mod-security-users Mailing List for ModSecurity (Page 47)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users — General discussion about mod_security
You can subscribe to this list here.
| 2003 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
(17) |
Aug
(7) |
Sep
(8) |
Oct
(11) |
Nov
(14) |
Dec
(19) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(46) |
Feb
(14) |
Mar
(20) |
Apr
(48) |
May
(15) |
Jun
(20) |
Jul
(36) |
Aug
(24) |
Sep
(31) |
Oct
(28) |
Nov
(23) |
Dec
(12) |
| 2005 |
Jan
(69) |
Feb
(61) |
Mar
(82) |
Apr
(53) |
May
(26) |
Jun
(71) |
Jul
(27) |
Aug
(52) |
Sep
(28) |
Oct
(49) |
Nov
(104) |
Dec
(74) |
| 2006 |
Jan
(61) |
Feb
(148) |
Mar
(82) |
Apr
(139) |
May
(65) |
Jun
(116) |
Jul
(92) |
Aug
(101) |
Sep
(84) |
Oct
(103) |
Nov
(174) |
Dec
(102) |
| 2007 |
Jan
(166) |
Feb
(161) |
Mar
(181) |
Apr
(152) |
May
(192) |
Jun
(250) |
Jul
(127) |
Aug
(165) |
Sep
(97) |
Oct
(135) |
Nov
(206) |
Dec
(56) |
| 2008 |
Jan
(160) |
Feb
(135) |
Mar
(98) |
Apr
(89) |
May
(115) |
Jun
(95) |
Jul
(188) |
Aug
(167) |
Sep
(153) |
Oct
(84) |
Nov
(82) |
Dec
(85) |
| 2009 |
Jan
(139) |
Feb
(133) |
Mar
(128) |
Apr
(105) |
May
(135) |
Jun
(79) |
Jul
(92) |
Aug
(134) |
Sep
(73) |
Oct
(112) |
Nov
(159) |
Dec
(80) |
| 2010 |
Jan
(100) |
Feb
(116) |
Mar
(130) |
Apr
(59) |
May
(88) |
Jun
(59) |
Jul
(69) |
Aug
(67) |
Sep
(82) |
Oct
(76) |
Nov
(59) |
Dec
(34) |
| 2011 |
Jan
(84) |
Feb
(74) |
Mar
(81) |
Apr
(94) |
May
(188) |
Jun
(72) |
Jul
(118) |
Aug
(109) |
Sep
(111) |
Oct
(80) |
Nov
(51) |
Dec
(44) |
| 2012 |
Jan
(80) |
Feb
(123) |
Mar
(46) |
Apr
(12) |
May
(40) |
Jun
(62) |
Jul
(95) |
Aug
(66) |
Sep
(65) |
Oct
(53) |
Nov
(42) |
Dec
(60) |
| 2013 |
Jan
(96) |
Feb
(96) |
Mar
(108) |
Apr
(72) |
May
(115) |
Jun
(111) |
Jul
(114) |
Aug
(87) |
Sep
(93) |
Oct
(97) |
Nov
(104) |
Dec
(82) |
| 2014 |
Jan
(96) |
Feb
(77) |
Mar
(71) |
Apr
(40) |
May
(48) |
Jun
(78) |
Jul
(54) |
Aug
(44) |
Sep
(58) |
Oct
(79) |
Nov
(51) |
Dec
(52) |
| 2015 |
Jan
(55) |
Feb
(59) |
Mar
(48) |
Apr
(40) |
May
(45) |
Jun
(63) |
Jul
(36) |
Aug
(49) |
Sep
(35) |
Oct
(58) |
Nov
(21) |
Dec
(47) |
| 2016 |
Jan
(35) |
Feb
(81) |
Mar
(43) |
Apr
(41) |
May
(77) |
Jun
(52) |
Jul
(39) |
Aug
(34) |
Sep
(107) |
Oct
(67) |
Nov
(54) |
Dec
(20) |
| 2017 |
Jan
(99) |
Feb
(37) |
Mar
(86) |
Apr
(47) |
May
(57) |
Jun
(55) |
Jul
(34) |
Aug
(31) |
Sep
(16) |
Oct
(49) |
Nov
(53) |
Dec
(33) |
| 2018 |
Jan
(25) |
Feb
(11) |
Mar
(79) |
Apr
(77) |
May
(5) |
Jun
(19) |
Jul
(17) |
Aug
(7) |
Sep
(13) |
Oct
(22) |
Nov
(13) |
Dec
(68) |
| 2019 |
Jan
(44) |
Feb
(17) |
Mar
(40) |
Apr
(39) |
May
(18) |
Jun
(14) |
Jul
(20) |
Aug
(31) |
Sep
(11) |
Oct
(35) |
Nov
(3) |
Dec
(10) |
| 2020 |
Jan
(32) |
Feb
(16) |
Mar
(10) |
Apr
(22) |
May
(2) |
Jun
(34) |
Jul
(1) |
Aug
(8) |
Sep
(36) |
Oct
(16) |
Nov
(13) |
Dec
(10) |
| 2021 |
Jan
(16) |
Feb
(23) |
Mar
(45) |
Apr
(28) |
May
(6) |
Jun
(17) |
Jul
(8) |
Aug
(1) |
Sep
(2) |
Oct
(35) |
Nov
|
Dec
(5) |
| 2022 |
Jan
|
Feb
(17) |
Mar
(23) |
Apr
(23) |
May
(9) |
Jun
(8) |
Jul
|
Aug
|
Sep
(7) |
Oct
(5) |
Nov
(16) |
Dec
(4) |
| 2023 |
Jan
|
Feb
|
Mar
(3) |
Apr
|
May
(1) |
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
|
Dec
|
| 2024 |
Jan
(7) |
Feb
(13) |
Mar
(18) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(5) |
Dec
(3) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
(12) |
May
(12) |
Jun
(2) |
Jul
(3) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Christian F. <chr...@ne...> - 2018-03-21 19:12:42
|
Hello Cristiano, Did you try ctl:ruleEngine=On? Christian On Wed, Mar 21, 2018 at 01:47:54PM -0300, Cristiano Galdino wrote: > Hi! > > My platform: > > - Modsecurity: 2.9.0-1 (from Ubuntu repository) > - CRS 3.0 > - Apache 2.4.18-2ubuntu3.5 > > Modsecurity is configured with SecRuleEngine DetectionOnly but I want to activate some rules to block requests. > > This is my configuration: > > IncludeOptional /etc/modsecurity/modsecurity.conf (set SecRuleEngine DetectionOnly) > IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load > └──> Load all CRS 3 > IncludeOptional /usr/share/modsecurity-crs/my-rules.load > └──> Load my specifics Rules. > > I want to include in my rules something that activates CRS rules. For example, change rule 920350 to engine=on to block accesses by IP. > > How to do this? > > Best regards, > > > Cristiano Galdino > cri...@ga... > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Cristiano G. <cri...@ga...> - 2018-03-21 16:48:20
|
Hi! My platform: - Modsecurity: 2.9.0-1 (from Ubuntu repository) - CRS 3.0 - Apache 2.4.18-2ubuntu3.5 Modsecurity is configured with SecRuleEngine DetectionOnly but I want to activate some rules to block requests. This is my configuration: IncludeOptional /etc/modsecurity/modsecurity.conf (set SecRuleEngine DetectionOnly) IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load └──> Load all CRS 3 IncludeOptional /usr/share/modsecurity-crs/my-rules.load └──> Load my specifics Rules. I want to include in my rules something that activates CRS rules. For example, change rule 920350 to engine=on to block accesses by IP. How to do this? Best regards, Cristiano Galdino cri...@ga... |
|
From: Christian F. <chr...@ne...> - 2018-03-21 12:22:14
|
That's a reasonable suggestion. Would you mind making a pull request with your proposed wording? Best, Christian On Wed, Mar 21, 2018 at 12:50:19PM +0200, Eero Volotinen wrote: > Well, > > Maybe it's time to fix documentation: > > # HTTP methods that a client is allowed to use. > # Default: GET HEAD POST OPTIONS > # Example: for RESTful APIs, add the following methods: PUT PATCH DELETE > # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK > # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK > # Uncomment this rule to change the default. > SecAction \ > "id:900200,\ > phase:1,\ > nolog,\ > pass,\ > t:none,\ > setvar:'tx.allowed_methods=GET POST'" > > It's not working as expected. How about saying that rules is not blocking > trace method? > > Eero > > > > On Wed, Mar 21, 2018 at 12:25 PM, Reindl Harald <h.r...@th...> > wrote: > > > > > > > Am 21.03.2018 um 11:11 schrieb Eero Volotinen: > > > >> Not enought familiar with modsecurity. > >> > >> Just wondering, that there is no any rule to block trace in crs. is there > >> easy way to implement that? > >> > > > > why would someone do that when you can and should disable it entirely on > > your webserver? i guess you are coming from OpenVAS warnings but then also > > search for options to disable thins proper instead burry them within a > > firewall layer > > > > [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace > > TraceEnable Off > > > > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini < > >> chr...@ne... <mailto:chr...@ne...>> wrote: > >> > >> Hey Eero, > >> > >> The TRACE method is somewhat special. At least in Apache. The request > >> skips phase 2 and thus the CRS rule covering tx.allowed_methods. > >> > >> There are discussions to move this block of rules to phase 1 though. > >> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > >> <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> > >> > >> You may want to chime in there. > >> > >> Ahoj, > >> > >> Christian > >> > >> On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > >> > Hi, > >> > > >> > Just noticed that crs ruleset is not blocking trace method, even > >> > setvar:'tx.allowed_methods=GET POST'" > >> > > >> > Is this a bug? > >> > > > > ------------------------------------------------------------ > > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Reindl H. <h.r...@th...> - 2018-03-21 11:38:32
|
Am 21.03.2018 um 12:34 schrieb Eero Volotinen: > It blocks HEAD requests also, so it works as expected in that case, but > not TRACE blocking HEAD requests is stupid - period the httpd-developers had a good reason why they implicit included it in <Limit> wevn when you tried to only allow "GET POST" by not knowing about the purpose of HEAD requests and vreaking things for no sane reason > On Wed, Mar 21, 2018 at 1:00 PM, Reindl Harald <h.r...@th... > <mailto:h.r...@th...>> wrote: > > > > Am 21.03.2018 um 11:50 schrieb Eero Volotinen: > > Maybe it's time to fix documentation: > > # HTTP methods that a client is allowed to use. > # Default: GET HEAD POST OPTIONS > # Example: for RESTful APIs, add the following methods: PUT > PATCH DELETE > # Example: for WebDAV, add the following methods: CHECKOUT COPY > DELETE LOCK > # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK > # Uncomment this rule to change the default. > SecAction \ > "id:900200,\ > phase:1,\ > nolog,\ > pass,\ > t:none,\ > setvar:'tx.allowed_methods=GET POST'" > > It's not working as expected. How about saying that rules is not > blocking trace method? > > > the above implies you would block HEAD (since it's not listed) - i > guess that also don't do what you expect as well as you can't > disable HEAD requests with <Limit> and i even go so far that you > don't want block HEAD requests at all even if you think you do > > > anyways, the way to go is this one and no reason for a third place > > TraceEnable Off > <IfModule mod_allowmethods.c> > <Location /> > AllowMethods GET HEAD POST > </Location> > </IfModule> > > On Wed, Mar 21, 2018 at 12:25 PM, Reindl Harald > <h.r...@th... <mailto:h.r...@th...> > <mailto:h.r...@th... <mailto:h.r...@th...>>> > wrote: > > > > Am 21.03.2018 um 11:11 schrieb Eero Volotinen: > > Not enought familiar with modsecurity. > > Just wondering, that there is no any rule to block > trace in crs. > is there easy way to implement that? > > > why would someone do that when you can and should disable it > entirely on your webserver? i guess you are coming from OpenVAS > warnings but then also search for options to disable thins > proper > instead burry them within a firewall layer > > [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace > TraceEnable Off > > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini > <chr...@ne... > <mailto:chr...@ne...> > <mailto:chr...@ne... > <mailto:chr...@ne...>> > <mailto:chr...@ne... > <mailto:chr...@ne...> > > <mailto:chr...@ne... > <mailto:chr...@ne...>>>> wrote: > > Hey Eero, > > The TRACE method is somewhat special. At least in > Apache. > The request > skips phase 2 and thus the CRS rule covering > tx.allowed_methods. > > There are discussions to move this block of rules > to phase > 1 though. > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> > > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015>> > > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> > > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015>>> > > You may want to chime in there. > > Ahoj, > > Christian > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero > Volotinen wrote: > > Hi, > > > > Just noticed that crs ruleset is not blocking trace > method, even > > setvar:'tx.allowed_methods=GET POST'" > > > > Is this a bug? |
|
From: Eero V. <eer...@ik...> - 2018-03-21 11:34:30
|
It blocks HEAD requests also, so it works as expected in that case, but not TRACE Eero On Wed, Mar 21, 2018 at 1:00 PM, Reindl Harald <h.r...@th...> wrote: > > > Am 21.03.2018 um 11:50 schrieb Eero Volotinen: > >> Maybe it's time to fix documentation: >> >> # HTTP methods that a client is allowed to use. >> # Default: GET HEAD POST OPTIONS >> # Example: for RESTful APIs, add the following methods: PUT PATCH DELETE >> # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE >> LOCK >> # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK >> # Uncomment this rule to change the default. >> SecAction \ >> "id:900200,\ >> phase:1,\ >> nolog,\ >> pass,\ >> t:none,\ >> setvar:'tx.allowed_methods=GET POST'" >> >> It's not working as expected. How about saying that rules is not blocking >> trace method? >> > > the above implies you would block HEAD (since it's not listed) - i guess > that also don't do what you expect as well as you can't disable HEAD > requests with <Limit> and i even go so far that you don't want block HEAD > requests at all even if you think you do > > > anyways, the way to go is this one and no reason for a third place > > TraceEnable Off > <IfModule mod_allowmethods.c> > <Location /> > AllowMethods GET HEAD POST > </Location> > </IfModule> > > On Wed, Mar 21, 2018 at 12:25 PM, Reindl Harald <h.r...@th... >> <mailto:h.r...@th...>> wrote: >> >> >> >> Am 21.03.2018 um 11:11 schrieb Eero Volotinen: >> >> Not enought familiar with modsecurity. >> >> Just wondering, that there is no any rule to block trace in crs. >> is there easy way to implement that? >> >> >> why would someone do that when you can and should disable it >> entirely on your webserver? i guess you are coming from OpenVAS >> warnings but then also search for options to disable thins proper >> instead burry them within a firewall layer >> >> [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace >> TraceEnable Off >> >> On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini >> <chr...@ne... >> <mailto:chr...@ne...> >> <mailto:chr...@ne... >> >> <mailto:chr...@ne...>>> wrote: >> >> Hey Eero, >> >> The TRACE method is somewhat special. At least in Apache. >> The request >> skips phase 2 and thus the CRS rule covering >> tx.allowed_methods. >> >> There are discussions to move this block of rules to phase >> 1 though. >> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 >> <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> >> <https://github.com/SpiderLabs >> /owasp-modsecurity-crs/issues/1015 >> <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 >> >> >> >> You may want to chime in there. >> >> Ahoj, >> >> Christian >> >> On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen >> wrote: >> > Hi, >> > >> > Just noticed that crs ruleset is not blocking trace >> method, even >> > setvar:'tx.allowed_methods=GET POST'" >> > >> > Is this a bug? >> > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Reindl H. <h.r...@th...> - 2018-03-21 11:00:32
