mod-security-users Mailing List for ModSecurity (Page 42)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users — General discussion about mod_security
You can subscribe to this list here.
| 2003 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
(17) |
Aug
(7) |
Sep
(8) |
Oct
(11) |
Nov
(14) |
Dec
(19) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(46) |
Feb
(14) |
Mar
(20) |
Apr
(48) |
May
(15) |
Jun
(20) |
Jul
(36) |
Aug
(24) |
Sep
(31) |
Oct
(28) |
Nov
(23) |
Dec
(12) |
| 2005 |
Jan
(69) |
Feb
(61) |
Mar
(82) |
Apr
(53) |
May
(26) |
Jun
(71) |
Jul
(27) |
Aug
(52) |
Sep
(28) |
Oct
(49) |
Nov
(104) |
Dec
(74) |
| 2006 |
Jan
(61) |
Feb
(148) |
Mar
(82) |
Apr
(139) |
May
(65) |
Jun
(116) |
Jul
(92) |
Aug
(101) |
Sep
(84) |
Oct
(103) |
Nov
(174) |
Dec
(102) |
| 2007 |
Jan
(166) |
Feb
(161) |
Mar
(181) |
Apr
(152) |
May
(192) |
Jun
(250) |
Jul
(127) |
Aug
(165) |
Sep
(97) |
Oct
(135) |
Nov
(206) |
Dec
(56) |
| 2008 |
Jan
(160) |
Feb
(135) |
Mar
(98) |
Apr
(89) |
May
(115) |
Jun
(95) |
Jul
(188) |
Aug
(167) |
Sep
(153) |
Oct
(84) |
Nov
(82) |
Dec
(85) |
| 2009 |
Jan
(139) |
Feb
(133) |
Mar
(128) |
Apr
(105) |
May
(135) |
Jun
(79) |
Jul
(92) |
Aug
(134) |
Sep
(73) |
Oct
(112) |
Nov
(159) |
Dec
(80) |
| 2010 |
Jan
(100) |
Feb
(116) |
Mar
(130) |
Apr
(59) |
May
(88) |
Jun
(59) |
Jul
(69) |
Aug
(67) |
Sep
(82) |
Oct
(76) |
Nov
(59) |
Dec
(34) |
| 2011 |
Jan
(84) |
Feb
(74) |
Mar
(81) |
Apr
(94) |
May
(188) |
Jun
(72) |
Jul
(118) |
Aug
(109) |
Sep
(111) |
Oct
(80) |
Nov
(51) |
Dec
(44) |
| 2012 |
Jan
(80) |
Feb
(123) |
Mar
(46) |
Apr
(12) |
May
(40) |
Jun
(62) |
Jul
(95) |
Aug
(66) |
Sep
(65) |
Oct
(53) |
Nov
(42) |
Dec
(60) |
| 2013 |
Jan
(96) |
Feb
(96) |
Mar
(108) |
Apr
(72) |
May
(115) |
Jun
(111) |
Jul
(114) |
Aug
(87) |
Sep
(93) |
Oct
(97) |
Nov
(104) |
Dec
(82) |
| 2014 |
Jan
(96) |
Feb
(77) |
Mar
(71) |
Apr
(40) |
May
(48) |
Jun
(78) |
Jul
(54) |
Aug
(44) |
Sep
(58) |
Oct
(79) |
Nov
(51) |
Dec
(52) |
| 2015 |
Jan
(55) |
Feb
(59) |
Mar
(48) |
Apr
(40) |
May
(45) |
Jun
(63) |
Jul
(36) |
Aug
(49) |
Sep
(35) |
Oct
(58) |
Nov
(21) |
Dec
(47) |
| 2016 |
Jan
(35) |
Feb
(81) |
Mar
(43) |
Apr
(41) |
May
(77) |
Jun
(52) |
Jul
(39) |
Aug
(34) |
Sep
(107) |
Oct
(67) |
Nov
(54) |
Dec
(20) |
| 2017 |
Jan
(99) |
Feb
(37) |
Mar
(86) |
Apr
(47) |
May
(57) |
Jun
(55) |
Jul
(34) |
Aug
(31) |
Sep
(16) |
Oct
(49) |
Nov
(53) |
Dec
(33) |
| 2018 |
Jan
(25) |
Feb
(11) |
Mar
(79) |
Apr
(77) |
May
(5) |
Jun
(19) |
Jul
(17) |
Aug
(7) |
Sep
(13) |
Oct
(22) |
Nov
(13) |
Dec
(68) |
| 2019 |
Jan
(44) |
Feb
(17) |
Mar
(40) |
Apr
(39) |
May
(18) |
Jun
(14) |
Jul
(20) |
Aug
(31) |
Sep
(11) |
Oct
(35) |
Nov
(3) |
Dec
(10) |
| 2020 |
Jan
(32) |
Feb
(16) |
Mar
(10) |
Apr
(22) |
May
(2) |
Jun
(34) |
Jul
(1) |
Aug
(8) |
Sep
(36) |
Oct
(16) |
Nov
(13) |
Dec
(10) |
| 2021 |
Jan
(16) |
Feb
(23) |
Mar
(45) |
Apr
(28) |
May
(6) |
Jun
(17) |
Jul
(8) |
Aug
(1) |
Sep
(2) |
Oct
(35) |
Nov
|
Dec
(5) |
| 2022 |
Jan
|
Feb
(17) |
Mar
(23) |
Apr
(23) |
May
(9) |
Jun
(8) |
Jul
|
Aug
|
Sep
(7) |
Oct
(5) |
Nov
(16) |
Dec
(4) |
| 2023 |
Jan
|
Feb
|
Mar
(3) |
Apr
|
May
(1) |
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
|
Dec
|
| 2024 |
Jan
(7) |
Feb
(13) |
Mar
(18) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(5) |
Dec
(3) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
(12) |
May
(12) |
Jun
(2) |
Jul
(3) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Robert P. <rpa...@fe...> - 2018-06-06 22:38:09
|
Hi, On Wed, Jun 6, 2018 at 2:28 PM, Chaim Sanders <ch...@ch...> wrote: > I think you might be looking for something like this: > > https://github.com/SpiderLabs/ModSecurity/tree/v3/master/ > examples/simple_example_using_c > I was going to suggest this as well ^ I started writing bindings for both PUC Lua and LuaJIT (ffi), but stopped for performance reasons There is also https://github.com/senghoo/modsecurity-go, but it is abandoned at this point (again for performance reasons). Overall, for any integration there will be two focal points: gathering HTTP data to feed into libmodsecurity, and the C/swing/FFI/whatever-have-you logic to integrate libmodsecurity into the environment in question. Are there any specific troubles or spots of question you're running into while building an integration? |
|
From: Osama E. <oel...@gm...> - 2018-06-06 22:22:17
|
