mod-security-users Mailing List for ModSecurity (Page 32)
From: junaid.khan <jun...@na...> - 2019-03-27 04:20:17
I added the mentioned yellow line to the modsec conf file, and when I restart the nginx service it gives an error against the modsec line called in the nginx file.

Mod sec conf file:

# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

Error Message:

[root@ny-middleware-fwd ~]# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@ny-middleware-fwd ~]# systemctl status nginx.service
● nginx.service - The NGINX HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-03-27 14:18:52 PKT; 4s ago
  Process: 501 ExecStop=/bin/kill -s QUIT (code=exited, status=1/FAILURE)
  Process: 331 ExecStart=/usr/local/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 506 ExecStartPre=/usr/local/nginx/sbin/nginx -t (code=exited, status=1/FAILURE)
 Main PID: 333 (code=exited, status=0/SUCCESS)

Mar 27 14:18:52 ny-middleware-fwd systemd[1]: Stopped The NGINX HTTP and reverse proxy server.
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: Unit nginx.service entered failed state.
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: nginx.service failed.
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Mar 27 14:18:52 ny-middleware-fwd nginx[506]: nginx: [emerg] ModSecurityConfig in /usr/local/nginx/conf/nginx.conf:50: Unknown...Format
Mar 27 14:18:52 ny-middleware-fwd nginx[506]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: nginx.service: control process exited, code=exited status=1
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: Failed to start The NGINX HTTP and reverse proxy server.
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: Unit nginx.service entered failed state.
Mar 27 14:18:52 ny-middleware-fwd systemd[1]: nginx.service failed.

From: Christian Varas [mailto:cv...@it...]
Sent: Tuesday, March 26, 2019 6:23 PM
To: mod...@li...
Subject: Re: [mod-security-users] JSON support was not enabled

In your modsec conf append the line in yellow.
If you already have this line and it is not working, maybe it is because the modsec was not compiled with JSON support.

SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditLogDirMode 1733
SecAuditLogFileMode 0550
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4)"
# Log everything we know about a transaction.
SecAuditLogParts ABCHIZ

Cheers.

On Tue., 26 Mar. 2019 01:39, junaid.khan <jun...@na...> wrote:

Dear Support

I need to enable JSON support on mod_sec nginx; kindly guide me on how to enable it.

2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1084"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname ""] [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id "AcAcAcAcAcAYlcAcAbAcAcA2"]
2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: JSON support was not enabled [hostname ""] [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id "AcAcAcAcAcAYlcAcAbAcAcA2"]
2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "60"] [id "200002"] [msg "Failed to parse request body."] [data ""] [severity "CRITICAL"] [hostname ""] [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id "AcAcAcAcAcAYlcAcAbAcAcA2"]
^C

Regards,
Junaid Khan | System Administrator
+92 03018281775 | +92 21 38400633 [Ext: 5531]
jun...@na... | www.nayapay.com
_______________________________________________
mod-security-users mailing list
mod...@li... <mailto:mod...@li...>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
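The directive nginx rejects in this thread is SecAuditLogFormat JSON, which only works when the ModSecurity build includes JSON support, as Christian suggests. The two directives next to it, SecAuditEngine RelevantOnly and SecAuditLogRelevantStatus, decide which transactions reach the audit log at all, and the two configs in the thread use two different status patterns: Junaid's "^(?:5|4(?!04))" keeps 404s out, Christian's "^(?:5|4)" logs every 4xx and 5xx. The Python below is an added example, not code from the thread or from ModSecurity; it models the RelevantOnly decision (a transaction is audited when a rule marked it or the status matches the pattern) and evaluates both patterns against constructed status codes so the difference is visible before the config is deployed.

```python
import re

# The two SecAuditLogRelevantStatus patterns quoted in the thread.
PATTERN_EXCLUDING_404 = r"^(?:5|4(?!04))"   # Junaid's config: all 5xx, 4xx except 404
PATTERN_ALL_4XX_5XX = r"^(?:5|4)"            # Christian's config: all 4xx and 5xx


def status_is_relevant(status: int, pattern: str) -> bool:
    """Return True if the response status matches SecAuditLogRelevantStatus.

    ModSecurity applies the pattern to the status code as text, so 404 is
    tested as "404"; the negative lookahead (?!04) rejects exactly that
    value while every other 4xx still matches.
    """
    return re.search(pattern, str(status)) is not None


def audit_logged(engine: str, status: int, pattern: str, rule_marked: bool) -> bool:
    """Model the SecAuditEngine decision for one transaction.

    On           -> every transaction is written to the audit log
    Off          -> nothing is written
    RelevantOnly -> written when a rule marked the transaction for audit
                    logging, or the status matches the relevant-status regex
    """
    if engine == "On":
        return True
    if engine == "Off":
        return False
    if engine == "RelevantOnly":
        return rule_marked or status_is_relevant(status, pattern)
    raise ValueError(f"unknown SecAuditEngine value: {engine!r}")


def compare_patterns(statuses):
    """Tabulate, per status, whether each pattern audits it under RelevantOnly
    when no rule marked the transaction (the pure status-driven case)."""
    return {
        s: {
            "exclude_404": audit_logged("RelevantOnly", s, PATTERN_EXCLUDING_404, False),
            "all_4xx_5xx": audit_logged("RelevantOnly", s, PATTERN_ALL_4XX_5XX, False),
        }
        for s in statuses
    }


if __name__ == "__main__":
    # Constructed sample statuses covering success, redirect, client and server errors.
    for status, result in compare_patterns([200, 302, 400, 403, 404, 500, 503]).items():
        print(status, result)
```

Junaid's pattern keeps not-found noise out of the audit log while still capturing every other client error and all server errors; a transaction that a rule flagged (the rule_marked case) is logged either way, which is what the "marked by a rule" comment in both configs refers to.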
From: Doug E. <de...@tt...> - 2019-03-27 01:28:38
My current goal is to capture and log the access requests, but modsecurity also has flexibility to permit other functions as deemed necessary in the future. It's also already there embedded in the application.

Sent from my iPhone
(615) 498 4756

On Mar 26, 2019, at 7:44 PM, Robert Paprocki <rpa...@fe...> wrote:

If the goal here is only to capture logic data, and not mutate or block the request, is modsecurity the right tool? Might it be saner to use a simpler proxy that sits in front of the web service and writes the audit trail as its sole function?

On Mar 26, 2019, at 17:03, Manuel Spartan <spa...@gm...> wrote:

Hi Doug, you definitely need to read the book :) but in the meanwhile, if you are ok with little explanations, the best reference ever is the modsecurity reference manual https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29; there are rule examples as well as the descriptions of all operators, variables, actions, etc.

Supposing the argument holding the username is called username, something like the following example should get you started in Apache 2.2 and 2.4.

SecRule ARGS:username "@eq (.*)" "phase:5,id:1,capture,pass,log,noauditlog,setenv:USER=%{matched_var},msg:'Username detected'"
LogFormat "%a,%t,%{USER}e,%s" usercapture
CustomLog logs/usercapture_log usercapture env=USER

Output:
10.0.0.1,[26/SMar/2019:19:56:28 -0600],MyUser,302

On Tue., 26 Mar. 2019 at 16:01, Doug Erwin (<de...@tt...>) wrote:

Thanks for the guidance. I am still lost, but I ordered a book on amazon, "ModSecurity Handbook, second edition" because it has a chapter on writing rules. At this point I have nothing to help me understand what "phase:5,t:none…." is and how to configure that stuff and what the various options are. Mine is a system that has modsecurity embedded in it and is on a Microsoft IIS platform and writes the log entries into the event viewer. I plan to do a lot of reading as soon as I get it. I want a real log file and not an event viewer and I want the info I need. I think modsecurity can be a powerful asset, especially since it is already there, but I have to master it first. I just want to capture timestamp, username, and IP from a login attempt and be able to keep that for posterity.

Doug

Doug Erwin
President
TTP Solutions / TheTradingPortal.com
de...@TT...
Office: 615-469-0409
Cell: 615-498-4756

From: Joel Williams <jo...@jo...>
Sent: Tuesday, March 26, 2019 12:46 AM
To: mod...@li...
Subject: Re: [mod-security-users] capturing user logins

Hi Doug,

Just as an example, here's an extract of what I do to detect successful WordPress logins.

<Locationmatch ".*wp-login\.php">
SecRule RESPONSE_STATUS "302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,sanitiseArg:pwd,msg:'wordpress-login-success',id:5000136"
</locationmatch>

Based on my specific knowledge of WordPress, a 302 response from the wp-login.php script indicates that a successful login occurred, because it redirects users to the correct page (generally - there are some false positives that I haven't bothered to filter out).

The POST body is also logged, and the password is sanitised so that I only get the user name. I monitor the mod_security logs with Splunk, which extracts individual events and generates a report of logins. You can also do fancier things like generate alerts based on unusual IP address geolocation lookups and time of day.

There might not be a general purpose way to log this information across every possible system and not affect performance, but hopefully this is not a requirement. I guess you could scan every POST request's body for username/uname/user and hope this catches all cases.

Joel

Manuel Spartan wrote on 26/3/19 11:34 am:

Hi Doug, as said before the easiest way is to set up a rule to extract the info and parse it in elk or whatever you use; alternatively you can create an environment variable in the rule to get the info and use a conditional apache custom log to save the extracted info if the env var is set, in the format you need, so you have a clean file with the info.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#setenv

Cheers!

Sent from my iPhone

On 25 Mar 2019, at 16:31, Doug Erwin <de...@tt...> wrote:

I would definitely welcome some help. If I understand correctly, it writes everything to the event viewer -> application log. Is there a way to redirect that to just write a log file to the file system, maybe even a separate log just for these user logins?

Also, is there an online tutorial about writing rules for modsecurity? Maybe something on youtube?

Doug

Doug Erwin
President
TTP Solutions / TheTradingPortal.com
de...@TT...
Office: 615-469-0409
Cell: 615-498-4756

From: Chaim Sanders <ch...@ch...>
Sent: Monday, March 25, 2019 2:54 PM
To: mod...@li...
Subject: Re: [mod-security-users] capturing user logins

Yes,

You can make a rule that checks if the parameter with the username is provided and log that. You can then parse the log or use MLogc to move things to third party servers like elasticsearch. Let me know if that makes sense or you need more help.

Thanks,
- Chaim

On Mon, Mar 25, 2019 at 3:01 PM Doug Erwin <de...@tt...> wrote:

Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?

Thanks in advance.

Doug

Doug Erwin
President
TTP Solutions / TheTradingPortal.com
de...@TT...
Office: 615-469-0409
Cell: 615-498-4756

--
Chaim Sanders
http://www.ChaimSanders.com
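Doug's stated goal is a per-login record of timestamp, username and IP that can be kept as a history of user access. Manuel's approach produces exactly that as a comma-separated Apache log line, LogFormat "%a,%t,%{USER}e,%s", written only when the rule set the USER environment variable. The Python below is an added example, not code from any poster in the thread: a parser for lines in that format plus a per-user aggregation that gives first/last seen, source IPs and outcome counts. The sample lines are constructed; treating 302 as the "success" status is an assumption borrowed from Joel's WordPress observation and is application-specific.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape produced by
# LogFormat "%a,%t,%{USER}e,%s": client IP, bracketed Apache timestamp,
# the USER env var set by the SecRule, and the response status.
SAMPLE_LOG = """\
10.0.0.1,[26/Mar/2019:19:56:28 -0600],MyUser,302
10.0.0.1,[26/Mar/2019:19:57:02 -0600],MyUser,200
10.0.0.7,[26/Mar/2019:20:01:15 -0600],alice,302
10.0.0.9,[26/Mar/2019:20:03:40 -0600],alice,401
10.0.0.9,[26/Mar/2019:20:03:58 -0600],alice,401
"""

# The format has no quoting, so each field is taken up to the next comma;
# a line that does not fit this shape (for example a username containing a
# comma) is rejected rather than misattributed to the wrong field.
LINE_RE = re.compile(
    r"^(?P<ip>[^,]+),\[(?P<ts>[^\]]+)\],(?P<user>[^,]*),(?P<status>\d{3})$"
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # layout of Apache's %t inside the brackets


def parse_line(line):
    """Parse one usercapture line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "user": m["user"],
        "status": int(m["status"]),
    }


def parse_log(text):
    """Return the list of parsed records, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def login_history(records, success_statuses=(302,)):
    """Aggregate records per user: first/last seen, source IPs, outcome counts.

    success_statuses is an assumption (Joel's 302-after-login observation
    for WordPress); set it to whatever the protected application returns.
    """
    history = defaultdict(lambda: {"first": None, "last": None, "ips": set(),
                                   "success": 0, "other": 0})
    for rec in sorted(records, key=lambda r: r["ts"]):
        h = history[rec["user"]]
        if h["first"] is None:
            h["first"] = rec["ts"]
        h["last"] = rec["ts"]
        h["ips"].add(rec["ip"])
        if rec["status"] in success_statuses:
            h["success"] += 1
        else:
            h["other"] += 1
    return dict(history)


if __name__ == "__main__":
    for user, h in login_history(parse_log(SAMPLE_LOG)).items():
        print(user, h["first"].isoformat(), h["last"].isoformat(),
              sorted(h["ips"]), h["success"], h["other"])
```

Because the rule only sets USER when the username argument is present and the CustomLog is conditional on env=USER, the file contains login attempts only, so the parser does not need to filter out ordinary traffic; a user whose IP set grows unexpectedly in the aggregation is the kind of signal Joel describes alerting on.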
From: Robert P. <rpa...@fe...> - 2019-03-27 00:43:40
If the goal here is only to capture logic data, and not mutate or block the request, is modsecurity the right tool? Might it be saner to use a simpler proxy that sits in front of the web service and writes the audit trail as its sole function?

> On Mar 26, 2019, at 17:03, Manuel Spartan <spa...@gm...> wrote:
>
> Hi Doug, you definitely need to read the book :) but in the meanwhile, if you are ok with little explanations, the best reference ever is the modsecurity reference manual https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29; there are rule examples as well as the descriptions of all operators, variables, actions, etc.
>
> Supposing the argument holding the username is called username, something like the following example should get you started in Apache 2.2 and 2.4.
>
> SecRule ARGS:username "@eq (.*)" "phase:5,id:1,capture,pass,log,noauditlog,setenv:USER=%{matched_var},msg:'Username detected'"
> LogFormat "%a,%t,%{USER}e,%s" usercapture
> CustomLog logs/usercapture_log usercapture env=USER
>
> Output:
> 10.0.0.1,[26/SMar/2019:19:56:28 -0600],MyUser,302
>
>> On Tue., 26 Mar. 2019 at 16:01, Doug Erwin (<de...@tt...>) wrote:
>>
>> Thanks for the guidance. I am still lost, but I ordered a book on amazon, "ModSecurity Handbook, second edition" because it has a chapter on writing rules. At this point I have nothing to help me understand what "phase:5,t:none…." is and how to configure that stuff and what the various options are. Mine is a system that has modsecurity embedded in it and is on a Microsoft IIS platform and writes the log entries into the event viewer. I plan to do a lot of reading as soon as I get it. I want a real log file and not an event viewer and I want the info I need. I think modsecurity can be a powerful asset, especially since it is already there, but I have to master it first. I just want to capture timestamp, username, and IP from a login attempt and be able to keep that for posterity.
>>
>> Doug
>>
>> Doug Erwin
>> President
>> TTP Solutions / TheTradingPortal.com
>> de...@TT...
>> Office: 615-469-0409
>> Cell: 615-498-4756
From: Manuel S. <spa...@gm...> - 2019-03-27 00:04:03
Hi Doug, you definitely need to read the book :) but in the meanwhile, if you are ok with little explanations, the best reference ever is the modsecurity reference manual https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29; there are rule examples as well as the descriptions of all operators, variables, actions, etc.

Supposing the argument holding the username is called username, something like the following example should get you started in Apache 2.2 and 2.4.

SecRule ARGS:username "@eq (.*)" "phase:5,id:1,capture,pass,log,noauditlog,setenv:USER=%{matched_var},msg:'Username detected'"
LogFormat "%a,%t,%{USER}e,%s" usercapture
CustomLog logs/usercapture_log usercapture env=USER

Output:
10.0.0.1,[26/SMar/2019:19:56:28 -0600],MyUser,302

On Tue., 26 Mar. 2019 at 16:01, Doug Erwin (<de...@tt...>) wrote:

> Thanks for the guidance. I am still lost, but I ordered a book on amazon, "ModSecurity Handbook, second edition" because it has a chapter on writing rules. At this point I have nothing to help me understand what "phase:5,t:none…." is and how to configure that stuff and what the various options are. Mine is a system that has modsecurity embedded in it and is on a Microsoft IIS platform and writes the log entries into the event viewer. I plan to do a lot of reading as soon as I get it. I want a real log file and not an event viewer and I want the info I need. I think modsecurity can be a powerful asset, especially since it is already there, but I have to master it first. I just want to capture timestamp, username, and IP from a login attempt and be able to keep that for posterity.
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
|
From: Doug E. <de...@tt...> - 2019-03-26 19:57:20
|
Thanks for the guidance. I am still lost, but I ordered a book on Amazon, "ModSecurity Handbook, second edition", because it has a chapter on writing rules. At this point I have nothing to help me understand what "phase:5,t:none…" is, how to configure that stuff, and what the various options are. Mine is a system that has modsecurity embedded in it, is on a Microsoft IIS platform, and writes the log entries into the event viewer. I plan to do a lot of reading as soon as I get it.

I want a real log file and not an event viewer, and I want the info I need. I think modsecurity can be a powerful asset, especially since it is already there, but I have to master it first. I just want to capture timestamp, username, and IP from a login attempt and be able to keep that for posterity.

Doug

Doug Erwin
President
TTP Solutions / TheTradingPortal.com
de...@TT...
Office: 615-469-0409
Cell: 615-498-4756

> From: Joel Williams <jo...@jo...>
> Sent: Tuesday, March 26, 2019 12:46 AM
> To: mod...@li...
> Subject: Re: [mod-security-users] capturing user logins
>
> Hi Doug,
>
> Just as an example, here's an extract of what I do to detect successful WordPress logins.
>
>     <Locationmatch ".*wp-login\.php">
>     SecRule RESPONSE_STATUS "302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,sanitiseArg:pwd,msg:'wordpress-login-success',id:5000136"
>     </locationmatch>
>
> Based on my specific knowledge of WordPress, a 302 response from the wp-login.php script indicates that a successful login occurred, because it redirects users to the correct page (generally - there are some false positives that I haven't bothered to filter out).
>
> The POST body is also logged, and the password is sanitised so that I only get the user name. I monitor the mod_security logs with Splunk, which extracts individual events and generates a report of logins. You can also do fancier things like generate alerts based on unusual IP address geolocation lookups and time of day.
>
> There might not be a general purpose way to log this information across every possible system and not affect performance, but hopefully this is not a requirement. I guess you could scan every POST request's body for username/uname/user and hope this catches all cases.
>
> Joel
>
> Manuel Spartan wrote on 26/3/19 11:34 am:
>
> Hi Doug, as said before the easiest way is setup a rule to extract the info and parse it in elk or whatever you use, alternatively you can create an environment variable in the rule to get the info and use a conditional apache custom log to save the extracted info if the env var is set in the format you need so you have a clean file with the info.
>
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#setenv
>
> Cheers!
>
> Sent from my iPhone
>
> On 25 Mar 2019, at 16:31, Doug Erwin <de...@tt...> wrote:
>
> I would definitely welcome some help. If I understand correctly, it writes everything to the event viewer -> application log. Is there a way to redirect that to just write a log file to the file system, maybe even a separate log just for these user logins?
>
> Also, is there an online tutorial about writing rules for modsecurity? Maybe something on youtube?
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
>
> From: Chaim Sanders <ch...@ch...>
> Sent: Monday, March 25, 2019 2:54 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] capturing user logins
>
> Yes,
>
> You can make a rule that checks if the parameter with the username is provided and log that. You can then parse the log or use MLogc to move things to third party servers like elasticsearch. Let me know if that makes sense or you need more help.
>
> Thanks,
>
> - Chaim
>
> On Mon, Mar 25, 2019 at 3:01 PM Doug Erwin <de...@tt...> wrote:
>
> Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?
>
> Thanks in advance.
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
|
From: Eero V. <eer...@ik...> - 2019-03-26 14:19:18
|
Please specify your Linux OS version, distribution name, and which package
repository was used to install the nginx modsecurity module.
Eero
On Tue, Mar 26, 2019 at 6:39 AM junaid.khan <jun...@na...> wrote:
> Dear Support
>
>
>
> I need to enable JSON support on mod_sec nginx kindly guide how I enable
> it.
>
>
>
>
>
> 2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity:
> Warning. Match of "within %{tx.allowed_http_versions}" against
> "REQUEST_PROTOCOL" required. [file
> "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "1084"] [id "920430"] [msg "HTTP protocol version is not allowed by
> policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"]
> [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname ""]
> [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id
> "AcAcAcAcAcAYlcAcAbAcAcA2"]
>
> 2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: JSON
> support was not enabled [hostname ""] [uri
> "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id
> "AcAcAcAcAcAYlcAcAbAcAcA2"]
>
> 2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: Access
> denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR"
> required. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "60"] [id
> "200002"] [msg "Failed to parse request body."] [data ""] [severity
> "CRITICAL"] [hostname ""] [uri
> "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id
> "AcAcAcAcAcAYlcAcAbAcAcA2"]
>
> ^C
>
>
>
> Regards,
>
> *Junaid Khan* | *System Administrator*
>
> +92 03018281775 | +92 21 38400633 [Ext: 5531]
>
> jun...@na... | www.nayapay.com
>
> [image: cid:image001.png@01D43481.09450210]
>
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
|
|
From: Christian V. <cv...@it...> - 2019-03-26 13:54:05
|
In your modsec conf, append the line in yellow.
If you already have this line and it is not working, maybe it is because
modsec was not compiled with JSON support.
SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditLogDirMode 1733
SecAuditLogFileMode 0550
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4)"
# Log everything we know about a transaction.
SecAuditLogParts ABCHIZ
Cheers.
El mar., 26 de mar. de 2019 01:39, junaid.khan <jun...@na...>
escribió:
> Dear Support
>
>
>
> I need to enable JSON support on mod_sec nginx kindly guide how I enable
> it.
>
>
>
>
>
> 2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity:
> Warning. Match of "within %{tx.allowed_http_versions}" against
> "REQUEST_PROTOCOL" required. [file
> "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "1084"] [id "920430"] [msg "HTTP protocol version is not allowed by
> policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"]
> [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname ""]
> [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id
> "AcAcAcAcAcAYlcAcAbAcAcA2"]
>
> 2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: JSON
> support was not enabled [hostname ""] [uri
> "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id
> "AcAcAcAcAcAYlcAcAbAcAcA2"]
>
> 2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: Access
> denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR"
> required. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "60"] [id
> "200002"] [msg "Failed to parse request body."] [data ""] [severity
> "CRITICAL"] [hostname ""] [uri
> "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id
> "AcAcAcAcAcAYlcAcAbAcAcA2"]
>
> ^C
>
>
>
> Regards,
>
> *Junaid Khan* | *System Administrator*
>
> +92 03018281775 | +92 21 38400633 [Ext: 5531]
>
> jun...@na... | www.nayapay.com
>
> [image: cid:image001.png@01D43481.09450210]
>
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
|
|
From: Joel W. <jo...@jo...> - 2019-03-26 06:00:21
|
Hi Doug,

Just as an example, here's an extract of what I do to detect successful WordPress logins.

    <Locationmatch ".*wp-login\.php">
    SecRule RESPONSE_STATUS "302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,sanitiseArg:pwd,msg:'wordpress-login-success',id:5000136"
    </locationmatch>

Based on my specific knowledge of WordPress, a 302 response from the wp-login.php script indicates that a successful login occurred, because it redirects users to the correct page (generally - there are some false positives that I haven't bothered to filter out).

The POST body is also logged, and the password is sanitised so that I only get the user name. I monitor the mod_security logs with Splunk, which extracts individual events and generates a report of logins. You can also do fancier things like generate alerts based on unusual IP address geolocation lookups and time of day.

There might not be a general purpose way to log this information across every possible system and not affect performance, but hopefully this is not a requirement. I guess you could scan every POST request's body for username/uname/user and hope this catches all cases.

Joel

Manuel Spartan wrote on 26/3/19 11:34 am:
> Hi Doug, as said before the easiest way is setup a rule to extract the info and parse it in elk or whatever you use, alternatively you can create an environment variable in the rule to get the info and use a conditional apache custom log to save the extracted info if the env var is set in the format you need so you have a clean file with the info.
>
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#setenv
>
> Cheers!
>
> Sent from my iPhone
>
> On 25 Mar 2019, at 16:31, Doug Erwin <de...@tt...> wrote:
>
>> I would definitely welcome some help. If I understand correctly, it writes everything to the event viewer -> application log. Is there a way to redirect that to just write a log file to the file system, maybe even a separate log just for these user logins?
>>
>> Also, is there an online tutorial about writing rules for modsecurity? Maybe something on youtube?
>>
>> Doug
>>
>> Doug Erwin
>> President
>> TTP Solutions / TheTradingPortal.com
>> de...@TT...
>> Office: 615-469-0409
>> Cell: 615-498-4756
>>
>> *From:* Chaim Sanders <ch...@ch...>
>> *Sent:* Monday, March 25, 2019 2:54 PM
>> *To:* mod...@li...
>> *Subject:* Re: [mod-security-users] capturing user logins
>>
>> Yes,
>>
>> You can make a rule that checks if the parameter with the username is provided and log that. You can then parse the log or use MLogc to move things to third party servers like elasticsearch. Let me know if that makes sense or you need more help.
>>
>> Thanks,
>>
>> - Chaim
>>
>> On Mon, Mar 25, 2019 at 3:01 PM Doug Erwin <de...@tt...> wrote:
>>
>> Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?
>>
>> Thanks in advance.
>>
>> Doug
>>
>> Doug Erwin
>> President
>> TTP Solutions / TheTradingPortal.com
>> de...@TT...
>> Office: 615-469-0409
>> Cell: 615-498-4756
>>
>> --
>> Chaim Sanders
>> http://www.ChaimSanders.com
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
|
From: junaid.khan <jun...@na...> - 2019-03-26 04:38:40
|
Dear Support
I need to enable JSON support on mod_sec nginx; kindly guide me on how to enable it.
2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1084"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname ""] [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id "AcAcAcAcAcAYlcAcAbAcAcA2"]
2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: JSON support was not enabled [hostname ""] [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id "AcAcAcAcAcAYlcAcAbAcAcA2"]
2019/03/19 17:28:22 [error] 5750#0: [client 10.1.1.24] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "60"] [id "200002"] [msg "Failed to parse request body."] [data ""] [severity "CRITICAL"] [hostname ""] [uri "/nayapay-middleware-0.0.1/app-data/get-nayapay-id"] [unique_id "AcAcAcAcAcAYlcAcAbAcAcA2"]
^C
Regards,
Junaid Khan | System Administrator
+92 03018281775 | +92 21 38400633 [Ext: 5531]
jun...@na... | www.nayapay.com
|
|
From: Manuel S. <spa...@gm...> - 2019-03-26 02:34:25
|
Hi Doug, as said before the easiest way is to set up a rule to extract the info and parse it in ELK or whatever you use; alternatively you can create an environment variable in the rule to get the info and use a conditional Apache custom log to save the extracted info if the env var is set, in the format you need, so you have a clean file with the info.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#setenv

Cheers!

Sent from my iPhone

> On 25 Mar 2019, at 16:31, Doug Erwin <de...@tt...> wrote:
>
> I would definitely welcome some help. If I understand correctly, it writes everything to the event viewer -> application log. Is there a way to redirect that to just write a log file to the file system, maybe even a separate log just for these user logins?
>
> Also, is there an online tutorial about writing rules for modsecurity? Maybe something on youtube?
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
>
> From: Chaim Sanders <ch...@ch...>
> Sent: Monday, March 25, 2019 2:54 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] capturing user logins
>
> Yes,
> You can make a rule that checks if the parameter with the username is provided and log that. You can then parse the log or use MLogc to move things to third party servers like elasticsearch. Let me know if that makes sense or you need more help.
> Thanks,
> - Chaim
>
> On Mon, Mar 25, 2019 at 3:01 PM Doug Erwin <de...@tt...> wrote:
> Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?
>
> Thanks in advance.
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
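Putting Chaim's, Manuel's and Joel's suggestions together as one rule set, here is an added example (not code from any of the posters): a phase-3 rule that fires on the 302 Joel describes, exports the submitted user name with setenv, keeps the password out of the audit log with sanitiseArg, and a conditional CustomLog that writes one line per successful login with the timestamp, client IP and user name Doug asked for. Assumptions: WordPress posts the user name in the `log` field and the password in `pwd` (the field Joel's rule sanitises); rule id 5000137 and the log file name are placeholders for your own numbering and paths. CustomLog belongs to Apache's mod_log_config, so on an IIS deployment only the rule half carries over; there the file-based record is the audit log configured with SecAuditLog and SecAuditLogParts.

```apache
# Added example, not from the thread: log successful WordPress logins to a
# dedicated file while keeping the password out of every log.
# Assumes WordPress form fields "log" (user name) and "pwd" (password).
# Rule id 5000137 and the log path are placeholders.

# ARGS_POST only exists when the engine is allowed to read request bodies;
# this is normally already set in modsecurity.conf.
SecRequestBodyAccess On

<LocationMatch "/wp-login\.php$">
    # Phase 3 (response headers) is late enough to see RESPONSE_STATUS and
    # early enough for mod_log_config to pick up the environment variable.
    SecRule RESPONSE_STATUS "@streq 302" \
        "id:5000137,phase:3,t:none,log,pass,chain,msg:'wordpress-login-success'"
        # A redirect from the login page only counts when it answers a POST.
        SecRule REQUEST_METHOD "@streq POST" "chain"
            # Fire only when a user name was actually submitted. Export it
            # for CustomLog and mark the password for sanitising so the
            # audit log shows it as asterisks.
            SecRule ARGS_POST:log "@rx ^.+$" \
                "t:none,setenv:login_user=%{MATCHED_VAR},sanitiseArg:pwd"
</LocationMatch>

# One line per successful login: timestamp, client IP, user name.
# env= makes mod_log_config write only the requests where the rule above
# set login_user, so the file contains nothing but logins.
CustomLog "logs/wp-logins.log" "%t %a %{login_user}e" env=login_user
```

Because the disruptive action is `pass`, the rule never changes what the client sees; it only records. The same pattern works for any application once you know which response marks a successful login and which POST field carries the user name, which is the application-specific knowledge Joel refers to.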
|
From: Doug E. <de...@tt...> - 2019-03-25 20:31:20
|
I would definitely welcome some help. If I understand correctly, it writes everything to the event viewer -> application log. Is there a way to redirect that to just write a log file to the file system, maybe even a separate log just for these user logins?

Also, is there an online tutorial about writing rules for modsecurity? Maybe something on youtube?

Doug

Doug Erwin
President
TTP Solutions / TheTradingPortal.com
de...@TT...
Office: 615-469-0409
Cell: 615-498-4756

> From: Chaim Sanders <ch...@ch...>
> Sent: Monday, March 25, 2019 2:54 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] capturing user logins
>
> Yes,
>
> You can make a rule that checks if the parameter with the username is provided and log that. You can then parse the log or use MLogc to move things to third party servers like elasticsearch. Let me know if that makes sense or you need more help.
>
> Thanks,
>
> - Chaim
>
> On Mon, Mar 25, 2019 at 3:01 PM Doug Erwin <de...@tt...> wrote:
>
> Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?
>
> Thanks in advance.
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com |
|
From: Chaim S. <ch...@ch...> - 2019-03-25 19:53:54
|
Yes,

You can make a rule that checks if the parameter with the username is provided and log that. You can then parse the log or use MLogc to move things to third party servers like elasticsearch. Let me know if that makes sense or you need more help.

Thanks,

- Chaim

On Mon, Mar 25, 2019 at 3:01 PM Doug Erwin <de...@tt...> wrote:

> Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?
>
> Thanks in advance.
>
> Doug
>
> Doug Erwin
> President
> TTP Solutions / TheTradingPortal.com
> de...@TT...
> Office: 615-469-0409
> Cell: 615-498-4756
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
Chaim Sanders
http://www.ChaimSanders.com |
|
From: Doug E. <de...@tt...> - 2019-03-25 18:57:37
|
Hi all, I am new to modsecurity but I would like to use it to capture user logins so that I could build a history of user access over time. Is there a way to do that? I am pretty sure that this would be a new special or custom rule. Any thoughts on this?

Thanks in advance.

Doug

Doug Erwin
President
TTP Solutions / TheTradingPortal.com
de...@TT...
Office: 615-469-0409
Cell: 615-498-4756 |
|
From: Chaim S. <ch...@ch...> - 2019-03-25 18:39:42
|
You probably don't have the rule engine in the blocking state. Generally this means changing the SecRuleEngine directive to 'On'. For more details see https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine. Let me know if that helps.

On Mon, Mar 25, 2019 at 12:43 PM Monah Baki <mon...@gm...> wrote:

> Hi all,
>
> Testing modsecurity, if I enter the IP address of the server, I get the following:
>
> [Mon Mar 25 12:34:02.300806 2019] [:error] [pid 14540] [client 192.168.1.11:57650] [client 192.168.1.11] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "798"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.2"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.2"] [uri "/favicon.ico"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"], referer: http://192.168.1.2/
>
> I created a test /etc/passwd in my root document folder, but I can still access the file. I read on a website this would be a simple test; am I missing something?
>
> Thanks
> Monah
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
Chaim Sanders
http://www.ChaimSanders.com |
|
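The two engine states Chaim is contrasting, as an added illustration that is not part of the thread: the same CRS 3.x include block with the weak setting beside the corrected one. Paths follow Monah's layout; the scores and threshold quoted in the comments are the CRS 3.x defaults.

```apache
# Added example, not the thread's own httpd.conf. Paths follow Monah's layout.
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Weak: DetectionOnly runs every rule and writes the same
    # "ModSecurity: Warning" lines, but no request is ever denied,
    # so the test file stays reachable whatever the rules say.
    #SecRuleEngine DetectionOnly

    # Corrected: On lets disruptive actions take effect. In CRS 3.x anomaly
    # mode the per-rule matches (such as 920350) still log as "Warning" with
    # "pass"; the actual deny comes from rule 949110 once the inbound score
    # reaches tx.inbound_anomaly_score_threshold (default 5).
    SecRuleEngine On
    SecRequestBodyAccess On

    Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
    Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>
```

Two things make the test in the quoted message inconclusive even with the engine On. Rule 920350 has severity WARNING, worth 3 points, so a numeric Host header alone never reaches the default threshold of 5 in either mode. And a bare GET of a static file named /etc/passwd under DocumentRoot carries none of the payload the CRS LFI rules inspect: 930120 looks at ARGS, ARGS_NAMES and cookies, and 930100/930110 look for traversal sequences. A request such as `curl -si 'http://192.168.1.2/?file=../../etc/passwd'` trips both (CRITICAL, 5 points each): with `SecRuleEngine On` it returns 403 and the error log shows rule 949110 with "Access denied with code 403"; with `DetectionOnly` the same 949110 line is logged as a Warning and the response is still 200.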
From: Monah B. <mon...@gm...> - 2019-03-25 16:38:20
|
Hi all,

Testing modsecurity, if I enter the IP address of the server, I get the following:

[Mon Mar 25 12:34:02.300806 2019] [:error] [pid 14540] [client 192.168.1.11:57650] [client 192.168.1.11] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "798"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.2"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.2"] [uri "/favicon.ico"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"], referer: http://192.168.1.2/

I created a test /etc/passwd in my root document folder, but I can still access the file. I read on a website this would be a simple test, am I missing something?

Thanks
Monah |
|
From: Eero V. <eer...@ik...> - 2019-03-25 14:55:35
|
Please fix the issue in the correct way. Set labels on the files :)

On Mon, Mar 25, 2019, 16:46 Monah Baki <mon...@gm...> wrote:
> Eero,
>
> Thanks a lot, that was the problem, disabled selinux and it worked.
>
> On Mon, Mar 25, 2019 at 10:40 AM Eero Volotinen <eer...@ik...> wrote:
>> Is SeLinux enabled? in enforcing mode?
>>
>> Eero
>>
>> On Mon, Mar 25, 2019, 16:37 Monah Baki <mon...@gm...> wrote:
>>> Hi all,
>>>
>>> I'm running Centos 7 and I issued the following command:
>>> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
>>>
>>> I followed the steps in INSTALL.
>>>
>>> In my httpd.conf I have the following:
>>> LoadModule security2_module modules/mod_security2.so
>>>
>>> <VirtualHost *:80>
>>> ServerName www.osisolutions.com
>>> SecRuleEngine On
>>> IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
>>> </VirtualHost>
>>>
>>> <IfModule dir_module>
>>> DirectoryIndex index.html
>>> </IfModule>
>>>
>>> <IfModule security2_module>
>>> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>>> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
>>> </IfModule>
>>>
>>> If I start http I get the following:
>>>
>>> Mar 25 10:03:38 new-host-2 systemd[1]: Starting The Apache HTTP Server...
>>> -- Subject: Unit httpd.service has begun start-up
>>> -- Defined-By: systemd
>>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>> --
>>> -- Unit httpd.service has begun starting up.
>>> Mar 25 10:03:38 new-host-2 httpd[8138]: [Mon Mar 25 10:03:38.726534 2019] [so:warn] [pid 8138] AH01574: module security2_module is already loaded, skipping
>>> Mar 25 10:03:38 new-host-2 httpd[8138]: httpd: Syntax error on line 178 of /etc/httpd/conf/httpd.conf: Could not open configuration file /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf: Permission denied
>>> Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>> Mar 25 10:03:38 new-host-2 kill[8139]: kill: cannot find process ""
>>> Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Mar 25 10:03:38 new-host-2 systemd[1]: Failed to start The Apache HTTP Server.
>>> -- Subject: Unit httpd.service has failed
>>> -- Defined-By: systemd
>>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>> --
>>> -- Unit httpd.service has failed.
>>>
>>> [root@new-host-2 ~]# ls -la /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>>> -rw-r--r--. 1 apache apache 33615 Mar 24 12:17 /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>>>
>>> I changed to 777 and I still get the same error.
>>>
>>> If I comment:
>>>
>>> <IfModule security2_module>
>>> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>>> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
>>> </IfModule>
>>>
>>> Apache works
>>>
>>> Thanks
>>> Monah |
|
From: Monah B. <mon...@gm...> - 2019-03-25 14:46:53
|
Eero,

Thanks a lot, that was the problem, disabled selinux and it worked.

On Mon, Mar 25, 2019 at 10:40 AM Eero Volotinen <eer...@ik...> wrote:
> Is SeLinux enabled? in enforcing mode?
>
> Eero
>
> On Mon, Mar 25, 2019, 16:37 Monah Baki <mon...@gm...> wrote:
>> Hi all,
>>
>> I'm running Centos 7 and I issued the following command:
>> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
>>
>> I followed the steps in INSTALL.
>>
>> In my httpd.conf I have the following:
>> LoadModule security2_module modules/mod_security2.so
>>
>> <VirtualHost *:80>
>> ServerName www.osisolutions.com
>> SecRuleEngine On
>> IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
>> </VirtualHost>
>>
>> <IfModule dir_module>
>> DirectoryIndex index.html
>> </IfModule>
>>
>> <IfModule security2_module>
>> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
>> </IfModule>
>>
>> If I start http I get the following:
>>
>> Mar 25 10:03:38 new-host-2 systemd[1]: Starting The Apache HTTP Server...
>> -- Subject: Unit httpd.service has begun start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit httpd.service has begun starting up.
>> Mar 25 10:03:38 new-host-2 httpd[8138]: [Mon Mar 25 10:03:38.726534 2019] [so:warn] [pid 8138] AH01574: module security2_module is already loaded, skipping
>> Mar 25 10:03:38 new-host-2 httpd[8138]: httpd: Syntax error on line 178 of /etc/httpd/conf/httpd.conf: Could not open configuration file /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf: Permission denied
>> Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>> Mar 25 10:03:38 new-host-2 kill[8139]: kill: cannot find process ""
>> Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: control process exited, code=exited status=1
>> Mar 25 10:03:38 new-host-2 systemd[1]: Failed to start The Apache HTTP Server.
>> -- Subject: Unit httpd.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit httpd.service has failed.
>>
>> [root@new-host-2 ~]# ls -la /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>> -rw-r--r--. 1 apache apache 33615 Mar 24 12:17 /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>>
>> I changed to 777 and I still get the same error.
>>
>> If I comment:
>>
>> <IfModule security2_module>
>> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
>> </IfModule>
>>
>> Apache works
>>
>> Thanks
>> Monah |
|
From: Eero V. <eer...@ik...> - 2019-03-25 14:40:25
|
Is SELinux enabled? In enforcing mode?

Eero

On Mon, Mar 25, 2019, 16:37 Monah Baki <mon...@gm...> wrote:
> Hi all,
>
> I'm running Centos 7 and I issued the following command:
> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
>
> I followed the steps in INSTALL.
>
> In my httpd.conf I have the following:
> LoadModule security2_module modules/mod_security2.so
>
> <VirtualHost *:80>
> ServerName www.osisolutions.com
> SecRuleEngine On
> IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
> </VirtualHost>
>
> <IfModule dir_module>
> DirectoryIndex index.html
> </IfModule>
>
> <IfModule security2_module>
> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
> </IfModule>
>
> If I start http I get the following:
>
> Mar 25 10:03:38 new-host-2 systemd[1]: Starting The Apache HTTP Server...
> -- Subject: Unit httpd.service has begun start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit httpd.service has begun starting up.
> Mar 25 10:03:38 new-host-2 httpd[8138]: [Mon Mar 25 10:03:38.726534 2019] [so:warn] [pid 8138] AH01574: module security2_module is already loaded, skipping
> Mar 25 10:03:38 new-host-2 httpd[8138]: httpd: Syntax error on line 178 of /etc/httpd/conf/httpd.conf: Could not open configuration file /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf: Permission denied
> Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
> Mar 25 10:03:38 new-host-2 kill[8139]: kill: cannot find process ""
> Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: control process exited, code=exited status=1
> Mar 25 10:03:38 new-host-2 systemd[1]: Failed to start The Apache HTTP Server.
> -- Subject: Unit httpd.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit httpd.service has failed.
>
> [root@new-host-2 ~]# ls -la /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
> -rw-r--r--. 1 apache apache 33615 Mar 24 12:17 /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
>
> I changed to 777 and I still get the same error.
>
> If I comment:
>
> <IfModule security2_module>
> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
> </IfModule>
>
> Apache works
>
> Thanks
> Monah |
|
From: Monah B. <mon...@gm...> - 2019-03-25 14:36:15
|
Hi all,

I'm running Centos 7 and I issued the following command:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

I followed the steps in INSTALL.

In my httpd.conf I have the following:
LoadModule security2_module modules/mod_security2.so

<VirtualHost *:80>
ServerName www.osisolutions.com
SecRuleEngine On
IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
</VirtualHost>

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

If I start http I get the following:

Mar 25 10:03:38 new-host-2 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Mar 25 10:03:38 new-host-2 httpd[8138]: [Mon Mar 25 10:03:38.726534 2019] [so:warn] [pid 8138] AH01574: module security2_module is already loaded, skipping
Mar 25 10:03:38 new-host-2 httpd[8138]: httpd: Syntax error on line 178 of /etc/httpd/conf/httpd.conf: Could not open configuration file /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf: Permission denied
Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 25 10:03:38 new-host-2 kill[8139]: kill: cannot find process ""
Mar 25 10:03:38 new-host-2 systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 25 10:03:38 new-host-2 systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.

[root@new-host-2 ~]# ls -la /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
-rw-r--r--. 1 apache apache 33615 Mar 24 12:17 /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf

I changed to 777 and I still get the same error.

If I comment:

<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

Apache works

Thanks
Monah |
|
From: Felipe Z. <fe...@zi...> - 2019-03-13 13:51:06
|
:D

Version 3 should be good to go. It was a typo on the website. I will contact the responsible people to have it fixed.

Thank you for letting us know.

--
F.

On Wed, Mar 13, 2019 at 12:47 AM Shigeya Tanabe <ta...@na...> wrote:
> Hi all,
>
> https://modsecurity.org/download.html
> At the bottom of the download page, there is a note for nginx.
>
> NOTE: Some instabilities in the Nginx add-on have been reported (see the Github issues page for details). Please use the "nginx_refactoring" branch where possible for the most up to date version and stay tuned for the ModSecurity version 4.
>
> Is it still true and should I wait for version 4, or is it already resolved as of version 3? The "nginx_refactoring" branch looks inactive now.
>

--
Br.,
Felipe Zimmerle |
|
From: Chaim S. <ch...@ch...> - 2019-03-13 12:49:15
|
Yes!
It is somewhat unclear what exactly you're looking for based on your
configuration. If you just want to disable the rule, then you can use
(assuming CRS 3.x):
SecRuleRemoveById 913100
If you want it to continue to audit, add to the anomaly score and block
based on this, but not log, then you can use SecRuleUpdateActionById:

SecRuleUpdateActionById 913100 "block,\
    t:none,t:lowercase,nolog,severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    setvar:'ip.reput_block_flag=1',\
    setvar:'ip.reput_block_reason=%{rule.msg}',\
    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

Of note, SecRuleUpdateActionById and SecRuleRemoveById should be in
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, i.e. after your rules. For more
information on why, see
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
On Wed, Mar 13, 2019 at 2:22 AM Eero Volotinen <eer...@ik...>
wrote:
> Hi List,
>
> Is there easy way to no log attacks from scanners-user-agents.data?
>
> .. due to log flood ..
>
> --
> Eero
--
--
Chaim Sanders
http://www.ChaimSanders.com
|
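An added example (not from Chaim's answer or from the CRS project) that puts his two options in the files they belong in and adds a third, narrower variant: silence 913100 only for a scanner range you operate yourself, so genuine attackers that spoof scanner User-Agents are still scored and logged. The range 10.0.0.0/8 and the rule id 10001 are assumptions; the action list for 913100 mirrors the CRS 3.1 rule, with the rule's own msg restored because SecRuleUpdateActionById replaces the whole action list.

```apache
# ---- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (loaded BEFORE rules/*.conf) ----
# Runtime exclusion: a ctl: action applies to the current transaction only,
# so it has to run before 913100 (phase 1) is evaluated. Here the scanner-UA
# rule is dropped only for an assumed internal scanner range; the same
# User-Agent from anywhere else is scored, logged and blocked as usual.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=913100"

# ---- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (loaded AFTER rules/*.conf) ----
# Configure-time directives modify a rule that must already be defined,
# which is why they belong after the CRS includes.

# Option A: remove the rule entirely (no score, no log, no block).
#SecRuleRemoveById 913100

# Option B: keep scoring and blocking, drop the error-log line.
# "nolog" alone also implies "noauditlog"; "auditlog" is added back so a
# blocked scanner request still produces an audit record to investigate.
SecRuleUpdateActionById 913100 "block,\
    t:none,t:lowercase,\
    nolog,auditlog,\
    msg:'Found User-Agent associated with security scanner',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    setvar:'ip.reput_block_flag=1',\
    setvar:'ip.reput_block_reason=%{rule.msg}',\
    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
```

Pick one of the two mechanisms per rule rather than both. The runtime variant is the one to reach for when the log flood comes from a known source such as your own vulnerability scanner; the configure-time variants change the rule for every client. Whichever is used, `apachectl configtest` before reloading catches an update directive that references a rule id the loaded CRS version does not define.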
|
From: Eero V. <eer...@ik...> - 2019-03-13 06:17:54
|
Hi List,

Is there an easy way to not log attacks from scanners-user-agents.data?

.. due to log flood ..

--
Eero |
|
From: Shigeya T. <ta...@na...> - 2019-03-13 03:47:07
|
Hi all,

https://modsecurity.org/download.html
At the bottom of the download page, there is a note for nginx.

NOTE: Some instabilities in the Nginx add-on have been reported (see the Github issues page for details). Please use the "nginx_refactoring" branch where possible for the most up to date version and stay tuned for the ModSecurity version 4.

Is it still true and should I wait for version 4, or is it already resolved as of version 3? The "nginx_refactoring" branch looks inactive now. |
|
From: Lior G. <li...@gm...> - 2019-03-12 11:10:13
|
Hi,

Is Win 10 + IIS 10 supported? If so, where can I get a tutorial? I followed this one <https://admin-ahead.com/forum/server-security-hardening-21/installing-and-configuring-mod_security-on-windows-server/> but had no success; I couldn't even find ModSecurity in the MS Web Platform Installer (WEBPL).

Same question for Windows 12 and IIS 8.

Thanks |
|
From: izone I. <izo...@ic...> - 2019-03-12 09:26:37
|
Sent from my iPhone |