|
Am 21.03.2018 um 11:50 schrieb Eero Volotinen: > Maybe it's time to fix documentation: > > # HTTP methods that a client is allowed to use. > # Default: GET HEAD POST OPTIONS > # Example: for RESTful APIs, add the following methods: PUT PATCH DELETE > # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK > # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK > # Uncomment this rule to change the default. > SecAction \ > "id:900200,\ > phase:1,\ > nolog,\ > pass,\ > t:none,\ > setvar:'tx.allowed_methods=GET POST'" > > It's not working as expected. How about saying that rules is not > blocking trace method? the above implies you would block HEAD (since it's not listed) - i guess that also don't do what you expect as well as you can't disable HEAD requests with <Limit> and i even go so far that you don't want block HEAD requests at all even if you think you do anyways, the way to go is this one and no reason for a third place TraceEnable Off <IfModule mod_allowmethods.c> <Location /> AllowMethods GET HEAD POST </Location> </IfModule> > On Wed, Mar 21, 2018 at 12:25 PM, Reindl Harald <h.r...@th... > <mailto:h.r...@th...>> wrote: > > > > Am 21.03.2018 um 11:11 schrieb Eero Volotinen: > > Not enought familiar with modsecurity. > > Just wondering, that there is no any rule to block trace in crs. > is there easy way to implement that? > > > why would someone do that when you can and should disable it > entirely on your webserver? i guess you are coming from OpenVAS > warnings but then also search for options to disable thins proper > instead burry them within a firewall layer > > [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace > TraceEnable Off > > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini > <chr...@ne... > <mailto:chr...@ne...> > <mailto:chr...@ne... > <mailto:chr...@ne...>>> wrote: > > Hey Eero, > > The TRACE method is somewhat special. At least in Apache. > The request > skips phase 2 and thus the CRS rule covering > tx.allowed_methods. > > There are discussions to move this block of rules to phase > 1 though. > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> > > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015>> > > You may want to chime in there. > > Ahoj, > > Christian > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > > Hi, > > > > Just noticed that crs ruleset is not blocking trace > method, even > > setvar:'tx.allowed_methods=GET POST'" > > > > Is this a bug? |
|
From: Eero V. <eer...@ik...> - 2018-03-21 10:50:29
|
Well, Maybe it's time to fix documentation: # HTTP methods that a client is allowed to use. # Default: GET HEAD POST OPTIONS # Example: for RESTful APIs, add the following methods: PUT PATCH DELETE # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK # Uncomment this rule to change the default. SecAction \ "id:900200,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:'tx.allowed_methods=GET POST'" It's not working as expected. How about saying that rules is not blocking trace method? Eero On Wed, Mar 21, 2018 at 12:25 PM, Reindl Harald <h.r...@th...> wrote: > > > Am 21.03.2018 um 11:11 schrieb Eero Volotinen: > >> Not enought familiar with modsecurity. >> >> Just wondering, that there is no any rule to block trace in crs. is there >> easy way to implement that? >> > > why would someone do that when you can and should disable it entirely on > your webserver? i guess you are coming from OpenVAS warnings but then also > search for options to disable thins proper instead burry them within a > firewall layer > > [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace > TraceEnable Off > > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini < >> chr...@ne... <mailto:chr...@ne...>> wrote: >> >> Hey Eero, >> >> The TRACE method is somewhat special. At least in Apache. The request >> skips phase 2 and thus the CRS rule covering tx.allowed_methods. >> >> There are discussions to move this block of rules to phase 1 though. >> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 >> <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> >> >> You may want to chime in there. >> >> Ahoj, >> >> Christian >> >> On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: >> > Hi, >> > >> > Just noticed that crs ruleset is not blocking trace method, even >> > setvar:'tx.allowed_methods=GET POST'" >> > >> > Is this a bug? >> > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Reindl H. <h.r...@th...> - 2018-03-21 10:25:34
|
Am 21.03.2018 um 11:11 schrieb Eero Volotinen: > Not enought familiar with modsecurity. > > Just wondering, that there is no any rule to block trace in crs. is > there easy way to implement that? why would someone do that when you can and should disable it entirely on your webserver? i guess you are coming from OpenVAS warnings but then also search for options to disable thins proper instead burry them within a firewall layer [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace TraceEnable Off > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini > <chr...@ne... <mailto:chr...@ne...>> wrote: > > Hey Eero, > > The TRACE method is somewhat special. At least in Apache. The request > skips phase 2 and thus the CRS rule covering tx.allowed_methods. > > There are discussions to move this block of rules to phase 1 though. > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > <https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015> > > You may want to chime in there. > > Ahoj, > > Christian > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > > Hi, > > > > Just noticed that crs ruleset is not blocking trace method, even > > setvar:'tx.allowed_methods=GET POST'" > > > > Is this a bug? |
|
From: Christian F. <chr...@ne...> - 2018-03-21 10:25:20
|
Hello Eero, On Wed, Mar 21, 2018 at 12:11:15PM +0200, Eero Volotinen wrote: > Just wondering, that there is no any rule to block trace in crs. is there > easy way to implement that? You can blog TRACE in 3 ways in Apache: - TraceEnable Off (-> This is the default in 2.4) - mod_allowmethods (never did this with TRACE. Maybe it has special treatment. better check.) - Write ModSec Rule in phase 1 (Take existing CRS rule as a base or look at ModSec integration tutorial at netnea.com and take the method check in the whitelisting example) Cheers, Christian > > -- > Eero > > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini < > chr...@ne...> wrote: > > > Hey Eero, > > > > The TRACE method is somewhat special. At least in Apache. The request > > skips phase 2 and thus the CRS rule covering tx.allowed_methods. > > > > There are discussions to move this block of rules to phase 1 though. > > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > > > > You may want to chime in there. > > > > Ahoj, > > > > Christian > > > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > > > Hi, > > > > > > Just noticed that crs ruleset is not blocking trace method, even > > > setvar:'tx.allowed_methods=GET POST'" > > > > > > Is this a bug? > > > > > > Eero > > > > > ------------------------------------------------------------ > > ------------------ > > > Check out the vibrant tech community on one of the world's most > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > -- > > https://www.feistyduck.com/training/modsecurity-training-course > > https://www.feistyduck.com/books/modsecurity-handbook/ > > mailto:chr...@ne... > > twitter: @ChrFolini > > > > ------------------------------------------------------------ > > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Osama E. <oel...@gm...> - 2018-03-21 10:21:04
|
For Apache 2, add the following to Apache’s configuration: TraceEnable Off nginx: use limit_except - https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except -- Osama Elnaggar On March 21, 2018 at 9:13:52 PM, Eero Volotinen (eer...@ik...) wrote: Not enought familiar with modsecurity. Just wondering, that there is no any rule to block trace in crs. is there easy way to implement that? -- Eero On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini < chr...@ne...> wrote: > Hey Eero, > > The TRACE method is somewhat special. At least in Apache. The request > skips phase 2 and thus the CRS rule covering tx.allowed_methods. > > There are discussions to move this block of rules to phase 1 though. > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > > You may want to chime in there. > > Ahoj, > > Christian > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > > Hi, > > > > Just noticed that crs ruleset is not blocking trace method, even > > setvar:'tx.allowed_methods=GET POST'" > > > > Is this a bug? > > > > Eero > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/ |
|
From: Eero V. <eer...@ik...> - 2018-03-21 10:11:32
|
Not enought familiar with modsecurity. Just wondering, that there is no any rule to block trace in crs. is there easy way to implement that? -- Eero On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini < chr...@ne...> wrote: > Hey Eero, > > The TRACE method is somewhat special. At least in Apache. The request > skips phase 2 and thus the CRS rule covering tx.allowed_methods. > > There are discussions to move this block of rules to phase 1 though. > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 > > You may want to chime in there. > > Ahoj, > > Christian > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > > Hi, > > > > Just noticed that crs ruleset is not blocking trace method, even > > setvar:'tx.allowed_methods=GET POST'" > > > > Is this a bug? > > > > Eero > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Christian F. <chr...@ne...> - 2018-03-21 09:53:23
|
Hey Eero, The TRACE method is somewhat special. At least in Apache. The request skips phase 2 and thus the CRS rule covering tx.allowed_methods. There are discussions to move this block of rules to phase 1 though. https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015 You may want to chime in there. Ahoj, Christian On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote: > Hi, > > Just noticed that crs ruleset is not blocking trace method, even > setvar:'tx.allowed_methods=GET POST'" > > Is this a bug? > > Eero > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Eero V. <eer...@ik...> - 2018-03-21 07:16:02
|
Hi, Just noticed that crs ruleset is not blocking trace method, even setvar:'tx.allowed_methods=GET POST'" Is this a bug? Eero |
|
From: Christian F. <chr...@ne...> - 2018-03-21 05:08:26
|
Hi Gregory, Including modsec-dev list in my response too. On Tue, Mar 20, 2018 at 08:19:14PM -0700, Gregory LeFevre wrote: > Is access to phase timing known to work in ModSecurity 3.x with Nginx? No, I do not think it is. I did not give it a through testing, but I saw the same you did and then I also noticed that event DURATION is ignored with 3.0.0. Ahoj, Christian -- If you have men who will only come if they know there is a good road, I don't want them. I want men who will come if there is no road at all. -- David Livingstone |
|
From: Gregory L. <gr...@cl...> - 2018-03-21 03:19:24
|
Hello,
Is access to phase timing known to work in ModSecurity 3.x with Nginx?
