechanisms.
> Consider testing around that sample:
> # set header in early hook: before modsec phase:2
> RequestHeader set "X-CLIENT-I-DN-CN" "%{SSL_CLIENT_I_DN_CN}s" early
> # remove if null
> RequestHeader edit "X-CLIENT-I-DN-CN" "\(null\)" "" early
> # use in modsec phase:2 hook. If ok, maybe do some ctl combo, skipafter,
> setvar, deny if not the one desired...
> # debug on : SecAction
> "id:1234,phase:2,nolog,noauditlog,ctl:debuglogLevel=9,pass"
> SecRule REQUEST_HEADERS:X-CLIENT-I-DN-CN "@rx .*" \
> "id:666,\
> phase:2,\
> pass,\
> log,noauditlog,\
> msg:'found X-CLIENT-I-DN-CN is %{MATCHED_VAR}',\
> setenv:DNCN=%{MATCHED_VAR}"
> # debug off: SecAction "id:4321,phase:2,ctl:debuglogLevel=0,pass"
> # header is no more needed
> RequestHeader unset "X-CLIENT-I-DN-CN"
> LogFormat "[whatever your logformat is] [%{DNCN}e]" vhost_common
>
> br,
> Alexandre.
From: Alexandre S. <ale...@gm...> - 2020-11-18 17:20:34
Hello,

(Same here: no good nginx knowledge, no modsecv3 usage.)

There is a less dirty trick for apache/modsecv2, playing with apache hook mechanisms. Consider testing around that sample:

# set header in early hook: before modsec phase:2
RequestHeader set "X-CLIENT-I-DN-CN" "%{SSL_CLIENT_I_DN_CN}s" early
# remove if null
RequestHeader edit "X-CLIENT-I-DN-CN" "\(null\)" "" early
# use in modsec phase:2 hook. If ok, maybe do some ctl combo, skipafter, setvar, deny if not the one desired...
# debug on : SecAction "id:1234,phase:2,nolog,noauditlog,ctl:debuglogLevel=9,pass"
SecRule REQUEST_HEADERS:X-CLIENT-I-DN-CN "@rx .*" \
    "id:666,\
    phase:2,\
    pass,\
    log,noauditlog,\
    msg:'found X-CLIENT-I-DN-CN is %{MATCHED_VAR}',\
    setenv:DNCN=%{MATCHED_VAR}"
# debug off: SecAction "id:4321,phase:2,ctl:debuglogLevel=0,pass"
# header is no longer needed
RequestHeader unset "X-CLIENT-I-DN-CN"
LogFormat "[whatever your logformat is] [%{DNCN}e]" vhost_common

br,
Alexandre.
On Wed, Nov 18, 2020 at 9:25 AM Christian Folini <
chr...@ne...> wrote:
> Hey Matt,
>
> I am not very well versed in things NGINX. But it is not as obvious as it
> seems.
>
> Conceptually, there are at least two ways here:
> (1) Have ModSec access the SSL variable and write it into the msg / logdata
> of a rule
> (2) Have ModSec access the HTTP request variable and write it into the
> msg / logdata of a rule
> (3) Dirty hack
>
> Now (2) is blocked as new headers added by the webserver itself are not
> accessible from ModSec. At least this is what the situation is on
> Apache/ModSec2. It might be different on NGINX, but you ought to try it.
>
> (1) on the other hand is tricky as ModSec needs a way to access the mod_ssl
> variables. But as far as I know, this is not implemented.
>
> (3) There is a dirty hack that I sometimes use on Apache: I add stuff via
> mod_headers, then I proxy onto the same Apache (different port) and there,
> the new header becomes available, then I'm ready to proxy to the backend.
>
> Cheers,
>
> Christian
>
From: Christian F. <chr...@ne...> - 2020-11-18 08:22:05
Hey Matt,
I am not very well versed in things NGINX. But it is not as obvious as it
seems.
Conceptually, there are at least two ways here:
(1) Have ModSec access the SSL variable and write it into the msg / logdata
of a rule
(2) Have ModSec access the HTTP request variable and write it into the
msg / logdata of a rule
(3) Dirty hack
Now (2) is blocked as new headers added by the webserver itself are not
accessible from ModSec. At least this is what the situation is on
Apache/ModSec2. It might be different on NGINX, but you ought to try it.
(1) on the other hand is tricky as ModSec needs a way to access the mod_ssl
variables. But as far as I know, this is not implemented.
(3) There is a dirty hack that I sometimes use on Apache: I add stuff via
mod_headers, then I proxy onto the same Apache (different port) and there,
the new header becomes available, then I'm ready to proxy to the backend.
Cheers,
Christian
On Tue, Nov 17, 2020 at 02:04:10PM +0000, Matt Ward wrote:
> I am hoping this is a relatively straight forward question, but I have been struggling with it for some time and cannot find any examples online.
>
> We are using ModSecurity 3.04 with NGINX and trying to get a custom header written to the audit log with every transaction. Essentially, we want to write the $ssl_client_s_dn_cn variable to the audit log which is populated by the users PKI certificate when they login through a reverse proxy. This info is set in a header to available to applications so if you had something similar to:
>
> proxy_set_header ClientUsername $ssl_client_s_dn_cn.
>
> How would you craft a modsec rule to write client username to the audit log?
>
> Thanks in advance,
>
> Matt
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Matt W. <mat...@ho...> - 2020-11-17 14:36:59
I am hoping this is a relatively straightforward question, but I have been struggling with it for some time and cannot find any examples online.

We are using ModSecurity 3.04 with NGINX and trying to get a custom header written to the audit log with every transaction. Essentially, we want to write the $ssl_client_s_dn_cn variable to the audit log, which is populated by the user's PKI certificate when they login through a reverse proxy. This info is set in a header to be available to applications, so if you had something similar to:

proxy_set_header ClientUsername $ssl_client_s_dn_cn;

How would you craft a modsec rule to write the client username to the audit log?

Thanks in advance,

Matt
From: Christian F. <chr...@ne...> - 2020-11-16 09:57:27
Hey Henrik,

I get the feeling you never got a response for this.

ModSec3 on Apache is not stable. The connector is in beta. It's better you run ModSec2 on Apache, which is also the reference platform for the Core Rule Set.

I am not entirely sure, but I would not be surprised if your problem would go away with the downgrade too.

Ahoj,

Christian

On Wed, Nov 04, 2020 at 11:48:42AM +0100, Henrik Rosenke wrote:
> Hello,
>
> I am new to modsecurity and just started with modsecurity3 and apache on FreeBSD.
>
> I want to log the X-Forwarded-For IP if a rule matches, but remote.addr is only returning the IP of our reverse proxy. Apache is configured with mod_remoteip and shows the right client IP. In modsecurity 2 there seems to be "useragent_ip" to access this address but this isn't working in modsecurity3. What is the right approach to log the right client IP with modsecurity3?
>
> Greetings, Henrik Rosenke
From: Henrik R. <ro...@ds...> - 2020-11-04 11:05:20
Hello,

I am new to modsecurity and just started with modsecurity3 and apache on FreeBSD.

I want to log the X-Forwarded-For IP if a rule matches, but remote.addr is only returning the IP of our reverse proxy. Apache is configured with mod_remoteip and shows the right client IP. In modsecurity 2 there seems to be "useragent_ip" to access this address but this isn't working in modsecurity3. What is the right approach to log the right client IP with modsecurity3?

Greetings, Henrik Rosenke
From: micah a. <mi...@ri...> - 2020-11-02 22:06:06
Hi,

I'd like to make the following a bit better:

SecRuleUpdateTargetById 942260 !ARGS:password
SecRuleUpdateTargetById 942430 !ARGS:password
SecRuleUpdateTargetById 941310 !ARGS:password

To override those rules for passwords submitted to my application, which are incorrectly triggering those rules (see below). However, I wanted to scope it more narrowly by doing something like:

SecRule REQUEST_URI "@strEq /session" "phase:2,log,pass,id:442200,ctl:ruleRemoveTargetById=942260;ARGS:password"
SecRule REQUEST_URI "@strEq /session" "phase:2,log,pass,id:442201,ctl:ruleRemoveTargetById=942430;ARGS:password"
SecRule REQUEST_URI "@strEq /session" "phase:2,log,pass,id:442202,ctl:ruleRemoveTargetById=941310;ARGS:password"

but when I put these into place, they do not seem to work. This is the log from when it's caught (I've replaced sensitive things with xxx):

--2722c108-A--
[02/Nov/2020:12:54:08 --0800] X6Bx8Mb8mfcAAAeXNtcAAAAO 127.0.0.1 52022 127.0.0.1 80
--2722c108-B--
POST /session HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 388
Origin: http://xxx
Connection: keep-alive
Cookie: nest_session=xxx
Upgrade-Insecure-Requests: 1

--2722c108-C--
utf8=%E2%9C%93&authenticity_token=xxx&username=yyy&password=asdasdasd&button=

--2722c108-F--
HTTP/1.1 403 Forbidden
Content-Length: 327
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--2722c108-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at xxx Port 80</address>
</body></html>

--2722c108-H--
Message: Pattern match "xxx" at ARGS:password. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "552"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: xxx found within ARGS:password: xxx"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Action: Intercepted (phase 2)
Stopwatch: 1604350448184704 14273 (- - -)
Stopwatch2: 1604350448184704 14273; combined=12511, p1=1103, p2=10834, p3=0, p4=0, p5=573, sr=94, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: Apache/2.4.25 (Debian)
Engine-Mode: "ENABLED"

--
micah
From: Christian F. <chr...@ne...> - 2020-10-21 20:24:42
Thanks for that link Paul. The idea seems to be that you ban / unban IPs based on a curl request from localhost and then the IP collection. That is quite neat and I had not thought of that.

If you can then trigger these requests instead from localhost from the twin server, then this is likely to work - unless you are under a DoS.

Best,

Christian

On Wed, Oct 21, 2020 at 02:38:39PM +0000, Paul Beckett wrote:
> Christian,
> Many thanks for your comments, really appreciate it.
>
> I agree with your suggestion that for DOS protection moving this upstream and using Fail2Ban / network firewall makes more sense.
>
> I have some other use cases which aren't suited to outright banning though. After about a day of searching and trying several different things (trying to reinitialise IP which I've discovered is impossible, or trying to find a way to modify it from lua..... none of which worked).... I stumbled across this: https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity . Essentially it's putting a SecRule before everything else that will conditionally initcol IP to be ARGS:ip. As long as that doesn't match it gets initialised by a later rule to REMOTE_IP. Some quick testing seems to suggest it works, and can be easily adapted to my needs.
>
> Can you see any problems with this approach?
>
> Thanks,
> Paul
From: Paul B. <pau...@ou...> - 2020-10-21 14:39:09
Christian,

Many thanks for your comments, really appreciate it.

I agree with your suggestion that for DOS protection moving this upstream and using Fail2Ban / network firewall makes more sense.

I have some other use cases which aren't suited to outright banning though. After about a day of searching and trying several different things (trying to reinitialise IP which I've discovered is impossible, or trying to find a way to modify it from lua..... none of which worked).... I stumbled across this: https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity . Essentially it's putting a SecRule before everything else that will conditionally initcol IP to be ARGS:ip. As long as that doesn't match it gets initialised by a later rule to REMOTE_IP. Some quick testing seems to suggest it works, and can be easily adapted to my needs.

Can you see any problems with this approach?

Thanks,
Paul

________________________________
From: Christian Folini <chr...@ne...>
Sent: 21 October 2020 07:30
To: mod...@li... <mod...@li...>
Subject: Re: [mod-security-users] Create rule to manually manipulate a collection

Hey Paul,

The code that handles the collections stored on disk is known to be fairly brittle. I am quite sure you can manipulate the collections via script - but I would be surprised if Apache / ModSec could handle the results without segfaults or other bumps. I mean this is stored in memory and casually writing to disk. So if you change the disk, it's either overwritten, or Apache bumps into you locking the file, whatever. I do not think it is going to read the file anew during normal operation.

As this is about IP blacklisting, it's probably performance relevant. If it's not, then branch out to a lua routine and have lua + db handle the stuff. If it is performance relevant, I think you should handle it in front of ModSec.

What I have built before is ModSec->Log->Fail2Ban. But it is relatively simple to do ModSec->Log->TransferLogTo2ndHost->Fail2Ban. Alternatively, do ModSec->Log->TransferLogToNetworkFirewall->BanOnFirewall.

Just my 2 cents,

Christian

On Tue, Oct 20, 2020 at 01:02:21PM +0000, Paul Beckett wrote:
> I'm currently trying to work out if there is a way I can manually manipulate a collection, and also use this to enable two or more Apache servers to interact with each other, so that IP deny lists could be synchronised with each other.
>
> I'm starting from looking at the CRS Denial-of-service rule. I'd like to be able to manually add or remove an IP from the list.
>
> My current thoughts were to use some administrative URL's (appropriately authenticated / protected):
> <protocol://<host>/ip/block/<ip>
> <protocol://<host>/ip/unblock/<ip>
>
> And have Modsecurity rules capture the IP out of the URL (or from a POST parameter), and use this to manipulate the IP collection.
>
> I've been trying unsuccessfully to find any examples of doing something like this. There seems to be two main challenges, which I'm not sure if there's a way to achieve:
> 1) Using ModSecurity (or other apache module) capture the IP from the URL (or another element eg. POST parameter of the request)
> 2) Use captured IP value to manipulate ip.dos_block - (using captured value rather than the requesting IP)
>
> I'm assuming that to create the synchronisation between two or more servers I'd then have to create a rule using lua to GET/POST request to the other servers.
>
> Any help would be greatly appreciated. Thanks, Paul
|
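The conditional-initcol approach Paul describes, written out as an added example (not code from the thread or from the article he links) with the source restriction and IP validation a practitioner would want around it; the admin host, paths, rule IDs and the plain-address collection key are assumptions:

```apache
# Added example, not code from the thread or from the CodeProject article
# Paul links: an admin-only endpoint that marks an arbitrary address as
# DoS-blocked by initialising the IP collection for *that* address before
# the ruleset's own initcol runs. ModSecurity 2.x ignores a second initcol
# for a collection that is already initialised, so the later rule keeps
# the key chosen here.
#
# Assumptions (placeholders, not from the thread):
#   - the admin host is 10.0.0.5 and /ip/block and /ip/unblock also sit
#     behind the web server's own authentication; the rule trusts ARGS:ip,
#     so the source check and that authentication are what keep it safe;
#   - the ruleset keys the IP collection on the plain address. CRS 3.x
#     uses %{tx.real_ip}_%{tx.ua_hash}, so with CRS the key passed to
#     initcol must be built the same way or the DoS rule reads a
#     different record;
#   - rule IDs 10001/10002 are free in the local range.
# Include this file before the ruleset so these rules run first in phase 1.

# Block:   GET /ip/block?ip=203.0.113.7   (203.0.113.0/24 is RFC 5737 space)
# Only the chain starter carries id, phase and the disruptive action;
# the non-disruptive actions sit on the last link so they run only when
# every link has matched. Action order within a rule is preserved, so
# initcol happens before setvar touches ip.dos_block.
SecRule REQUEST_URI "@rx ^/ip/block(?:\?|$)" \
    "id:10001,phase:1,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" "chain"
    SecRule ARGS:ip "@rx ^((?:\d{1,3}\.){3}\d{1,3})$" \
        "capture,\
        initcol:ip=%{TX.1},\
        setvar:ip.dos_block=1,\
        expirevar:ip.dos_block=600"

# Unblock: GET /ip/unblock?ip=203.0.113.7
SecRule REQUEST_URI "@rx ^/ip/unblock(?:\?|$)" \
    "id:10002,phase:1,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" "chain"
    SecRule ARGS:ip "@rx ^((?:\d{1,3}\.){3}\d{1,3})$" \
        "capture,\
        initcol:ip=%{TX.1},\
        setvar:!ip.dos_block"

# Every other request reaches the ruleset's normal initcol unchanged,
# e.g. (stand-in for the ruleset's own rule, not part of this file):
# SecAction "id:10003,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
```

Christian's caution above still applies: the change is persisted when the transaction ends, through the same on-disk collection code, so watch the error log for collection write failures after deploying this.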
From: Christian F. <chr...@ne...> - 2020-10-21 06:30:40

Hey Paul,

The code that handles the collections stored on disk is known to be fairly brittle. I am quite sure you can manipulate the collections via script - but I would be surprised if Apache / ModSec could handle the results without segfaults or other bumps. I mean this is stored in memory and casually written to disk. So if you change the disk, it's either overwritten, or Apache bumps into you locking the file, whatever. I do not think it is going to read the file anew during normal operation.

As this is about IP blacklisting, it's probably performance relevant. If it's not, then branch out to a lua routine and have lua + db handle the stuff. If it is performance relevant, I think you should handle it in front of ModSec. What I have built before is ModSec->Log->Fail2Ban. But it is relatively simple to do ModSec->Log->TransferLogTo2ndHost->Fail2Ban. Alternatively, do ModSec->Log->TransferLogToNetworkFirewall->BanOnFirewall.

Just my 2 cents,

Christian

On Tue, Oct 20, 2020 at 01:02:21PM +0000, Paul Beckett wrote:
> I'm currently trying to work out if there is a way I can manually manipulate
> a collection, and also use this to enable two or more Apache servers to
> interact with each other, so that IP deny lists could be synchronised with
> each other.
>
> I'm starting from looking at the CRS Denial-of-service rule. I'd like to be
> able to manually add or remove an IP from the list.
>
> My current thoughts were to use some administrative URLs (appropriately
> authenticated / protected):
> <protocol>://<host>/ip/block/<ip>
> <protocol>://<host>/ip/unblock/<ip>
>
> And have ModSecurity rules capture the IP out of the URL (or from a POST
> parameter), and use this to manipulate the IP collection.
>
> I've been trying unsuccessfully to find any examples of doing something like
> this. There seem to be two main challenges, which I'm not sure if there's a
> way to achieve:
> 1) Using ModSecurity (or other apache module) capture the IP from the URL
> (or another element, e.g. POST parameter of the request)
> 2) Use captured IP value to manipulate ip.dos_block - (using captured value
> rather than the requesting IP)
>
> I'm assuming that to create the synchronisation between two or more servers
> I'd then have to create a rule using lua to GET/POST request to the other
> servers.
>
> Any help would be greatly appreciated.
>
> Thanks,
> Paul
From: Paul B. <pau...@ou...> - 2020-10-20 13:02:45

I'm currently trying to work out if there is a way I can manually manipulate a collection, and also use this to enable two or more Apache servers to interact with each other, so that IP deny lists could be synchronised with each other.

I'm starting from looking at the CRS Denial-of-service rule. I'd like to be able to manually add or remove an IP from the list.

My current thoughts were to use some administrative URLs (appropriately authenticated / protected):
<protocol>://<host>/ip/block/<ip>
<protocol>://<host>/ip/unblock/<ip>

And have ModSecurity rules capture the IP out of the URL (or from a POST parameter), and use this to manipulate the IP collection.

I've been trying unsuccessfully to find any examples of doing something like this. There seem to be two main challenges, which I'm not sure if there's a way to achieve:
1) Using ModSecurity (or other apache module) capture the IP from the URL (or another element, e.g. POST parameter of the request)
2) Use captured IP value to manipulate ip.dos_block - (using captured value rather than the requesting IP)

I'm assuming that to create the synchronisation between two or more servers I'd then have to create a rule using lua to GET/POST request to the other servers.

Any help would be greatly appreciated.

Thanks,
Paul
From: Jasper W. <ja...@po...> - 2020-10-11 19:27:56

On Sun, 11 Oct 2020, Manuel Spartan wrote:
> Hi, what is your SecAuditLogParts configuration?

It's:

SecAuditLogParts ABIJDFHKZ

--
[http://pointless.net/] [0x416333590FC0E569]
From: Manuel S. <spa...@gm...> - 2020-10-11 15:06:32

Hi, what is your SecAuditLogParts configuration?

Cheers!

Sent from my iPhone

> On Oct 10, 2020, at 11:15 PM, Jasper Wallace <ja...@po...> wrote:
>
> Hi,
>
> I'm using apache 2.4.10 (from Debian) and mod_security 2.8.0-3.
>
> I've got someone POST'ing annoying things to a particular URI, luckily
> with a consistent user-agent, I've blocked them with (inside
> <VirtualHost/>):
>
> SetEnvIfNoCase User-Agent "^badua/" bad_bot
>
> <Directory "/usr/lib/cgi-bin/thing/">
>     Options FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     Deny from env=bad_bot
> </Directory>
>
> I'd like to see what it is they are POST'ing and I'm trying to config
> mod_security to grab them.
>
> Then in the mod_security config I've got:
>
> SecRequestBodyAccess On
> SecDefaultAction "nolog,noauditlog,allow,phase:2"
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> # Log everything we know about a transaction.
> SecAuditLogParts ABIJDFHKZ
> SecAuditLogType Serial
> SecAuditLog /var/log/apache2/modsec_audit.log
>
> SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,nolog,auditlog,id:123,msg:'POST request log'"
> SecRule REQUEST_URI "^/path/.*" "ctl:auditEngine=On,nolog,auditlog"
>
> But that doesn't log the request body, and only logs because the deny triggers
> a response with a 403 result code which hits the
> SecAuditLogRelevantStatus.
>
> The rules only work for 200 ok responses.
>
> Looking at the debug logs I can see that the blocked requests don't get a
> "phase REQUEST_BODY", so I guess apache rejects the request before it
> reads the request body.
>
> I guess to fix this I have to remove the Deny rule in the apache config
> and do the matching on the user-agent in the mod_security rules?
>
> With something like:
>
> SecRule REQUEST_METHOD "^POST$" "chain,deny,status:403,phase:2,log,auditlog,id:123,msg:'POST request log'"
> SecRule REQUEST_URI "^/path/.*" "chain,id:124,ctl:auditEngine=On,nolog,auditlog"
> SecRule REQUEST_HEADERS:User-Agent "^badua/" "id:125,ctl:auditEngine=On,nolog,auditlog"
>
> (I'm not clear on where the deny, auditlog and / or ctl:auditEngine=On go)
>
> Is that the best way to handle it?
>
> How does blocking things in the request body phase work with CGIs - is
> the script already running at that point?
>
> --
> [http://pointless.net/] [0x416333590FC0E569]
From: Jasper W. <ja...@po...> - 2020-10-11 03:11:03

Hi,

I'm using apache 2.4.10 (from Debian) and mod_security 2.8.0-3.

I've got someone POST'ing annoying things to a particular URI, luckily
with a consistent user-agent, I've blocked them with (inside
<VirtualHost/>):

SetEnvIfNoCase User-Agent "^badua/" bad_bot

<Directory "/usr/lib/cgi-bin/thing/">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Deny from env=bad_bot
</Directory>

I'd like to see what it is they are POST'ing and I'm trying to config
mod_security to grab them.

Then in the mod_security config I've got:

SecRequestBodyAccess On
SecDefaultAction "nolog,noauditlog,allow,phase:2"

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,nolog,auditlog,id:123,msg:'POST request log'"
SecRule REQUEST_URI "^/path/.*" "ctl:auditEngine=On,nolog,auditlog"

But that doesn't log the request body, and only logs because the deny triggers
a response with a 403 result code which hits the
SecAuditLogRelevantStatus.

The rules only work for 200 ok responses.

Looking at the debug logs I can see that the blocked requests don't get a
"phase REQUEST_BODY", so I guess apache rejects the request before it
reads the request body.

I guess to fix this I have to remove the Deny rule in the apache config
and do the matching on the user-agent in the mod_security rules?

With something like:

SecRule REQUEST_METHOD "^POST$" "chain,deny,status:403,phase:2,log,auditlog,id:123,msg:'POST request log'"
SecRule REQUEST_URI "^/path/.*" "chain,id:124,ctl:auditEngine=On,nolog,auditlog"
SecRule REQUEST_HEADERS:User-Agent "^badua/" "id:125,ctl:auditEngine=On,nolog,auditlog"

(I'm not clear on where the deny, auditlog and / or ctl:auditEngine=On go)

Is that the best way to handle it?

How does blocking things in the request body phase work with CGIs - is
the script already running at that point?

--
[http://pointless.net/] [0x416333590FC0E569]
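As an added example, not code from the thread, here is the rule chain Jasper sketches arranged as ModSecurity 2.x requires: Apache's Deny runs in the access-check hook ahead of ModSecurity's phase 2, so the body is never read, and moving the user-agent match into the chain lets ModSecurity read and log the body before refusing the request. The "badua/" prefix, /path/ and the audit-log settings are Jasper's; the rule ID is a placeholder.

```apache
# Added example, not code from the thread: the phase-2 chain Jasper
# sketches, arranged as ModSecurity 2.x requires. The Apache-level
# "Deny from env=bad_bot" runs in the access-check hook, ahead of
# ModSecurity's phase 2, so the body is never read; matching the
# user-agent here instead lets ModSecurity read and log the body first.
# Phase 2 completes before the content handler runs, so the CGI has not
# been started when a phase-2 deny fires.
#
# Assumptions: the "badua/" prefix, the /path/ prefix and the audit-log
# settings come from Jasper's post; rule ID 10010 is a placeholder.

SecRuleEngine On
SecRequestBodyAccess On                 # phase 2 cannot see the body without it
SecDefaultAction "phase:2,pass,nolog,noauditlog"

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDFHKZ              # part I carries the request body
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# id, phase, msg, log/auditlog and the disruptive action belong on the
# chain starter only; they take effect once every link has matched.
# A middle link carries just "chain". ctl:auditEngine=On is a
# non-disruptive action and may sit on the last link, where it applies
# only to a full match. Here it is belt-and-braces: the 403 already hits
# SecAuditLogRelevantStatus, and a matching rule with log,auditlog marks
# the transaction relevant on its own.
SecRule REQUEST_METHOD "@streq POST" \
    "id:10010,phase:2,deny,status:403,log,auditlog,\
    msg:'badua POST to /path/ captured in audit log',chain"
    SecRule REQUEST_URI "@beginsWith /path/" "chain"
    SecRule REQUEST_HEADERS:User-Agent "@rx ^badua/" \
        "t:none,t:lowercase,ctl:auditEngine=On"
```

With the Apache Deny removed, legitimate clients on /path/ are no longer affected by the directory-level access control, so this chain is the only thing keeping the bad user-agent out; keep the SetEnvIfNoCase line only if something else still uses the bad_bot variable.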
From: Chuck N. <chu...@gm...> - 2020-10-05 18:07:27

It's starting to make sense to me now that I've read the replies. I did see that you could use * in logrotate but wasn't sure what to do with the leftover directories. I can just have a cron job delete them like Homesh recommended. I originally had set up a cron job to gzip the entire day's directory and have logrotate operate on that every so often.

Thanks for the help!

Chuck

On Mon, Oct 5, 2020 at 1:48 PM Robert Paprocki <rpa...@fe...> wrote:
> Hi Chuck,
>
> On Mon, Oct 5, 2020 at 7:34 AM Chuck Nemeth <chu...@gm...> wrote:
>
>> logrotate does not operate on directories, it only works on files (but I
>> haven't tested to verify). Since the directories are nested when using
>> Concurrent logging, I wasn't sure if logrotate would be able to rotate
>> the whole directory or if there was a recommended approach
>
> You can configure logrotate to use glob matching to match all files in a
> directory. See https://unix.stackexchange.com/a/83859
From: Robert P. <rpa...@fe...> - 2020-10-05 17:45:44

Hi Chuck,

On Mon, Oct 5, 2020 at 7:34 AM Chuck Nemeth <chu...@gm...> wrote:
> logrotate does not operate on directories, it only works on files (but I
> haven't tested to verify). Since the directories are nested when using
> Concurrent logging, I wasn't sure if logrotate would be able to rotate
> the whole directory or if there was a recommended approach

You can configure logrotate to use glob matching to match all files in a directory. See https://unix.stackexchange.com/a/83859
From: homesh j. <ho...@gm...> - 2020-10-05 17:11:55

Hi,

Since it is concurrent logs, new logs will go in a separate directory, e.g. 20201005. Post gzip of logs to a separate directory, you may delete the old directories completely. I run a script every day that keeps the last 2 days' directories and removes older ones.

Thanks,
Homesh

On Mon 5 Oct, 2020, 7:10 PM Chuck Nemeth, <chu...@gm...> wrote:
> Hello!
>
> I'm in the process of implementing modsecurity on my website and am
> wondering if there's a best practice in regards to rotating the
> concurrent logs.
>
> My current idea is to have a cron job that will run a script to gzip the
> daily directories and then use logrotate on them.
>
> If anyone has any other suggestions I would really appreciate it.
>
> Thanks in advance!
>
> Chuck
From: Chuck N. <chu...@gm...> - 2020-10-05 14:34:18

Thanks for the reply!

From the information I've gathered while researching possible solutions, logrotate does not operate on directories, it only works on files (but I haven't tested to verify). Since the directories are nested when using Concurrent logging, I wasn't sure if logrotate would be able to rotate the whole directory or if there was a recommended approach.

I've read through the netnea tutorial and purchased the modsecurity handbook from feistyduck but didn't see any mention in either resource as to rotating the logs.

On 10/5/20 9:48 AM, Christian Varas via mod-security-users wrote:
> Hi, using logrotate is the way to go.
>
> Cheers.
>
>> On 05-10-2020, at 10:39, Chuck Nemeth <chu...@gm...> wrote:
>> Hello!
>>
>> I'm in the process of implementing modsecurity on my website and am wondering if there's a best practice in regards to rotating the concurrent logs.
>>
>> My current idea is to have a cron job that will run a script to gzip the daily directories and then use logrotate on them.
>>
>> If anyone has any other suggestions I would really appreciate it.
>>
>> Thanks in advance!
>>
>> Chuck
From: Christian V. <cv...@it...> - 2020-10-05 14:22:31

Hi, using logrotate is the way to go.

Cheers.

> On 05-10-2020, at 10:39, Chuck Nemeth <chu...@gm...> wrote:
> Hello!
>
> I'm in the process of implementing modsecurity on my website and am wondering if there's a best practice in regards to rotating the concurrent logs.
>
> My current idea is to have a cron job that will run a script to gzip the daily directories and then use logrotate on them.
>
> If anyone has any other suggestions I would really appreciate it.
>
> Thanks in advance!
>
> Chuck
From: Chuck N. <chu...@gm...> - 2020-10-05 13:36:19

Hello!

I'm in the process of implementing modsecurity on my website and am wondering if there's a best practice in regards to rotating the concurrent logs.

My current idea is to have a cron job that will run a script to gzip the daily directories and then use logrotate on them.

If anyone has any other suggestions I would really appreciate it.

Thanks in advance!

Chuck
From: Christian F. <chr...@ne...> - 2020-10-04 19:08:05
Hi Mikaël,
On Sun, Oct 04, 2020 at 06:22:16PM +0200, Mikaël Pirio wrote:
> I see this in OWASP rule but i don't understand it: initcol:global=global
> When I Want to init a collection, I use initcol:ip=%{...}. Why not use %{
> ... } here?
The IP collection and the global collection are two different kinds of
persistent ModSec storage collections (also see USER, SESSION and RESOURCE).
And each of these collections has a specific method to be initialized.
This is the way you initialize the global collection.
The next question is, why CRS would initialize the global collection in the
first place. We're not using it actively after all. Need to check with the
team.
Cheers,
Christian
>
> Thanks,