mod-security-users Mailing List for ModSecurity (Page 34)
From: service m. <ser...@ms...> - 2019-02-04 17:36:38

Hello Community,

Here's my problem: the server where I have to install ModSecurity must pass through a proxy server to reach the internet. Therefore, I configured this on my Debian:

export http_proxy=http://myproxy.com:8080
export https_proxy=http://myproxy.com:8080

Then, ModSecurity has to download https://dashboard.modsecurity.org/rules/download/plain

Here's what happens on my WAF server when I reload apache2:

[cid:image001.jpg@01D4BC9F.381D4010]

We have a TCP RETRANSMISSION. But when I try to wget this link, it works:

[cid:image002.jpg@01D4BC9F.381D4010]

It takes into account my export http_proxy from before. And if I try this wget on my proxy server, of course it works:

[cid:image003.jpg@01D4BC9F.381D4010]

My proxy doesn't block the link. When I reload apache and run tshark on 443 on my proxy, I don't see anything: no accept, no reject, etc. There's nothing between my proxy and my WAF.

My theory is that ModSecurity does not take into account the proxy rules I've set on my Debian OS. So, if you don't see any other source for my problem, my main question is: how do I force ModSecurity to go through my proxy to download and synchronize the rules?

Thank you for your help.

Regards,
BC

This message is confidential. Its contents do not constitute a commitment by Mutuelle Saint-Christophe assurances except where provided for in a written agreement between you and Mutuelle Saint-Christophe assurances. Any unauthorised disclosure, use or dissemination, either whole or partial, is prohibited. If you are not the intended recipient of the message, please notify the sender immediately.
From: Germán C. <gch...@gm...> - 2019-01-31 16:43:08

Hi all,

I'm trying to get the JSON parser to work with modsecurity 2.9.2 with Apache HTTPD. I have followed the instructions from this link: https://gist.github.com/rpfilomeno/1140359f4bd360137a98#file-modsecurity-installation-owasp-crs-for-centos-6-5-L22

I can see that yajl is found when I run the configure script. I see the following in the config.log:

$ cat config.log | grep yajl
$ ./configure --with-yajl=/usr/local/lib /usr/local
configure:15950: checking for libyajl config script
configure:16071: using yajl v2.1.1
YAJL_CFLAGS='-DWITH_YAJL -I/usr/local/include/yajl '
YAJL_LDADD='-lyajl '
YAJL_LIBS='-lyajl '

However, after restarting apache, I still see the "JSON support not enabled" error. Also, ldd mod_security2.so doesn't show yajl. What am I missing?

Thanks in advance,
Germán
From: Chaim S. <ch...@ch...> - 2019-01-31 14:04:38

I recommend you take a look at Ivan and Christian Folini's book (https://www.feistyduck.com/books/modsecurity-handbook/). It will answer a lot of questions you have. Also, for mlogc, here is a blog I wrote about a basic setup a bit ago: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sending-modsecurity-logs-to-mysql/

On Thu, Jan 31, 2019 at 8:56 AM Davy Gunarso via mod-security-users <mod...@li...> wrote:
> Anyone knows about mlogc in mod security and how to access it?
>
> Sent from Yahoo Mail on Android
>
> On Wed, 30 Jan 2019 at 19:39, Marcello Lorenzi <ce...@gm...> wrote:
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
Chaim Sanders
http://www.ChaimSanders.com
From: Davy G. <da...@ya...> - 2019-01-31 13:52:57

Anyone knows about mlogc in mod security and how to access it?

Sent from Yahoo Mail on Android

On Wed, 30 Jan 2019 at 19:39, Marcello Lorenzi <ce...@gm...> wrote:
From: Christian V. <cv...@it...> - 2019-01-31 12:13:42

Thanks, yes please, give it a try!

Cheers.
Chris.

On 31-01-19 at 03:44, Christian Folini wrote:
> Congratulations for this new release Christian. I'm planning to give it a spin
> next week.
>
> Cheers,
>
> Christian
>
> On Thu, Jan 31, 2019 at 02:15:28AM -0300, Christian Varas wrote:
>> Hello all,
>>
>> We are happy to release the new version of Waf2Py, this version works
>> with the new modsecurity and nginx connector.
>> [...]
>>
>> Cheers!
>> Chris.
From: Christian F. <chr...@ne...> - 2019-01-31 06:44:38

Congratulations for this new release Christian. I'm planning to give it a spin next week.

Cheers,

Christian

On Thu, Jan 31, 2019 at 02:15:28AM -0300, Christian Varas wrote:
> Hello all,
>
> We are happy to release the new version of Waf2Py, this version works
> with the new modsecurity and nginx connector.
> [...]
>
> Cheers!
> Chris.
>
> pub rsa4096 2018-11-01 [SC] [expires: 2025-11-01]
> 41C003149D02EABA8D91DA719F943B49D75BA97C
> uid Christian Varas <cv...@it...>
> sub rsa4096 2018-11-01 [E] [expires: 2025-11-01]
From: Christian V. <cv...@it...> - 2019-01-31 05:44:07

Hello all,
We are happy to release the new version of Waf2Py, this version works
with the new modsecurity and nginx connector.
*What can I do with this interface?*
* Create a site in just minutes,
* Create global or local exclusions with just 2 clicks!
* Add virtual interfaces
* Create static routes for the desired app.
* Check debug, access, error and audit logs in an easy way,
* Download logs
* Check the stats for every application with nice graphics
* Disable/Enable protection with just 1 click.
* Restrict paths or files.
* Insert headers.
* Change configurations
_*About this bundle*_
* Tested in Debian 9 (No docker).
* Components for this build:
o Waf2Py App
o Web2Py 2.17.2
o Nginx version: openresty-1.13.6.2
o ModSecurity v3 - libsecurity;
o Modsecurity Nginx connector
o OWASP ModSecurity Core Rule Set (CRS)
Download
http://www.waf2py.org
https://github.com/ITSec-Chile/Waf2Py
Some screenshots
https://imgur.com/a/px1T0nY
* We invite you guys to test and support this development to make
something powerful and free.
* If something is not working please let me know in GitHub
*Note 1*: By now not all options of nginx and modsecurity are
implemented with nice switches. Advanced configurations can be made
through the "expert configuration" tab.
*Note 2*: Because the nginx connector is still being improved, maybe not all
functions work as expected, but with time this will get better and
better.
Cheers!
Chris.
From: Ervin H. <ai...@gm...> - 2019-01-30 13:51:18

Hi Alex,

I think the SF mailing list doesn't allow attachments, or you've missed it, but there is no image in your e-mail. Anyway, it would be good to know your ModSecurity version, and relevant config.

a.

On Wed, Jan 30, 2019 at 1:10 PM Alexandros Kyrlis via mod-security-users <mod...@li...> wrote:
> Hello,
>
> MULTIPART_STRICT_ERROR
>
> I have seen this error appearing on some cases when a user tries to post
> on a forum, possibly with attached file (image).
> I suspect this is a false trigger.
>
> Anyone have any information about this error?
>
> Thanks
> Alex
From: Marcello L. <ce...@gm...> - 2019-01-30 12:38:06

On Wed 30 Jan 2019, 13:18 Christian Folini <chr...@ne...> wrote:
> Hey Davy,
>
> Please send me a message off-list.
>
> Cheers,
>
> Christian
>
> On Wed, Jan 30, 2019 at 11:40:32AM +0000, Davy Gunarso via
> mod-security-users wrote:
> > Hello,
> > I would like to know if it is possible to subscribe mod security full
> > service and will I be able to get full service? Like ask any question I
> > wish about custom rule? Anyone ever do this?
> > Davy
> > [...]
From: Christian F. <chr...@ne...> - 2019-01-30 12:15:31

Hey Davy,

Please send me a message off-list.

Cheers,

Christian

On Wed, Jan 30, 2019 at 11:40:32AM +0000, Davy Gunarso via mod-security-users wrote:
> Hello,
> I would like to know if it is possible to subscribe mod security full service and will I be able to get full service? Like ask any question I wish about custom rule? Anyone ever do this?
> Davy
>
> Sent from Yahoo Mail on Android
>
> On Wed, 16 Jan 2019 at 21:41, Davy Gunarso <da...@ya...> wrote:
> Yes, I have but it is not for specific sqlia type it is a general or perhaps for all type. Since this is for my thesis I wonder if there is a specific sqlia type?
> Davy
>
> Sent from Yahoo Mail on Android
>
> On Wed, 16 Jan 2019 at 19:36, Manuel Spartan <spa...@gm...> wrote:
From: Alexandros K. <ale...@me...> - 2019-01-30 12:08:31

Hello,

MULTIPART_STRICT_ERROR

I have seen this error appearing in some cases when a user tries to post on a forum, possibly with an attached file (image). I suspect this is a false trigger.

Does anyone have any information about this error?

Thanks
Alex
From: Davy G. <da...@ya...> - 2019-01-30 11:40:41

Hello,

I would like to know if it is possible to subscribe to the mod security full service, and will I be able to get full service? Like asking any question I wish about custom rules? Has anyone ever done this?

Davy

Sent from Yahoo Mail on Android

On Wed, 16 Jan 2019 at 21:41, Davy Gunarso <da...@ya...> wrote:
Yes, I have, but it is not for a specific sqlia type; it is general, or perhaps for all types. Since this is for my thesis I wonder if there is a specific sqlia type?

Davy

Sent from Yahoo Mail on Android

On Wed, 16 Jan 2019 at 19:36, Manuel Spartan <spa...@gm...> wrote:
From: Christian F. <chr...@ne...> - 2019-01-29 05:09:53

Hello Matthijs,

Manuel Spartan's advice is very sound. Here is a bit of additional info:

On Mon, Jan 28, 2019 at 04:23:08PM +0100, Matthijs Möhlmann wrote:
> I am obviously missing something but I cannot find why. I already tried
> adding 'setvar:anomaly_score-=5' and other parts. In my opinion one should
> not disable the rules 949110 and 980130, then SQL injections won't be
> detected properly (as example)?

949110 is a crucial rule as it makes the blocking decision.

You were probably referring to 942110. I agree that this rule is best left intact, but sometimes I have to disable it for a given path on a given parameter. If I do, I try to do this in a very granular way.

980130 is just a statistics rule. It can be ignored, or axed completely, if you do not have any use for it.

Good luck!

Christian

--
If liberty means anything at all, it means the right to tell people what they do not want to hear.
-- George Orwell
From: Manuel S. <spa...@gm...> - 2019-01-29 02:47:07

Hi Matthijs,

You will have lots of trouble with that type of request; it will trigger many rules and you will end up with a huge list of disabled rules. Take a look at rule 9002700 from the CRS, which, similar to your use case, has to deal with scary payloads and ended up whitelisting a similar ARG from several rules by id and by tag to make it work: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

Remember that doing that also opens your site to attacks, and php is a powerful language that can easily be used for doing nasty stuff, so try as much as possible to do positive validation and whitelist the content ARG from as few rules as you can, and if you can, add apparmor or selinux on top of it to prevent some of the attacks (there are several tutorials but here is an easy one to follow: https://www.secjuice.com/apparmor-say-goodbye-to-remote-command-execution/).

Good luck!

Sent from my iPhone

> On 28 Jan 2019, at 10:23, Matthijs Möhlmann <mat...@ca...> wrote:
>
> Hello all,
>
> This is my first post on the mod security mailing list. Do tell me if I am on the wrong list or did not give enough information.
>
> Currently I have modsecurity running on our webserver but am getting a 403 on a valid request. I don't blame modsecurity but the web developer, because it's not really standard practice how they send the data. The developer tells me that he can't change the current code and asked me to whitelist this request.
>
> It is a POST request to a webform with a parameter 'content' which is problematic. After adding the following rule:
> SecRule REQUEST_URI "@beginsWith /php/xhr/ajax.php" "id:1,phase:1,pass,ctl:ruleRemoveTargetById=941110;ARGS:content,ctl:ruleRemoveTargetById=941160;ARGS:content,ctl:ruleRemoveTargetById=941100;ARGS:content"
>
> I can see in the logs that the rule is evaluated and the rules are not evaluated (according to how I interpret the logs).
>
> [...]
>
> As you can see, I still get a '403 Forbidden'.
>
> I am obviously missing something but I cannot find why. I already tried adding 'setvar:anomaly_score-=5' and other parts. In my opinion one should not disable the rules 949110 and 980130, then SQL injections won't be detected properly (as example)?
>
> Can someone help me out with what I am missing here?
>
> Regards, Matthijs
From: Matthijs M. <mat...@ca...> - 2019-01-28 15:40:15

Hello all,

This is my first post on the mod security mailing list. Do tell me if I am on the wrong list or did not give enough information.

Currently I have modsecurity running on our webserver but am getting a 403 on a valid request. I don't blame modsecurity but the web developer, because it's not really standard practice how they send the data. The developer tells me that he can't change the current code and asked me to whitelist this request.

It is a POST request to a webform with a parameter 'content' which is problematic. After adding the following rule:

SecRule REQUEST_URI "@beginsWith /php/xhr/ajax.php" "id:1,phase:1,pass,ctl:ruleRemoveTargetById=941110;ARGS:content,ctl:ruleRemoveTargetById=941160;ARGS:content,ctl:ruleRemoveTargetById=941100;ARGS:content"

I can see in the logs that the rule is evaluated and the rules are not evaluated (according to how I interpret the logs).

Before adding this rule, I get the following log:

[Mon Jan 28 16:11:41.786860 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: expect found within ARGS:content: <p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22><strong> Beste<span class=\\x22js-customer-name\\x22></span>, </strong></p>\\x0a<p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22>Bedankt voor je interesse in Gardini. We hebben je aanvraag bekeken en versturen hierbij een aantal ontwerpen voor..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html

[Mon Jan 28 16:11:41.788859 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)<[^\\\\w<>]*(?:[^<>\\"'\\\\s]*:)?[^\\\\w<>]*(?:\\\\W*?s\\\\W*?c\\\\W*?r\\\\W*?i\\\\W*?p\\\\W*?t|\\\\W*?f\\\\W*?o\\\\W*?r\\\\W*?m|\\\\W*?s\\\\W*?t\\\\W*?y\\\\W*?l\\\\W*?e|\\\\W*?s\\\\W*?v\\\\W*?g|\\\\W*?m\\\\W*?a\\\\W*?r\\\\W*?q\\\\W*?u\\\\W*?e\\\\W*?e|(?:\\\\W*?l\\\\W*?i\\\\W*?n\\\\W*?k|\\\\W*?o\\\\W*?b\\\\W*?j\\\\W*?e\\ ..." at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "267"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22><strong> Beste<span class=\\x22js-customer-name\\x22></span>, </strong></p>\\x0a<p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22>Bedankt voor je interesse in Gardini. We hebben je aanvraag bekeken en versturen hierbij een aantal ontwerpen voor jouw tuin. We hebben een selectie..."] [severity "CRITICAL"] [ver "O [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html

[Mon Jan 28 16:11:41.806143 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html

[Mon Jan 28 16:11:41.806488 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html

And those are the logs after I added the rule:

[Mon Jan 28 16:13:04.299976 2019] [:error] [pid 6007] [client 127.0.0.1:52054] [client 127.0.0.1] ModSecurity: Warning. String match "/php/xhr/ajax.php" at REQUEST_URI. [file "/etc/apache2/sites-enabled/000-example.com.conf"] [line "76"] [id "1"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8cANrOxSULdso9GnrLGwAAAGU"], referer: https://example.com/tuinen-archief.html

[Mon Jan 28 16:13:04.366574 2019] [:error] [pid 6007] [client 127.0.0.1:52054] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8cANrOxSULdso9GnrLGwAAAGU"], referer: https://example.com/tuinen-archief.html

[Mon Jan 28 16:13:04.367032 2019] [:error] [pid 6007] [client 127.0.0.1:52054] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 5: Disallowed HTML Attributes"] [tag "event-correlation"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8cANrOxSULdso9GnrLGwAAAGU"], referer: https://example.com/tuinen-archief.html

As you can see, I still get a '403 Forbidden'.

I am obviously missing something but I cannot find why. I already tried adding 'setvar:anomaly_score-=5' and other parts. In my opinion one should not disable the rules 949110 and 980130, then SQL injections won't be detected properly (as example)?

Can someone help me out with what I am missing here?

Regards, Matthijs
|
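A quick way to see which detection rules still add to the anomaly score after a ruleRemoveTargetById exclusion is to group the Apache error-log alerts by unique_id and compare the points of the logged rules with the total that 949110 reports. The following is an added example, not part of the post above and not code from ModSecurity or the OWASP CRS. The log lines in SAMPLE_LOG are constructed, shortened versions of the ones in the post with placeholder unique_ids; the severity-to-points table assumes the CRS defaults (critical 5, error 4, warning 3, notice 2).

```python
"""Group ModSecurity v2 (Apache) error-log alerts by transaction and show which
detection rules still add to the anomaly score.

Added example for the mailing-list post above; not code from ModSecurity or the
OWASP CRS. SAMPLE_LOG holds constructed, shortened versions of the post's log
lines with placeholder unique_ids.
"""
import re
from collections import defaultdict

# Every alert carries its details as [key "value"] pairs; values may contain
# backslash escapes such as \x22, which the alternation below steps over.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied with code \d+ \(phase \d\))\.')
TOTAL_RE = re.compile(r'Total Score: (\d+)')

# Assumed CRS defaults: tx.critical_anomaly_score=5, error=4, warning=3, notice=2.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# 949110 (blocking evaluation) and 980130 (correlation) report the score;
# they do not add to it.
EVALUATION_RULES = {"949110", "980130"}


def parse_alert(line):
    """Fields of one alert line as a dict, or None for lines that are not alerts."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = dict(KV_RE.findall(line))
    fields["denied"] = action.group(1).startswith("Access denied")
    return fields


def summarise(log_text):
    """Per unique_id: the detection rules that were logged, the points they add
    up to, and the total 949110 reported. A reported total above the computed
    one means some contributing rule left no alert line in this log."""
    by_tx = defaultdict(list)
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert and "unique_id" in alert:
            by_tx[alert["unique_id"]].append(alert)

    summary = {}
    for uid, alerts in by_tx.items():
        detections = [a for a in alerts
                      if a.get("id") not in EVALUATION_RULES and "severity" in a]
        computed = sum(SEVERITY_POINTS.get(a["severity"], 0) for a in detections)
        reported, last_msg = None, None
        for a in alerts:
            if a.get("id") == "949110":
                m = TOTAL_RE.search(a.get("msg", ""))
                reported = int(m.group(1)) if m else None
            elif a.get("id") == "980130" and "): " in a.get("msg", ""):
                # 980130 appends the msg of the last detection rule that matched,
                # which names a contributor even when its own alert is missing.
                last_msg = a["msg"].split("): ", 1)[1]
        summary[uid] = {
            "uri": alerts[0].get("uri"),
            "denied": any(a["denied"] for a in alerts),
            "rules": [(a["id"], a.get("msg", "")) for a in detections],
            "computed_score": computed,
            "reported_score": reported,
            "unlogged_contributors": reported is not None and reported > computed,
            "last_detection_msg": last_msg,
        }
    return summary


# Constructed sample: three XSS rules before the exclusion, then the run after it.
SAMPLE_LOG = r"""
[Mon Jan 28 16:13:04.000000 2019] [core:notice] [pid 6007] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jan 28 16:11:41.786860 2019] [:error] [pid 29543] [client 127.0.0.1:52049] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: expect found within ARGS:content: <p style=\x22font-family: Arial\x22>Beste</p>"] [severity "CRITICAL"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-BEFORE"]
[Mon Jan 28 16:11:41.787100 2019] [:error] [pid 29543] [client 127.0.0.1:52049] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>" at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-BEFORE"]
[Mon Jan 28 16:11:41.788859 2019] [:error] [pid 29543] [client 127.0.0.1:52049] ModSecurity: Warning. Pattern match "(?i)<[^\w<>]*..." at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-BEFORE"]
[Mon Jan 28 16:11:41.806143 2019] [:error] [pid 29543] [client 127.0.0.1:52049] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-BEFORE"]
[Mon Jan 28 16:11:41.806488 2019] [:error] [pid 29543] [client 127.0.0.1:52049] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-BEFORE"]
[Mon Jan 28 16:13:04.299976 2019] [:error] [pid 6007] [client 127.0.0.1:52054] ModSecurity: Warning. String match "/php/xhr/ajax.php" at REQUEST_URI. [file "/etc/apache2/sites-enabled/000-example.com.conf"] [id "1"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-AFTER"]
[Mon Jan 28 16:13:04.366574 2019] [:error] [pid 6007] [client 127.0.0.1:52054] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-AFTER"]
[Mon Jan 28 16:13:04.367032 2019] [:error] [pid 6007] [client 127.0.0.1:52054] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 5: Disallowed HTML Attributes"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "EXAMPLE-AFTER"]
"""

if __name__ == "__main__":
    for uid, s in summarise(SAMPLE_LOG).items():
        print(uid, s["uri"], "denied" if s["denied"] else "passed",
              "logged points:", s["computed_score"], "reported:", s["reported_score"])
        for rule_id, msg in s["rules"]:
            print("   ", rule_id, msg)
        if s["unlogged_contributors"]:
            print("    contributors missing from this log; last match:",
                  s["last_detection_msg"])
```

Run against the real error log, the second transaction is the interesting case: the three excluded rules are gone, yet 949110 still reports 5 points and no detection alert explains them. The only hint is the rule message that 980130 carries at the end of its own msg, which the script surfaces as last_detection_msg so the operator knows which rule to look at next instead of loosening 949110 or 980130.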
From: Manuel S. <spa...@gm...> - 2019-01-28 03:58:47
Hi Dan,

you may take the audit log and rebuild the request with problems and send it to a debugging instance or vhost with debugloglevel 4 at least and track what is going on.

You may even do that as part of your regular process by adding a rule right before 949110 with inspectfile and do whatever you want in an external script for very specific use cases.

Cheers!

Sent from my iPhone

> On 27 Jan 2019, at 07:34, Dan Oppenheimer <dan...@po...> wrote:
>
> Thanks for your responses!
>
> I tried updating to CRS 3.1.0 and modsecurity 3.0.3. Unfortunately, I get the same behavior. I see a log entry for rule 949110 in the nginx error.log file. But I do not see any other log entries that tell me which rules led to the high anomaly score in either the nginx error.log or in the modsecurity audit log. The modsecurity debug log is more helpful, but I can't run with debugging turned on in production. This context is needed for us to understand why traffic was blocked so that we have the information required to address an attack or exclude a rule. At this point, I think I need to switch from anomaly scoring mode to self contained mode. It looks like anomaly scoring mode with nginx does not provide enough context in the logs to be usable. As a future request, it would be good to have rule 949110 provide a list of rule ids which led to the high anomaly score.
>
> Thanks,
>
> Dan
>
>> On Fri, Jan 25, 2019 at 3:13 PM Gregory LeFevre <gr...@cl...> wrote:
>>
>> Hi Dan,
>>
>> Just a guess, but what happens if you change the nginx error_log severity level to info and restart (rather than reload) nginx?
>>
>> Granted that I don't know what you may already have the nginx log level set to and whether the fact that you already see the "Anomaly Score Exceeded" message disrupts my theory, but, again, just a guess.
>>
>> Gregory
>>
>>> On Fri, Jan 25, 2019 at 8:45 AM Dan Oppenheimer <dan...@po...> wrote:
>>> Hi all,
>>>
>>> We have modsecurity 3.0.2 being used by nginx 1.14.0 via the modsecurity/nginx connector. We are using the core rule set 3.0.2 configured for anomaly scoring. The following is being blocked by modsecurity:
>>>
>>> 2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: "https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149"
>>>
>>> But I do not see any other log message in either the nginx error.log or the modsecurity audit log. As rule 949110 is the rule which determines whether or not the anomaly score is high enough to be blocked, I would expect to see more context in one or both of those files. That is, I would expect to see one or more log messages for the rules that triggered the high anomaly score. I have set DELETE to an allowed header in the crs-setup.conf file:
>>>
>>> SecAction \
>>> "id:900200,\
>>> phase:1,\
>>> nolog,\
>>> pass,\
>>> t:none,\
>>> setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
>>>
>>> I have also enabled audit logging in the modsecurity.conf file:
>>>
>>> SecAuditEngine On
>>>
>>> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>>>
>>> # Log everything we know about a transaction.
>>> SecAuditLogParts ABIJDEFHKZ
>>>
>>> SecAuditLogType Serial
>>> SecAuditLog /var/log/nginx/modsec_audit.log
>>>
>>> Thanks,
>>>
>>> Dan
>>> --
>>> DevOps Engineer
>>> Pointillist, Inc
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/
>
> --
> DevOps Engineer
> Pointillist, Inc
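The reply above suggests taking the blocked request out of the audit log and replaying it against a debug instance. The parsing half of that, as an added example (not part of the thread and not ModSecurity's or the CRS project's code): split a serial-format audit log into transactions and parts, rebuild the request from parts B and C, list the rule ids recorded in part H, and serialise the request as raw HTTP/1.1 bytes with the Host header pointed at the debug vhost. SAMPLE_AUDIT_LOG is constructed in the serial layout that Dan's SecAuditLogType Serial / SecAuditLogParts settings produce; the boundary id, unique_id, addresses and payload are placeholders, and host_override is a hypothetical parameter.

```python
"""Rebuild a blocked request from a ModSecurity serial audit log so it can be
replayed against a debug instance, as suggested in the reply above.

Added example for this thread; not code from ModSecurity or the CRS. The audit
log below is constructed in the serial format that the poster's
SecAuditLogType Serial / SecAuditLogParts settings produce; the boundary id,
unique_id, addresses and payload are placeholders. host_override is a
hypothetical parameter for pointing the replay at a debug vhost.
"""
import re

# Each part of a transaction starts with a --<boundary>-<letter>-- marker line.
BOUNDARY_RE = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--$', re.MULTILINE)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')


def split_audit_log(text):
    """Return {boundary: {part_letter: part_text}} for every transaction."""
    transactions = {}
    marks = list(BOUNDARY_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        part = text[m.end():end].strip("\n")
        transactions.setdefault(m.group(1), {})[m.group(2)] = part
    return transactions


def parse_request(parts):
    """Request line and headers from part B, body from part C."""
    lines = parts["B"].split("\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": parts.get("C", "")}


def fired_rules(parts):
    """Rule ids named in part H, the alert messages for this transaction."""
    return RULE_ID_RE.findall(parts.get("H", ""))


def build_replay(req, host_override=None):
    """Serialise the request as raw HTTP/1.1 bytes. Content-Length is recomputed
    from the body and Host is optionally rewritten; every other header is kept
    so the replay exercises the same rules as the original."""
    body = req["body"].encode()
    out = [f'{req["method"]} {req["uri"]} {req["version"]}']
    for name, value in req["headers"]:
        if name.lower() == "content-length":
            continue
        if name.lower() == "host" and host_override:
            value = host_override
        out.append(f"{name}: {value}")
    if body:
        out.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(out) + "\r\n\r\n").encode() + body


# Constructed sample audit log (parts A, B, C, F, H, Z of one transaction).
SAMPLE_AUDIT_LOG = """\
--8ab2f3c1-A--
[28/Jan/2019:16:11:41 +0100] EXAMPLE-UNIQUE-ID 127.0.0.1 52049 127.0.0.1 443
--8ab2f3c1-B--
POST /php/xhr/ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Referer: https://example.com/tuinen-archief.html

--8ab2f3c1-C--
content=%3Cp+style%3D%22x%22%3EBeste%3C%2Fp%3E
--8ab2f3c1-F--
HTTP/1.1 403 Forbidden
Content-Length: 199

--8ab2f3c1-H--
Message: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Warning. Pattern match "(?i)<[^\\w<>]*..." at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--8ab2f3c1-Z--
"""

if __name__ == "__main__":
    for boundary, parts in split_audit_log(SAMPLE_AUDIT_LOG).items():
        req = parse_request(parts)
        print(boundary, req["method"], req["uri"], "rules:", fired_rules(parts))
        print(build_replay(req, host_override="debug.example.internal").decode())
```

The bytes that build_replay returns are sent to the debug vhost with whatever tooling is already at hand (a TLS socket, or curl with the body written out and passed via --data-binary); the debug instance is the only place SecDebugLogLevel needs to be raised, which is the point of the suggestion. Part H is also worth keeping from the production log: even when the error log shows only 949110, part H of the audit log lists every rule that left a message for the transaction.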
From: Dan O. <dan...@po...> - 2019-01-27 13:05:07
Thanks for your responses!

I tried updating to CRS 3.1.0 and modsecurity 3.0.3. Unfortunately, I get the same behavior. I see a log entry for rule 949110 in the nginx error.log file. But I do not see any other log entries that tell me which rules led to the high anomaly score in either the nginx error.log or in the modsecurity audit log. The modsecurity debug log is more helpful, but I can't run with debugging turned on in production. This context is needed for us to understand why traffic was blocked so that we have the information required to address an attack or exclude a rule. At this point, I think I need to switch from anomaly scoring mode to self contained mode. It looks like anomaly scoring mode with nginx does not provide enough context in the logs to be usable. As a future request, it would be good to have rule 949110 provide a list of rule ids which led to the high anomaly score.

Thanks,

Dan

On Fri, Jan 25, 2019 at 3:13 PM Gregory LeFevre <gr...@cl...> wrote:
>
> Hi Dan,
>
> Just a guess, but what happens if you change the nginx *error_log* severity level to *info* and restart (rather than reload) nginx?
>
> Granted that I don't know what you may already have the nginx log level set to and whether the fact that you already see the "Anomaly Score Exceeded" message disrupts my theory, but, again, just a guess.
>
> Gregory
>
> On Fri, Jan 25, 2019 at 8:45 AM Dan Oppenheimer <dan...@po...> wrote:
>
>> Hi all,
>>
>> We have modsecurity 3.0.2 being used by nginx 1.14.0 via the modsecurity/nginx connector. We are using the core rule set 3.0.2 configured for anomaly scoring. The following is being blocked by modsecurity:
>>
>> 2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: "https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149"
>>
>> But I do not see any other log message in either the nginx error.log or the modsecurity audit log. As rule 949110 is the rule which determines whether or not the anomaly score is high enough to be blocked, I would expect to see more context in one or both of those files. That is, I would expect to see one or more log messages for the rules that triggered the high anomaly score. I have set DELETE to an allowed header in the crs-setup.conf file:
>>
>> SecAction \
>> "id:900200,\
>> phase:1,\
>> nolog,\
>> pass,\
>> t:none,\
>> setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
>>
>> I have also enabled audit logging in the modsecurity.conf file:
>>
>> SecAuditEngine On
>>
>> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>>
>> # Log everything we know about a transaction.
>> SecAuditLogParts ABIJDEFHKZ
>>
>> SecAuditLogType Serial
>> SecAuditLog /var/log/nginx/modsec_audit.log
>>
>> Thanks,
>>
>> Dan
>> --
>> DevOps Engineer
>> Pointillist, Inc

--
DevOps Engineer
Pointillist, Inc
From: Christian F. <chr...@ne...> - 2019-01-25 20:13:30
Hello,

The OWASP ModSecurity Core Rule Set project news for January 2019 are out:

https://coreruleset.org/20190124/crs-project-news-january-2019/

Retweets are welcome: https://twitter.com/CoreRuleSet/status/1088786400433094656

This month, we announce detailed plans for the Cloudfest Hackathon in late March in Germany and many, many pull requests covering bypasses and other problems.

Best,

Christian

--
One sign that you’ve approached actual mastery of a subject is that you get less arrogant; because you’ve spent so much time being wrong.
-- Matthew D. Green
From: Gregory L. <gr...@cl...> - 2019-01-25 20:12:54
Hi Dan,

Just a guess, but what happens if you change the nginx *error_log* severity level to *info* and restart (rather than reload) nginx?

Granted that I don't know what you may already have the nginx log level set to and whether the fact that you already see the "Anomaly Score Exceeded" message disrupts my theory, but, again, just a guess.

Gregory

On Fri, Jan 25, 2019 at 8:45 AM Dan Oppenheimer <dan...@po...> wrote:
> Hi all,
>
> We have modsecurity 3.0.2 being used by nginx 1.14.0 via the modsecurity/nginx connector. We are using the core rule set 3.0.2 configured for anomaly scoring. The following is being blocked by modsecurity:
>
> 2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: "https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149"
>
> But I do not see any other log message in either the nginx error.log or the modsecurity audit log. As rule 949110 is the rule which determines whether or not the anomaly score is high enough to be blocked, I would expect to see more context in one or both of those files. That is, I would expect to see one or more log messages for the rules that triggered the high anomaly score. I have set DELETE to an allowed header in the crs-setup.conf file:
>
> SecAction \
> "id:900200,\
> phase:1,\
> nolog,\
> pass,\
> t:none,\
> setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
>
> I have also enabled audit logging in the modsecurity.conf file:
>
> SecAuditEngine On
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> # Log everything we know about a transaction.
> SecAuditLogParts ABIJDEFHKZ
>
> SecAuditLogType Serial
> SecAuditLog /var/log/nginx/modsec_audit.log
>
> Thanks,
>
> Dan
> --
> DevOps Engineer
> Pointillist, Inc
From: Christian F. <chr...@ne...> - 2019-01-25 19:55:55
Hey Dan,

There used to be a rule that triggered without writing an alert message (-> nolog). I'm no longer sure if this was fixed in 3.0.2 or only in 3.1.0. Could you try to reproduce in 3.1.0? Ideally you'll see the alert and the rule.

Best,

Christian

On Fri, Jan 25, 2019 at 11:15:55AM -0500, Dan Oppenheimer wrote:
> Hi all,
>
> We have modsecurity 3.0.2 being used by nginx 1.14.0 via the modsecurity/nginx connector. We are using the core rule set 3.0.2 configured for anomaly scoring. The following is being blocked by modsecurity:
>
> 2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: "https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149"
>
> But I do not see any other log message in either the nginx error.log or the modsecurity audit log. As rule 949110 is the rule which determines whether or not the anomaly score is high enough to be blocked, I would expect to see more context in one or both of those files. That is, I would expect to see one or more log messages for the rules that triggered the high anomaly score. I have set DELETE to an allowed header in the crs-setup.conf file:
>
> SecAction \
> "id:900200,\
> phase:1,\
> nolog,\
> pass,\
> t:none,\
> setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
>
> I have also enabled audit logging in the modsecurity.conf file:
>
> SecAuditEngine On
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> # Log everything we know about a transaction.
> SecAuditLogParts ABIJDEFHKZ
>
> SecAuditLogType Serial
> SecAuditLog /var/log/nginx/modsec_audit.log
>
> Thanks,
>
> Dan
> --
> DevOps Engineer
> Pointillist, Inc
From: Dan O. <dan...@po...> - 2019-01-25 16:43:17
Hi all,

We have modsecurity 3.0.2 being used by nginx 1.14.0 via the modsecurity/nginx connector. We are using the core rule set 3.0.2 configured for anomaly scoring. The following is being blocked by modsecurity:

2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: "https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149"

But I do not see any other log message in either the nginx error.log or the modsecurity audit log. As rule 949110 is the rule which determines whether or not the anomaly score is high enough to be blocked, I would expect to see more context in one or both of those files. That is, I would expect to see one or more log messages for the rules that triggered the high anomaly score.

I have set DELETE to an allowed header in the crs-setup.conf file:

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"

I have also enabled audit logging in the modsecurity.conf file:

SecAuditEngine On

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHKZ

SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log

Thanks,

Dan
--
DevOps Engineer
Pointillist, Inc
From: Christian F. <chr...@ne...> - 2019-01-22 19:39:46
On Tue, Jan 22, 2019 at 04:21:03PM +0100, Peter Bittner wrote:
> Thanks, Christian!

You're welcome.

> Looks like there is also the Reference Manual [1], which covers the
> configuration directives. The overview is missing here for newcomers.
> I'm looking into an existing configuration file now, that helps a bit.

Good plan. Otherwise, my tutorials at https://www.netnea.com/cms/apache-tutorials/ cover the log files in sufficient depth as well.

Cheers,

Christian

> [1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#Configuration_Directives
>
> On Tue, Jan 22, 2019 at 3:53 PM, Christian Folini <chr...@ne...> wrote:
> > Hey Scott,
> >
> > It's available as an e-book from Feisty Duck.
> >
> > https://www.feistyduck.com/books/modsecurity-handbook/
> >
> > Best,
> >
> > Christian
> >
> > On Tue, Jan 22, 2019 at 02:26:27PM +0000, Scott Hovey wrote:
> > > Hi Christian,
> > >
> > > > > When I look at a host we run, there are the following folders and
> > > > > files in
> > > > > `/modsecurity`:
> > > > >
> > > > > - apache/
> > > > > - audit/
> > > > > - data/
> > > > > - tmp/
> > > > > - upload/
> > > > > - modsec_audit.log
> > > > > - virus-check.log
> > > >
> > > > The ModSecurity Handbook is covering this in sufficient detail.
> > >
> > > Is that available online too?
> > >
> > > Thanks,
> > > Scott
From: Peter B. <pet...@vs...> - 2019-01-22 15:21:17
Thanks, Christian!

Looks like there is also the Reference Manual [1], which covers the configuration directives. The overview is missing here for newcomers. I'm looking into an existing configuration file now, that helps a bit.

[1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#Configuration_Directives

On Tue, Jan 22, 2019 at 3:53 PM, Christian Folini <chr...@ne...> wrote:
> Hey Scott,
>
> It's available as an e-book from Feisty Duck.
>
> https://www.feistyduck.com/books/modsecurity-handbook/
>
> Best,
>
> Christian
>
> On Tue, Jan 22, 2019 at 02:26:27PM +0000, Scott Hovey wrote:
>> Hi Christian,
>>
>> > > When I look at a host we run, there are the following folders and
>> > > files in
>> > > `/modsecurity`:
>> > >
>> > > - apache/
>> > > - audit/
>> > > - data/
>> > > - tmp/
>> > > - upload/
>> > > - modsec_audit.log
>> > > - virus-check.log
>> >
>> > The ModSecurity Handbook is covering this in sufficient detail.
>>
>> Is that available online too?
>>
>> Thanks,
>> Scott
From: Christian F. <chr...@ne...> - 2019-01-22 14:53:23
Hey Scott,

It's available as an e-book from Feisty Duck.

https://www.feistyduck.com/books/modsecurity-handbook/

Best,

Christian

On Tue, Jan 22, 2019 at 02:26:27PM +0000, Scott Hovey wrote:
> Hi Christian,
>
> > > When I look at a host we run, there are the following folders and
> > > files in
> > > `/modsecurity`:
> > >
> > > - apache/
> > > - audit/
> > > - data/
> > > - tmp/
> > > - upload/
> > > - modsec_audit.log
> > > - virus-check.log
> >
> > The ModSecurity Handbook is covering this in sufficient detail.
>
> Is that available online too?
>
> Thanks,
> Scott
From: Scott H. <sco...@re...> - 2019-01-22 14:41:42
Hi Christian,

> > When I look at a host we run, there are the following folders and
> > files in
> > `/modsecurity`:
> >
> > - apache/
> > - audit/
> > - data/
> > - tmp/
> > - upload/
> > - modsec_audit.log
> > - virus-check.log
>
> The ModSecurity Handbook is covering this in sufficient detail.

Is that available online too?

Thanks,
Scott