For example, should I be able to write a SecAction in phase:5 to
log PERF_PHASE2, or PERF_ALL, etc.?
I'm using an earlier version of Nginx, and I have such rules, and lines for
them do, in fact, show up in the log, but without the performance
information. For example, this (which I include in
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf):
SecAction "id:90110, phase:5, pass, t:none, log, noauditlog, msg:'PERF_ALL:
%{PERF_ALL}'"
shows up in the log as:
... [id "90110"] [rev ""] [msg "PERF_ALL: "] [data ""] [severity "0"] [ver
""] [maturity "0"] [accuracy "0"] ...
Just curious whether this should be considered possible now or whether
anyone already may have had success doing so.
Thank you,
Gregory
|
|
From: Robert P. <rpa...@fe...> - 2018-03-21 00:20:02
|
Can you post a reproducible example (and what git commit you built against) to verify? Im afk and don't have access to my dev env but I did see that the current v2/master does sanitize args in json bodied noted with the "sanitizearg" rule action (assuming the body processing engine is configured appropriately of course) Sent from my iPhone > On Mar 20, 2018, at 14:25, Osama Elnaggar <oel...@gm...> wrote: > > Are you sure about this? I tried it with the format set to JSON and it still didn’t work. > > If you are interesting in tackling this, below are some pointers Felipe sent a few months ago: > > The general idea is that the content to be sanitized is placed under an apt_trable that is further checked while the logs are being generated. > > For instance: regarding the request headers, we have the log generation detailed here: > https://github.com/SpiderLabs/ModSecurity/blob/bb577950bf983811ff1892e87d815a1909c0b96b/apache2/msc_logging.c#L1211-L1236 > > As of the "sanitization selection”, we have: > https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L1425-L1431 > > The sanitizeMatch is a little bit more complex, but still uses the same logic: > https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L1350-L1423 > > All the sanitize actions are bound here - > https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L2663-L2791 > > Both JSON and XML have their own structures to hold their data, as you can see: > > - JSON: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/modsecurity.h#L391 > - XML: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/modsecurity.h#L389 > > -- > Osama Elnaggar > >> On March 21, 2018 at 5:41:12 AM, Robert Paprocki (rpa...@fe...) wrote: >> >> Whups, wow, I really need to open my eyes :p >> >> The patch above allows for sanitizing JSON request bodies only when SecAuditLogFormat is also set to JSON. I've pushed up https://github.com/SpiderLabs/ModSecurity/pull/1714 which enables sanitization of JSON request bodies in native audit log formats. >> >>> On Thu, Mar 15, 2018 at 1:07 PM, Osama Elnaggar <oel...@gm...> wrote: >>> I don't think the proposed patch actually works. I tried patching v2.9.2 with it and even using v2 master but with no success. Have you been able to get the patch working Robert? >>> >>> -- >>> Osama Elnaggar >>> >>>> On March 15, 2018 at 11:06:37 AM, Robert Paprocki (rpa...@fe...) wrote: >>>> >>>> Have a look at >>>> >>>> https://github.com/SpiderLabs/ModSecurity/commit/f86de566d18dda6351ecba52d5e5f1d29ad02a12 >>>> >>>> JSON body audit log sanitization was only very recently introduced, it's not yet made its way to a formal release. (I need to check sources before opening my mouth :p). >>>> >>>> So you can rebuild ModSecurity off `v2/master` if you want to test this functionality. :) >>>> >>>>> On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> wrote: >>>>> Hello there! >>>>> >>>>> If modsecurity can parse the values of JSON payloads, why can not it sanitize? >>>>> >>>>> This is non-sense for me. >>>>> >>>>> Look this request: >>>>> $> curl -H "Content-Type: application/json" -X POST -d '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate >>>>> >>>>> and this is audit-log: >>>>> >>>>> --9eb5dc70-A-- >>>>> [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 127.0.0.1 80 >>>>> --9eb5dc70-B-- >>>>> POST /Authenticate HTTP/1.1 >>>>> Host: localhost >>>>> User-Agent: curl/7.47.0 >>>>> Accept: */* >>>>> Content-Type: application/json >>>>> Content-Length: 36 >>>>> >>>>> --9eb5dc70-C-- >>>>> {"CVV":"123","blah":"/bin/bash"} >>>>> --9eb5dc70-E-- >>>>> {"message":"Failed"} >>>>> --9eb5dc70-F-- >>>>> HTTP/1.1 400 Bad Request >>>>> Access-Control-Allow-Origin: * >>>>> Content-Type: application/json >>>>> Content-Length: 190 >>>>> X-Content-Type-Options: nosniff >>>>> X-Frame-Options: sameorigin >>>>> Connection: close >>>>> >>>>> --9eb5dc70-H-- >>>>> Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] >>>>> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] >>>>> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"] >>>>> Apache-Handler: proxy-server >>>>> Stopwatch: 1521070655519139 8420 (- - -) >>>>> Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, p4=129, p5=86, sr=35, sw=1, l=0, gc=0 >>>>> Response-Body-Transformed: Dechunked >>>>> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0. >>>>> Server: Apache/2.4.18 >>>>> Sanitised-Args: "CVV". >>>>> Engine-Mode: "DETECTION_ONLY" >>>>> >>>>> --9eb5dc70-Z-- >>>>> >>>>> >>>>> Cristiano Galdino >>>>> (61) 9860 1 9860 >>>>> cri...@ga... >>>>> >>>>>> On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, wrote: >>>>>> Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark >>>>>> on JSON. >>>>>> >>>>>> I confirm this does not work. >>>>>> >>>>>> Sanitation is generally an issue as there is no sanitation in the alerts >>>>>> written into the error-log. Even it is less severe as the audit log. >>>>>> >>>>>> Best, >>>>>> >>>>>> Christian >>>>>> >>>>>> >>>>>>> On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote: >>>>>>> Yep! My application use JSON payloads. >>>>>>> Christian, please try it: >>>>>>> $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}' >>>>>>> [1]http://localhost/?id=/bin/bash >>>>>>> >>>>>>> Cristiano Galdino >>>>>>> (61) 9860 1 9860 >>>>>>> cri...@ga... >>>>>>> >>>>>>> On 14 Mar 2018 18:38 -0300, Robert Paprocki >>>>>>> <rpa...@fe...>, wrote: >>>>>>> >>>>>>> Christian, you tested with a application/x-www-form-urlencoded >>>>>>> request; Christiano's use case involves JSON-encoded bodies. >>>>>>> I do not believe JSON request bodies can be translated into data >>>>>>> collections that can have sanitize actions applied on them at this >>>>>>> point. >>>>>>> >>>>>>> On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini >>>>>>> <[2]chr...@ne...> wrote: >>>>>>> >>>>>>> Hello Cristiano, >>>>>>> I did the following request: >>>>>>> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash" >>>>>>> and got the following audit-log when using CRS3 (parameter exec >>>>>>> triggering >>>>>>> the writing of the audit log): >>>>>>> --a7997f3d-A-- >>>>>>> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 >>>>>>> 50058 127.0.0.1 40080 >>>>>>> --a7997f3d-B-- >>>>>>> POST / HTTP/1.1 >>>>>>> Host: localhost >>>>>>> User-Agent: curl/7.50.1 >>>>>>> Accept: */* >>>>>>> Content-Length: 38 >>>>>>> Content-Type: application/x-www-form-urlencoded >>>>>>> --a7997f3d-C-- >>>>>>> CVV=*******************&exec=/bin/bash >>>>>>> --a7997f3d-F-- >>>>>>> HTTP/1.1 200 OK >>>>>>> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT >>>>>>> ETag: "2d-5608741dac6fd" >>>>>>> Accept-Ranges: bytes >>>>>>> Content-Length: 45 >>>>>>> Content-Type: text/html >>>>>>> ... >>>>>>> I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled >>>>>>> according to >>>>>>> the tutorials on [3]netnea.com. >>>>>>> My ModSec Configuration: >>>>>>> ------------------------------------------------------------ >>>>>>> ------------------ >>>>>>> SecRuleEngine On >>>>>>> SecRequestBodyAccess On >>>>>>> SecRequestBodyLimit 10000000 >>>>>>> SecRequestBodyNoFilesLimit 64000 >>>>>>> SecResponseBodyAccess On >>>>>>> SecResponseBodyLimit 10000000 >>>>>>> SecTmpDir /tmp/ >>>>>>> SecDataDir /tmp/ >>>>>>> SecUploadDir /tmp/ >>>>>>> SecDebugLog /apache/logs/modsec_debug.log >>>>>>> SecDebugLogLevel 3 >>>>>>> SecAuditEngine RelevantOnly >>>>>>> SecAuditLogRelevantStatus "^(?:5|4(?!04))" >>>>>>> SecAuditLogParts ABEFHIJZ >>>>>>> SecAuditLogType Concurrent >>>>>>> SecAuditLog /apache/logs/modsec_audit.log >>>>>>> SecAuditLogStorageDir /apache/logs/audit/ >>>>>>> SecPcreMatchLimit 500000 >>>>>>> SecPcreMatchLimitRecursion 500000 >>>>>>> SecDefaultAction "phase:2,pass,log" >>>>>>> # == ModSec Rule ID Namespace Definition >>>>>>> # Service-specific before Core-Rules: 10000 - 49999 >>>>>>> # Service-specific after Core-Rules: 50000 - 79999 >>>>>>> # Locally shared rules: 80000 - 99999 >>>>>>> # - Performance: 90000 - 90199 >>>>>>> # Recommended ModSec Rules (few): 200000 - 200010 >>>>>>> # OWASP Core-Rules: 900000 - 999999 >>>>>>> # === ModSec timestamps at the start of each phase (ids: 90000 - >>>>>>> 90009) >>>>>>> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX. >>>>>>> ModSecTimestamp1start=%{DURATION}" >>>>>>> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX. >>>>>>> ModSecTimestamp2start=%{DURATION}" >>>>>>> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX. >>>>>>> ModSecTimestamp3start=%{DURATION}" >>>>>>> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX. >>>>>>> ModSecTimestamp4start=%{DURATION}" >>>>>>> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX. >>>>>>> ModSecTimestamp5start=%{DURATION}" >>>>>>> # SecRule REQUEST_FILENAME "@beginsWith /" >>>>>>> "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv: >>>>>>> write_perflog" >>>>>>> # === ModSec Recommended Rules (in modsec src package) (ids: >>>>>>> 200000-200010) >>>>>>> SecRule REQUEST_HEADERS:Content-Type "text/xml" >>>>>>> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl: >>>>>>> requestBodyProcessor=XML" >>>>>>> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none, >>>>>>> deny,status:400,log,msg:'Failed to parse request body.',\ >>>>>>> logdata:'%{reqbody_error_msg}',severity:2" >>>>>>> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ >>>>>>> "id:'200002',phase:2,t:none,log,deny,status:403, \ >>>>>>> msg:'Multipart request body failed strict validation: \ >>>>>>> PE %{REQBODY_PROCESSOR_ERROR}, \ >>>>>>> BQ %{MULTIPART_BOUNDARY_QUOTED}, \ >>>>>>> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ >>>>>>> DB %{MULTIPART_DATA_BEFORE}, \ >>>>>>> DA %{MULTIPART_DATA_AFTER}, \ >>>>>>> HF %{MULTIPART_HEADER_FOLDING}, \ >>>>>>> LF %{MULTIPART_LF_LINE}, \ >>>>>>> SM %{MULTIPART_MISSING_SEMICOLON}, \ >>>>>>> IQ %{MULTIPART_INVALID_QUOTING}, \ >>>>>>> IP %{MULTIPART_INVALID_PART}, \ >>>>>>> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ >>>>>>> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" >>>>>>> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none, >>>>>>> deny,status:500,msg:'ModSecurity internal error flagged: >>>>>>> %{MATCHED_VAR_NAME}'" >>>>>>> # === ModSecurity Rules (ids: 900000-999999) >>>>>>> # === ModSec Core Rules Base Configuration (ids: 900001-900021) >>>>>>> Include /home/dune73/data/git/crs-official/crs-setup.conf. >>>>>>> example >>>>>>> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_ >>>>>>> anomaly_score_threshold=500,setvar:tx.outbound_anomaly_ >>>>>>> score_threshold=500" >>>>>>> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx. >>>>>>> paranoia_level=4" >>>>>>> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by >>>>>>> id of ignored rule (ids: 10000-49999) >>>>>>> # SecRule ARGS:a "." >>>>>>> "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'" >>>>>>> # SecRule ARGS_GET:a "." >>>>>>> "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'" >>>>>>> # SecRule ARGS_POST:a "." >>>>>>> "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'" >>>>>>> # SecRule REQUEST_URI "." >>>>>>> "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'" >>>>>>> # SecRule REQUEST_HEADERS:User-Agent "." >>>>>>> "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'" >>>>>>> SecRule ARGS:b "." "id:1006,phase:2,pass,log, >>>>>>> auditlog,msg:'XXX6: %{MATCHED_VAR}'" >>>>>>> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV" >>>>>>> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" >>>>>>> # === ModSecurity Core Rules Inclusion >>>>>>> Include /home/dune73/data/git/crs-official/rules/*.conf >>>>>>> # === ModSec Core Rules: Startup Time Rules Exclusions >>>>>>> # === ModSec timestamps at the end of each phase (ids: 90010 - >>>>>>> 90019) >>>>>>> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX. >>>>>>> ModSecTimestamp1end=%{DURATION}" >>>>>>> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX. >>>>>>> ModSecTimestamp2end=%{DURATION}" >>>>>>> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX. >>>>>>> ModSecTimestamp3end=%{DURATION}" >>>>>>> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX. >>>>>>> ModSecTimestamp4end=%{DURATION}" >>>>>>> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX. >>>>>>> ModSecTimestamp5end=%{DURATION}" >>>>>>> # === ModSec performance calculations and variable export (ids: >>>>>>> 90100 - 90199) >>>>>>> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_ >>>>>>> modsecinbound=%{PERF_PHASE1}" >>>>>>> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_ >>>>>>> modsecinbound=+%{PERF_PHASE2}" >>>>>>> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_ >>>>>>> application=%{TX.ModSecTimestamp3start}" >>>>>>> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_ >>>>>>> application=-%{TX.ModSecTimestamp2end}" >>>>>>> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_ >>>>>>> modsecoutbound=%{PERF_PHASE3}" >>>>>>> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_ >>>>>>> modsecoutbound=+%{PERF_PHASE4}" >>>>>>> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{ >>>>>>> TX.perf_modsecinbound}" >>>>>>> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=% >>>>>>> {TX.perf_application}" >>>>>>> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{ >>>>>>> TX.perf_modsecoutbound}" >>>>>>> SecAction "id:'90109',phase:5,pass,nolog,setenv: >>>>>>> ModSecAnomalyScoreIn=%{TX.anomaly_score}" >>>>>>> SecAction "id:'90110',phase:5,pass,nolog,setenv: >>>>>>> ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}" >>>>>>> # === End ModSec Configuration >>>>>>> ------------------------------------------------------------ >>>>>>> ------------------ >>>>>>> So I think this generally works. If it does not for you, then please >>>>>>> try and >>>>>>> reproduce the behaviour on the latest ModSec version of the 2.9 >>>>>>> series and >>>>>>> open a bug report in case. >>>>>>> Ahoj, >>>>>>> Christian >>>>>>>> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote: >>>>>>>> Hi Christian! >>>>>>>> Modsecurity: 2.9.0-1 (from Ubuntu repository) >>>>>>>> Apache 2.4.18-2ubuntu3.5 >>>>>>>> Tks! >>>>>>>> >>>>>>>> Cristiano Galdino >>>>>>>> [4]cri...