mod-security-users Mailing List for ModSecurity (Page 40)
From: Jens S. <Jen...@t-...> - 2018-09-24 11:00:34
|
Hi Christian,

> Hello highclass99,
>
> There are a lot of nginxes that could be removed from your setup but that's
> not the question you are asking.
>
> I do not know anybody who runs ModSec on prefork Apache, the event MPM is
> clearly the standard these days.

For example, openSUSE seems to use the prefork MPM by default
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.html#sec.apache2.modules.mpm.prefork
and also ships mod_security as an external module.

And by the way, in a special case using a CGI bash script (I know that's not the best idea) I'm also using prefork Apache with ModSecurity v2 (since the ModSecurity v3 Apache connector is still beta).

> With that being said, I do not have the
> perf numbers. If you do compare them, please be sure to share.
>
> As for ModSec3 on NGINX: I think it's a lot less buggy than it used to be.
> Performance and a few isolated missing features are an issue though.
>
> You may want to keep an eye on this meta issue:
> https://github.com/SpiderLabs/ModSecurity/issues/1734
>
> Good luck,
>
> Christian

Regards
Jens

> On Mon, Sep 24, 2018 at 04:35:35PM +0900, highclass99 wrote:
>> Hello,
>>
>> I run a
>> nginx <-> static files
>> nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files(fastcgi)
>>
>> configuration.
>>
>> So, apache is only 100% for WAF.
>> In this case my theory was that since apache modsecurity is probably not io
>> bound but cpu bound, I set the apache MPM as prefork.
>> This apache instance handles thousands of requests/sec.
>>
>> I could not find any good information on whether this is optimal
>> performance wise.
>>
>> Performance wise is this a better choice than worker or event MPM, when
>> considering the apache is 100% only modsecurity requests?
>>
>> Also, I used the above model because nginx modsecurity was too buggy in the
>> past, I am considering using modsecurity 3 with nginx. In that case would
>> it be optimal to increase nginx worker instances since modsecurity would
>> probably be cpu bound?
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
|
From: Christian F. <chr...@ne...> - 2018-09-24 10:11:00
|
On Mon, Sep 24, 2018 at 11:47:57AM +0200, Reindl Harald wrote:
> On 24.09.18 at 10:24, Christian Folini wrote:
> > There are a lot of nginxes that could be removed from your setup but that's
> > not the question you are asking.
> >
> > I do not know anybody who runs ModSec on prefork Apache, the event MPM is
> > clearly the standard these days.
>
> me using prefork :-)
>
> httpd+modsec = backend servers with PHP
> apache trafficserver = keep image requests away

Now look at that. Thanks for sharing. I was not aware of your setup.

Christian

--
Life would be tragic if it weren't funny. ... My expectations were reduced
to zero when I was 21. Everything since then has been a bonus.
-- Stephen Hawking
|
From: Reindl H. <h.r...@th...> - 2018-09-24 10:04:28
|
On 24.09.18 at 10:24, Christian Folini wrote:
> There are a lot of nginxes that could be removed from your setup but that's
> not the question you are asking.
>
> I do not know anybody who runs ModSec on prefork Apache, the event MPM is
> clearly the standard these days.

me using prefork :-)

httpd+modsec = backend servers with PHP
apache trafficserver = keep image requests away

mostly because <Directory> gives some nice options you don't have with modsec on the load balancer, and I don't like fcgi that much, not talking about a ton of vhosts with php settings in their vhost definition
|
From: Christian F. <chr...@ne...> - 2018-09-24 08:24:23
|
Hello highclass99,

There are a lot of nginxes that could be removed from your setup but that's not the question you are asking.

I do not know anybody who runs ModSec on prefork Apache, the event MPM is clearly the standard these days. With that being said, I do not have the perf numbers. If you do compare them, please be sure to share.

As for ModSec3 on NGINX: I think it's a lot less buggy than it used to be. Performance and a few isolated missing features are an issue though.

You may want to keep an eye on this meta issue:
https://github.com/SpiderLabs/ModSecurity/issues/1734

Good luck,

Christian

On Mon, Sep 24, 2018 at 04:35:35PM +0900, highclass99 wrote:
> Hello,
>
> I run a
> nginx <-> static files
> nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files(fastcgi)
>
> configuration.
>
> So, apache is only 100% for WAF.
> In this case my theory was that since apache modsecurity is probably not io
> bound but cpu bound, I set the apache MPM as prefork.
> This apache instance handles thousands of requests/sec.
>
> I could not find any good information on whether this is optimal
> performance wise.
>
> Performance wise is this a better choice than worker or event MPM, when
> considering the apache is 100% only modsecurity requests?
>
> Also, I used the above model because nginx modsecurity was too buggy in the
> past, I am considering using modsecurity 3 with nginx. In that case would
> it be optimal to increase nginx worker instances since modsecurity would
> probably be cpu bound?
|
From: highclass99 <hig...@gm...> - 2018-09-24 07:35:53
|
Hello,

I run a
nginx <-> static files
nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files(fastcgi)
configuration.

So, apache is only 100% for WAF. In this case my theory was that since apache modsecurity is probably not io bound but cpu bound, I set the apache MPM as prefork. This apache instance handles thousands of requests/sec.

I could not find any good information on whether this is optimal performance wise.

Performance wise is this a better choice than worker or event MPM, when considering the apache is 100% only modsecurity requests?

Also, I used the above model because nginx modsecurity was too buggy in the past; I am considering using modsecurity 3 with nginx. In that case would it be optimal to increase nginx worker instances since modsecurity would probably be cpu bound?
|
From: Victor H. <vic...@gm...> - 2018-09-11 14:10:22
|
Sorry, this is a known issue with ModSecurity for IIS:
https://github.com/SpiderLabs/ModSecurity/issues/601

I suggest that you follow up your experience on the issue and we'll see if anyone from the community can help with this one.

Cheers

On Tue, Sep 11, 2018 at 1:56 AM 곽민 <mi...@gm...> wrote:
> I installed modsecurity 2.9.2 on Windows Server 2016 / IIS 10
>
> Core rule set version is 2.2.9
>
> When I tested on a PHP page, modsecurity successfully blocked traffic
> matching a rule,
>
> but the log is always 500 (internal server error) (regardless of pass or block)
>
> I think modsecurity can't get the status code because the status code in the audit log
> is always '0'
> example log: WIN-EU34NTQNDKV 192.168.1.6 - - [11/Sep/2018:12:20:44 +0900]
> "GET /dvwa/vulnerabilities/sqli/ HTTP/1.1" 0 0 "-" "-" 17798225733810651262
> "-" /20180911/20180911-1220/20180911-122044-17798225733810651262 0 1019
> md5:749962ae19cfa1b79a228f97305c2b3c
>
> so I added SecStreamInBodyInspection On and SecRequestBodyAccess On
>
> and also disabled dynamic content and static content compression
>
> But status code 500,
>
> How to fix that?
>
> thanks~

--
- Victor Ribeiro Hora
|
From: 곽민 <mi...@gm...> - 2018-09-11 05:53:34
|
I installed modsecurity 2.9.2 on Windows Server 2016 / IIS 10

Core rule set version is 2.2.9

When I tested on a PHP page, modsecurity successfully blocked traffic matching a rule, but the log is always 500 (internal server error) (regardless of pass or block)

I think modsecurity can't get the status code because the status code in the audit log is always '0'

example log:
WIN-EU34NTQNDKV 192.168.1.6 - - [11/Sep/2018:12:20:44 +0900] "GET /dvwa/vulnerabilities/sqli/ HTTP/1.1" 0 0 "-" "-" 17798225733810651262 "-" /20180911/20180911-1220/20180911-122044-17798225733810651262 0 1019 md5:749962ae19cfa1b79a228f97305c2b3c

so I added SecStreamInBodyInspection On and SecRequestBodyAccess On

and also disabled dynamic content and static content compression

But status code 500,

How to fix that?

thanks~
|
From: Christian F. <chr...@ne...> - 2018-09-07 12:26:52
|
Thank you Marc. This is most useful. Could have looked this up myself,
but I thought it was faster that way.
Cheers,
Christian
On Fri, Sep 07, 2018 at 11:19:46AM +0200, Marc Stern wrote:
> Here is how I use it (simplified version):
>
> Initialisation:
>
> # TX.remote_addr contains the IP I want to use, depending on reverse proxy, ...
> SecAction "phase:1,nolog,setenv:MMDB_ADDR=%{TX.remote_addr}"
> # Enable MaxMindDB
> MaxMindDBEnable On
> MaxMindDBFile CITY_DB "path_to_the_DB"
> MaxMindDBEnv geo_country_code CITY_DB/country/iso_code
>
> Block a country (e.g. Japan):
>
> SecRule ENV:geo_country_code "@streq JP" "phase:2,t:none,deny"
>
>
> Regards
>
>
> *Marc Stern*
> Approach Belgium <https://www.approach.be>
> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
> Follow us: <https://www.linkedin.com/company/16513/>
> <https://twitter.com/ApproachBe>
> /*Inspiring the cyber-security community*/
>
>
> This e-mail and any attachment are confidential and intended solely for the
> use of the individual to whom it is addressed. If you are not the intended
> recipient, please contact the sender and delete this message and any
> attachment from your system. Unauthorised publication, use, dissemination,
> forwarding, printing or copying of this e-mail and its associated
> attachments is strictly prohibited.
> On 06-09-18 15:28, Christian Folini wrote:
> > Hey Marc,
> >
> > This sounds very good. Thank you for your work.
> >
> > Could you give an example of how we can integrate the mod_maxminddb and
> > the new db into ModSecurity. Say use a 2-letter country code in a SecRule
> > construct? I have not tried this out yet.
> >
> > Best,
> >
> > Christian
> >
> > On Thu, Sep 06, 2018 at 09:22:00AM +0200, Marc Stern wrote:
> > > As you know, the geo-localisation databases used by ModSecurity are no longer
> > > updated.
> > > Maxmind, the databases provider, developed a new DB format and provides its
> > > own module (mod_maxminddb).
> > > mod_maxminddb was lacking a feature to integrate it smoothly with
> > > ModSecurity: setting the IP address from inside a rule. I introduced this
> > > feature some time ago and I'm happy to announce that this patch was merged
> > > in Maxmind's code and is thus officially part of the module.
> > > You can now set an environment variable in a rule - in (real) phase 1 - and
> > > mod_maxminddb will use this IP address as source.
> > > Note that, for most uses, mod_remote_ip is an easier solution.
> > >
> > > *Marc Stern*
> > > Approach Belgium <https://www.approach.be>
> > > Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
> > > Follow us: <https://www.linkedin.com/company/16513/>
> > > <https://twitter.com/ApproachBe>
> > > /*Inspiring the cyber-security community*/
> > >
> > > ------------------------------------------------------------------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
|
From: Marc S. <mar...@ap...> - 2018-09-07 10:54:23
|
Here is how I use it (simplified version):
Initialisation:
# TX.remote_addr contains the IP I want to use, depending on reverse proxy, ...
SecAction "phase:1,nolog,setenv:MMDB_ADDR=%{TX.remote_addr}"
# Enable MaxMindDB
MaxMindDBEnable On
MaxMindDBFile CITY_DB "path_to_the_DB"
MaxMindDBEnv geo_country_code CITY_DB/country/iso_code
Block a country (e.g. Japan):
SecRule ENV:geo_country_code "@streq JP" "phase:2,t:none,deny"
Regards
*Marc Stern*
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/>
<https://twitter.com/ApproachBe>
/*Inspiring the cyber-security community*/
This e-mail and any attachment are confidential and intended solely for
the use of the individual to whom it is addressed. If you are not the
intended recipient, please contact the sender and delete this message
and any attachment from your system. Unauthorised publication, use,
dissemination, forwarding, printing or copying of this e-mail and its
associated attachments is strictly prohibited.
On 06-09-18 15:28, Christian Folini wrote:
> Hey Marc,
>
> This sounds very good. Thank you for your work.
>
> Could you give an example of how we can integrate the mod_maxminddb and
> the new db into ModSecurity. Say use a 2-letter country code in a SecRule
> construct? I have not tried this out yet.
>
> Best,
>
> Christian
>
> On Thu, Sep 06, 2018 at 09:22:00AM +0200, Marc Stern wrote:
>> As you know, the geo-localisation databases used by ModSecurity are no longer
>> updated.
>> Maxmind, the databases provider, developed a new DB format and provides its
>> own module (mod_maxminddb).
>> mod_maxminddb was lacking a feature to integrate it smoothly with
>> ModSecurity: setting the IP address from inside a rule. I introduced this
>> feature some time ago and I'm happy to announce that this patch was merged
>> in Maxmind's code and is thus officially part of the module.
>> You can now set an environment variable in a rule - in (real) phase 1 - and
>> mod_maxminddb will use this IP address as source.
>> Note that, for most uses, mod_remote_ip is an easier solution.
>>
>> *Marc Stern*
>> Approach Belgium <https://www.approach.be>
>> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
>> Follow us: <https://www.linkedin.com/company/16513/>
>> <https://twitter.com/ApproachBe>
>> /*Inspiring the cyber-security community*/
>>
|
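A fuller version of the configuration Marc posted above, added here as an example (it is not Marc's or mod_maxminddb's own config): it keeps his MMDB_ADDR approach but fills in the "depending on reverse proxy" step, so that X-Forwarded-For is only trusted when the TCP peer is a known proxy, and gives every rule the id that ModSecurity 2.7+ requires. ModSecurity v2 on Apache, the proxy address 10.0.0.5, the rule ids 1001-1004 and the database path are assumptions.

```apache
# Added example, not the configuration from the list posts.
# Assumptions: ModSecurity v2 on Apache with mod_maxminddb loaded, one
# trusted reverse proxy at 10.0.0.5 (placeholder) that appends to
# X-Forwarded-For, and a GeoIP2/GeoLite2 City database at the path below.

# 1. Decide which address is "the client". Default to the TCP peer.
SecAction "id:1001,phase:1,nolog,pass,t:none,\
  setvar:tx.remote_addr=%{REMOTE_ADDR}"

# 2. Only when the TCP peer is our own proxy, take the LAST address in
#    X-Forwarded-For: that is the one our proxy appended, so the client
#    cannot choose it. Requests arriving directly with a forged header
#    fail the first rule and never reach the second.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" \
  "id:1002,phase:1,nolog,pass,t:none,chain"
  SecRule REQUEST_HEADERS:X-Forwarded-For "([0-9a-fA-F.:]+)\s*$" \
    "t:none,capture,setvar:tx.remote_addr=%{TX.1}"

# 3. Hand the chosen address to mod_maxminddb. MMDB_ADDR is the
#    environment variable the module reads (the feature Marc describes);
#    it must be set in phase 1, before the module looks the address up.
SecAction "id:1003,phase:1,nolog,pass,t:none,\
  setenv:MMDB_ADDR=%{TX.remote_addr}"

# 4. Resolve the country and expose it as an environment variable.
MaxMindDBEnable On
MaxMindDBFile CITY_DB /usr/share/GeoIP/GeoLite2-City.mmdb
MaxMindDBEnv geo_country_code CITY_DB/country/iso_code

# 5. Use it in a rule. Phase 2 as in Marc's post; log the decision so the
#    block shows up in the audit log instead of being a silent deny.
#    Addresses not in the database leave geo_country_code unset, so this
#    rule simply does not match for them.
SecRule ENV:geo_country_code "@streq JP" \
  "id:1004,phase:2,t:none,log,deny,status:403,\
  msg:'Request blocked by geo policy',logdata:'%{TX.remote_addr}'"
```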
From: Christian F. <chr...@ne...> - 2018-09-06 13:28:37
|
Hey Marc,

This sounds very good. Thank you for your work.

Could you give an example of how we can integrate the mod_maxminddb and the new db into ModSecurity. Say use a 2-letter country code in a SecRule construct? I have not tried this out yet.

Best,

Christian

On Thu, Sep 06, 2018 at 09:22:00AM +0200, Marc Stern wrote:
> As you know, the geo-localisation databases used by ModSecurity are no longer
> updated.
> Maxmind, the databases provider, developed a new DB format and provides its
> own module (mod_maxminddb).
> mod_maxminddb was lacking a feature to integrate it smoothly with
> ModSecurity: setting the IP address from inside a rule. I introduced this
> feature some time ago and I'm happy to announce that this patch was merged
> in Maxmind's code and is thus officially part of the module.
> You can now set an environment variable in a rule - in (real) phase 1 - and
> mod_maxminddb will use this IP address as source.
> Note that, for most uses, mod_remote_ip is an easier solution.
>
> *Marc Stern*
> Approach Belgium <https://www.approach.be>
> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
> Follow us: <https://www.linkedin.com/company/16513/>
> <https://twitter.com/ApproachBe>
> /*Inspiring the cyber-security community*/
|
From: Marc S. <mar...@ap...> - 2018-09-06 07:22:15
|
As you know, the geo-localisation databases used by ModSecurity are no longer updated.

Maxmind, the databases provider, developed a new DB format and provides its own module (mod_maxminddb).

mod_maxminddb was lacking a feature to integrate it smoothly with ModSecurity: setting the IP address from inside a rule. I introduced this feature some time ago and I'm happy to announce that this patch was merged in Maxmind's code and is thus officially part of the module.

You can now set an environment variable in a rule - in (real) phase 1 - and mod_maxminddb will use this IP address as source.

Note that, for most uses, mod_remote_ip is an easier solution.

*Marc Stern*
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/>
<https://twitter.com/ApproachBe>
/*Inspiring the cyber-security community*/
|
From: Christian V. <cv...@it...> - 2018-08-17 20:20:03
|
Hello,
I'm having some issues with the modsecurity 3 nginx connector. In the rules, the severity is properly set, like "CRITICAL", "WARNING", "NOTICE", but when it is logged in the audit logs, the severity comes with the id and not with the "name".

I'm expecting: "severity": "CRITICAL"
I'm getting: "severity": "2"

Does anyone know how to solve this? Maybe I'm missing an option in the config file...
{"transaction":{"client_ip":"192.168.104.1","time_stamp":"Tue Aug 14 16:17:41 2018","server_id":"43207054df5b4474bc005b6ead41801dd55b95f8","client_port":56856,"host_ip":"192.168.104.1","host_port":80,"id":"153427786186.625665","request":{"method":"GET","http_version":1.1,"uri":"/favicon.ico","body":"","headers":{"Host":"www.test.com","Connection":"keep-alive","Pragma":"no-cache","Cache-Control":"no-cache","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36","Cookie":"_ga=GA1.2.822423841.1533594347; __utmz=129959823.1533594349.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _gid=GA1.2.1519461480.1534272702; __utma=129959823.822423841.1533594347.1533854693.1534272702.5; __utmc=129959823","Accept":"image/webp,image/apng,image/*,*/*;q=0.8","Referer":"http://www.test.com/?s=sdsd%3Cscript%3Ealert();%3C/S","Accept-Encoding":"gzip, deflate","Accept-Language":"en-US,en;q=0.9,es;q=0.8"}},"response":{"http_code":403},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"XSS Filter - Category 1: Script Tag Vector","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)([<<]script[^>>]*[>>][\\s\\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://www.test.com/?s=sdsd%3Cscript%3Ealert();%3C/S' )","reference":"o30,8o30,8v303,55t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls","ruleId":"941110","file":"/opt/waf/nginx/etc/modsec_rules/www.test.com/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","lineNumber":"63","data":"Matched Data: <script> found within REQUEST_HEADERS:Referer: 
http://www.test.com/?s=sdsd%3Cscript%3Ealert();%3C/S","severity":"2","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-xss","OWASP_CRS/WEB_ATTACK/XSS","WASCTC/WASC-8","WASCTC/WASC-22","OWASP_TOP_10/A3","OWASP_AppSensor/IE1","CAPEC-242"],"maturity":"4","accuracy":"9"}}]}}
Cheers.
Chris.
|
From: Christian F. <chr...@ne...> - 2018-08-17 04:01:18
|
Hello Gregory,

Varying cookie names are painful. I'm afraid you will have to remove them all since regexes are not supported on SecRuleUpdateTargetById and ctl:ruleRemoveTargetById. At least when I last checked.

This also explains the error even if the message could be more readable.

Ahoj,

Christian

On Thu, Aug 16, 2018 at 06:35:59PM -0700, Gregory LeFevre wrote:
> Hi,
>
> I'm testing modsecurity 3.0.2 with the OWASP CRS 3.0.2 with nginx on a dev
> server.
>
> I'm trying to exclude inspection of particular cookies by various rules.
> I'm trying to match the cookie names with regular expressions because the
> cookie names may vary.
>
> I don't want to have a rule ignore all cookies.
>
> I have not had success with SecRuleUpdateTargetById. For example, these
> didn't seem to work (the rules still trigger):
>
> SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/mixpanel$/"
> SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/^_hp2_/"
>
> So I was trying SecAction, e.g.:
>
> SecAction "id:201,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/mixpanel$/"
> SecAction "id:301,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/^_hp2_/"
>
> The first SecAction (mixpanel) is apparently accepted but the second
> SecAction (_hp2_) gives a rule error upon nginx startup:
>
> Aug 17 01:06:02 devserver.example.com nginx[19370]: 2018/08/17 01:06:02 [emerg] 19370#0: "modsecurity_rules_file" directive Rules error. File: /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in /path_to/nginx.conf:138
>
> Aug 17 01:06:02 devserver.example.com nginx-cl[19362]: Starting nginx: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in /path_to/nginx.conf:138
>
> Would anyone have an idea why a rules error would trigger only from a
> regular expression change (the only apparent difference between the rules
> other than the rule id)?
>
> Thank you,
>
> Gregory

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
|
From: Gregory L. <gr...@cl...> - 2018-08-17 02:01:18
|
Hi,

I'm testing modsecurity 3.0.2 with the OWASP CRS 3.0.2 with nginx on a dev server.

I'm trying to exclude inspection of particular cookies by various rules. I'm trying to match the cookie names with regular expressions because the cookie names may vary.

I don't want to have a rule ignore all cookies.

I have not had success with SecRuleUpdateTargetById. For example, these didn't seem to work (the rules still trigger):

SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/mixpanel$/"
SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/^_hp2_/"

So I was trying SecAction, e.g.:

SecAction "id:201,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/mixpanel$/"
SecAction "id:301,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/^_hp2_/"

The first SecAction (mixpanel) is apparently accepted but the second SecAction (_hp2_) gives a rule error upon nginx startup:

Aug 17 01:06:02 devserver.example.com nginx[19370]: 2018/08/17 01:06:02 [emerg] 19370#0: "modsecurity_rules_file" directive Rules error. File: /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in /path_to/nginx.conf:138

Aug 17 01:06:02 devserver.example.com nginx-cl[19362]: Starting nginx: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in /path_to/nginx.conf:138

Would anyone have an idea why a rules error would trigger only from a regular expression change (the only apparent difference between the rules other than the rule id)?

Thank you,

Gregory
|
From: Felipe R. <fel...@gm...> - 2018-08-01 23:29:16
|
Nicely done!

On Wed, Aug 1, 2018, 19:58 Tajul Azhar bin Mohd Tajul Ariffin <ta...@of...> wrote:
> Nice!
>
> On Thu, 2 Aug 2018 at 3:44 AM, Christian Varas <cv...@it...> wrote:
>
>> Hello list,
>>
>> We are happy to release a new web interface for nginx and modsecurity
>> implementation.
>>
>> *What can I do with this interface?*
>>
>> - Create a site in just minutes,
>> - Create global or local exclusions with just 2 clicks!
>> - Add virtual interfaces
>> - Create static routes for the desired app.
>> - Check debug, access, error and audit logs in an easy way,
>> - Download logs
>> - Check the stats for every application with nice graphics
>> - Disable/Enable protection with just 1 click.
>> - Restrict paths or files.
>> - Insert headers.
>> - Change configurations
>>
>> *Download*
>>
>> - http://www.waf2py.org (some pictures here)
>> - https://github.com/ITSec-Chile/Waf2Py
>>
>> We invite you guys to test and support this development to make something
>> powerful and free.
>>
>> *PD1*: Documentation of use is still in progress, anyway it is designed to
>> be intuitive and easy to manage.
>> *PD2*: If something is not working please let me know by mail or in
>> GitHub
>>
>> Cheers!
>> Chris.
>
> --
> Tajul Azhar bin Mohd Tajul Ariffin
> Application Security Analyst
> www.ofisgate.com.my
|
From: Tajul A. b. M. T. A. <ta...@of...> - 2018-08-01 22:56:41
Nice!

On Thu, 2 Aug 2018 at 3:44 AM, Christian Varas <cv...@it...> wrote:
> Hello list,
>
> We are happy to release a new web interface for nginx and modsecurity implementation.

--
Tajul Azhar bin Mohd Tajul Ariffin
Application Security Analyst
www.ofisgate.com.my
From: Dino E. <din...@my...> - 2018-08-01 22:26:18
I got really excited and then I noticed modsecurity 3 is not supported yet :(

From: Christian Varas [mailto:cv...@it...]
Sent: Wednesday, August 1, 2018 3:14 PM
To: mod...@li...
Subject: [mod-security-users] Waf2Py [Beta] - A nice web interface for modsecurity and nginx implementation

Hello list,

We are happy to release a new web interface for nginx and modsecurity implementation.
From: Christian V. <cv...@it...> - 2018-08-01 19:42:47
Hello list,

We are happy to release a new web interface for nginx and modsecurity implementation.

What can I do with this interface?

- Create a site in just minutes,
- Create global or local exclusions with just 2 clicks!
- Add virtual interfaces
- Create static routes for the desired app.
- Check debug, access, error and audit logs in an easy way,
- Download logs
- Check the stats for every application with nice graphics
- Disable/Enable protection with just 1 click.
- Restrict paths or files.
- Insert headers.
- Change configurations

Download

- http://www.waf2py.org (some pictures here)
- https://github.com/ITSec-Chile/Waf2Py

We invite you guys to test and support this development to make something powerful and free.

PD1: Documentation of use is still in progress; anyway, it is designed to be intuitive and easy to manage.
PD2: If something is not working, please let me know by mail or on GitHub.

Cheers!
Chris.
From: Ehsan M. <ehs...@gm...> - 2018-07-28 12:17:09
Hi folks,

I'm using libmodsecurity + nginx and I tried to inspect a possible virus infection. I used the old CRS v2.0 rule like below:

SecRule FILES_TMPNAMES "@inspectFile /bin/runAV" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

It doesn't recognize any virus! I tested ClamAV and it responds to the same virus file I have uploaded. I also tried modsecurity_nginx_refactoring and it could capture the virus file. However, no success on libmodsecurity + nginx.

P.S.

1. For the modsecurity v2.0 nginx refactoring branch I've set SecUploadKeepFiles RelevantOnly and for libmodsecurity I've set SecUploadKeepFiles on.

2. I tried more verbose debug logs with SecDebugLogLevel 9 and I get the following:

[4] (Rule: 950115) Executing operator "InspectFile" with param "/bin/runAV" against FILES_TMPNAMES.
[4] Rule returned 0.
[9] Matched vars cleaned.

3. I suspected FILES_TMPNAMES, so I added the following rule:

SecRule FILES_TMPNAMES "@rx .*" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'116',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

and the debug log now contains:

[4] (Rule: 116) Executing operator "Rx" with param ".*" against FILES_TMPNAMES.
[4] Rule returned 0.
[9] Matched vars cleaned.

It turns out FILES_TMPNAMES is empty. What am I missing?

--
regards
Ehsan.Mahdavi
From: Christian F. <chr...@ne...> - 2018-07-26 05:49:31
Dear all,

The revamped news from the OWASP ModSecurity Core Rule Set project has been published at https://coreruleset.org/20180726/crs-project-news-july-2018/

There is a report from the CRS community summit in London earlier this month, a group photo from said meeting and the link to a new CRS channel on the OWASP Slack.

Best,

Christian Folini

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
From: Dino E. <din...@my...> - 2018-07-23 17:40:09
Can anyone point me to a guide for sending libmodsecurity JSON logs to ELK?

Thanks a lot
From: Ehsan M. <ehs...@gm...> - 2018-07-22 11:33:52
Thanks for your response. I'll try that!

On Sun, Jul 22, 2018 at 3:29 PM Walter Hop <mo...@sp...> wrote:
>
> On 22 Jul 2018, at 12:50, Ehsan Mahdavi <ehs...@gm...> wrote:
>
> > How do I totally exempt an argument from inspection? For example I need to exempt ARGS:FOO from matching with any rule.
>
> I usually use a syntax like this:
>
> SecAction \
>     "id:12345,phase:1,t:none,nolog,pass,\
>     ctl:ruleRemoveTargetByTag=.*;ARGS:foo"
>
> WH

--
regards
Ehsan.Mahdavi
From: Walter H. <mo...@sp...> - 2018-07-22 10:58:12
On 22 Jul 2018, at 12:50, Ehsan Mahdavi <ehs...@gm...> wrote:
>
> How do I totally exempt an argument from inspection? For example I need to exempt ARGS:FOO from matching with any rule.

I usually use a syntax like this:

SecAction \
    "id:12345,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=.*;ARGS:foo"

WH
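Gregory's regex-selected cookie exclusions (first message on this page) and Walter's ctl:ruleRemoveTargetByTag=.*;ARGS:foo come down to the same question: once an exclusion is attached to a rule, which collection members does it actually remove from inspection? The Python below is an added model of that target resolution for checking what an exclusion such as REQUEST_COOKIES_NAMES:/mixpanel$/ covers before deploying it; it is not libmodsecurity code, and the sample request, the case-insensitive literal comparison and the way whole-collection and /regex/ selectors are read are assumptions of the model.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed request used for the walkthrough (not taken from either message).
# In REQUEST_COOKIES_NAMES the member name and its value are both the cookie name.
REQUEST = {
    "ARGS": {"foo": "<b>hi</b>", "id": "42", "FOO2": "x"},
    "REQUEST_COOKIES_NAMES": {
        "mp_1a2b_mixpanel": "mp_1a2b_mixpanel",
        "_hp2_id.12345": "_hp2_id.12345",
        "mixpanel_token": "mixpanel_token",   # starts, but does not end, with "mixpanel"
        "PHPSESSID": "PHPSESSID",
    },
}

# Exclusion targets in ModSecurity syntax: the part after "!" in
# SecRuleUpdateTargetById or after ";" in ctl:ruleRemoveTargetBy{Id,Tag}.
EXCLUSIONS = ["ARGS:foo", "REQUEST_COOKIES_NAMES:/mixpanel$/", "REQUEST_COOKIES_NAMES:/^_hp2_/"]

def parse_target(spec: str) -> Tuple[str, Optional[str], bool]:
    """Split 'COLLECTION[:selector]' into (collection, selector, is_regex):
    no selector = whole collection, /.../ = regex on the member name, else literal."""
    collection, _, selector = spec.lstrip("!").partition(":")
    if not selector:
        return collection, None, False
    if len(selector) >= 2 and selector[0] == selector[-1] == "/":
        return collection, selector[1:-1], True
    return collection, selector, False

def covering_exclusion(collection: str, name: str, exclusions: List[str]) -> Optional[str]:
    """First exclusion that removes COLLECTION:name from inspection, else None.
    Model assumption: literal names compare case-insensitively; regexes run as written."""
    for spec in exclusions:
        coll, selector, is_regex = parse_target(spec)
        if coll != collection:
            continue
        if selector is None:                                   # whole collection
            return spec
        if is_regex and re.search(selector, name):
            return spec
        if not is_regex and name.lower() == selector.lower():
            return spec
    return None

def inspected_targets(request: Dict[str, Dict[str, str]], exclusions: List[str]) -> List[str]:
    """COLLECTION:name targets a rule would still inspect once the exclusions apply."""
    return [f"{coll}:{name}" for coll, members in request.items()
            for name in members if covering_exclusion(coll, name, exclusions) is None]
```

Note that /mixpanel$/ leaves mixpanel_token inspected while a bare REQUEST_COOKIES_NAMES exclusion drops every cookie, which is the blanket effect Gregory wanted to avoid.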
From: Ehsan M. <ehs...@gm...> - 2018-07-22 10:51:10
Hi all,

I am using libmodsecurity with nginx. How do I totally exempt an argument from inspection? For example I need to exempt ARGS:FOO from matching with any rule.

Best Regards
From: Dino E. <din...@my...> - 2018-07-21 11:39:31
Is there a parser available for libmodsecurity logs to logstash? Everything I see seems to be for modsecurity 2.9.x. Is the format of the logs for modsecurity 2.9.x the same as libmodsecurity?

From: Chaim Sanders [mailto:ch...@ch...]
Sent: Wednesday, July 11, 2018 7:21 AM
To: mod...@li...
Subject: Re: [mod-security-users] Modsecurity 3.X Web Console

None actively supported Moodyy folks just use the ELK stack

On Tue, Jul 10, 2018, 11:58 AM Dino Edwards <din...@my...> wrote:

Hello all,

Is there a web based console for managing Modsecurity 3.x and/or viewing alerts? I found waf-fle however I didn't see any mention of support for modsecurity 3.x and it doesn't look like it has been updated since 2014.

Thanks
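Dino's two messages (this one and the July 23 one about sending libmodsecurity JSON logs to ELK) both need the same first step: turning one nested libmodsecurity JSON audit record into flat events that logstash and Elasticsearch can index. The Python below is an added example, not code from the list or from the ModSecurity project; the record is constructed, and the field names follow libmodsecurity's v3 JSON layout as I know it, so check them against a record from your own installation before relying on the mapping.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of a libmodsecurity (v3) JSON audit-log
# record (one JSON object per line); all values are invented.
SAMPLE_RECORD = json.dumps({"transaction": {
    "client_ip": "203.0.113.7", "time_stamp": "Sat Jul 21 11:39:31 2018",
    "unique_id": "153218997112.345678",
    "request": {"method": "GET", "uri": "/index.php?id=1%20OR%201=1",
                "headers": {"Host": "devserver.example.com"}},
    "response": {"http_code": 403},
    "messages": [
        {"message": "SQL Injection Attack Detected via libinjection",
         "details": {"ruleId": "942100", "severity": "2",
                     "data": "Matched Data: 1&1 found within ARGS:id",
                     "file": "REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
                     "lineNumber": "45",
                     "tags": ["attack-sqli", "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
         "details": {"ruleId": "949110", "severity": "2", "data": "",
                     "file": "REQUEST-949-BLOCKING-EVALUATION.conf",
                     "lineNumber": "80", "tags": []}},
    ]}})

def _int_or_none(value: Any) -> Any:
    # The audit log carries numbers as strings; give Elasticsearch a real integer.
    return int(value) if value not in (None, "") else None

def flatten_audit_record(raw: str) -> List[Dict[str, Any]]:
    """One flat event per rule message: transaction fields are copied onto each
    alert and nested keys are joined with dots, so the index mapping stays flat.
    A record without messages still yields one event so the transaction is kept."""
    tx = json.loads(raw)["transaction"]
    req, resp = tx.get("request", {}), tx.get("response", {})
    base = {"transaction.unique_id": tx.get("unique_id"),
            "transaction.client_ip": tx.get("client_ip"),
            "transaction.time_stamp": tx.get("time_stamp"),
            "request.method": req.get("method"), "request.uri": req.get("uri"),
            "request.host": req.get("headers", {}).get("Host"),
            "response.http_code": _int_or_none(resp.get("http_code"))}
    events = []
    for msg in tx.get("messages") or [{}]:
        d = msg.get("details", {})
        events.append({**base,
                       "rule.id": _int_or_none(d.get("ruleId")),
                       "rule.severity": _int_or_none(d.get("severity")),
                       "rule.msg": msg.get("message"), "rule.data": d.get("data"),
                       "rule.file": d.get("file"), "rule.line": _int_or_none(d.get("lineNumber")),
                       "rule.tags": d.get("tags", [])})
    return events
```

Feed each flattened event to logstash as its own JSON document (for example via the json codec on a file input) so that one request with five CRS hits becomes five searchable alerts sharing the same transaction.unique_id.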