Thanks Chaim. Are there any up-to-date API bindings for other languages such as Python, Node.js, etc. or are only the C bindings currently available? (I could use a bridge to directly call the C/C++ interfaces if needed so it shouldn’t be a show stopper but would be nice) Also, are these bindings considered production ready? Is there documentation (or read the source code)? Thanks. -- Osama Elnaggar On June 7, 2018 at 7:30:57 AM, Chaim Sanders (ch...@ch...) wrote: I think you might be looking for something like this: https://github.com/SpiderLabs/ModSecurity/tree/v3/master/examples/simple_example_using_c On Wed, Jun 6, 2018, 4:06 PM Osama Elnaggar <oel...@gm...> wrote: > Hi, > > I was wondering if there were any examples of calling > libmodsecurity/ModSecurity v3 directly from your application. I noticed > that there were some bindings such as this ( > https://github.com/SpiderLabs/ModSecurity-Python-bindings) but it has > not been updated for over 2 years. Are others directly calling ModSecurity > from their Python/Java/Node.js applications? If so, can you point me to an > example of how to get this up and running? Thanks. > > > -- > Osama Elnaggar > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/ |
|
From: Chaim S. <ch...@ch...> - 2018-06-06 21:29:21
|
I think you might be looking for something like this: https://github.com/SpiderLabs/ModSecurity/tree/v3/master/examples/simple_example_using_c On Wed, Jun 6, 2018, 4:06 PM Osama Elnaggar <oel...@gm...> wrote: > Hi, > > I was wondering if there were any examples of calling > libmodsecurity/ModSecurity v3 directly from your application. I noticed > that there were some bindings such as this ( > https://github.com/SpiderLabs/ModSecurity-Python-bindings) but it has > not been updated for over 2 years. Are others directly calling ModSecurity > from their Python/Java/Node.js applications? If so, can you point me to an > example of how to get this up and running? Thanks. > > > -- > Osama Elnaggar > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Osama E. <oel...@gm...> - 2018-06-06 20:04:05
|
Hi, I was wondering if there were any examples of calling libmodsecurity/ModSecurity v3 directly from your application. I noticed that there were some bindings such as this ( https://github.com/SpiderLabs/ModSecurity-Python-bindings) but it has not been updated for over 2 years. Are others directly calling ModSecurity from their Python/Java/Node.js applications? If so, can you point me to an example of how to get this up and running? Thanks. -- Osama Elnaggar |
|
From: Christian F. <chr...@ne...> - 2018-05-22 07:07:40
|
Hi there, You said you run 3.0.2 and the issue was fixed in said version. But glad you got it fixed. Ahoj, Christian On Tue, May 22, 2018 at 08:57:33AM +0200, Marcello Lorenzi wrote: > Hi Christian, > we found an issue into the CRS 3.0.2 version > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/773 and the rule > with id 22 is a debug rule not expected. We have fixed it with a specific > rule. > > Marcello > > On Tue, May 22, 2018 at 5:45 AM, Christian Folini < > chr...@ne...> wrote: > > > Hey Marcello, > > > > The file mentioned in your alert message points to a CRS rule, however, the > > ID 22 does not. There is no rule with ID 22 in the CRS. Also the unique_id > > looks a bit odd and an empty hostname... > > > > I can not really tell what's happening here. > > > > Ahoj, > > > > Christian > > > > On Mon, May 21, 2018 at 11:20:37AM +0200, Marcello Lorenzi wrote: > > > Hi Users, > > > we are testing mod_security on a Nginx 1.12.2 version on our development > > > environment and we installed the mod_security 2.9.2 with the OWASP CRS > > > 3.0.2. Into our error_log we noticed this error repeated: > > > > > > 2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: > > > Warning. Pattern match "(.*)" at REQUEST_URI. [file > > > "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] > > > [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri > > "/pub/test.html"] > > > [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"] > > > > > > We configure the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf to > > skip > > > the rule with SecRuleRemoveById related to the rule ID, but the entries > > are > > > present into the error_log. > > > > > > Could you confirm if the configuration permits the contents and logs the > > > entry? Is it possible to remove also the logging phase? > > > > > > Thanks in advance, > > > Marcello > > > > > ------------------------------------------------------------ > > ------------------ > > > Check out the vibrant tech community on one of the world's most > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > -- > > https://www.feistyduck.com/training/modsecurity-training-course > > https://www.feistyduck.com/books/modsecurity-handbook/ > > mailto:chr...@ne... > > twitter: @ChrFolini > > > > ------------------------------------------------------------ > > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Marcello L. <ce...@gm...> - 2018-05-22 06:57:44
|