@ga... >>>>>>>> >>>>>>>> On 14 Mar 2018 17:55 -0300, Christian Folini >>>>>>>> <[5]chr...@ne...>, wrote: >>>>>>>> >>>>>>>> Hello Christiano, >>>>>>>> What platform are you using? (-> ModSec version, Apache / >>>>>>> NGINX / >>>>>>>> IIS?) >>>>>>>> Ahoj, >>>>>>>> Christian >>>>>>>> On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino >>>>>>> wrote: >>>>>>>> >>>>>>>> Hello! >>>>>>>> I created a rule in ModSecurity to sanitize param CVV (credit >>>>>>> card) >>>>>>>> but >>>>>>>> it is not working. >>>>>>>> Samples: >>>>>>>> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV” >>>>>>>> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" >>>>>>>> This prevents me from using modsecurity because PCI does not >>>>>>> allow >>>>>>>> CVV >>>>>>>> to be stored. >>>>>>>> I found this issue without response. >>>>>>>> [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715 >>>>>>>> What can I do? >>>>>>>> Cristiano Galdino >>>>>>>> [7]cri...@ga... >>>>>>>> References >>>>>>>> 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715 >>>>>>>> >>>>>>>> ------------------------------------------------------------ >>>>>>> -------- >>>>>>>> ---------- >>>>>>>> Check out the vibrant tech community on one of the world's >>>>>>> most >>>>>>>> engaging tech sites, Slashdot.org! >>>>>>> [9]http://sdm.link/slashdot >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> [10]mod...@li... >>>>>>>> [11]https://lists.sourceforge.net/ >>>>>>> lists/listinfo/mod-security-users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>> SpiderLabs: >>>>>>>> [12]http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> [13]http://www.modsecurity.org/projects/commercial/support/ >>>>>>>> >>>>>>>> -- >>>>>>>> [14]https://www.feistyduck.com/training/modsecurity-training- >>>>>>> course >>>>>>>> [15]https://www.feistyduck.com/books/modsecurity-handbook/ >>>>>>>> mailto:[16]chr...@ne... >>>>>>>> twitter: @ChrFolini >>>>>>>> ------------------------------------------------------------ >>>>>>> -------- >>>>>>>> ---------- >>>>>>>> Check out the vibrant tech community on one of the world's >>>>>>> most >>>>>>>> engaging tech sites, Slashdot.org! >>>>>>> [17]http://sdm.link/slashdot >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> [18]mod...@li... >>>>>>>> [19]https://lists.sourceforge.net/ >>>>>>> lists/listinfo/mod-security-users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>> SpiderLabs: >>>>>>>> [20]http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> [21]http://www.modsecurity.org/projects/commercial/support/ >>>>>>>> ------------------------------------------------------------ >>>>>>> ------------------ >>>>>>>> Check out the vibrant tech community on one of the world's most >>>>>>>> engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> [23]mod...@li... >>>>>>>> [24]https://lists.sourceforge.net/lists/listinfo/mod-security- >>>>>>> users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>> SpiderLabs: >>>>>>>> [25]http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> [26]http://www.modsecurity.org/projects/commercial/support/ >>>>>>> -- >>>>>>> [27]https://www.feistyduck.com/training/modsecurity-training-course >>>>>>> [28]https://www.feistyduck.com/books/modsecurity-handbook/ >>>>>>> mailto:[29]chr...@ne... >>>>>>> twitter: @ChrFolini >>>>>>> ------------------------------------------------------------ >>>>>>> ------------------ >>>>>>> Check out the vibrant tech community on one of the world's most >>>>>>> engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot >>>>>>> _______________________________________________ >>>>>>> mod-security-users mailing list >>>>>>> [31]mod...@li... >>>>>>> [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>> SpiderLabs: >>>>>>> [33]http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> [34]http://www.modsecurity.org/projects/commercial/support/ >>>>>>> >>>>>>> -------------------------------------------------------------------- >>>>>>> ---------- >>>>>>> Check out the vibrant tech community on one of the world's most >>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>>>> _______________________________________________ >>>>>>> mod-security-users mailing list >>>>>>> mod...@li... >>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>> SpiderLabs: >>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>> >>>>>>> References >>>>>>> >>>>>>> 1. http://localhost:3000/api/login >>>>>>> 2. mailto:chr...@ne... >>>>>>> 3. http://netnea.com/ >>>>>>> 4. mailto:cri...@ga... >>>>>>> 5. mailto:chr...@ne... >>>>>>> 6. https://github.com/SpiderLabs/ModSecurity/issues/715 >>>>>>> 7. mailto:cri...@ga... >>>>>>> 8. https://github.com/SpiderLabs/ModSecurity/issues/715 >>>>>>> 9. http://sdm.link/slashdot >>>>>>> 10. mailto:mod...@li... >>>>>>> 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> 12. http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> 13. http://www.modsecurity.org/projects/commercial/support/ >>>>>>> 14. https://www.feistyduck.com/training/modsecurity-training-course >>>>>>> 15. https://www.feistyduck.com/books/modsecurity-handbook/ >>>>>>> 16. mailto:chr...@ne... >>>>>>> 17. http://sdm.link/slashdot >>>>>>> 18. mailto:mod...@li... >>>>>>> 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> 20. http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> 21. http://www.modsecurity.org/projects/commercial/support/ >>>>>>> 22. http://sdm.link/slashdot >>>>>>> 23. mailto:mod...@li... >>>>>>> 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> 25. http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> 26. http://www.modsecurity.org/projects/commercial/support/ >>>>>>> 27. https://www.feistyduck.com/training/modsecurity-training-course >>>>>>> 28. https://www.feistyduck.com/books/modsecurity-handbook/ >>>>>>> 29. mailto:chr...@ne... >>>>>>> 30. http://sdm.link/slashdot >>>>>>> 31. mailto:mod...@li... >>>>>>> 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> 33. http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> 34. http://www.modsecurity.org/projects/commercial/support/ >>>>>> >>>>>>> ------------------------------------------------------------------------------ >>>>>>> Check out the vibrant tech community on one of the world's most >>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>>> >>>>>>> _______________________________________________ >>>>>>> mod-security-users mailing list >>>>>>> mod...@li... >>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>> >>>>>> >>>>>> -- >>>>>> https://www.feistyduck.com/training/modsecurity-training-course >>>>>> https://www.feistyduck.com/books/modsecurity-handbook/ >>>>>> mailto:chr...@ne... >>>>>> twitter: @ChrFolini >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> Check out the vibrant tech community on one of the world's most >>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>>> _______________________________________________ >>>>>> mod-security-users mailing list >>>>>> mod...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> Check out the vibrant tech community on one of the world's most >>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>> _______________________________________________ >>>>> mod-security-users mailing list >>>>> mod...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Check out the vibrant tech community on one of the world's most >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________ >>>> mod-security-users mailing list >>>> mod...@li... >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>> http://www.modsecurity.org/projects/commercial/rules/ >>>> http://www.modsecurity.org/projects/commercial/support/ >> |
|
From: Osama E. <oel...@gm...> - 2018-03-20 21:25:13
|
Are you sure about this? I tried it with the format set to JSON and it still didn’t work. If you are interesting in tackling this, below are some pointers Felipe sent a few months ago: The general idea is that the content to be sanitized is placed under an apt_trable that is further checked while the logs are being generated. For instance: regarding the request headers, we have the log generation detailed here: https://github.com/SpiderLabs/ModSecurity/blob/bb577950bf983811ff1892e87d815a1909c0b96b/apache2/msc_logging.c#L1211-L1236 As of the "sanitization selection”, we have: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L1425-L1431 The sanitizeMatch is a little bit more complex, but still uses the same logic: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L1350-L1423 All the sanitize actions are bound here - https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L2663-L2791 Both JSON and XML have their own structures to hold their data, as you can see: - JSON: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/modsecurity.h#L391 - XML: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/modsecurity.h#L389 -- Osama Elnaggar On March 21, 2018 at 5:41:12 AM, Robert Paprocki ( rpa...@fe...) wrote: Whups, wow, I really need to open my eyes :p The patch above allows for sanitizing JSON request bodies only when SecAuditLogFormat is *also* set to JSON. I've pushed up https://github.com/SpiderLabs/ModSecurity/pull/1714 which enables sanitization of JSON request bodies in native audit log formats. On Thu, Mar 15, 2018 at 1:07 PM, Osama Elnaggar <oel...@gm...> wrote: > I don't think the proposed patch actually works. I tried patching v2.9.2 > with it and even using v2 master but with no success. Have you been able > to get the patch working Robert? > > -- > Osama Elnaggar > > On March 15, 2018 at 11:06:37 AM, Robert Paprocki (rpaprocki@ > fearnothingproductions.net) wrote: > > Have a look at > > https://github.com/SpiderLabs/ModSecurity/commit/ > f86de566d18dda6351ecba52d5e5f1d29ad02a12 > > JSON body audit log sanitization was only very recently introduced, it's > not yet made its way to a formal release. (I need to check sources before > opening my mouth :p). > > So you can rebuild ModSecurity off `v2/master` if you want to test this > functionality. :) > > On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> > wrote: > >> Hello there! >> >> If modsecurity can parse the values of JSON payloads, why can not it >> sanitize? >> >> This is non-sense for me. >> >> Look this request: >> $> curl -H "Content-Type: application/json" -X POST -d >> '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate >> >> and this is audit-log: >> >> --9eb5dc70-A-- >> >> [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 >> 127.0.0.1 80 >> >> --9eb5dc70-B-- >> >> POST /Authenticate HTTP/1.1 >> >> Host: localhost >> >> User-Agent: curl/7.47.0 >> >> Accept: */* >> >> Content-Type: application/json >> >> Content-Length: 36 >> >> >> --9eb5dc70-C-- >> >> {"CVV":"123","blah":"/bin/bash"} >> >> --9eb5dc70-E-- >> >> {"message":"Failed"} >> >> --9eb5dc70-F-- >> >> HTTP/1.1 400 Bad Request >> >> Access-Control-Allow-Origin: * >> >> Content-Type: application/json >> >> Content-Length: 190 >> >> X-Content-Type-Options: nosniff >> >> X-Frame-Options: sameorigin >> >> Connection: close >> >> >> --9eb5dc70-H-- >> >> Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file >> "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] >> [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix >> Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: >> /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] >> [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag >> "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] >> [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] >> >> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file >> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] >> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total >> Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag >> "language-multi"] [tag "platform-multi"] [tag "attack-generic"] >> >> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. >> [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] >> [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total >> Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): >> Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"] >> >> Apache-Handler: proxy-server >> >> Stopwatch: 1521070655519139 8420 (- - -) >> >> Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, >> p4=129, p5=86, sr=35, sw=1, l=0, gc=0 >> >> Response-Body-Transformed: Dechunked >> >> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); >> OWASP_CRS/3.0.0. >> >> Server: Apache/2.4.18 >> >> Sanitised-Args: "CVV". >> >> Engine-Mode: "DETECTION_ONLY" >> >> >> --9eb5dc70-Z-- >> >> >> >> Cristiano Galdino >> (61) 9860 1 9860 >> cri...