mod-security-users Mailing List for ModSecurity (Page 4)
From: Christian F. <chr...@ne...> - 2024-01-29 07:44:41

Hey Homesh,

This is very much an Apache question. Please address it to the Apache user's mailing list or some other Apache forum.

With that being said, it's a very odd behavior, I have never seen.

Best,

Christian

On Mon, Jan 29, 2024 at 12:31:13PM +0530, homesh joshi wrote:
> Hi All,
>
> I am not sure if this is a modsec issue as I have tested it by disabling
> the modsec still I face this issue.
> I have apache setup in reverse proxy configuration with proxy timeout set
> as 20 sec.
> For one website request for /favicon.ico takes 20 sec. If I reduce the
> proxy timeout to 2 sec then request for favicon.ico takes 2 sec. I put the
> proxy module log level to trace 8 and apache log level to debug. But still
> I am not able to find why apache waits for timeout. Attached are the logs
> for your reference.
>
> Thanks in advance.
> Homesh
From: homesh j. <ho...@gm...> - 2024-01-29 07:01:33

Hi All,

I am not sure if this is a modsec issue as I have tested it by disabling the modsec still I face this issue.
I have apache setup in reverse proxy configuration with proxy timeout set as 20 sec.
For one website request for /favicon.ico takes 20 sec. If I reduce the proxy timeout to 2 sec then request for favicon.ico takes 2 sec. I put the proxy module log level to trace 8 and apache log level to debug. But still I am not able to find why apache waits for timeout. Attached are the logs for your reference.

Thanks in advance.
Homesh
From: Ervin H. <ai...@gm...> - 2024-01-11 13:48:10

Hi all,

(sorry for the crosspost)

Perhaps most users read the news: Trustwave transfers ModSecurity custodianship to the OWASP (Open Worldwide Application Security Project). This means the development of ModSecurity (mod_security2 Apache module, libmodsecurity3 library and libnginx-mod-http-modsecurity Nginx module) will continue under the umbrella of OWASP.

Here are the announcements:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-transfers-modsecurity-custodianship-to-the-open-worldwide-application-security-project/
https://owasp.org/blog/2024/01/09/ModSecurity.html

There is a public channel on OWASP's Slack workspace, called #project-modsecurity. You can join the workspace here: https://owasp.org/slack/invite. Feel free to join that channel if you have any questions/ideas, or want to participate in the development of any component.

Regards,
a.
From: Andrew H. <and...@ow...> - 2023-10-26 21:34:37

The OWASP ModSecurity Core Rule Set (CRS) team is proud to announce the availability of release candidate 2 (RC2) of the upcoming CRS v4.0.0 release.

The release candidate is available for download as a 'release' from our GitHub repository:

* https://github.com/coreruleset/coreruleset/releases/tag/v4.0.0-rc2

This new release candidate includes over 230 changes. Some of the important changes include:

* Add new rule 920620 to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (Andrea Menin)
* Extend definition of restricted headers to include Content-Encoding and Accept-Charset by default (Walter Hop)
* Migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe)
* Add support for HTTP/3 (Jozef Sudolský)
* Add enable_default_collections flag to not initialize collections by default (Matteo Pace)
* Switch to using wordnet instead of spell for finding English words in spell.sh utility (Max Leske)

Refer to the CHANGES.md file in the release for the full list of changes.

It is important to note that this new release candidate is *significantly different to the first release candidate* which was announced and made available[1] back in April 2022. Two days after the v4.0.0 RC1 release, the CRS project participated in a bug bounty program[2] in April-May 2022 which resulted in 175 security findings being reported. The decision was made to fix the findings in full for the v4.0.0 release, rather than release a half-baked version 4.0 with many newly discovered holes.

The fixes required a *significant* amount of work over many months. It was sometimes the case that adding the required new detection would cause unforeseen problems, such as introducing new false positives which then needed to be addressed. Fixing all of the security findings in full required the development of new tooling, new rules, new tests, and new approaches. This all took a lot of time to complete to the high standard expected from the CRS project, resulting in an unfortunate delay to v4.0.0.

As a result of fixing the security findings, the RC2 release features *a lot of new detection capability*. It is highly likely that *new false positives will continue to appear* as a result, so it is very important for this new release candidate to be tested as widely as possible.

*Please test this new release candidate* and report any false positives encountered via GitHub (https://github.com/coreruleset/coreruleset/). All feedback and reports are gratefully received and will help to make the final v4.0.0 release the best and most comprehensive CRS release ever!

Sincerely,
Andrew Howe
on behalf of the Core Rule Set development team

---
[1]: https://coreruleset.org/20220428/coreruleset-v4-rc1-available
[2]: https://coreruleset.org/20230509/what-we-learnt-from-our-bug-bounty-program-its-not-for-the-faint-of-heart
From: <az...@po...> - 2023-09-26 11:00:33

Hi,

try CRS but you will need a few exclusion rules to make it work properly.

Quoting 현 <co...@gm...>:
> I'm looking for a RuleSet that can defend Magento.
From: 현 <co...@gm...> - 2023-09-26 07:01:44

I'm looking for a RuleSet that can defend Magento.
From: Andrew H. <rub...@gm...> - 2023-07-24 19:12:59

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5.

For downloads and installation instructions, please refer to the Installation page (https://coreruleset.org/installation/).

This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers. See: https://coreruleset.org/20230717/cve-2023-38199-multiple-content-type-headers/

Aside from the security fix, a few other minor, non-breaking changes and improvements are also included in this release. The full changes are as follows:

* Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría)
* Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
* Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)
* Clean up redundant paranoia level tags (Ervin Hegedus)
* Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
* Move testing framework from ftw to go-ftw (Felipe Zipitría)
* Update sponsors list and copyright notices (Felipe Zipitría)

As noted above, the fix for CVE-2023-38199 has already been merged[1] into the CRS v4 branch[2]: our upcoming milestone release which we hope to publish in the near future.

Please feel free to contact us with any questions or concerns about this release via the usual channels: directly via the CRS GitHub repository, in our Slack channel (#coreruleset on owasp.slack.com), or via the mailing list.

Sincerely,
Andrew Howe
on behalf of the Core Rule Set development team

---
[1]: https://github.com/coreruleset/coreruleset/pull/3237
[2]: https://github.com/coreruleset/coreruleset/tree/v4.0/dev
From: Christian F. <chr...@ne...> - 2023-06-21 12:29:10

Hey Homesh,

Yes, it's the same, it's just that the deny does not happen, so rule execution continues.

Good luck!

Christian

On Wed, Jun 21, 2023 at 05:45:42PM +0530, homesh joshi wrote:
> Hi Christian,
>
> Thanks for the quick reply. OK so in detectonly mode also modsecurity rule
> evaluation works the same.
> Debug is a good idea. I have UAT so I can test. Will let you know.
>
> Thanks,
> Homesh
>
> On Wed, Jun 21, 2023 at 3:03 PM Christian Folini <chr...@ne...> wrote:
>
> > Hey Homesh,
> >
> > Evaluation does indeed stop after a drop and there is a chance
> > your rules only set the variables in question in a later phase.
> > Really depends on your configuration.
> >
> > You can follow rule execution with the ModSecurity debug log, but beware
> > it is very verbose.
> >
> > Generally, it is best to set variables for display in the access log only
> > in phase 5, which is also executed for requests that have been denied
> > in an earlier phase.
> >
> > Best regards,
> >
> > Christian
> >
> > On Wed, Jun 21, 2023 at 01:14:04PM +0530, homesh joshi wrote:
> > > Hi All,
> > >
> > > With regards to my approach for logging the modsec variables in apache log
> > > has worked for me for almost a year now.
> > > However, today when I enabled "SecRuleEngine DetectionOnly" for one of my
> > > websites. What I notice is that the apache logs are missing the right
> > > variable data.
> > > e.g. I tested SQL injection and I was not able to see the relevant
> > > information in apache log which I typically get when "SecRuleEngine On"
> > > sample log for "SecRuleEngine DetectionOnly"
> > > 49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3 TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762 "/?k=1%20or%201=1"
> > >
> > > here rule id log is 333762 which is not the signature for SQL injection
> > >
> > > So my conclusion is, in "SecRuleEngine On" rule evaluation stops when the
> > > first rule matches with the final action drop/block. Hence I am able to get
> > > the right rule ID and other variable data. But when "SecRuleEngine
> > > DetectionOnly" rule evaluation continues till the last rule and due to
> > > which my variable data gets changed as per the rules getting evaluated. Can
> > > I change this behaviour of modsecurity in Detectonly mode? That it should
> > > stop the evaluation when it matches the first rule with final action of
> > > drop/block (and not block/drop the transaction)?
> > >
> > > Please suggest.
> > >
> > > Thanks,
> > > Homesh
> > >
> > > On Fri, Mar 25, 2022 at 4:08 PM Christian Folini <chr...@ne...> wrote:
> > >
> > > > Thanks for the updates. I do not immediately see why it's not working
> > > > completely. But glad you have a working solution.
> > > >
> > > > Best,
> > > >
> > > > Christian
> > > >
> > > > On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> > > > > Dear Christian,
> > > > >
> > > > > I added setvar:tx.rule=1 in each rule and then added the following rule,
> > > > > post which I am able to get 1 written in access logs (via the %{waf}) for
> > > > > the transactions which got blocked by Modsec. For other transactions it is
> > > > > missing and hence getting - in the logs. I was not able to directly set the
> > > > > WAF=1 in the rules via setenv:waf=1
> > > > >
> > > > > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
> > > > >
> > > > > Will test this, any update in case I face any challenge.
> > > > >
> > > > > Thanks,
> > > > > Homesh
> > > > >
> > > > > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <chr...@ne...> wrote:
> > > > >
> > > > > > I suggest you add this to every rule that detects / blocks something.
> > > > > > Thus not a SecAction, but attach the setenv to your existing SecRules
> > > > > > where you want to see the flag.
> > > > > >
> > > > > > Alternatively, you can do a SecRule in phase 5 where you test the
> > > > > > HTTP status and if it's 403, then you set the env.
> > > > > >
> > > > > > Good luck!
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > > > > > Dear Christian,
> > > > > > >
> > > > > > > Thanks. I think this will work for me. However, can you please explain
> > > > > > > it a bit more on how this works.
> > > > > > > From your tutorial if I set up the following rule
> > > > > > >
> > > > > > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > > > > > >
> > > > > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > > > > > >
> > > > > > > then for every access I see "1" in the access log.
> > > > > > >
> > > > > > > I think I will need to understand it more in order to use it.
> > > > > > >
> > > > > > > Kindly explain
> > > > > > > 1) the configuration required for setenv by modifying each rule
> > > > > > >
> > > > > > > 2) the configuration required for more complicated scheme which you
> > > > > > > are referring to
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Homesh
> > > > > > >
> > > > > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
> > > > > > >
> > > > > > > > Hi there,
> > > > > > > >
> > > > > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > > > > > Thanks for the clarification.
> > > > > > > > > I have already gone through excellent netnea.com tutorials. I have
> > > > > > > > > already used some of the configuration from tutorial. I do not use crs.
> > > > > > > >
> > > > > > > > Thank you very much.
> > > > > > > >
> > > > > > > > > My objective here is that I want to get a flag in access log line if modsec
> > > > > > > > > has taken any action on the transaction say simply it can be a field like
> > > > > > > > > modsec=1 or modsec=0. This will help me in separating transactions which are
> > > > > > > > > allowed (modsec=0). So then it is easy to show these transactions in the
> > > > > > > > > reporting system.
> > > > > > > >
> > > > > > > > I'd do a setenv then in the rules.
> > > > > > > >
> > > > > > > > ... "setenv:modsec=1"
> > > > > > > >
> > > > > > > > Similar to the way I set the various env variables in phase 5. You can simply
> > > > > > > > add this to every rule you have. Or you set up a more complicated scheme
> > > > > > > > and do it in the end in phase 5.
> > > > > > > >
> > > > > > > > Best,
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > > Kindly suggest.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Homesh
> > > > > > > > >
> > > > > > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> > > > > > > > >
> > > > > > > > > > Hello Homesh,
> > > > > > > > > >
> > > > > > > > > > Unfortunately, this is not how this works.
> > > > > > > > > >
> > > > > > > > > > A ModSecurity variable is not automatically an environment variable.
> > > > > > > > > > And on top, the ModSec variable "rule" is only available during the
> > > > > > > > > > execution of the very rule (and there might be many, many rules).
> > > > > > > > > >
> > > > > > > > > > I suggest you read up on my free tutorials published at netnea.com.
> > > > > > > > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > > > > > > > ways to achieve something along these lines.
> > > > > > > > > >
> > > > > > > > > > Best,
> > > > > > > > > >
> > > > > > > > > > Christian
> > > > > > > > > >
> > > > > > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > > > > > > > Hi All,
> > > > > > > > > > >
> > > > > > > > > > > Hope you all are well.
> > > > > > > > > > >
> > > > > > > > > > > I want to add the modsecurity variable e.g. "rule.id" in the apache access
> > > > > > > > > > > log via the extended format.
> > > > > > > > > > > I set the following line in /etc/apache2/apache.conf
> > > > > > > > > > >
> > > > > > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > > > > > > > >
> > > > > > > > > > > However I am not getting the rule.id value in the access log line.
> > > > > > > > > > >
> > > > > > > > > > > Kindly suggest.
> > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > Homesh > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > mod-security-users mailing list > > > > > > > > > > > mod...@li... > > > > > > > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > > > SpiderLabs: > > > > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > mod-security-users mailing list > > > > > > > > > > mod...@li... > > > > > > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > > > SpiderLabs: > > > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > mod-security-users mailing list > > > > > > > > > mod...@li... > > > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > SpiderLabs: > > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > mod-security-users mailing list > > > > > > > > mod...@li... 
> > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > SpiderLabs: > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > mod-security-users mailing list > > > > > > > mod...@li... > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > SpiderLabs: > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > mod-security-users mailing list > > > > > > mod...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > SpiderLabs: > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > mod-security-users mailing list > > > > > mod...@li... > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > _______________________________________________ > > > > mod-security-users mailing list > > > > mod...@li... 
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: homesh j. <ho...@gm...> - 2023-06-21 12:16:03
Hi Christian,

Thanks for the quick reply. OK so in DetectionOnly mode also modsecurity rule evaluation works the same. Debug is a good idea. I have UAT so I can test. Will let you know.

Thanks,
Homesh

On Wed, Jun 21, 2023 at 3:03 PM Christian Folini <chr...@ne...> wrote:

> Hey Homesh,
>
> Evaluation does indeed stop after a drop and there is a chance your rules only set the variables in question in a later phase. Really depends on your configuration.
>
> You can follow rule execution with the ModSecurity debug log, but beware it is very verbose.
>
> Generally, it is best to set variables for display in the access log only in phase 5, which is also executed for requests that have been denied in an earlier phase.
>
> Best regards,
>
> Christian
From: Christian F. <chr...@ne...> - 2023-06-21 09:29:41
Hey Homesh,

Evaluation does indeed stop after a drop and there is a chance your rules only set the variables in question in a later phase. Really depends on your configuration.

You can follow rule execution with the ModSecurity debug log, but beware it is very verbose.

Generally, it is best to set variables for display in the access log only in phase 5, which is also executed for requests that have been denied in an earlier phase.

Best regards,

Christian

On Wed, Jun 21, 2023 at 01:14:04PM +0530, homesh joshi wrote:
> Hi All,
>
> With regards to my approach for logging the modsec variables in apache log, it has worked for me for almost a year now.
> However, today when I enabled "SecRuleEngine DetectionOnly" for one of my websites, what I notice is that the apache logs are missing the right variable data.
> e.g. I tested SQL injection and I was not able to see the relevant information in apache log which I typically get when "SecRuleEngine On"
> sample log for "SecRuleEngine DetectionOnly"
> 49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3 TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762 "/?k=1%20or%201=1"
>
> here rule id log is 333762 which is not the signature for SQL injection
>
> So my conclusion is, in "SecRuleEngine On" rule evaluation stops when the first rule matches with the final action drop/block. Hence I am able to get the right rule ID and other variable data. But when "SecRuleEngine DetectionOnly" rule evaluation continues till the last rule and due to which my variable data gets changed as per the rules getting evaluated. Can I change this behaviour of modsecurity in DetectionOnly mode? That it should stop the evaluation when it matches the first rule with final action of drop/block (and not block/drop the transaction)?
>
> Please suggest.
>
> Thanks,
> Homesh
From: homesh j. <ho...@gm...> - 2023-06-21 07:44:24
|
Hi All,

My approach for logging the modsec variables in the apache log has worked for me for almost a year now. However, today I enabled "SecRuleEngine DetectionOnly" for one of my websites. What I notice is that the apache logs are missing the right variable data, e.g. I tested SQL injection and I was not able to see the relevant information in the apache log which I typically get with "SecRuleEngine On".

Sample log for "SecRuleEngine DetectionOnly":

49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3 TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762 "/?k=1%20or%201=1"

Here the rule id logged is 333762, which is not the signature for SQL injection.

So my conclusion is: in "SecRuleEngine On" rule evaluation stops when the first rule matches with the final action drop/block. Hence I am able to get the right rule ID and other variable data. But in "SecRuleEngine DetectionOnly" rule evaluation continues till the last rule, due to which my variable data gets changed as per the rules getting evaluated.

Can I change this behaviour of modsecurity in DetectionOnly mode, so that it stops the evaluation when it matches the first rule with a final action of drop/block (and does not block/drop the transaction)?

Please suggest.

Thanks,
Homesh

On Fri, Mar 25, 2022 at 4:08 PM Christian Folini <chr...@ne...> wrote:
> Thanks for the updates. I do not immediately see why it's not working
> completely. But glad you have a working solution.
>
> Best,
>
> Christian
>
> On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> > Dear Christian,
> >
> > I added setvar:tx.rule=1 in each rule and then added the following rule,
> > post which I am able to get 1 written in access logs (via the %{waf}) for
> > the transactions which got blocked by Modsec. For other transactions it is
> > missing and hence getting - in the logs. I was not able to directly set the
> > WAF=1 in the rules via setenv:waf=1
> >
> > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
> >
> > Will test this; any update in case I face any challenge.
> >
> > Thanks,
> > Homesh
> >
> > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <chr...@ne...> wrote:
> > > I suggest you add this to every rule that detects / blocks something.
> > > Thus not a SecAction, but attach the setenv to your existing SecRules
> > > where you want to see the flag.
> > >
> > > Alternatively, you can do a SecRule in phase 5 where you test the
> > > HTTP status and if it's 403, then you set the env.
> > >
> > > Good luck!
> > >
> > > Christian
> > >
> > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > > Dear Christian,
> > > >
> > > > Thanks. I think this will work for me. However, can you please explain it a
> > > > bit more on how this works.
> > > > From your tutorial, if I set up the following rule
> > > >
> > > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > > >
> > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > > >
> > > > then for every access I see "1" in the access log.
> > > >
> > > > I think I will need to understand it more in order to use it.
> > > >
> > > > Kindly explain
> > > > 1) the configuration required for setenv by modifying each rule
> > > >
> > > > 2) the configuration required for the more complicated scheme which you
> > > > are referring to
> > > >
> > > > Thanks,
> > > >
> > > > Homesh
> > > >
> > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
> > > > > Hi there,
> > > > >
> > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > > Thanks for the clarification.
> > > > > > I have already gone through the excellent netnea.com tutorials. I have
> > > > > > already used some of the configuration from the tutorial. I do not use crs.
> > > > >
> > > > > Thank you very much.
> > > > >
> > > > > > My objective here is that I want to get a flag in the access log line if
> > > > > > modsec has taken any action on the transaction; say simply it can be a field
> > > > > > like modsec=1 or modsec=0. This will help me in separating transactions which
> > > > > > are allowed (modsec=0). So then it is easy to show these transactions in the
> > > > > > reporting system.
> > > > >
> > > > > I'd do a setenv then in the rules.
> > > > >
> > > > > ... "setenv:modsec=1"
> > > > >
> > > > > Similar to the way I set the various env variables in phase 5. You can simply
> > > > > add this to every rule you have. Or you set up a more complicated scheme
> > > > > and do it in the end in phase 5.
> > > > >
> > > > > Best,
> > > > >
> > > > > Christian
> > > > >
> > > > > > Kindly suggest.
> > > > > >
> > > > > > Thanks,
> > > > > > Homesh
> > > > > >
> > > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> > > > > > > Hello Homesh,
> > > > > > >
> > > > > > > Unfortunately, this is not how this works.
> > > > > > >
> > > > > > > A ModSecurity variable is not automatically an environment variable.
> > > > > > > And on top, the ModSec variable "rule" is only available during the
> > > > > > > execution of the very rule (and there might be many, many rules).
> > > > > > >
> > > > > > > I suggest you read up on my free tutorials published at netnea.com.
> > > > > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > > > > ways to achieve something along these lines.
> > > > > > >
> > > > > > > Best,
> > > > > > >
> > > > > > > Christian
> > > > > > >
> > > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > Hope you all are well.
> > > > > > > >
> > > > > > > > I want to add the modsecurity variable e.g. "rule.id" in the apache access
> > > > > > > > log via the extended format.
> > > > > > > > I set the following line in /etc/apache2/apache.conf
> > > > > > > >
> > > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > > > > >
> > > > > > > > However I am not getting the rule.id value in the access log line.
> > > > > > > >
> > > > > > > > Kindly suggest.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Homesh
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > mod-security-users mailing list
> > > > > > > > mod...@li...
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > > http://www.modsecurity.org/projects/commercial/support/ |
|
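One way to get the first matching rule id into the Apache access log that gives the same value under "SecRuleEngine DetectionOnly" as under "SecRuleEngine On", written here as an added example; it is not code from the thread above nor from the netnea tutorial it refers to. It keeps the setvar-in-each-rule plus phase 5 setenv approach discussed in the thread and adds a skipAfter jump, so that once one detection rule has matched, the remaining detection rules are not evaluated and cannot overwrite the stored id. The rule ids 10001, 10002 and 10900, the marker name END_DETECTION_RULES, the tx.waf and tx.waf_rule_id variables and the waf / waf_rule_id environment names are assumptions chosen for the example; @detectSQLi and @detectXSS need a ModSecurity 2.x build with libinjection.

```apache
# Added example (not from the mailing list thread): record the FIRST matching
# detection rule and stop evaluating the remaining detection rules, so the
# value exported to the access log does not depend on the engine mode.
# Assumed names: rule ids 10001/10002/10900, marker END_DETECTION_RULES,
# variables tx.waf / tx.waf_rule_id, env vars waf / waf_rule_id.

# Either mode works; the logged fields come out the same.
SecRuleEngine DetectionOnly

# Detection rules. Each one flags the transaction, stores its own id and
# jumps past the other detection rules. In DetectionOnly the "deny" is
# ignored, but "skipAfter" is a flow action and still executes, so no later
# rule can overwrite tx.waf_rule_id. With SecRuleEngine On the deny stops
# the transaction anyway.
SecRule ARGS "@detectSQLi" \
    "id:10001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'SQL injection in request argument',\
    setvar:tx.waf=1,\
    setvar:'tx.waf_rule_id=%{RULE.id}',\
    skipAfter:END_DETECTION_RULES"

SecRule ARGS "@detectXSS" \
    "id:10002,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'XSS in request argument',\
    setvar:tx.waf=1,\
    setvar:'tx.waf_rule_id=%{RULE.id}',\
    skipAfter:END_DETECTION_RULES"

# Target of the skipAfter. skipAfter only jumps forward within the phase the
# matching rule runs in, so every detection rule must appear above this
# marker in the configuration.
SecMarker END_DETECTION_RULES

# Phase 5 (logging) runs before mod_log_config writes the access log, so
# environment variables set here are visible to %{...}e in LogFormat.
# Transactions that matched nothing get no env vars and log "-" instead.
SecRule TX:waf "@eq 1" \
    "id:10900,\
    phase:5,\
    pass,\
    nolog,\
    setenv:waf=1,\
    setenv:waf_rule_id=%{tx.waf_rule_id}"

# Access log: the usual fields plus the WAF flag and the first rule id.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{UNIQUE_ID}e %{waf}e %{waf_rule_id}e" waf_extended
CustomLog logs/access.log waf_extended
```

To check it, send a request such as `curl 'https://example.com/?k=1%20or%201=1'` once with the engine in DetectionOnly and once with it On: the last two fields of the access log line read `1 10001` in both cases, while a request that matches nothing logs `- -`. The one thing the jump costs you is visibility of every other rule the same request would also have matched; if that matters for tuning, keep the skipAfter out of the rules and log the audit log instead, where each match is listed.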
From: Luke B. <lba...@gm...> - 2023-05-18 15:50:58
|
Javascript / Challenge page

Good morning, I introduce myself, I'm new to the list. I'm a university student who has to take care of the security inside the campus. I have to set up a series of mod_security instances which, in addition to a series of basic rules, must be able to run a challenge page, in the event of a major DDoS attack, in order to filter all automatic traffic. Has anyone done something like this before or can point me to online resources to do it? Thanks Luke |
|
From: Monah B. <mon...@gm...> - 2023-03-27 14:40:57
|
Morning all,
I am trying to compile modsecurity on freebsd 12.4-release-p1
==========================
ModSecurity - v3.0.8-51-g1feaa7d2 for FreeBSD
Mandatory dependencies
+ libInjection ....v3.9.2-46-gbfba51f
+ SecLang tests ....a3d4405
Optional dependencies
+ GeoIP/MaxMind ....found
* (MaxMind) v1.6.0
-lmaxminddb , -DWITH_MAXMIND -I/usr/local/include
+ LibCURL ....found v7.87.0
-L/usr/local/lib -lcurl, -I/usr/local/include
-DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
+ YAJL ....found v2.1.0
-lyajl , -DWITH_YAJL -I/usr/local/include
+ LMDB ....disabled
+ LibXML2 ....found v2.10.3
-lxml2 , -I/usr/local/include/libxml2 -DWITH_LIBXML2
+ SSDEEP ....found
-lfuzzy -L/usr/local/lib/, -DWITH_SSDEEP -I/usr/local/include
+ LUA ....found
-llua-5.4 -lm -L/usr/local/lib , -DWITH_LUA -DWITH_LUA_5_4
-I/usr/local/include/lua54
+ PCRE2 ....disabled
Other Options
+ Test Utilities ....enabled
+ SecDebugLog ....enabled
+ afl fuzzer ....disabled
+ library examples ....enabled
+ Building parser ....disabled
+ Treating pm operations as critical section ....disabled
==================
However gmake returns the following error:
libtool: compile: g++ -DHAVE_CONFIG_H -I. -std=c++11 -I.. -g -I../others
-fPIC -O3 -I../headers -I/usr/local/include -DWITH_CURL_SSLVERSION_TLSv1_2
-DWITH_CURL -DWITH_YAJL -I/usr/local/include -I/usr/local/include
-I/usr/local/include -DPCRE_HAVE_JIT -I/usr/local/include -DWITH_SSDEEP
-I/usr/local/include -DWITH_MAXMIND -I/usr/local/include -DWITH_LUA
-DWITH_LUA_5_4 -I/usr/local/include/lua54 -I/usr/local/include/libxml2
-DWITH_LIBXML2 -g -O2 -MT actions/disruptive/libmodsecurity_la-deny.lo -MD
-MP -MF actions/disruptive/.deps/libmodsecurity_la-deny.Tpo -c
actions/disruptive/deny.cc -fPIC -DPIC -o
actions/disruptive/.libs/libmodsecurity_la-deny.o
libtool: compile: g++ -DHAVE_CONFIG_H -I. -std=c++11 -I.. -g -I../others
-fPIC -O3 -I../headers -I/usr/local/include -DWITH_CURL_SSLVERSION_TLSv1_2
-DWITH_CURL -DWITH_YAJL -I/usr/local/include -I/usr/local/include
-I/usr/local/include -DPCRE_HAVE_JIT -I/usr/local/include -DWITH_SSDEEP
-I/usr/local/include -DWITH_MAXMIND -I/usr/local/include -DWITH_LUA
-DWITH_LUA_5_4 -I/usr/local/include/lua54 -I/usr/local/include/libxml2
-DWITH_LIBXML2 -g -O2 -MT actions/disruptive/libmodsecurity_la-deny.lo -MD
-MP -MF actions/disruptive/.deps/libmodsecurity_la-deny.Tpo -c
actions/disruptive/deny.cc -o actions/disruptive/libmodsecurity_la-deny.o
>/dev/null 2>&1
mv -f actions/disruptive/.deps/libmodsecurity_la-deny.Tpo
actions/disruptive/.deps/libmodsecurity_la-deny.Plo
/bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.
-std=c++11 -I.. -g -I../others -fPIC -O3 -I../headers -I/usr/local/include
-DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL -DWITH_YAJL
-I/usr/local/include -I/usr/local/include -I/usr/local/include
-DPCRE_HAVE_JIT -I/usr/local/include -DWITH_SSDEEP -I/usr/local/include
-DWITH_MAXMIND -I/usr/local/include -DWITH_LUA -DWITH_LUA_5_4
-I/usr/local/include/lua54 -I/usr/local/include/libxml2 -DWITH_LIBXML2
-g -O2 -MT actions/disruptive/libmodsecurity_la-drop.lo -MD -MP -MF
actions/disruptive/.deps/libmodsecurity_la-drop.Tpo -c -o
actions/disruptive/libmodsecurity_la-drop.lo `test -f
'actions/disruptive/drop.cc' || echo './'`actions/disruptive/drop.cc
libtool: compile: g++ -DHAVE_CONFIG_H -I. -std=c++11 -I.. -g -I../others
-fPIC -O3 -I../headers -I/usr/local/include -DWITH_CURL_SSLVERSION_TLSv1_2
-DWITH_CURL -DWITH_YAJL -I/usr/local/include -I/usr/local/include
-I/usr/local/include -DPCRE_HAVE_JIT -I/usr/local/include -DWITH_SSDEEP
-I/usr/local/include -DWITH_MAXMIND -I/usr/local/include -DWITH_LUA
-DWITH_LUA_5_4 -I/usr/local/include/lua54 -I/usr/local/include/libxml2
-DWITH_LIBXML2 -g -O2 -MT actions/disruptive/libmodsecurity_la-drop.lo -MD
-MP -MF actions/disruptive/.deps/libmodsecurity_la-drop.Tpo -c
actions/disruptive/drop.cc -fPIC -DPIC -o
actions/disruptive/.libs/libmodsecurity_la-drop.o
libtool: compile: g++ -DHAVE_CONFIG_H -I. -std=c++11 -I.. -g -I../others
-fPIC -O3 -I../headers -I/usr/local/include -DWITH_CURL_SSLVERSION_TLSv1_2
-DWITH_CURL -DWITH_YAJL -I/usr/local/include -I/usr/local/include
-I/usr/local/include -DPCRE_HAVE_JIT -I/usr/local/include -DWITH_SSDEEP
-I/usr/local/include -DWITH_MAXMIND -I/usr/local/include -DWITH_LUA
-DWITH_LUA_5_4 -I/usr/local/include/lua54 -I/usr/local/include/libxml2
-DWITH_LIBXML2 -g -O2 -MT actions/disruptive/libmodsecurity_la-drop.lo -MD
-MP -MF actions/disruptive/.deps/libmodsecurity_la-drop.Tpo -c
actions/disruptive/drop.cc -o actions/disruptive/libmodsecurity_la-drop.o
>/dev/null 2>&1
gmake[3]: *** [Makefile:2427: actions/disruptive/libmodsecurity_la-drop.lo]
Error 1
gmake[3]: Leaving directory '/usr/home/mbaki/ModSecurity/src'
gmake[2]: *** [Makefile:3505: all-recursive] Error 1
gmake[2]: Leaving directory '/usr/home/mbaki/ModSecurity/src'
gmake[1]: *** [Makefile:1239: all] Error 2
gmake[1]: Leaving directory '/usr/home/mbaki/ModSecurity/src'
gmake: *** [Makefile:1049: all-recursive] Error 1
Thanks
Monah
|
|
From: Christian F. <chr...@ne...> - 2023-03-27 07:52:13
|
Hey Stephen,

I am not familiar with HAProxy and this integration. But speaking from a general position, there is always a chance for a timeout, but the exact message (and the TON of them) is troubling.

https://www.mail-archive.com/search?l=h...@fo...&q=subject:%22Re%5C%3A+doubt+how+to+compile+modsecurity+module+for+HAproxy%22&o=newest&f=1 discusses this, but I am none the wiser now. I am not sure whether HAProxy closes the connection now or there was a timeout and HAProxy concludes the client closed the connection. Or whatever.

I would try and do two things:
- Raise the timeout and monitor for a general reduction of the number of messages.
- Try to reproduce the error message on a separate machine.

That way you will learn what really is the problem - and if it is one from an operating standpoint (users not getting what they want) - or just noise (everybody gets their responses OK, but HAProxy is unhappy about connection termination and regularly complains).

Good luck,

Christian

On Fri, Mar 24, 2023 at 04:37:03PM -0400, Stephen Schor wrote:
> Hi All
>
> I've inherited a project that uses modsecurity (wrapped in
> jcmoraisjr/modsecurity-spoa <https://github.com/jcmoraisjr/modsecurity-spoa>
> ).
> Looking at the modsecurity logs...I see plenty of legitimate log messages
> when a SecRule is matched, but also
> a TON of lines like this:
>
> 1679689652.575012 [01] <223243> Peer closed connection: a timeout occurred
>
> There isn't any additional info around these log lines, I'd appreciate if
> folks can help a newcomer out and
> help give some context about what causes these messages. Does this indicate
> a slow client attack?
> The need to adjust some config? Is this normal / expected?
>
> Thanks for your time,
> Stephen
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Stephen S. <beh...@gm...> - 2023-03-24 20:37:20
|
Hi All

I've inherited a project that uses modsecurity (wrapped in jcmoraisjr/modsecurity-spoa <https://github.com/jcmoraisjr/modsecurity-spoa>).
Looking at the modsecurity logs...I see plenty of legitimate log messages when a SecRule is matched, but also a TON of lines like this:

1679689652.575012 [01] <223243> Peer closed connection: a timeout occurred

There isn't any additional info around these log lines, I'd appreciate if folks can help a newcomer out and help give some context about what causes these messages. Does this indicate a slow client attack? The need to adjust some config? Is this normal / expected?

Thanks for your time,
Stephen |
|
From: homesh j. <ho...@gm...> - 2022-12-14 03:02:38
|
Thank you Christian.

On Wed, 14 Dec, 2022, 3:46 am Christian Folini, <chr...@ne...> wrote:
> Hi there,
>
> We looked at it from a CRS perspective.
>
> Detection is spotty at paranoia level 1, but CRS detects all the payloads
> at PL2. There is a pull request that aims to detect everything at PL1.
>
> https://github.com/coreruleset/coreruleset/pull/3055
>
> Best,
>
> Christian
>
> On Tue, Dec 13, 2022 at 09:30:21PM +0530, homesh joshi wrote:
> > Hi All,
> >
> > Has anyone tested the new method mentioned here
> > https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
> >
> > and successfully blocked the same with modsec?
> >
> > Thanks,
> > Homesh
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Christian F. <chr...@ne...> - 2022-12-13 22:11:26
|
Hi there,

We looked at it from a CRS perspective.

Detection is spotty at paranoia level 1, but CRS detects all the payloads at PL2. There is a pull request that aims to detect everything at PL1.

https://github.com/coreruleset/coreruleset/pull/3055

Best,

Christian

On Tue, Dec 13, 2022 at 09:30:21PM +0530, homesh joshi wrote:
> Hi All,
>
> Has anyone tested the new method mentioned here
> https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
>
> and successfully blocked the same with modsec?
>
> Thanks,
> Homesh
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
|
From: homesh j. <ho...@gm...> - 2022-12-13 16:10:31
|
Hi All,

For a simplified version of the method refer to https://www.imperva.com/blog/abusing-json-based-sql/

Thanks,
Homesh

On Tue, Dec 13, 2022 at 9:30 PM homesh joshi <ho...@gm...> wrote:
> Hi All,
>
> Has anyone tested the new method mentioned here https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
>
> and successfully blocked the same with modsec?
>
> Thanks,
> Homesh |
|
From: homesh j. <ho...@gm...> - 2022-12-13 16:00:43
|
Hi All,

Has anyone tested the new method mentioned here https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf and successfully blocked the same with modsec?

Thanks,
Homesh |
|
From: Christian F. <chr...@ne...> - 2022-11-13 10:10:20
|
Yes, we do (-> tx.allowed_http_versions in crs-setup.conf), but 920280 triggers regardless of the HTTP version used. This is apparently not overly exact, but HTTP/1.0 is relatively rare and it's easy to do a rule exclusion.

We could extend 920280 with a chained check for the version without too much cost, I guess.

Best,

Christian

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present? Do we support HTTP/1.0 in CRS?
>
> Citát Ervin Hegedüs <ai...@gm...>:
>
> > hey,
> >
> > On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
> > > What’s the current paranoia level set to? Some levels require a Host
> > > header to be present.
> >
> > just for my 2 cents: rule 920280 checks that Host header is
> > present or not, 920290 checks that it's not empty.
> >
> > Furthermore, rule 920350 checks that Host header can't be
> > numeric (eg. an IPv4 or IPv6 format address).
> >
> > All of them activated on *PL1*, so we can say PL settings do not
> > play here.
> >
> > https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106
> >
> > (See the "Paranoia level" field in the tables)
> >
> > a.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
|
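The rule exclusion Christian refers to, as an added example that is not part of the thread and not CRS's own code. It also matches the test matrix quoted further down in this thread, where the only logged case is an HTTP/1.0 request without a Host header: CRS 920280 (active at PL1, as Ervin notes) matches such a request, and a matching rule that logs makes the transaction relevant for `SecAuditEngine RelevantOnly` even when the 308 response status does not match `SecAuditLogRelevantStatus`. The exclusion keeps 920280 for HTTP/1.1 and later and switches it off only for HTTP/1.0, where the Host header is optional. The rule id 1001 is an illustrative choice.

```apache
# Added example (not from the thread, not part of CRS): skip CRS rule 920280
# ("Request Missing a Host Header") for HTTP/1.0 requests only.
# Load it before the CRS rules, e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf,
# because ctl:ruleRemoveById only affects rules evaluated later in the same
# transaction. Rule id 1001 is an assumption; pick a free id in your own range.
SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920280"
```

REQUEST_PROTOCOL carries the version string from the request line, so HTTP/1.1 requests without a Host header are still flagged by 920280, and 920290 (empty Host) and 920350 (numeric Host) are untouched. To verify, repeat the matrix from the thread with `curl --http1.0 -H 'Host:' https://example/` (the empty `-H 'Host:'` removes the header) and confirm that no new audit log entry appears for it while `curl --http1.1 -H 'Host:' https://example/` still produces one.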
From: Ervin H. <ai...@gm...> - 2022-11-13 09:52:33
|
Hi,

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present?

No, I think it's not. (I just answered for the PL-related part of the mail)

> Do we support HTTP/1.0 in CRS?

Well, I think it's a "hard" question, because we allow it:

https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-901-INITIALIZATION.conf#L204

but it looks like we do not care about the special cases, eg. HTTP/1.0 does not need the Host header.

Look at the RFC:

https://www.rfc-editor.org/rfc/rfc2616.html#page-128
https://www.rfc-editor.org/rfc/rfc2616.html#section-19.6.1

The RFC says: "The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL."

It does not say that "Host" is NOT mandatory in case of HTTP/1.0, it just says "Host" is mandatory in case of HTTP/1.1. The quoted part above from the RFC means that if you use a hosted server, clients need to send "Host" to identify the resource - so, is it mandatory? :)

Furthermore: I don't remember when SNI came (for HTTPS - I mean, was HTTP/1.0 still used then?), but I think in case of using SNI, the "Host" header is needed, no matter what HTTP version you use (correct me if I'm wrong).

Furthermore+: I found one more reference about HTTP/2. Looks like the "Host" header isn't mandatory there either, because the ":authority" header can replace it:

https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.3

Maybe we can fix this. A somewhat similar problem is the checking of the CL header in case of HTTP/2 (where CL isn't mandatory either):

https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L223-L245

First of all, it would be fine to open an issue on GH, and add it to the list of monthly chat topics.

a. |
|
From: <az...@po...> - 2022-11-13 08:59:25
|
Is that correct behavior as HTTP/1.0 does not require Host header to be present? Do we support HTTP/1.0 in CRS? Citát Ervin Hegedüs <ai...@gm...>: > hey, > > On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote: >> What’s the current paranoia level set to? Some levels require a >> Host header to be present. > > just for my 2 cents: rule 920280 checks that Host header is > present or not, 920290 checks that it's not empty. > > Furthermore, rule 920350 checks that Host header can't be > numeric (eg. an IPv4 or IPv6 format address). > > All of them activated on *PL1*, so we can say PL settings do not > play here. > > https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106 > > (See the "Paranoia level" field in the tables) > > > a. > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Ervin H. <ai...@gm...> - 2022-11-13 08:44:47
|
hey, On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote: > What’s the current paranoia level set to? Some levels require a Host header to be present. just for my 2 cents: rule 920280 checks that Host header is present or not, 920290 checks that it's not empty. Furthermore, rule 920350 checks that Host header can't be numeric (eg. an IPv4 or IPv6 format address). All of them activated on *PL1*, so we can say PL settings do not play here. https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106 (See the "Paranoia level" field in the tables) a. |
|
From: Arlen W. <pu...@ar...> - 2022-11-13 00:49:31
|
What’s the current paranoia level set to? Some levels require a Host header to be present. Sent from my iPad > On Nov 11, 2022, at 6:43 PM, O Lányi via mod-security-users <mod...@li...> wrote: > > modsecurity.conf: https://pastebin.com/ZggGuyKG > crs-setup.conf: https://pastebin.com/s11sF0pj > > It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason > > testing with curl: > > HTTP/1.0 HTTPS with no host header = LOGGED > HTTP/1.0 HTTPS with host header = not logged > HTTP/1.0 HTTP with no host header = not logged > HTTP/1.0 HTTP with host header = not logged > HTTP/1.1 HTTPS with no host header = not logged > HTTP/1.1 HTTPS with host header = not logged > HTTP/1.1 HTTP with no host header = not logged > HTTP/1.1 HTTP with host header = not logged > > but why? > > > > > Sent with Proton Mail secure email. > > ------- Original Message ------- >> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote: >> >> >> Can you upload your modsecurity.conf and crs-setup.conf somewhere? >> >> >> >> >> Citát O Lányi via mod-security-users >> mod...@li...: >> >>> It's already set like that. >>> >>> ------- Original Message ------- >>>> On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote: >>> >>>> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see: >>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine >>>> >>>> Citát O Lányi via mod-security-users >>>> mod...@li...: >>>> >>>>> The response was a 308. 99.999% of 308's are not put in the audit >>>>> log. Why was this specific one put in the audit log? >>>>> >>>>> Sent with Proton Mail secure email. >>>>> >>>>> ------- Original Message ------- >>>>> On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote: >>>>> >>>>>> This depends on the HTTP status code - logged are all requests with >>>>>> status code that matches regexp set in SecAuditLogRelevantStatus >>>>>> directive in modsecurity.conf (i.e. 
also requests that were NOT >>>>>> blocked may be logged). For more info, see: >>>> >>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus >>>> >>>>>> azurit >>>>>> >>>>>> Citát O Lányi via mod-security-users >>>>>> mod...@li...: >>>>>> >>>>>>> I understand the logging parts (I turned on additional parts to try >>>>>>> to understand why harmless requests are being placed in the audit >>>>>>> log), but why was this particular HTTP request put into the audit >>>>>>> log at all? What was "wrong" with it? >>>>>>> >>>>>>> Sent with Proton Mail secure email. >>>>>>> >>>>>>> ------- Original Message ------- >>>>>>> On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> what is logged depends on SecAuditLogParts directive in >>>>>>>> modsecurity.conf. For more info, see: >>>> >>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts >>>> >>>>>>>> azurit >>>>>>>> >>>>>>>> Citát O Lányi via mod-security-users >>>>>>>> mod...@li...: >>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> I'm trying to learn to appreciate modsecurity but everything about >>>>>>>>> it is frustrating and confusing to me. I thought I'd try reaching >>>>>>>>> out in hopes someone could help -- this is my last hope before I >>>>>>>>> give up and turn it off. >>>>>>>>> >>>>>>>>> I am using DetectionOnly mode >>>>>>>>> >>>>>>>>> Why was this put in the audit log? Why are there so many rules >>>>>>>>> listed? Why can't it just tell me simply what rule triggered the >>>>>>>>> inclusion in the log, rather than 75 lines of gibberish? Is this a >>>>>>>>> bug? 
>>>>>>>>> >>>>>>>>> --7337282c-A-- >>>>>>>>> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc >>>>>>>>> (REMOTE_IP) 56866 (MY_IP) 443 >>>>>>>>> --7337282c-B-- >>>>>>>>> GET / HTTP/1.0 >>>>>>>>> >>>>>>>>> --7337282c-F-- >>>>>>>>> HTTP/1.1 308 Permanent Redirect >>>>>>>>> Expect-CT: max-age=604800, enforce, >>>>>> >>>>>> report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" >>>>>> >>>>>>>>> Referrer-Policy: unsafe-url >>>>>>>>> Strict-Transport-Security: max-age=31536000; >>>>>>>>> includeSubDomains; preload >>>>>>>>> X-Content-Type-Options: nosniff >>>>>>>>> X-Frame-Options: SAMEORIGIN >>>>>>>>> X-XSS-Protection: 1; mode=block >>>>>>>>> Location: https://othersite/ >>>>>>>>> Content-Length: 428 >>>>>>>>> Connection: close >>>>>>>>> Content-Type: text/html; charset=iso-8859-1 >>>>>>>>> >>>>>>>>> --7337282c-E-- >>>>>>>>> >>>>>>>>> --7337282c-H-- >>>>>>>>> Stopwatch: 1668000670057655 23939 (- - -) >>>>>>>>> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, >>>>>>>>> p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0 >>>>>>>>> Response-Body-Transformed: Dechunked >>>>>>>>> Producer: ModSecurity for Apache/2.9.5 >>>>>>>>> (http://www.modsecurity.org/); OWASP_CRS/3.3.2. 
>>>>>>>>> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 >>>>>>>>> Engine-Mode: "DETECTION_ONLY" >>>>>>>>> >>>>>>>>> --7337282c-K-- >>>>>>>>> SecAction >>>> >>>> "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" >>>> >>>>>>>>> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" >>>> >>>>>>>>> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" >>>> >>>>>>>>> SecRule "&TX:paranoia_level" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" >>>> >>>>>>>>> SecRule "&TX:executing_paranoia_level" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" >>>> >>>>>>>>> SecRule "&TX:sampling_percentage" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" >>>> >>>>>>>>> SecRule "&TX:critical_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" >>>> >>>>>>>>> SecRule "&TX:error_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" >>>> >>>>>>>>> SecRule "&TX:warning_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" >>>> >>>>>>>>> SecRule "&TX:notice_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" >>>> >>>>>>>>> SecRule "&TX:do_reput_block" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" >>>> >>>>>>>>> SecRule "&TX:reput_block_duration" "@eq 0" >>>> >>>> 
"phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" >>>> >>>>>>>>> SecRule "&TX:allowed_methods" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET >>>> >>>>>> HEAD >>>>>> >>>>>>>> POST >>>>>>>> >>>>>>>>> OPTIONS'" >>>>>>>>> >>>>>>>>> SecRule "&TX:allowed_request_content_type" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| >>>> |multipart/form-data| >>>> >>>>>> |multipart/related| >>>>>> >>>>>>>> |text/xml| >>>>>>>> >>>>>>>>> |application/x >>>>>>>>> ml| |application/soap+xml| |application/x-amf| |application/json| >>>>>>>>> |application/cloudevents+json| >>>>>>>>> |application/cloudevents-batch+json| >>>>>>>>> |application/octet-stream| |application/csp-report| >>>>>>>>> |application/xss-auditor-report| |text/plain|'" >>>>>>>>> >>>>>>>>> SecRule "&TX:allowed_request_content_type_charset" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" >>>> >>>>>>>>> SecRule "&TX:allowed_http_versions" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 >>>> >>>>>> HTTP/1.1 >>>>>> >>>>>>>> HTTP/2 >>>>>>>> >>>>>>>>> HTTP/2.0'" >>>>>>>>> >>>>>>>>> SecRule "&TX:restricted_extensions" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ >>>> .cs/ >>>> >>>>>> .csproj/ >>>>>> >>>>>>>> .csr/ >>>>>>>> >>>>>>>>> .dat >>>>>>>>> / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ >>>>>>>>> .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ >>>>>>>>> .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ >>>>>>>>> .vbs/ .vbproj/ 
>>>>>>>>> .vsdisco/ .webinfo/ .xsd/ .xsx/'" >>>>>>>>> >>>>>>>>> SecRule "&TX:restricted_headers" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ >>>> >>>>>> /lock-token/ >>>>>> >>>>>>>> /content-range/ >>>>>>>> >>>>>>>>> /if/'" >>>>>>>>> >>>>>>>>> SecRule "&TX:static_extensions" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ >>>> /.css/ >>>> >>>>>> /.ico/ >>>>>> >>>>>>>> /.svg/ >>>>>>>> >>>>>>>>> /.webp/'" >>>>>>>>> >>>>>>>>> SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" >>>> >>>>>>>>> SecAction >>>> >>>> "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 >>>> >>>> ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco >>>> >>>> re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" >>>> >>>>>>>>> SecAction >>>> >>>> "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" >>>> >>>>>>>>> SecRule "REQBODY_PROCESSOR" "!@rx >>>>>>>>> (?:URLENCODED|MULTIPART|XML|JSON)" >>>>>>>>> "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body >>>> >>>> inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" >>>> >>>>>>>>> SecRule "TX:sampling_percentage" 
"@eq 100" >>>> >>>> "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" >>>> >>>> "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" >>>> >>>> "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq >>>>>>>>> 0" >>>> >>>> "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" >>>> >>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" >>>> >>>> "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >>>> >>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0" >>>>>>>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> 
"phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" 
"@lt 2" >>>> >>>> "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >>>> >>>>>>>>> SecRule "RESPONSE_STATUS" "!@rx ^404$" >>>>>>>>> "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >>>>>>>>> Information Leakage',logdata:'Matched Data: %{TX.0} found within >>>>>>>>> %{MATCHED_VAR_NAME}: >>>>>>>>> %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >>>> >>>> 
tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >>>> >>>>>>>>> #SecRule "RESPONSE_BODY" "@rx \\bServer Error >>>>>>>>> in.{0,50}?\\bApplication\\b" >>>> >>>> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >>>> >>>>>>>>> SecRule "TX:PARANOIA_LEVEL" "@ge 1" >>>> >>>> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" >>>> >>>> "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >>>> >>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0" >>>>>>>>> >>>>>>>>> SecAction >>>> >>>> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >>>> >>>>>>>>> ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >>>>>>>>> >>>>>>>>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >>>>>>>>> %{tx.inbound_anomaly_score_threshold}" >>>>>>>>> "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >>>>>>>>> Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - >>>>>>>>> SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >>>> >>>> 
},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level >>>> scores: >>>> >>>>>> %{TX.ANOMALY_SCORE_PL1}, >>>>>> >>>>>>>> %{TX.ANOMALY_SCORE_PL2}, >>>>>>>> >>>>>>>>> %{TX.ANO >>>>>>>>> MALY_SCORE_PL3}, >>>> >>>> %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >>>> >>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >>>>>>>>> >>>>>>>>> SecAction >>>> >>>> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. >>>> >>>> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >>>> >>>>>>>>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >>>>>>>>> %{tx.outbound_anomaly_score_threshold}" >>>> >>>> "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >>>> >>>>>>>>> Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >>>>>>>>> individual paranoia level scores: %{TX.OUTBO >>>>>>>>> UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >>>>>>>>> %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >>>> >>>> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >>>> >>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >>>>>>>>> >>>>>>>>> --7337282c-Z-- >>>>>>>>> >>>>>>>>> Thanks for any help anyone can offer. >>>>>>>>> >>>>>>>>> Sent with Proton Mail secure email. >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> mod...@li... 
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>> SpiderLabs: >>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> http://www.modsecurity.org/projects/commercial/support/ |
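As an added example (editor's code, not from the thread or from the ModSecurity project), the script below does by hand the triage the original poster was asking for. It splits a native-format audit entry on its `--<id>-<letter>--` boundaries and checks the two things the reference manual lists as making a transaction relevant under `SecAuditEngine RelevantOnly`: a rule alert, which appears as a `Message:` line in part H, and a response status matching `SecAuditLogRelevantStatus`. It also counts the rules in part K, the long list the poster was staring at: per the manual, K is every rule that matched, written out fully qualified with inherited actions (which is why `auditlog` from the CRS `SecDefaultAction` appears on setup rules that also say `nolog`); it is an evaluation trace, not the list of alerts. Both sample entries are constructed: the first mirrors the thread's entry (same request line, 308 response, `DETECTION_ONLY`, a shortened K part, RFC 5737 placeholder addresses instead of the redacted IPs), the second is an invented 403 carrying one CRS alert. The status pattern is the one shipped in `modsecurity.conf-recommended` and shown in the manual's example, not a built-in default.

```python
"""ModSecurity 2.x native audit-log triage. Added example, not project code.
Splits one entry into its lettered parts and reports which documented trigger
for a "relevant" transaction the entry shows. Sample entries are constructed."""
import re
from dataclasses import dataclass

# Pattern from modsecurity.conf-recommended: every 5xx, every 4xx except 404.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)  # e.g. --7337282c-A--
MSG_ID_RE = re.compile(r'\[id "(\d+)"\]')


@dataclass
class AuditEntry:
    txid: str
    parts: dict  # part letter -> body text


def split_parts(text: str) -> AuditEntry:
    """Split an entry on its --<id>-<letter>-- boundaries; Z closes the entry."""
    bounds = list(PART_RE.finditer(text))
    if not bounds or bounds[-1].group(2) != "Z":
        raise ValueError("incomplete audit entry: no Z part")
    txid = bounds[0].group(1)
    parts = {}
    for i, m in enumerate(bounds):
        if m.group(1) != txid:
            raise ValueError("boundary id changed mid-entry")
        end = bounds[i + 1].start() if i + 1 < len(bounds) else len(text)
        parts[m.group(2)] = text[m.end():end].strip("\n")
    return AuditEntry(txid, parts)


def status_is_relevant(status: str, pattern: str = DEFAULT_RELEVANT_STATUS) -> bool:
    """True if this status alone makes the transaction relevant."""
    return re.match(pattern, status) is not None


def triage(entry: AuditEntry, pattern: str = DEFAULT_RELEVANT_STATUS) -> dict:
    """Summarise what in the entry itself could explain its presence in the log."""
    b_lines = entry.parts.get("B", "").splitlines()
    request_line = b_lines[0] if b_lines else ""
    has_host = any(line.lower().startswith("host:") for line in b_lines[1:])
    f_lines = entry.parts.get("F", "").splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", f_lines[0]) if f_lines else None
    status = m.group(1) if m else ""
    h = entry.parts.get("H", "")
    messages = [line for line in h.splitlines() if line.startswith("Message:")]
    alert_ids = sorted({i for msg in messages for i in MSG_ID_RE.findall(msg)})
    mode = re.search(r'Engine-Mode: "([^"]+)"', h)
    # K lists every rule that matched, with inherited actions written out (hence
    # "auditlog" on CRS setup rules that also say nolog). It is a trace of the
    # evaluation, not the list of alerts; alerts are the Message: lines in H.
    k_rules = [line for line in entry.parts.get("K", "").splitlines()
               if line.startswith(("SecRule", "SecAction"))]
    if messages:
        reason = "rule_alert"
    elif status_is_relevant(status, pattern):
        reason = "relevant_status"
    else:  # neither trigger visible: check SecAuditEngine and any auditlog/ctl:auditEngine rule
        reason = "unexplained"
    return {"txid": entry.txid, "request_line": request_line, "has_host": has_host,
            "status": status, "engine_mode": mode.group(1) if mode else "",
            "alert_rule_ids": alert_ids, "matched_rules_in_K": len(k_rules),
            "reason": reason}


# Constructed from the thread's entry: RFC 5737 placeholder addresses, K shortened.
SAMPLE_308 = """--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc 203.0.113.10 56866 198.51.100.20 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"

--7337282c-Z--
"""
# Invented: a blocked request with one CRS alert in part H.
SAMPLE_403 = """--1a2b3c4d-B--
GET /?q=1%27%20OR%201%3D1 HTTP/1.1
Host: example.com

--1a2b3c4d-F--
HTTP/1.1 403 Forbidden

--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Engine-Mode: "ENABLED"

--1a2b3c4d-Z--
"""
```

`triage(split_parts(text))` returns a dict; to run it over a serial audit log, split the file into entries at each `--<id>-Z--` line and feed them one at a time. On the first sample it reports no alert and a 308 that the recommended pattern does not match, so the entry comes out `unexplained` by the two documented triggers, which is exactly where the thread stands at this point. When that happens, the next things to look at are `SecAuditEngine` itself (`On` writes every transaction) and any rule or `ctl:` action that turns audit logging on for the transaction, narrowed by reproducing the request shape, as the poster's curl matrix does.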
|
From: Christian F. <chr...@ne...> - 2022-11-12 08:24:04
|
Hi there,

Would you mind sharing the logfile for those alerts? Ideally with the individual requests triggering them.

Best,

Christian

On Sat, Nov 12, 2022 at 12:41:45AM +0000, O Lányi via mod-security-users wrote:
> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason
>
> testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> but why?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>
> > Can you upload your modsecurity.conf and crs-setup.conf somewhere?
> >
> > Quoting O Lányi via mod-security-users
> > mod...@li...:
> >
> > > It's already set like that.
> > >
> > > ------- Original Message -------
> > > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
> > >
> > > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> > > >
> > > > Quoting O Lányi via mod-security-users
> > > > mod...@li...:
> > > >
> > > > > The response was a 308. 99.999% of 308's are not put in the audit
> > > > > log. Why was this specific one put in the audit log?
> > > > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > ------- Original Message -------
> > > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po...
wrote: > > > > > > > > > > > > This depends on the HTTP status code - logged are all requests with > > > > > > status code that matches regexp set in SecAuditLogRelevantStatus > > > > > > directive in modsecurity.conf (i.e. also requests that were NOT > > > > > > blocked may be logged). For more info, see: > > > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus > > > > > > > > > > azurit > > > > > > > > > > > > Quoting O Lányi via mod-security-users > > > > > > mod...@li...: > > > > > > > > > > > > > I understand the logging parts (I turned on additional parts to try > > > > > > > to understand why harmless requests are being placed in the audit > > > > > > > log), but why was this particular HTTP request put into the audit > > > > > > > log at all? What was "wrong" with it? > > > > > > > > > > > > > > Sent with Proton Mail secure email. > > > > > > > > > > > > > > ------- Original Message ------- > > > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote: > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > what is logged depends on SecAuditLogParts directive in > > > > > > > > modsecurity.conf. For more info, see: > > > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts > > > > > > > > > > > > azurit > > > > > > > > > > > > > > > > Quoting O Lányi via mod-security-users > > > > > > > > mod...@li...: > > > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > I'm trying to learn to appreciate modsecurity but everything about > > > > > > > > > it is frustrating and confusing to me. I thought I'd try reaching > > > > > > > > > out in hopes someone could help -- this is my last hope before I > > > > > > > > > give up and turn it off. > > > > > > > > > > > > > > > > > > I am using DetectionOnly mode > > > > > > > > > > > > > > > > > > Why was this put in the audit log? Why are there so many rules > > > > > > > > > listed? 
Why can't it just tell me simply what rule triggered the > > > > > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a > > > > > > > > > bug? > > > > > > > > > > > > > > > > > > --7337282c-A-- > > > > > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc > > > > > > > > > (REMOTE_IP) 56866 (MY_IP) 443 > > > > > > > > > --7337282c-B-- > > > > > > > > > GET / HTTP/1.0 > > > > > > > > > > > > > > > > > > --7337282c-F-- > > > > > > > > > HTTP/1.1 308 Permanent Redirect > > > > > > > > > Expect-CT: max-age=604800, enforce, > > > > > > > > > > > > report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" > > > > > > > > > > > > > > > Referrer-Policy: unsafe-url > > > > > > > > > Strict-Transport-Security: max-age=31536000; > > > > > > > > > includeSubDomains; preload > > > > > > > > > X-Content-Type-Options: nosniff > > > > > > > > > X-Frame-Options: SAMEORIGIN > > > > > > > > > X-XSS-Protection: 1; mode=block > > > > > > > > > Location: https://othersite/ > > > > > > > > > Content-Length: 428 > > > > > > > > > Connection: close > > > > > > > > > Content-Type: text/html; charset=iso-8859-1 > > > > > > > > > > > > > > > > > > --7337282c-E-- > > > > > > > > > > > > > > > > > > --7337282c-H-- > > > > > > > > > Stopwatch: 1668000670057655 23939 (- - -) > > > > > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, > > > > > > > > > p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0 > > > > > > > > > Response-Body-Transformed: Dechunked > > > > > > > > > Producer: ModSecurity for Apache/2.9.5 > > > > > > > > > (http://www.modsecurity.org/); OWASP_CRS/3.3.2. 
> > > > > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 > > > > > > > > > Engine-Mode: "DETECTION_ONLY" > > > > > > > > > > > > > > > > > > --7337282c-K-- > > > > > > > > > SecAction > > > > > > > > "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" > > > > > > > > > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" > > > > > > > > > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" > > > > > > > > > > > > > SecRule "&TX:paranoia_level" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" > > > > > > > > > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" > > > > > > > > > > > > > SecRule "&TX:sampling_percentage" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" > > > > > > > > > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" > > > > > > > > > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" > > > > > > > > > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" > > > > > > > > > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" > > > > > > > > > > > > > SecRule 
"&TX:do_reput_block" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" > > > > > > > > > > > > > SecRule "&TX:reput_block_duration" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" > > > > > > > > > > > > > SecRule "&TX:allowed_methods" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET > > > > > > > > > > HEAD > > > > > > > > > > > > > > POST > > > > > > > > > > > > > > > > > OPTIONS'" > > > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| > > > > |multipart/form-data| > > > > > > > > > > |multipart/related| > > > > > > > > > > > > > > |text/xml| > > > > > > > > > > > > > > > > > |application/x > > > > > > > > > ml| |application/soap+xml| |application/x-amf| |application/json| > > > > > > > > > |application/cloudevents+json| > > > > > > > > > |application/cloudevents-batch+json| > > > > > > > > > |application/octet-stream| |application/csp-report| > > > > > > > > > |application/xss-auditor-report| |text/plain|'" > > > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" > > > > > > > > > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 > > > > > > > > > > HTTP/1.1 > > > > > > > > > > > > > > HTTP/2 > > > > > > > > > > > > > > > > > HTTP/2.0'" > > > > > > > > > > > > > > > > > > SecRule "&TX:restricted_extensions" "@eq 0" > > > > > > > > 
"phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ > > > > .cs/ > > > > > > > > > > .csproj/ > > > > > > > > > > > > > > .csr/ > > > > > > > > > > > > > > > > > .dat > > > > > > > > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ > > > > > > > > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ > > > > > > > > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ > > > > > > > > > .vbs/ .vbproj/ > > > > > > > > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" > > > > > > > > > > > > > > > > > > SecRule "&TX:restricted_headers" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ > > > > > > > > > > /lock-token/ > > > > > > > > > > > > > > /content-range/ > > > > > > > > > > > > > > > > > /if/'" > > > > > > > > > > > > > > > > > > SecRule "&TX:static_extensions" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ > > > > /.css/ > > > > > > > > > > /.ico/ > > > > > > > > > > > > > > /.svg/ > > > > > > > > > > > > > > > > > /.webp/'" > > > > > > > > > > > > > > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" > > > > > > > > > > > > > SecAction > > > > > > > > "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 > > > > > > > > 
> ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>
> SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>
> SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>
> SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>
> SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>
> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>
> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>
> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>
> SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>
> SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>
> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> SecRule "&TX:dos_block_timeout" "@eq 0"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>
> SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>
> SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>
> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> SecRule "&TX:dos_block_timeout" "@eq 0"
>
> SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
>
> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>
> SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
>
> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>
> --7337282c-Z--
>
> Thanks for any help anyone can offer.
>
> Sent with Proton Mail secure email.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
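The dump quoted above is the "matched rules" section of a ModSecurity 2.x audit log (part K). It lists every rule that matched, including the CRS housekeeping rules (skipAfter, initialisation, score aggregation), and prints chain links that did not match with a leading "#". Reading it by hand is slow, so here is an added example, not code from the post or from the CRS project, that parses such a section and reports which rules actually fired, which chains broke on a "#" link (the head rule's block/msg/setvar never ran, which is why 954130 above adds nothing to the outbound score), and which fired rules incremented a per-paranoia-level anomaly score. The sample input is constructed for the example: its CRS lines are copied from the dump above, and rule id 10001 is a hypothetical local rule, not part of the CRS.

```python
"""Summarise ModSecurity 2.x audit-log part K ("matched rules"): which rules
fired, which chains broke, and which fired rules touched CRS anomaly scores."""
import re
from collections import defaultdict

# Constructed sample in the style of a part K section. The CRS lines mirror the
# dump in the post; id 10001 is a hypothetical local rule added for the example.
SAMPLE_PART_K = r'''--7337282c-K--
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
SecRule "ARGS:q" "@rx (?i)<script" "phase:2,id:10001,block,capture,t:none,t:urlDecodeUni,msg:'Local test rule: script tag in q (constructed)',severity:CRITICAL,setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:paranoia-level/1,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--
'''

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')          # one double-quoted token
LINE_RE = re.compile(r'^(#?)(SecRule|SecAction)\s+(.*)$')
SCORE_TARGET = re.compile(r'^tx\.(?:outbound_)?anomaly_score_pl[1-4]$')


def split_actions(actions):
    """Split an action string on commas that are outside single quotes
    (msg:'...' and logdata:'...' legitimately contain commas)."""
    out, cur, in_quote = [], [], False
    for ch in actions:
        if ch == "'":
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            out.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append(''.join(cur))
    return [a.strip() for a in out if a.strip()]


def parse_part_k(text):
    """Return a list of head rules; chain links (lines without an id) are
    attached to the preceding head rule under 'links'."""
    rules, head = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                    # boundaries, blank lines
        unmatched, directive, rest = m.group(1) == '#', m.group(2), m.group(3)
        tokens = QUOTED.findall(rest)
        if directive == 'SecAction':
            variables, operator, action_str = None, None, tokens[0] if tokens else ''
        else:
            variables = tokens[0] if len(tokens) > 0 else None
            operator = tokens[1] if len(tokens) > 1 else None
            action_str = tokens[2] if len(tokens) > 2 else ''
        kv, flags = defaultdict(list), []
        for a in split_actions(action_str):
            if ':' in a:
                k, v = a.split(':', 1)
                kv[k].append(v)
            else:
                flags.append(a)
        entry = {
            'directive': directive, 'variables': variables, 'operator': operator,
            'id': int(kv['id'][0]) if kv['id'] else None,
            'phase': int(kv['phase'][0]) if kv['phase'] else None,
            'msg': kv['msg'][0].strip("'") if kv['msg'] else None,
            'severity': kv['severity'][0] if kv['severity'] else None,
            'setvars': list(kv['setvar']), 'chain': 'chain' in flags,
            'matched': not unmatched, 'links': [],
        }
        if entry['id'] is None and head is not None:
            head['links'].append(entry)
        else:
            rules.append(entry)
            head = entry
    return rules


def chain_fired(rule):
    """A chain's disruptive action, msg and final-link setvars run only if
    every link matched; a '#' link means the chain stopped there."""
    return rule['matched'] and all(l['matched'] for l in rule['links'])


def summarize(rules):
    s = {'by_phase': defaultdict(list), 'detections': [], 'broken_chains': [], 'other': []}
    for r in rules:
        s['by_phase'][r['phase']].append(r['id'])
        if not chain_fired(r):
            s['broken_chains'].append(r['id'])
        elif r['severity']:                            # CRS detection rules carry severity
            s['detections'].append(r['id'])
        else:                                          # skips, init, aggregation, correlation
            s['other'].append(r['id'])
    s['by_phase'] = dict(s['by_phase'])
    return s


def fired_score_setvars(rules):
    """(id, target, expression) for every per-PL anomaly-score setvar that
    actually executed, i.e. belongs to a rule/chain that fully fired."""
    out = []
    for r in rules:
        if not chain_fired(r):
            continue
        for link in [r] + r['links']:
            for sv in link['setvars']:
                target, _, expr = sv.partition('=')
                if SCORE_TARGET.match(target):
                    out.append((r['id'], target, expr))
    return out


if __name__ == '__main__':
    parsed = parse_part_k(SAMPLE_PART_K)
    for k, v in summarize(parsed).items():
        print(f'{k}: {v}')
    print('score increments that ran:', fired_score_setvars(parsed))
```

Run it against your own audit-log entry by replacing SAMPLE_PART_K with the text between the "-K--" and "-Z--" boundaries. The important design point is that presence in part K does not mean a rule's actions ran: for a chain, ModSecurity only applies the head rule's disruptive action, message and the last link's setvars when every link matches, so 954130 and 980120 land in broken_chains and contribute no score, while the one fired detection rule is the only entry returned by fired_score_setvars.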