Hi Christian, we found an issue into the CRS 3.0.2 version https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/773 and the rule with id 22 is a debug rule not expected. We have fixed it with a specific rule. Marcello On Tue, May 22, 2018 at 5:45 AM, Christian Folini < chr...@ne...> wrote: > Hey Marcello, > > The file mentioned in your alert message points to a CRS rule, however, the > ID 22 does not. There is no rule with ID 22 in the CRS. Also the unique_id > looks a bit odd and an empty hostname... > > I can not really tell what's happening here. > > Ahoj, > > Christian > > On Mon, May 21, 2018 at 11:20:37AM +0200, Marcello Lorenzi wrote: > > Hi Users, > > we are testing mod_security on a Nginx 1.12.2 version on our development > > environment and we installed the mod_security 2.9.2 with the OWASP CRS > > 3.0.2. Into our error_log we noticed this error repeated: > > > > 2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: > > Warning. Pattern match "(.*)" at REQUEST_URI. [file > > "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] > > [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri > "/pub/test.html"] > > [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"] > > > > We configure the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf to > skip > > the rule with SecRuleRemoveById related to the rule ID, but the entries > are > > present into the error_log. > > > > Could you confirm if the configuration permits the contents and logs the > > entry? Is it possible to remove also the logging phase? > > > > Thanks in advance, > > Marcello > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Christian F. <chr...@ne...> - 2018-05-22 03:45:57
|
Hey Marcello, The file mentioned in your alert message points to a CRS rule, however, the ID 22 does not. There is no rule with ID 22 in the CRS. Also the unique_id looks a bit odd and an empty hostname... I can not really tell what's happening here. Ahoj, Christian On Mon, May 21, 2018 at 11:20:37AM +0200, Marcello Lorenzi wrote: > Hi Users, > we are testing mod_security on a Nginx 1.12.2 version on our development > environment and we installed the mod_security 2.9.2 with the OWASP CRS > 3.0.2. Into our error_log we noticed this error repeated: > > 2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: > Warning. Pattern match "(.*)" at REQUEST_URI. [file > "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] > [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri "/pub/test.html"] > [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"] > > We configure the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf to skip > the rule with SecRuleRemoveById related to the rule ID, but the entries are > present into the error_log. > > Could you confirm if the configuration permits the contents and logs the > entry? Is it possible to remove also the logging phase? > > Thanks in advance, > Marcello > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Marcello L. <ce...@gm...> - 2018-05-21 09:20:46
|
Hi Users, we are testing mod_security on a Nginx 1.12.2 version on our development environment and we installed the mod_security 2.9.2 with the OWASP CRS 3.0.2. Into our error_log we noticed this error repeated: 2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at REQUEST_URI. [file "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri "/pub/test.html"] [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"] We configure the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf to skip the rule with SecRuleRemoveById related to the rule ID, but the entries are present into the error_log. Could you confirm if the configuration permits the contents and logs the entry? Is it possible to remove also the logging phase? Thanks in advance, Marcello |
|
From: Irvin V. Á. <irv...@in...> - 2018-05-04 19:03:54
|
Hello, nice to meet everyone.
I'm writing to you because. Recently I have purchased Mod Security
commercial set rules.
I'm still having doubts about how to properly configure these commercial
rules.
The only way I have found to configure this rules on my server is creating
a Virtual Host and adding the "SecRemoteRules" statement as is shown in the
following module:
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine Off
SecRemoteRules fe586c346452c1240c6786518c1e8d5f2d726e2a
https://dashboard.modsecurity.org/rules/download/plain
SecRequestBodyAccess Off
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:reque
stBodyProcessor=XML"
SecRequestBodyLimit 20107200
SecRequestBodyNoFilesLimit 9048576
SecRequestBodyInMemoryLimit 9048576
SecRequestBodyLimitAction Reject
#SecPcreMatchLimit 5000
#SecPcreMatchLimitRecursion 5000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal
error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/att_modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
#SecDataDir /var/lib/mod_security
</IfModule>
However, if I try to add this configuration to a file called
mod_security.conf, and call it from the apache configuration in
/etc/httpd/conf/httpd.conf
<IfModule security2_module>
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/*.conf
Include /etc/httpd/modsecurity.d/mod_security.conf
</IfModule>
My site will not load, ports are open but, apache starts but page will not
load.