@ga... >> >> On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, >> wrote: >> >> Sorry, I was a bit quick to jump to that conclusion. Overlooked your >> remark >> on JSON. >> >> I confirm this does not work. >> >> Sanitation is generally an issue as there is no sanitation in the alerts >> written into the error-log. Even it is less severe as the audit log. >> >> Best, >> >> Christian >> >> >> On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote: >> >> Yep! My application use JSON payloads. >> Christian, please try it: >> $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}' >> [1]http://localhost/?id=/bin/bash >> >> Cristiano Galdino >> (61) 9860 1 9860 >> cri...@ga... >> >> On 14 Mar 2018 18:38 -0300, Robert Paprocki >> <rpa...@fe...>, wrote: >> >> Christian, you tested with a application/x-www-form-urlencoded >> request; Christiano's use case involves JSON-encoded bodies. >> I do not believe JSON request bodies can be translated into data >> collections that can have sanitize actions applied on them at this >> point. >> >> On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini >> <[2]chr...@ne...> wrote: >> >> Hello Cristiano, >> I did the following request: >> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash" >> and got the following audit-log when using CRS3 (parameter exec >> triggering >> the writing of the audit log): >> --a7997f3d-A-- >> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 >> 50058 127.0.0.1 40080 >> --a7997f3d-B-- >> POST / HTTP/1.1 >> Host: localhost >> User-Agent: curl/7.50.1 >> Accept: */* >> Content-Length: 38 >> Content-Type: application/x-www-form-urlencoded >> --a7997f3d-C-- >> CVV=*******************&exec=/bin/bash >> --a7997f3d-F-- >> HTTP/1.1 200 OK >> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT >> ETag: "2d-5608741dac6fd" >> Accept-Ranges: bytes >> Content-Length: 45 >> Content-Type: text/html >> ... >> I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled >> according to >> the tutorials on [3]netnea.com. >> My ModSec Configuration: >> ------------------------------------------------------------ >> ------------------ >> SecRuleEngine On >> SecRequestBodyAccess On >> SecRequestBodyLimit 10000000 >> SecRequestBodyNoFilesLimit 64000 >> SecResponseBodyAccess On >> SecResponseBodyLimit 10000000 >> SecTmpDir /tmp/ >> SecDataDir /tmp/ >> SecUploadDir /tmp/ >> SecDebugLog /apache/logs/modsec_debug.log >> SecDebugLogLevel 3 >> SecAuditEngine RelevantOnly >> SecAuditLogRelevantStatus "^(?:5|4(?!04))" >> SecAuditLogParts ABEFHIJZ >> SecAuditLogType Concurrent >> SecAuditLog /apache/logs/modsec_audit.log >> SecAuditLogStorageDir /apache/logs/audit/ >> SecPcreMatchLimit 500000 >> SecPcreMatchLimitRecursion 500000 >> SecDefaultAction "phase:2,pass,log" >> # == ModSec Rule ID Namespace Definition >> # Service-specific before Core-Rules: 10000 - 49999 >> # Service-specific after Core-Rules: 50000 - 79999 >> # Locally shared rules: 80000 - 99999 >> # - Performance: 90000 - 90199 >> # Recommended ModSec Rules (few): 200000 - 200010 >> # OWASP Core-Rules: 900000 - 999999 >> # === ModSec timestamps at the start of each phase (ids: 90000 - >> 90009) >> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX. >> ModSecTimestamp1start=%{DURATION}" >> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX. >> ModSecTimestamp2start=%{DURATION}" >> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX. >> ModSecTimestamp3start=%{DURATION}" >> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX. >> ModSecTimestamp4start=%{DURATION}" >> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX. >> ModSecTimestamp5start=%{DURATION}" >> # SecRule REQUEST_FILENAME "@beginsWith /" >> "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv: >> write_perflog" >> # === ModSec Recommended Rules (in modsec src package) (ids: >> 200000-200010) >> SecRule REQUEST_HEADERS:Content-Type "text/xml" >> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl: >> requestBodyProcessor=XML" >> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none, >> deny,status:400,log,msg:'Failed to parse request body.',\ >> logdata:'%{reqbody_error_msg}',severity:2" >> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ >> "id:'200002',phase:2,t:none,log,deny,status:403, \ >> msg:'Multipart request body failed strict validation: \ >> PE %{REQBODY_PROCESSOR_ERROR}, \ >> BQ %{MULTIPART_BOUNDARY_QUOTED}, \ >> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ >> DB %{MULTIPART_DATA_BEFORE}, \ >> DA %{MULTIPART_DATA_AFTER}, \ >> HF %{MULTIPART_HEADER_FOLDING}, \ >> LF %{MULTIPART_LF_LINE}, \ >> SM %{MULTIPART_MISSING_SEMICOLON}, \ >> IQ %{MULTIPART_INVALID_QUOTING}, \ >> IP %{MULTIPART_INVALID_PART}, \ >> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ >> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" >> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none, >> deny,status:500,msg:'ModSecurity internal error flagged: >> %{MATCHED_VAR_NAME}'" >> # === ModSecurity Rules (ids: 900000-999999) >> # === ModSec Core Rules Base Configuration (ids: 900001-900021) >> Include /home/dune73/data/git/crs-official/crs-setup.conf. >> example >> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_ >> anomaly_score_threshold=500,setvar:tx.outbound_anomaly_ >> score_threshold=500" >> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx. >> paranoia_level=4" >> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by >> id of ignored rule (ids: 10000-49999) >> # SecRule ARGS:a "." >> "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'" >> # SecRule ARGS_GET:a "." >> "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'" >> # SecRule ARGS_POST:a "." >> "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'" >> # SecRule REQUEST_URI "." >> "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'" >> # SecRule REQUEST_HEADERS:User-Agent "." >> "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'" >> SecRule ARGS:b "." "id:1006,phase:2,pass,log, >> auditlog,msg:'XXX6: %{MATCHED_VAR}'" >> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV" >> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" >> # === ModSecurity Core Rules Inclusion >> Include /home/dune73/data/git/crs-official/rules/*.conf >> # === ModSec Core Rules: Startup Time Rules Exclusions >> # === ModSec timestamps at the end of each phase (ids: 90010 - >> 90019) >> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX. >> ModSecTimestamp1end=%{DURATION}" >> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX. >> ModSecTimestamp2end=%{DURATION}" >> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX. >> ModSecTimestamp3end=%{DURATION}" >> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX. >> ModSecTimestamp4end=%{DURATION}" >> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX. >> ModSecTimestamp5end=%{DURATION}" >> # === ModSec performance calculations and variable export (ids: >> 90100 - 90199) >> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_ >> modsecinbound=%{PERF_PHASE1}" >> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_ >> modsecinbound=+%{PERF_PHASE2}" >> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_ >> application=%{TX.ModSecTimestamp3start}" >> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_ >> application=-%{TX.ModSecTimestamp2end}" >> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_ >> modsecoutbound=%{PERF_PHASE3}" >> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_ >> modsecoutbound=+%{PERF_PHASE4}" >> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{ >> TX.perf_modsecinbound}" >> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=% >> {TX.perf_application}" >> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{ >> TX.perf_modsecoutbound}" >> SecAction "id:'90109',phase:5,pass,nolog,setenv: >> ModSecAnomalyScoreIn=%{TX.anomaly_score}" >> SecAction "id:'90110',phase:5,pass,nolog,setenv: >> ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}" >> # === End ModSec Configuration >> ------------------------------------------------------------ >> ------------------ >> So I think this generally works. If it does not for you, then please >> try and >> reproduce the behaviour on the latest ModSec version of the 2.9 >> series and >> open a bug report in case. >> Ahoj, >> Christian >> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote: >> >> Hi Christian! >> Modsecurity: 2.9.0-1 (from Ubuntu repository) >> Apache 2.4.18-2ubuntu3.5 >> Tks! >> >> Cristiano Galdino >> [4]cri...@ga... >> >> On 14 Mar 2018 17:55 -0300, Christian Folini >> <[5]chr...@ne...>, wrote: >> >> Hello Christiano, >> What platform are you using? (-> ModSec version, Apache / >> >> NGINX / >> >> IIS?) >> Ahoj, >> Christian >> On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino >> >> wrote: >> >> >> Hello! >> I created a rule in ModSecurity to sanitize param CVV (credit >> >> card) >> >> but >> it is not working. >> Samples: >> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV” >> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" >> This prevents me from using modsecurity because PCI does not >> >> allow >> >> CVV >> to be stored. >> I found this issue without response. >> [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715 >> What can I do? >> Cristiano Galdino >> [7]cri...@ga... >> References >> 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715 >> >> ------------------------------------------------------------ >> >> -------- >> >> ---------- >> Check out the vibrant tech community on one of the world's >> >> most >> >> engaging tech sites, Slashdot.org! >> >> [9]http://sdm.link/slashdot >> >> >> _______________________________________________ >> mod-security-users mailing list >> [10]mod...@li... >> [11]https://lists.sourceforge.net/ >> >> lists/listinfo/mod-security-users >> >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> [12]http://www.modsecurity.org/projects/commercial/rules/ >> [13]http://www.modsecurity.org/projects/commercial/support/ >> >> -- >> [14]https://www.feistyduck.com/training/modsecurity-training- >> >> course >> >> [15]https://www.feistyduck.com/books/modsecurity-handbook/ >> mailto:[16]chr...@ne... >> twitter: @ChrFolini >> ------------------------------------------------------------ >> >> -------- >> >> ---------- >> Check out the vibrant tech community on one of the world's >> >> most >> >> engaging tech sites, Slashdot.org! >> >> [17]http://sdm.link/slashdot >> >> _______________________________________________ >> mod-security-users mailing list >> [18]mod...@li... >> [19]https://lists.sourceforge.net/ >> >> lists/listinfo/mod-security-users >> >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> [20]http://www.modsecurity.org/projects/commercial/rules/ >> [21]http://www.modsecurity.org/projects/commercial/support/ >> ------------------------------------------------------------ >> >> ------------------ >> >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> [23]mod...@li... >> [24]https://lists.sourceforge.net/lists/listinfo/mod-security- >> >> users >> >> Commercial ModSecurity Rules and Support from Trustwave's >> >> SpiderLabs: >> >> [25]http://www.modsecurity.org/projects/commercial/rules/ >> [26]http://www.modsecurity.org/projects/commercial/support/ >> >> -- >> [27]https://www.feistyduck.com/training/modsecurity-training-course >> [28]https://www.feistyduck.com/books/modsecurity-handbook/ >> mailto:[29]chr...@ne... >> twitter: @ChrFolini >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> [31]mod...@li... >> [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> [33]http://www.modsecurity.org/projects/commercial/rules/ >> [34]http://www.modsecurity.org/projects/commercial/support/ >> >> -------------------------------------------------------------------- >> ---------- >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> References >> >> 1. http://localhost:3000/api/login >> 2. mailto:chr...@ne... >> 3. http://netnea.com/ >> 4. mailto:cri...@ga... >> 5. mailto:chr...@ne... >> 6. https://github.com/SpiderLabs/ModSecurity/issues/715 >> 7. mailto:cri...@ga... >> 8. https://github.com/SpiderLabs/ModSecurity/issues/715 >> 9. http://sdm.link/slashdot >> 10. mailto:mod...@li... >> 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 12. http://www.modsecurity.org/projects/commercial/rules/ >> 13. http://www.modsecurity.org/projects/commercial/support/ >> 14. https://www.feistyduck.com/training/modsecurity-training-course >> 15. https://www.feistyduck.com/books/modsecurity-handbook/ >> 16. mailto:chr...@ne... >> 17. http://sdm.link/slashdot >> 18. mailto:mod...@li... >> 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 20. http://www.modsecurity.org/projects/commercial/rules/ >> 21. http://www.modsecurity.org/projects/commercial/support/ >> 22. http://sdm.link/slashdot >> 23. mailto:mod...@li... >> 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 25. http://www.modsecurity.org/projects/commercial/rules/ >> 26. http://www.modsecurity.org/projects/commercial/support/ >> 27. https://www.feistyduck.com/training/modsecurity-training-course >> 28. https://www.feistyduck.com/books/modsecurity-handbook/ >> 29. mailto:chr...@ne... >> 30. http://sdm.link/slashdot >> 31. mailto:mod...@li... >> 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 33. http://www.modsecurity.org/projects/commercial/rules/ >> 34. http://www.modsecurity.org/projects/commercial/support/ >> >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> >> >> -- >> https://www.feistyduck.com/training/modsecurity-training-course >> https://www.feistyduck.com/books/modsecurity-handbook/ >> mailto:chr...@ne... >> twitter: @ChrFolini >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot______ > _________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |
|
From: Robert P. <rpa...@fe...> - 2018-03-20 18:41:20
|
Whups, wow, I really need to open my eyes :p The patch above allows for sanitizing JSON request bodies only when SecAuditLogFormat is *also* set to JSON. I've pushed up https://github.com/SpiderLabs/ModSecurity/pull/1714 which enables sanitization of JSON request bodies in native audit log formats. On Thu, Mar 15, 2018 at 1:07 PM, Osama Elnaggar <oel...@gm...> wrote: > I don't think the proposed patch actually works. I tried patching v2.9.2 > with it and even using v2 master but with no success. Have you been able > to get the patch working Robert? > > -- > Osama Elnaggar > > On March 15, 2018 at 11:06:37 AM, Robert Paprocki (rpaprocki@ > fearnothingproductions.net) wrote: > > Have a look at > > https://github.com/SpiderLabs/ModSecurity/commit/ > f86de566d18dda6351ecba52d5e5f1d29ad02a12 > > JSON body audit log sanitization was only very recently introduced, it's > not yet made its way to a formal release. (I need to check sources before > opening my mouth :p). > > So you can rebuild ModSecurity off `v2/master` if you want to test this > functionality. :) > > On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> > wrote: > >> Hello there! >> >> If modsecurity can parse the values of JSON payloads, why can not it >> sanitize? >> >> This is non-sense for me. >> >> Look this request: >> $> curl -H "Content-Type: application/json" -X POST -d >> '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate >> >> and this is audit-log: >> >> --9eb5dc70-A-- >> >> [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 >> 127.0.0.1 80 >> >> --9eb5dc70-B-- >> >> POST /Authenticate HTTP/1.1 >> >> Host: localhost >> >> User-Agent: curl/7.47.0 >> >> Accept: */* >> >> Content-Type: application/json >> >> Content-Length: 36 >> >> >> --9eb5dc70-C-- >> >> {"CVV":"123","blah":"/bin/bash"} >> >> --9eb5dc70-E-- >> >> {"message":"Failed"} >> >> --9eb5dc70-F-- >> >> HTTP/1.1 400 Bad Request >> >> Access-Control-Allow-Origin: * >> >> Content-Type: application/json >> >> Content-Length: 190 >> >> X-Content-Type-Options: nosniff >> >> X-Frame-Options: sameorigin >> >> Connection: close >> >> >> --9eb5dc70-H-- >> >> Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file >> "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] >> [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix >> Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: >> /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] >> [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag >> "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] >> [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] >> >> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file >> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] >> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total >> Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag >> "language-multi"] [tag "platform-multi"] [tag "attack-generic"] >> >> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. >> [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] >> [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total >> Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): >> Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"] >> >> Apache-Handler: proxy-server >> >> Stopwatch: 1521070655519139 8420 (- - -) >> >> Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, >> p4=129, p5=86, sr=35, sw=1, l=0, gc=0 >> >> Response-Body-Transformed: Dechunked >> >> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); >> OWASP_CRS/3.0.0. >> >> Server: Apache/2.4.18 >> >> Sanitised-Args: "CVV". >> >> Engine-Mode: "DETECTION_ONLY" >> >> >> --9eb5dc70-Z-- >> >> >> >> Cristiano Galdino >> (61) 9860 1 9860 >> cri...@ga... >> >> On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, >> wrote: >> >> Sorry, I was a bit quick to jump to that conclusion. Overlooked your >> remark >> on JSON. >> >> I confirm this does not work. >> >> Sanitation is generally an issue as there is no sanitation in the alerts >> written into the error-log. Even it is less severe as the audit log. >> >> Best, >> >> Christian >> >> >> On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote: >> >> Yep! My application use JSON payloads. >> Christian, please try it: >> $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}' >> [1]http://localhost/?id=/bin/bash >> >> Cristiano Galdino >> (61) 9860 1 9860 >> cri...@ga... >> >> On 14 Mar 2018 18:38 -0300, Robert Paprocki >> <rpa...@fe...>, wrote: >> >> Christian, you tested with a application/x-www-form-urlencoded >> request; Christiano's use case involves JSON-encoded bodies. >> I do not believe JSON request bodies can be translated into data >> collections that can have sanitize actions applied on them at this >> point. >> >> On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini >> <[2]chr...@ne...> wrote: >> >> Hello Cristiano, >> I did the following request: >> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash" >> and got the following audit-log when using CRS3 (parameter exec >> triggering >> the writing of the audit log): >> --a7997f3d-A-- >> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 >> 50058 127.0.0.1 40080 >> --a7997f3d-B-- >> POST / HTTP/1.1 >> Host: localhost >> User-Agent: curl/7.50.1 >> Accept: */* >> Content-Length: 38 >> Content-Type: application/x-www-form-urlencoded >> --a7997f3d-C-- >> CVV=*******************&exec=/bin/bash >> --a7997f3d-F-- >> HTTP/1.1 200 OK >> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT >> ETag: "2d-5608741dac6fd" >> Accept-Ranges: bytes >> Content-Length: 45 >> Content-Type: text/html >> ... >> I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled >> according to >> the tutorials on [3]netnea.com. >> My ModSec Configuration: >> ------------------------------------------------------------ >> ------------------ >> SecRuleEngine On >> SecRequestBodyAccess On >> SecRequestBodyLimit 10000000 >> SecRequestBodyNoFilesLimit 64000 >> SecResponseBodyAccess On >> SecResponseBodyLimit 10000000 >> SecTmpDir /tmp/ >> SecDataDir /tmp/ >> SecUploadDir /tmp/ >> SecDebugLog /apache/logs/modsec_debug.log >> SecDebugLogLevel 3 >> SecAuditEngine RelevantOnly >> SecAuditLogRelevantStatus "^(?:5|4(?!04))" >> SecAuditLogParts ABEFHIJZ >> SecAuditLogType Concurrent >> SecAuditLog /apache/logs/modsec_audit.log >> SecAuditLogStorageDir /apache/logs/audit/ >> SecPcreMatchLimit 500000 >> SecPcreMatchLimitRecursion 500000 >> SecDefaultAction "phase:2,pass,log" >> # == ModSec Rule ID Namespace Definition >> # Service-specific before Core-Rules: 10000 - 49999 >> # Service-specific after Core-Rules: 50000 - 79999 >> # Locally shared rules: 80000 - 99999 >> # - Performance: 90000 - 90199 >> # Recommended ModSec Rules (few): 200000 - 200010 >> # OWASP Core-Rules: 900000 - 999999 >> # === ModSec timestamps at the start of each phase (ids: 90000 - >> 90009) >> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX. >> ModSecTimestamp1start=%{DURATION}" >> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX. >> ModSecTimestamp2start=%{DURATION}" >> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX. >> ModSecTimestamp3start=%{DURATION}" >> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX. >> ModSecTimestamp4start=%{DURATION}" >> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX. >> ModSecTimestamp5start=%{DURATION}" >> # SecRule REQUEST_FILENAME "@beginsWith /" >> "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv: >> write_perflog" >> # === ModSec Recommended Rules (in modsec src package) (ids: >> 200000-200010) >> SecRule REQUEST_HEADERS:Content-Type "text/xml" >> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl: >> requestBodyProcessor=XML" >> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none, >> deny,status:400,log,msg:'Failed to parse request body.',\ >> logdata:'%{reqbody_error_msg}',severity:2" >> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ >> "id:'200002',phase:2,t:none,log,deny,status:403, \ >> msg:'Multipart request body failed strict validation: \ >> PE %{REQBODY_PROCESSOR_ERROR}, \ >> BQ %{MULTIPART_BOUNDARY_QUOTED}, \ >> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ >> DB %{MULTIPART_DATA_BEFORE}, \ >> DA %{MULTIPART_DATA_AFTER}, \ >> HF %{MULTIPART_HEADER_FOLDING}, \ >> LF %{MULTIPART_LF_LINE}, \ >> SM %{MULTIPART_MISSING_SEMICOLON}, \ >> IQ %{MULTIPART_INVALID_QUOTING}, \ >> IP %{MULTIPART_INVALID_PART}, \ >> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ >> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" >> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none, >> deny,status:500,msg:'ModSecurity internal error flagged: >> %{MATCHED_VAR_NAME}'" >> # === ModSecurity Rules (ids: 900000-999999) >> # === ModSec Core Rules Base Configuration (ids: 900001-900021) >> Include /home/dune73/data/git/crs-official/crs-setup.conf. >> example >> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_ >> anomaly_score_threshold=500,setvar:tx.outbound_anomaly_ >> score_threshold=500" >> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx. >> paranoia_level=4" >> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by >> id of ignored rule (ids: 10000-49999) >> # SecRule ARGS:a "." >> "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'" >> # SecRule ARGS_GET:a "." >> "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'" >> # SecRule ARGS_POST:a "." >> "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'" >> # SecRule REQUEST_URI "." >> "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'" >> # SecRule REQUEST_HEADERS:User-Agent "." >> "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'" >> SecRule ARGS:b "." "id:1006,phase:2,pass,log, >> auditlog,msg:'XXX6: %{MATCHED_VAR}'" >> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV" >> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" >> # === ModSecurity Core Rules Inclusion >> Include /home/dune73/data/git/crs-official/rules/*.conf >> # === ModSec Core Rules: Startup Time Rules Exclusions >> # === ModSec timestamps at the end of each phase (ids: 90010 - >> 90019) >> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX. >> ModSecTimestamp1end=%{DURATION}" >> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX. >> ModSecTimestamp2end=%{DURATION}" >> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX. >> ModSecTimestamp3end=%{DURATION}" >> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX. >> ModSecTimestamp4end=%{DURATION}" >> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX. >> ModSecTimestamp5end=%{DURATION}" >> # === ModSec performance calculations and variable export (ids: >> 90100 - 90199) >> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_ >> modsecinbound=%{PERF_PHASE1}" >> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_ >> modsecinbound=+%{PERF_PHASE2}" >> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_ >> application=%{TX.ModSecTimestamp3start}" >> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_ >> application=-%{TX.ModSecTimestamp2end}" >> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_ >> modsecoutbound=%{PERF_PHASE3}" >> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_ >> modsecoutbound=+%{PERF_PHASE4}" >> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{ >> TX.perf_modsecinbound}" >> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=% >> {TX.perf_application}" >> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{ >> TX.perf_modsecoutbound}" >> SecAction "id:'90109',phase:5,pass,nolog,setenv: >> ModSecAnomalyScoreIn=%{TX.anomaly_score}" >> SecAction "id:'90110',phase:5,pass,nolog,setenv: >> ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}" >> # === End ModSec Configuration >> ------------------------------------------------------------ >> ------------------ >> So I think this generally works. If it does not for you, then please >> try and >> reproduce the behaviour on the latest ModSec version of the 2.9 >> series and >> open a bug report in case. >> Ahoj, >> Christian >> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote: >> >> Hi Christian! >> Modsecurity: 2.9.0-1 (from Ubuntu repository) >> Apache 2.4.18-2ubuntu3.5 >> Tks! >> >> Cristiano Galdino >> [4]cri...@ga... >> >> On 14 Mar 2018 17:55 -0300, Christian Folini >> <[5]chr...@ne...>, wrote: >> >> Hello Christiano, >> What platform are you using? (-> ModSec version, Apache / >> >> NGINX / >> >> IIS?) >> Ahoj, >> Christian >> On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino >> >> wrote: >> >> >> Hello! >> I created a rule in ModSecurity to sanitize param CVV (credit >> >> card) >> >> but >> it is not working. >> Samples: >> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV” >> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" >> This prevents me from using modsecurity because PCI does not >> >> allow >> >> CVV >> to be stored. >> I found this issue without response. >> [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715 >> What can I do? >> Cristiano Galdino >> [7]cri...