Moreover, If I Try to configure SecRemoteRules Statement in each Virtual
Host, Apache will not load due to the following error:
[root@mxinsl09 conf.d]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor
preset: disabled)
Active: failed (Result: exit-code) since vie 2018-05-04 13:12:02 CDT; 6s
ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 716937 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited,
status=1/FAILURE)
Process: 57115 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
(code=exited, status=0/SUCCESS)
Process: 716886 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
(code=exited, status=1/FAILURE)
Main PID: 716886 (code=exited, status=1/FAILURE)
may 04 13:12:02 mxinsl09 httpd[716886]: [Fri May 04 13:12:02.762480 2018]
[proxy:warn] [pid 716886:tid 122869981182080] AH01146...sharing
may 04 13:12:02 mxinsl09 httpd[716886]: [Fri May 04 13:12:02.762482 2018]
[proxy:warn] [pid 716886:tid 122869981182080] AH01146...sharing
may 04 13:12:02 mxinsl09 httpd[716886]: AH00526: Syntax error on line 168
of /etc/httpd/conf.d/femsa_reverse_proxy.conf:
may 04 13:12:02 mxinsl09 httpd[716886]: ModSecurity: SecRemoteRules cannot
be used more than once.
may 04 13:12:02 mxinsl09 systemd[1]: httpd.service: main process exited,
code=exited, status=1/FAILURE
may 04 13:12:02 mxinsl09 kill[716937]: kill: cannot find process ""
may 04 13:12:02 mxinsl09 systemd[1]: httpd.service: control process exited,
code=exited status=1
may 04 13:12:02 mxinsl09 systemd[1]: Failed to start The Apache HTTP Server.
may 04 13:12:02 mxinsl09 systemd[1]: Unit httpd.service entered failed
state.
may 04 13:12:02 mxinsl09 systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
It Seems "SecRemoteRules" cannot be used more than once.
I wonder if leaving the first configuration, (SecRemoteRules directive on
just one Virtual Host), will protect my entire server no matter the number
of virtual hosts on that server.
Sorry if this mailing list is for advanced or more detailed questions, but
I have not answer from the support Email: sec...@mo... and M
odS...@tr...
I'm willing to hearing from you.
Irvin.
--
|
|
From: Guillermo C. <fla...@gm...> - 2018-04-26 19:06:56
|
Hi! Edouard! To be more specific, in your V2 setup you'll have 2, independent, SSL sessions/connections: Internet <== SSL connection 1 ==> Proxy (here, the SSL 1 ends and modsec can see plaintext) <== SSL connection 2 ==> Web Server You can even use different certificates for the SSL1 and SSL2 connections, and use (or not), client certificates in any of them. This would be totally transparent to modsec. I'd recommend using the V2 setup (you should consider insiders threat, not only external). Best regards! On 04/26/2018 03:55 PM, Christian Folini wrote: > Hello Edouard, > > It's like Harald explains. The Reverse Proxy decrypts the https traffic and > ModSecurity sees cleartext http. > > Installing ModSec on the RP is the standard setup. > > Ahoj, > > Christian > > On Thu, Apr 26, 2018 at 03:23:38PM -0300, Edouard Guigné wrote: >> Hello Dear Mod_security users, >> >> I installed mod_security on a proxy web server with apache, in order to >> inspect & protect traffic to a final web serveur on my LAN. >> >> Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN HTTP ===> [ WEB >> server] >> >> This was the V1 configuration. >> >> Then, I changed to V2 : >> >> Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN *HTTP**S* ===> [ >> WEB server] >> >> So I wondered if with V2, mod_security is able to inspect the traffic on the >> proxy server, because the traffic is encrypted in HTTPS. >> >> Should I better to install mod_security on the WEB server instead of the >> PROXY ? >> >> Best Regards, >> >> EG >> > >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > |
|
From: Christian F. <chr...@ne...> - 2018-04-26 18:56:12
|
Hello Edouard, It's like Harald explains. The Reverse Proxy decrypts the https traffic and ModSecurity sees cleartext http. Installing ModSec on the RP is the standard setup. Ahoj, Christian On Thu, Apr 26, 2018 at 03:23:38PM -0300, Edouard Guigné wrote: > Hello Dear Mod_security users, > > I installed mod_security on a proxy web server with apache, in order to > inspect & protect traffic to a final web serveur on my LAN. > > Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN HTTP ===> [ WEB > server] > > This was the V1 configuration. > > Then, I changed to V2 : > > Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN *HTTP**S* ===> [ > WEB server] > > So I wondered if with V2, mod_security is able to inspect the traffic on the > proxy server, because the traffic is encrypted in HTTPS. > > Should I better to install mod_security on the WEB server instead of the > PROXY ? > > Best Regards, > > EG > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Reindl H. <h.r...@th...> - 2018-04-26 18:51:49
|
Am 26.04.2018 um 20:23 schrieb Edouard Guigné: > Hello Dear Mod_security users, > > I installed mod_security on a proxy web server with apache, in order to > inspect & protect traffic to a final web serveur on my LAN. > > Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN HTTP ===> [ > WEB server] > > This was the V1 configuration. > > Then, I changed to V2 : > > Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN *HTTP**S* > ===> [ WEB server] > > So I wondered if with V2, mod_security is able to inspect the traffic on > the proxy server, because the traffic is encrypted in HTTPS. > > Should I better to install mod_security on the WEB server instead of the > PROXY ? sounds like you don't understand https it's *transport layer* and so mod_security don't need to know anything about https at all |