@ga... >> References >> 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715 >> >> ------------------------------------------------------------ >> >> -------- >> >> ---------- >> Check out the vibrant tech community on one of the world's >> >> most >> >> engaging tech sites, Slashdot.org! >> >> [9]http://sdm.link/slashdot >> >> >> _______________________________________________ >> mod-security-users mailing list >> [10]mod...@li... >> [11]https://lists.sourceforge.net/ >> >> lists/listinfo/mod-security-users >> >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> [12]http://www.modsecurity.org/projects/commercial/rules/ >> [13]http://www.modsecurity.org/projects/commercial/support/ >> >> -- >> [14]https://www.feistyduck.com/training/modsecurity-training- >> >> course >> >> [15]https://www.feistyduck.com/books/modsecurity-handbook/ >> mailto:[16]chr...@ne... >> twitter: @ChrFolini >> ------------------------------------------------------------ >> >> -------- >> >> ---------- >> Check out the vibrant tech community on one of the world's >> >> most >> >> engaging tech sites, Slashdot.org! >> >> [17]http://sdm.link/slashdot >> >> _______________________________________________ >> mod-security-users mailing list >> [18]mod...@li... >> [19]https://lists.sourceforge.net/ >> >> lists/listinfo/mod-security-users >> >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> [20]http://www.modsecurity.org/projects/commercial/rules/ >> [21]http://www.modsecurity.org/projects/commercial/support/ >> ------------------------------------------------------------ >> >> ------------------ >> >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> [23]mod...@li... >> [24]https://lists.sourceforge.net/lists/listinfo/mod-security- >> >> users >> >> Commercial ModSecurity Rules and Support from Trustwave's >> >> SpiderLabs: >> >> [25]http://www.modsecurity.org/projects/commercial/rules/ >> [26]http://www.modsecurity.org/projects/commercial/support/ >> >> -- >> [27]https://www.feistyduck.com/training/modsecurity-training-course >> [28]https://www.feistyduck.com/books/modsecurity-handbook/ >> mailto:[29]chr...@ne... >> twitter: @ChrFolini >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> [31]mod...@li... >> [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> [33]http://www.modsecurity.org/projects/commercial/rules/ >> [34]http://www.modsecurity.org/projects/commercial/support/ >> >> -------------------------------------------------------------------- >> ---------- >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> References >> >> 1. http://localhost:3000/api/login >> 2. mailto:chr...@ne... >> 3. http://netnea.com/ >> 4. mailto:cri...@ga... >> 5. mailto:chr...@ne... >> 6. https://github.com/SpiderLabs/ModSecurity/issues/715 >> 7. mailto:cri...@ga... >> 8. https://github.com/SpiderLabs/ModSecurity/issues/715 >> 9. http://sdm.link/slashdot >> 10. mailto:mod...@li... >> 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 12. http://www.modsecurity.org/projects/commercial/rules/ >> 13. http://www.modsecurity.org/projects/commercial/support/ >> 14. https://www.feistyduck.com/training/modsecurity-training-course >> 15. https://www.feistyduck.com/books/modsecurity-handbook/ >> 16. mailto:chr...@ne... >> 17. http://sdm.link/slashdot >> 18. mailto:mod...@li... >> 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 20. http://www.modsecurity.org/projects/commercial/rules/ >> 21. http://www.modsecurity.org/projects/commercial/support/ >> 22. http://sdm.link/slashdot >> 23. mailto:mod...@li... >> 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 25. http://www.modsecurity.org/projects/commercial/rules/ >> 26. http://www.modsecurity.org/projects/commercial/support/ >> 27. https://www.feistyduck.com/training/modsecurity-training-course >> 28. https://www.feistyduck.com/books/modsecurity-handbook/ >> 29. mailto:chr...@ne... >> 30. http://sdm.link/slashdot >> 31. mailto:mod...@li... >> 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users >> 33. http://www.modsecurity.org/projects/commercial/rules/ >> 34. http://www.modsecurity.org/projects/commercial/support/ >> >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> >> >> -- >> https://www.feistyduck.com/training/modsecurity-training-course >> https://www.feistyduck.com/books/modsecurity-handbook/ >> mailto:chr...@ne... >> twitter: @ChrFolini >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> >> > ------------------------------------------------------------------------------ > > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot______ > _________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |
|
From: Christian F. <chr...@ne...> - 2018-03-20 06:57:17
|
Hi there, Please save the date of our first Community Summit: July 4, 2018, at 4pm in London. https://coreruleset.org/20180320/save-the-date-crs-community-summit-on-july-4-2018/ This is meant to be a get-together of the community. We want to learn about you and how you use CRS in your setups - and we want to talk with you about the road map for the project and various feature requests. The date is the night before AppSecEU. So you can join this get-together on Wednesday and then attend AppSec EU on Thursday / Friday. Please do consider to join us when Chaim, Walter and I meet for the first time face2face. :) Best, Christian -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Christian F. <chr...@ne...> - 2018-03-16 15:29:27
|
Hey Deanna, Kirk Jackson responded to your message on March 2. Is there anything wrong with his advice? Best, Christian On Fri, Mar 16, 2018 at 09:17:49AM -0600, Deanna Stevenson wrote: > Hi All, > > Any advise on possible solutions for my problem? > > Sincerely, > Deanna > > > > On Tue, Mar 6, 2018 at 10:22 AM, Franziska Buehler < > fra...@gm...> wrote: > > > Hi, > > > > Just a note about the linked blog post: > > > > https://www.oreilly.com/ideas/how-to-tune-your-waf- > > installation-to-reduce-false-positives > > > > It was Christian Folini who has written this blog post about how to > > reduce false positives. > > Chaim linked it on https://coreruleset.org. > > > > Best regards, > > Franziska > > > > ------------------------------------------------------------ > > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
|
From: Deanna S. <dst...@gm...> - 2018-03-16 15:17:57
|
Hi All, Any advise on possible solutions for my problem? Sincerely, Deanna On Tue, Mar 6, 2018 at 10:22 AM, Franziska Buehler < fra...@gm...> wrote: > Hi, > > Just a note about the linked blog post: > > https://www.oreilly.com/ideas/how-to-tune-your-waf- > installation-to-reduce-false-positives > > It was Christian Folini who has written this blog post about how to > reduce false positives. > Chaim linked it on https://coreruleset.org. > > Best regards, > Franziska > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Osama E. <oel...@gm...> - 2018-03-15 20:08:04
|
I don't think the proposed patch actually works. I tried patching v2.9.2 with it and even using v2 master but with no success. Have you been able to get the patch working Robert? -- Osama Elnaggar On March 15, 2018 at 11:06:37 AM, Robert Paprocki ( rpa...@fe...) wrote: Have a look at https://github.com/SpiderLabs/ModSecurity/commit/f86de566d18dda6351ecba52d5e5f1d29ad02a12 JSON body audit log sanitization was only very recently introduced, it's not yet made its way to a formal release. (I need to check sources before opening my mouth :p). So you can rebuild ModSecurity off `v2/master` if you want to test this functionality. :) On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> wrote: > Hello there! > > If modsecurity can parse the values of JSON payloads, why can not it > sanitize? > > This is non-sense for me. > > Look this request: > $> curl -H "Content-Type: application/json" -X POST -d > '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate > > and this is audit-log: > > --9eb5dc70-A-- > > [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 > 127.0.0.1 80 > > --9eb5dc70-B-- > > POST /Authenticate HTTP/1.1 > > Host: localhost > > User-Agent: curl/7.47.0 > > Accept: */* > > Content-Type: application/json > > Content-Length: 36 > > > --9eb5dc70-C-- > > {"CVV":"123","blah":"/bin/bash"} > > --9eb5dc70-E-- > > {"message":"Failed"} > > --9eb5dc70-F-- > > HTTP/1.1 400 Bad Request > > Access-Control-Allow-Origin: * > > Content-Type: application/json > > Content-Length: 190 > > X-Content-Type-Options: nosniff > > X-Frame-Options: sameorigin > > Connection: close > > > --9eb5dc70-H-- > > Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file > "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] > [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix > Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: > /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] > [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag > "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] > [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] > > Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file > "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] > [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total > Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag > "language-multi"] [tag "platform-multi"] [tag "attack-generic"] > > Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file > "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line > "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound > Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote > Command Execution: Unix Shell Code Found"] [tag "event-correlation"] > > Apache-Handler: proxy-server > > Stopwatch: 1521070655519139 8420 (- - -) > > Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, > p4=129, p5=86, sr=35, sw=1, l=0, gc=0 > > Response-Body-Transformed: Dechunked > > Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); > OWASP_CRS/3.0.0. > > Server: Apache/2.4.18 > > Sanitised-Args: "CVV". > > Engine-Mode: "DETECTION_ONLY" > > > --9eb5dc70-Z-- > > > > Cristiano Galdino > (61) 9860 1 9860 > cri...@ga... > > On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, > wrote: > > Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark > on JSON. > > I confirm this does not work. > > Sanitation is generally an issue as there is no sanitation in the alerts > written into the error-log. Even it is less severe as the audit log. > > Best, > > Christian > > > On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote: > > Yep! My application use JSON payloads. > Christian, please try it: > $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}' > [1]http://localhost/?id=/bin/bash > > Cristiano Galdino > (61) 9860 1 9860 > cri...@ga... > > On 14 Mar 2018 18:38 -0300, Robert Paprocki > <rpa...@fe...>, wrote: > > Christian, you tested with a application/x-www-form-urlencoded > request; Christiano's use case involves JSON-encoded bodies. > I do not believe JSON request bodies can be translated into data > collections that can have sanitize actions applied on them at this > point. > > On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini > <[2]chr...@ne...