|
From: Edouard G. <eg...@pa...> - 2018-04-26 18:48:42
|
Hello Dear Mod_security users, I installed mod_security on a proxy web server with apache, in order to inspect & protect traffic to a final web serveur on my LAN. Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN HTTP ===> [ WEB server] This was the V1 configuration. Then, I changed to V2 : Internet <== HTTPS ==> [PROXY with mod_security] <<=== LAN *HTTP**S* ===> [ WEB server] So I wondered if with V2, mod_security is able to inspect the traffic on the proxy server, because the traffic is encrypted in HTTPS. Should I better to install mod_security on the WEB server instead of the PROXY ? Best Regards, EG |
|
From: William C. <wil...@mu...> - 2018-04-24 16:12:57
|
XML parse errors fire a few rules in OWASP 3. Here's an example snip from
our logs related to such:
{"wafEvent":{"cluster":"","node":"icvlab11401","timestamp":"2018-04-24T15:47:50.312Z","clientIpAddr":"1.2.3.4","clientPort":666,"uri":"/acme/voodoo/lounge","serverIpAddr":"127.0.0.1","serverPort":999,"transId":2,"correlationId":"13cd1823-e5ba-42e3-bea0-b5131408212e"},"ruleMatch":[{"ruleId":200002,"ruleVersion":"","severity":2,"phase":2,"message":"Failed
to parse request
body.","tags":[]},{"ruleId":920130,"ruleVersion":"OWASP_CRS/3.0.0","severity":2,"phase":2,"message":"Failed
to parse request
body.","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ","CAPEC-272"]},{"ruleId":949110,"ruleVersion":"","severity":2,"phase":2,"message":"Inbound
Anomaly Score Exceeded (Total Score:
5)","tags":["application-multi","language-multi","platform-multi","attack-generic"]},{"ruleId":980130,"ruleVersion":"","severity":0,"phase":5,"message":"Inbound
Anomaly Score Exceeded (Total Inbound Score: 5 -
SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Failed to parse
request body.'","tags":["event-correlation"]}]}
On a somewhat related note, does anyone have a trick, patch or pointers to
the ModSec 3.0 source to prevent the libxml2 from spewing parse error
artifacts to the console? For example (body.xml ModSec's name for the
request document):
body.xml:8: parser error : expected '>'
</soapenv:Envelope>
^
Regards - Jay
On Tue, Apr 24, 2018 at 10:55 AM, Robert Paprocki <
rpa...@fe...> wrote:
> Given that XML parsing shouldn't even occur unless the content type
> indicates an XML document in the body, is it much of a concern? How much
> XML traffic do you actually serve up?
>
> As for the usefulness of the XML variable within the rule variables, that
> itself might be a better question for the CRS mailing list/developers.
>
> On Tue, Apr 24, 2018 at 7:52 AM, Jai Harpalani via mod-security-users <
> mod...@li...> wrote:
>
>> As expected, parsing an XML request takes a significant amount of time. I
>> am trying to determine if there is any benefit to parsing XML requests if
>> the only rules I am using are from OWASP CRS. Are there any OWASP CRS rules
>> which require XML requests to be parsed?
>>
>> I see many rules with the following pattern:
>>
>> SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|op
>> tions|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+"
>> \
>> "msg:'HTTP Request Smuggling Attack',\
>> phase:request,\
>> id:921110,\
>> rev:'1',\
>> . . .
>>
>> These rules are not doing anything "XML-specific". For the rule above,
>> the operator can be applied to a plain text request. So, why pay the
>> penalty of parsing XML?
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
>>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
>
|
|
From: Robert P. <rpa...@fe...> - 2018-04-24 15:55:13
|
Given that XML parsing shouldn't even occur unless the content type indicates an XML document in the body, is it much of a concern? How much XML traffic do you actually serve up? As for the usefulness of the XML variable within the rule variables, that itself might be a better question for the CRS mailing list/developers. On Tue, Apr 24, 2018 at 7:52 AM, Jai Harpalani via mod-security-users < mod...@li...> wrote: > As expected, parsing an XML request takes a significant amount of time. I > am trying to determine if there is any benefit to parsing XML requests if > the only rules I am using are from OWASP CRS. Are there any OWASP CRS rules > which require XML requests to be parsed? > > I see many rules with the following pattern: > > SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head| > options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" > \ > "msg:'HTTP Request Smuggling Attack',\ > phase:request,\ > id:921110,\ > rev:'1',\ > . . . > > These rules are not doing anything "XML-specific". For the rule above, the > operator can be applied to a plain text request. So, why pay the penalty of > parsing XML? > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |
|
From: Jai H. <jai...@mu...> - 2018-04-24 14:53:15
|
As expected, parsing an XML request takes a significant amount of time. I
am trying to determine if there is any benefit to parsing XML requests if
the only rules I am using are from OWASP CRS. Are there any OWASP CRS rules
which require XML requests to be parsed?
I see many rules with the following pattern:
SecRule ARGS_NAMES|ARGS|XML:/*
"(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+"
\
"msg:'HTTP Request Smuggling Attack',\
phase:request,\
id:921110,\
rev:'1',\
. . .
These rules are not doing anything "XML-specific". For the rule above, the
operator can be applied to a plain text request. So, why pay the penalty of
parsing XML?
|
|
From: Osama E. <oel...@gm...> - 2018-04-10 23:34:22
|
Hi Eirik, I don't think you can do this out of the box. One workable but ugly hack would be as follows: - have 2 copies of ModSecurity running (your primary one - referred to as PrimaryMod - that accepts requests from the Internet and another one listening on localhost on a different port - referred to as LocalhostMod). To keep things "clean", you can use Docker / LXC containers for each of these or at least for one - add a rule that searches for the XML base64-encoded parameter that you want to inspect - if found, invoke a Lua script that takes this parameter, converts it to XML and then generates a new HTTP request (after base64-decoding, etc.) with the proper headers and send it to LocalhostMod. You can send only the XML payload and nothing else as LocalhostMod is there just to handle this use case - have LocalhostMod return different response HTTP response codes depending on if an attack was detected (404 if something malicious was found for example and 200 otherwise) - have the Lua script read this value in and based on this, have your SecRule block, etc. So it is similar to how @inspectFile works but instead of invoking an AV engine or file inspection script, you are calling another ModSecurity instance To minimize latency, you’ll want to make sure that you are only hitting LocalhostMod for requests that you are sure have the XML payload you want to inspect -- Osama Elnaggar On April 10, 2018 at 6:42:37 PM, Eirik Øverby - ModSecurity ( ltn...@an...) wrote: Hi, Apologies for flooding the list.. We are struggling with a national e-ID scheme - and other things - that require XML messages to be passed as HTTP POST parameters, base64-encoded - not as content-type */xml as one would expect. In order to inspect this XML we therefore need to urldecode|base64decode and possibly lowercase before we can have mod_security (3) parse the XML. However, from how I read the transformation and validation functions, I'm not certain I can use them. The request content-type is application/x-www-form-urlencoded. I was thinking something like this: - SecRule looking for the parameter name in question and applying a regex to make sure it looks like base64, chained with - SecRule transforming MATCHED_VAR with base64Decode - SecRule setting requestBodyProcessor=XML - SecRule validating DTD and/or schema However, since the base64Decode cannot work on REQUEST_BODY (since it would see more than just the content of that parameter) and requestBodyProcessor should be set in phase:1, I can't see how I can do this. Is there a way to create a "fake" REQUEST_BODY and child transaction that can be used to evaluate the XML? Or have I missed something obvious here? Needless to say, any parameters we receive with base64-encoded content tends to trigger all sorts of false positives. What's an accepted way of dealing with this in an environment where we do not know which parameters we will be receiving (we know some, but by far not all)? /Eirik ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/ |
|
From: Eirik Ø. - M. <ltn...@an...> - 2018-04-10 08:40:57
|
Hi, Apologies for flooding the list.. We are struggling with a national e-ID scheme - and other things - that require XML messages to be passed as HTTP POST parameters, base64-encoded - not as content-type */xml as one would expect. In order to inspect this XML we therefore need to urldecode|base64decode and possibly lowercase before we can have mod_security (3) parse the XML. However, from how I read the transformation and validation functions, I'm not certain I can use them. The request content-type is application/x-www-form-urlencoded. I was thinking something like this: - SecRule looking for the parameter name in question and applying a regex to make sure it looks like base64, chained with - SecRule transforming MATCHED_VAR with base64Decode - SecRule setting requestBodyProcessor=XML - SecRule validating DTD and/or schema However, since the base64Decode cannot work on REQUEST_BODY (since it would see more than just the content of that parameter) and requestBodyProcessor should be set in phase:1, I can't see how I can do this. Is there a way to create a "fake" REQUEST_BODY and child transaction that can be used to evaluate the XML? Or have I missed something obvious here? Needless to say, any parameters we receive with base64-encoded content tends to trigger all sorts of false positives. What's an accepted way of dealing with this in an environment where we do not know which parameters we will be receiving (we know some, but by far not all)? /Eirik |
|
From: Christian F. <chr...@ne...> - 2018-04-09 08:37:26
|
Hello Eirik, There is a separate mailinglist for CRS. But here is a brief response. It does indeed sounds as if you did not understand the concept so far. crs-setup is indeed very brief with its explanations. The tutorials at netnea.com are much more elaborate and there is also an article at lwn.net that introduces it. Basically: The rule fires when a pattern matches, the match is recorded in the audit log and the score is raised. If the anomaly score reaches the threshold, the request is blocked - unless you run in detectiononly mode. Personally, I always run in blocking mode, but I start with a very high threshold and then lower it gradually as I clean up the false positives. See my tutorials for detailed guidance. Best, Christian On Mon, Apr 09, 2018 at 10:25:36AM +0200, Eirik Øverby - ModSecurity wrote: > Hi, > > I understand that the recommended way of using the CRS is the "Anomaly scoring" mode. Taking that into account, and considering this is a quite new installation and we're seeing a lot of FPs (this is in the nature of our applications and those that interact with it), we've followed the recommendations in crs-setup.conf.sample and adjusted paranoia level and thresholds accordingly. > > However, it seems that a large number of the CRS rules are firing independently, regardless of the accumulated anomaly scores. Is this because we're running in DetectionOnly mode? Or is it because many of the rules explicitly say 'block'? In some cases, we see the audit log containing multiple messages for a transaction, showing that the anomaly thresholds are consulted. In others - in fact most - we see only a single message from a single rule that has fired. > > Apologies if I have misunderstood how this works - I'm just hoping we can make effective use of this without first learning all the intricacies of the CRS ruleset. > > Wbr > /Eirik > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Eirik Ø. - M. <ltn...@an...> - 2018-04-09 08:25:50
|
Hi, I understand that the recommended way of using the CRS is the "Anomaly scoring" mode. Taking that into account, and considering this is a quite new installation and we're seeing a lot of FPs (this is in the nature of our applications and those that interact with it), we've followed the recommendations in crs-setup.conf.sample and adjusted paranoia level and thresholds accordingly. However, it seems that a large number of the CRS rules are firing independently, regardless of the accumulated anomaly scores. Is this because we're running in DetectionOnly mode? Or is it because many of the rules explicitly say 'block'? In some cases, we see the audit log containing multiple messages for a transaction, showing that the anomaly thresholds are consulted. In others - in fact most - we see only a single message from a single rule that has fired. Apologies if I have misunderstood how this works - I'm just hoping we can make effective use of this without first learning all the intricacies of the CRS ruleset. Wbr /Eirik |
|
From: Christian F. <chr...@ne...> - 2018-04-07 20:12:17
|
On Fri, Apr 06, 2018 at 09:36:37PM +0000, Felipe Zimmerle wrote: > Lets follow up the discussion here: > https://github.com/SpiderLabs/ModSecurity/issues/1734 Sure. Wherever we can collaborate to bring ModSec3 the necessary speed boost. Christian -- It's when they say 2 + 2 = 5 that I begin to argue. -- Eric Pepke |
|
From: Felipe Z. <fe...@zi...> - 2018-04-06 22:02:56
|
Hi, On Fri, Apr 6, 2018 at 6:15 PM Christian Folini <chr...@ne...> wrote: > Dear Felipe, > > On Fri, Apr 06, 2018 at 02:05:56PM +0000, Felipe Zimmerle wrote: > > I would suggest you to work an real use case. Using a real environment. > As > > you said, testing in the loop back is not good thing. > > Sure. Here you have data from a light production service with static files > mostly. I've picked this one to be nice with ModSecurity. > > Apache, naked : 20.8 rps > > Apache, ModSec2, 1 rule : 21.1 rps > Apache, ModSec2, 10 rules : 19.6 rps > Apache, ModSec2, CRS3 : 19.0 rps > > > NGINX, naked : 21.8 rps > > NGINX, ModSec3.0.0, 1 rule : 20.6 rps > NGINX, ModSec3.0.0, 10 rules : 19.2 rps > NGINX, ModSec3.0.0, CRS3 : 15.2 rps > > NGINX, ModSec3.0.2, 1 rule : 19.8 rps > NGINX, ModSec3.0.2, 10 rules : 19.4 rps > NGINX, ModSec3.0.2, CRS3 : 17.9 rps > > Thank you Folini, i think those are more "concrete" numbers to work with. Lets follow up the discussion here: https://github.com/SpiderLabs/ModSecurity/issues/1734 Br., Felipe. |
|
From: Christian F. <chr...@ne...> - 2018-04-06 21:15:03
|
Dear Felipe, On Fri, Apr 06, 2018 at 02:05:56PM +0000, Felipe Zimmerle wrote: > I would suggest you to work an real use case. Using a real environment. As > you said, testing in the loop back is not good thing. Sure. Here you have data from a light production service with static files mostly. I've picked this one to be nice with ModSecurity. Apache, naked : 20.8 rps Apache, ModSec2, 1 rule : 21.1 rps Apache, ModSec2, 10 rules : 19.6 rps Apache, ModSec2, CRS3 : 19.0 rps NGINX, naked : 21.8 rps NGINX, ModSec3.0.0, 1 rule : 20.6 rps NGINX, ModSec3.0.0, 10 rules : 19.2 rps NGINX, ModSec3.0.0, CRS3 : 15.2 rps NGINX, ModSec3.0.2, 1 rule : 19.8 rps NGINX, ModSec3.0.2, 10 rules : 19.4 rps NGINX, ModSec3.0.2, CRS3 : 17.9 rps The network latency diluted the numbers and suddenly a naked Apache is faster than a naked NGINX. But the performance problem of ModSec3 is still visible as is the performance improvement from 3.0.0 to 3.0.2. Best regards, Christian -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Christian F. <chr...@ne...> - 2018-04-06 19:18:44
|
Eirik, I'm afraid, that is likely the case. If it would only be a single rule, I'd avise you to drop that rule. But given you want to disable whole classes of rules and you have tried out multiple alternative paths, I do not see any way around this anymore. The root cause is probably that you use the parameter in a case-insensitive way and ModSec is very pedantic with parameter names - as it should be actually. Sorry for the bad news, Christian On Fri, Apr 06, 2018 at 09:07:42PM +0200, Eirik Øverby - ModSecurity wrote: > Hi, > > And there is no way I can achieve the same in some other way than repeating the ctl: action as many times as there are ways to spell the parameter name? > > I tried feeding it regex there (as it does allow regex in the SecRule itself), didn't work of course. I'd rather not disable all processing for all parameters.. > > /Eirik > > > On 6 Apr 2018, at 14:55, Christian Folini <chr...@ne...> wrote: > > > > Yes, too bad. That would have been an elegant solution. > > > > The coverage for macro expansion has always been punctual in ModSecurity. > > I wish it was consistent and universal. > > > > See https://github.com/SpiderLabs/ModSecurity/issues/1725 > > for another example. > > > > Ahoj, > > > > Christian > > > > On Fri, Apr 06, 2018 at 02:45:43PM +0200, Eirik Øverby - ModSecurity wrote: > >> Hi, > >> > >> I'm on 3.0.2 with nginx - and I get this from modsec-rules-check: > >> Expecting an action, got: %{MATCHED_VAR_NAME},\ > >> > >> I think the above is enough to see that it doesn't work :) > >> > >> /Eirik > >> > >>> On 6 Apr 2018, at 14:40, Christian Folini <chr...@ne...> wrote: > >>> > >>> Hey Eirik, > >>> > >>> If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this > >>> works, but I have been proved wrong on Monday night with a similar question, > >>> so don't trust me too much. > >>> > >>> ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to > >>> tell if it worked based on the logfile. > >>> > >>> Ahoj, > >>> > >>> Christian > >>> > >>> > >>> On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote: > >>>> Hi again, > >>>> > >>>>> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote: > >>>>>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \ > >>>>>> "phase:1,id:1003,t:none,pass,nolog,chain,\ > >>>>>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\ > >>>>>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\ > >>>>>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL" > >>>>>> SecRule ARGS:TermURL "@beginsWith http" "t:none" > >>>>> > >>>>> before anyone comments - yes, I modified this to say phase:2 - does not make any difference.. > >>>> > >>>> The error, as it turned out, was that mod_security matches argument names in a case-sesnitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation. > >>>> > >>>> Question: Can I use e.g. MATCHED_VAR_NAME as argument to ruleRemoteTargetBy*? For example > >>>> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME" > >>>> > >>>> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule. > >>>> > >>>> /Eirik > >>>> ------------------------------------------------------------------------------ > >>>> Check out the vibrant tech community on one of the world's most > >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >>>> _______________________________________________ > >>>> mod-security-users mailing list > >>>> mod...@li... > >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users > >>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > >>>> http://www.modsecurity.org/projects/commercial/rules/ > >>>> http://www.modsecurity.org/projects/commercial/support/ > >>> > >>> -- > >>> https://www.feistyduck.com/training/modsecurity-training-course > >>> https://www.feistyduck.com/books/modsecurity-handbook/ > >>> mailto:chr...@ne... > >>> twitter: @ChrFolini > >>> > >>> ------------------------------------------------------------------------------ > >>> Check out the vibrant tech community on one of the world's most > >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >>> _______________________________________________ > >>> mod-security-users mailing list > >>> mod...@li... > >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users > >>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > >>> http://www.modsecurity.org/projects/commercial/rules/ > >>> http://www.modsecurity.org/projects/commercial/support/ > >> > > > >> ------------------------------------------------------------------------------ > >> Check out the vibrant tech community on one of the world's most > >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > >> _______________________________________________ > >> mod-security-users mailing list > >> mod...@li... > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users > >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > >> http://www.modsecurity.org/projects/commercial/rules/ > >> http://www.modsecurity.org/projects/commercial/support/ > > > > > > -- > > https://www.feistyduck.com/training/modsecurity-training-course > > https://www.feistyduck.com/books/modsecurity-handbook/ > > mailto:chr...@ne... > > twitter: @ChrFolini > > > > ------------------------------------------------------------------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Eirik Ø. - M. <ltn...@an...> - 2018-04-06 19:07:59
|
Hi, And there is no way I can achieve the same in some other way than repeating the ctl: action as many times as there are ways to spell the parameter name? I tried feeding it regex there (as it does allow regex in the SecRule itself), didn't work of course. I'd rather not disable all processing for all parameters.. /Eirik > On 6 Apr 2018, at 14:55, Christian Folini <chr...@ne...> wrote: > > Yes, too bad. That would have been an elegant solution. > > The coverage for macro expansion has always been punctual in ModSecurity. > I wish it was consistent and universal. > > See https://github.com/SpiderLabs/ModSecurity/issues/1725 > for another example. > > Ahoj, > > Christian > > On Fri, Apr 06, 2018 at 02:45:43PM +0200, Eirik Øverby - ModSecurity wrote: >> Hi, >> >> I'm on 3.0.2 with nginx - and I get this from modsec-rules-check: >> Expecting an action, got: %{MATCHED_VAR_NAME},\ >> >> I think the above is enough to see that it doesn't work :) >> >> /Eirik >> >>> On 6 Apr 2018, at 14:40, Christian Folini <chr...@ne...> wrote: >>> >>> Hey Eirik, >>> >>> If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this >>> works, but I have been proved wrong on Monday night with a similar question, >>> so don't trust me too much. >>> >>> ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to >>> tell if it worked based on the logfile. >>> >>> Ahoj, >>> >>> Christian >>> >>> >>> On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote: >>>> Hi again, >>>> >>>>> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote: >>>>>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \ >>>>>> "phase:1,id:1003,t:none,pass,nolog,chain,\ >>>>>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\ >>>>>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\ >>>>>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL" >>>>>> SecRule ARGS:TermURL "@beginsWith http" "t:none" >>>>> >>>>> before anyone comments - yes, I modified this to say phase:2 - does not make any difference.. >>>> >>>> The error, as it turned out, was that mod_security matches argument names in a case-sesnitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation. >>>> >>>> Question: Can I use e.g. MATCHED_VAR_NAME as argument to ruleRemoteTargetBy*? For example >>>> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME" >>>> >>>> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule. >>>> >>>> /Eirik >>>> ------------------------------------------------------------------------------ >>>> Check out the vibrant tech community on one of the world's most >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>> _______________________________________________ >>>> mod-security-users mailing list >>>> mod...@li... >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>> http://www.modsecurity.org/projects/commercial/rules/ >>>> http://www.modsecurity.org/projects/commercial/support/ >>> >>> -- >>> https://www.feistyduck.com/training/modsecurity-training-course >>> https://www.feistyduck.com/books/modsecurity-handbook/ >>> mailto:chr...@ne... >>> twitter: @ChrFolini >>> >>> ------------------------------------------------------------------------------ >>> Check out the vibrant tech community on one of the world's most >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>> _______________________________________________ >>> mod-security-users mailing list >>> mod...@li... >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>> http://www.modsecurity.org/projects/commercial/rules/ >>> http://www.modsecurity.org/projects/commercial/support/ >> > >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
139 messages has been excluded from this view by a project administrator.