> wrote: > > Hello Cristiano, > I did the following request: > $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash" > and got the following audit-log when using CRS3 (parameter exec > triggering > the writing of the audit log): > --a7997f3d-A-- > [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 > 50058 127.0.0.1 40080 > --a7997f3d-B-- > POST / HTTP/1.1 > Host: localhost > User-Agent: curl/7.50.1 > Accept: */* > Content-Length: 38 > Content-Type: application/x-www-form-urlencoded > --a7997f3d-C-- > CVV=*******************&exec=/bin/bash > --a7997f3d-F-- > HTTP/1.1 200 OK > Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT > ETag: "2d-5608741dac6fd" > Accept-Ranges: bytes > Content-Length: 45 > Content-Type: text/html > ... > I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled > according to > the tutorials on [3]netnea.com. > My ModSec Configuration: > ------------------------------------------------------------ > ------------------ > SecRuleEngine On > SecRequestBodyAccess On > SecRequestBodyLimit 10000000 > SecRequestBodyNoFilesLimit 64000 > SecResponseBodyAccess On > SecResponseBodyLimit 10000000 > SecTmpDir /tmp/ > SecDataDir /tmp/ > SecUploadDir /tmp/ > SecDebugLog /apache/logs/modsec_debug.log > SecDebugLogLevel 3 > SecAuditEngine RelevantOnly > SecAuditLogRelevantStatus "^(?:5|4(?!04))" > SecAuditLogParts ABEFHIJZ > SecAuditLogType Concurrent > SecAuditLog /apache/logs/modsec_audit.log > SecAuditLogStorageDir /apache/logs/audit/ > SecPcreMatchLimit 500000 > SecPcreMatchLimitRecursion 500000 > SecDefaultAction "phase:2,pass,log" > # == ModSec Rule ID Namespace Definition > # Service-specific before Core-Rules: 10000 - 49999 > # Service-specific after Core-Rules: 50000 - 79999 > # Locally shared rules: 80000 - 99999 > # - Performance: 90000 - 90199 > # Recommended ModSec Rules (few): 200000 - 200010 > # OWASP Core-Rules: 900000 - 999999 > # === ModSec timestamps at the start of each phase (ids: 90000 - > 90009) > SecAction "id:'90000',phase:1,nolog,pass,setvar:TX. > ModSecTimestamp1start=%{DURATION}" > SecAction "id:'90001',phase:2,nolog,pass,setvar:TX. > ModSecTimestamp2start=%{DURATION}" > SecAction "id:'90002',phase:3,nolog,pass,setvar:TX. > ModSecTimestamp3start=%{DURATION}" > SecAction "id:'90003',phase:4,nolog,pass,setvar:TX. > ModSecTimestamp4start=%{DURATION}" > SecAction "id:'90004',phase:5,nolog,pass,setvar:TX. > ModSecTimestamp5start=%{DURATION}" > # SecRule REQUEST_FILENAME "@beginsWith /" > "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv: > write_perflog" > # === ModSec Recommended Rules (in modsec src package) (ids: > 200000-200010) > SecRule REQUEST_HEADERS:Content-Type "text/xml" > "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl: > requestBodyProcessor=XML" > SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none, > deny,status:400,log,msg:'Failed to parse request body.',\ > logdata:'%{reqbody_error_msg}',severity:2" > SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ > "id:'200002',phase:2,t:none,log,deny,status:403, \ > msg:'Multipart request body failed strict validation: \ > PE %{REQBODY_PROCESSOR_ERROR}, \ > BQ %{MULTIPART_BOUNDARY_QUOTED}, \ > BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ > DB %{MULTIPART_DATA_BEFORE}, \ > DA %{MULTIPART_DATA_AFTER}, \ > HF %{MULTIPART_HEADER_FOLDING}, \ > LF %{MULTIPART_LF_LINE}, \ > SM %{MULTIPART_MISSING_SEMICOLON}, \ > IQ %{MULTIPART_INVALID_QUOTING}, \ > IP %{MULTIPART_INVALID_PART}, \ > IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ > FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" > SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none, > deny,status:500,msg:'ModSecurity internal error flagged: > %{MATCHED_VAR_NAME}'" > # === ModSecurity Rules (ids: 900000-999999) > # === ModSec Core Rules Base Configuration (ids: 900001-900021) > Include /home/dune73/data/git/crs-official/crs-setup.conf. > example > SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_ > anomaly_score_threshold=500,setvar:tx.outbound_anomaly_ > score_threshold=500" > SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx. > paranoia_level=4" > # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by > id of ignored rule (ids: 10000-49999) > # SecRule ARGS:a "." > "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'" > # SecRule ARGS_GET:a "." > "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'" > # SecRule ARGS_POST:a "." > "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'" > # SecRule REQUEST_URI "." > "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'" > # SecRule REQUEST_HEADERS:User-Agent "." > "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'" > SecRule ARGS:b "." "id:1006,phase:2,pass,log, > auditlog,msg:'XXX6: %{MATCHED_VAR}'" > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV" > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" > # === ModSecurity Core Rules Inclusion > Include /home/dune73/data/git/crs-official/rules/*.conf > # === ModSec Core Rules: Startup Time Rules Exclusions > # === ModSec timestamps at the end of each phase (ids: 90010 - > 90019) > SecAction "id:'90010',phase:1,pass,nolog,setvar:TX. > ModSecTimestamp1end=%{DURATION}" > SecAction "id:'90011',phase:2,pass,nolog,setvar:TX. > ModSecTimestamp2end=%{DURATION}" > SecAction "id:'90012',phase:3,pass,nolog,setvar:TX. > ModSecTimestamp3end=%{DURATION}" > SecAction "id:'90013',phase:4,pass,nolog,setvar:TX. > ModSecTimestamp4end=%{DURATION}" > SecAction "id:'90014',phase:5,pass,nolog,setvar:TX. > ModSecTimestamp5end=%{DURATION}" > # === ModSec performance calculations and variable export (ids: > 90100 - 90199) > SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_ > modsecinbound=%{PERF_PHASE1}" > SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_ > modsecinbound=+%{PERF_PHASE2}" > SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_ > application=%{TX.ModSecTimestamp3start}" > SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_ > application=-%{TX.ModSecTimestamp2end}" > SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_ > modsecoutbound=%{PERF_PHASE3}" > SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_ > modsecoutbound=+%{PERF_PHASE4}" > SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{ > TX.perf_modsecinbound}" > SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=% > {TX.perf_application}" > SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{ > TX.perf_modsecoutbound}" > SecAction "id:'90109',phase:5,pass,nolog,setenv: > ModSecAnomalyScoreIn=%{TX.anomaly_score}" > SecAction "id:'90110',phase:5,pass,nolog,setenv: > ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}" > # === End ModSec Configuration > ------------------------------------------------------------ > ------------------ > So I think this generally works. If it does not for you, then please > try and > reproduce the behaviour on the latest ModSec version of the 2.9 > series and > open a bug report in case. > Ahoj, > Christian > On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote: > > Hi Christian! > Modsecurity: 2.9.0-1 (from Ubuntu repository) > Apache 2.4.18-2ubuntu3.5 > Tks! > > Cristiano Galdino > [4]cri...@ga... > > On 14 Mar 2018 17:55 -0300, Christian Folini > <[5]chr...@ne...>, wrote: > > Hello Christiano, > What platform are you using? (-> ModSec version, Apache / > > NGINX / > > IIS?) > Ahoj, > Christian > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino > > wrote: > > > Hello! > I created a rule in ModSecurity to sanitize param CVV (credit > > card) > > but > it is not working. > Samples: > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV” > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" > This prevents me from using modsecurity because PCI does not > > allow > > CVV > to be stored. > I found this issue without response. > [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715 > What can I do? > Cristiano Galdino > [7]cri...@ga... > References > 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715 > > ------------------------------------------------------------ > > -------- > > ---------- > Check out the vibrant tech community on one of the world's > > most > > engaging tech sites, Slashdot.org! > > [9]http://sdm.link/slashdot > > > _______________________________________________ > mod-security-users mailing list > [10]mod...@li... > [11]https://lists.sourceforge.net/ > > lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > [12]http://www.modsecurity.org/projects/commercial/rules/ > [13]http://www.modsecurity.org/projects/commercial/support/ > > -- > [14]https://www.feistyduck.com/training/modsecurity-training- > > course > > [15]https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:[16]chr...@ne... > twitter: @ChrFolini > ------------------------------------------------------------ > > -------- > > ---------- > Check out the vibrant tech community on one of the world's > > most > > engaging tech sites, Slashdot.org! > > [17]http://sdm.link/slashdot > > _______________________________________________ > mod-security-users mailing list > [18]mod...@li... > [19]https://lists.sourceforge.net/ > > lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > [20]http://www.modsecurity.org/projects/commercial/rules/ > [21]http://www.modsecurity.org/projects/commercial/support/ > ------------------------------------------------------------ > > ------------------ > > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > [23]mod...@li... > [24]https://lists.sourceforge.net/lists/listinfo/mod-security- > > users > > Commercial ModSecurity Rules and Support from Trustwave's > > SpiderLabs: > > [25]http://www.modsecurity.org/projects/commercial/rules/ > [26]http://www.modsecurity.org/projects/commercial/support/ > > -- > [27]https://www.feistyduck.com/training/modsecurity-training-course > [28]https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:[29]chr...@ne... > twitter: @ChrFolini > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > [31]mod...@li... > [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > [33]http://www.modsecurity.org/projects/commercial/rules/ > [34]http://www.modsecurity.org/projects/commercial/support/ > > -------------------------------------------------------------------- > ---------- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > References > > 1. http://localhost:3000/api/login > 2. mailto:chr...@ne... > 3. http://netnea.com/ > 4. mailto:cri...@ga... > 5. mailto:chr...@ne... > 6. https://github.com/SpiderLabs/ModSecurity/issues/715 > 7. mailto:cri...@ga... > 8. https://github.com/SpiderLabs/ModSecurity/issues/715 > 9. http://sdm.link/slashdot > 10. mailto:mod...@li... > 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 12. http://www.modsecurity.org/projects/commercial/rules/ > 13. http://www.modsecurity.org/projects/commercial/support/ > 14. https://www.feistyduck.com/training/modsecurity-training-course > 15. https://www.feistyduck.com/books/modsecurity-handbook/ > 16. mailto:chr...@ne... > 17. http://sdm.link/slashdot > 18. mailto:mod...@li... > 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 20. http://www.modsecurity.org/projects/commercial/rules/ > 21. http://www.modsecurity.org/projects/commercial/support/ > 22. http://sdm.link/slashdot > 23. mailto:mod...@li... > 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 25. http://www.modsecurity.org/projects/commercial/rules/ > 26. http://www.modsecurity.org/projects/commercial/support/ > 27. https://www.feistyduck.com/training/modsecurity-training-course > 28. https://www.feistyduck.com/books/modsecurity-handbook/ > 29. mailto:chr...@ne... > 30. http://sdm.link/slashdot > 31. mailto:mod...@li... > 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 33. http://www.modsecurity.org/projects/commercial/rules/ > 34. http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/ |
|
From: Robert P. <rpa...@fe...> - 2018-03-15 00:04:48
|
Have a look at https://github.com/SpiderLabs/ModSecurity/commit/f86de566d18dda6351ecba52d5e5f1d29ad02a12 JSON body audit log sanitization was only very recently introduced, it's not yet made its way to a formal release. (I need to check sources before opening my mouth :p). So you can rebuild ModSecurity off `v2/master` if you want to test this functionality. :) On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> wrote: > Hello there! > > If modsecurity can parse the values of JSON payloads, why can not it > sanitize? > > This is non-sense for me. > > Look this request: > $> curl -H "Content-Type: application/json" -X POST -d > '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate > > and this is audit-log: > > --9eb5dc70-A-- > > [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 > 127.0.0.1 80 > > --9eb5dc70-B-- > > POST /Authenticate HTTP/1.1 > > Host: localhost > > User-Agent: curl/7.47.0 > > Accept: */* > > Content-Type: application/json > > Content-Length: 36 > > > --9eb5dc70-C-- > > {"CVV":"123","blah":"/bin/bash"} > > --9eb5dc70-E-- > > {"message":"Failed"} > > --9eb5dc70-F-- > > HTTP/1.1 400 Bad Request > > Access-Control-Allow-Origin: * > > Content-Type: application/json > > Content-Length: 190 > > X-Content-Type-Options: nosniff > > X-Frame-Options: sameorigin > > Connection: close > > > --9eb5dc70-H-- > > Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file > "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] > [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix > Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: > /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] > [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag > "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] > [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] > > Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file > "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] > [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total > Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag > "language-multi"] [tag "platform-multi"] [tag "attack-generic"] > > Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file > "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line > "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound > Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote > Command Execution: Unix Shell Code Found"] [tag "event-correlation"] > > Apache-Handler: proxy-server > > Stopwatch: 1521070655519139 8420 (- - -) > > Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, > p4=129, p5=86, sr=35, sw=1, l=0, gc=0 > > Response-Body-Transformed: Dechunked > > Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); > OWASP_CRS/3.0.0. > > Server: Apache/2.4.18 > > Sanitised-Args: "CVV". > > Engine-Mode: "DETECTION_ONLY" > > > --9eb5dc70-Z-- > > > > Cristiano Galdino > (61) 9860 1 9860 > cri...@ga... > > On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, > wrote: > > Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark > on JSON. > > I confirm this does not work. > > Sanitation is generally an issue as there is no sanitation in the alerts > written into the error-log. Even it is less severe as the audit log. > > Best, > > Christian > > > On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote: > > Yep! My application use JSON payloads. > Christian, please try it: > $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}' > [1]http://localhost/?id=/bin/bash > > Cristiano Galdino > (61) 9860 1 9860 > cri...@ga... > > On 14 Mar 2018 18:38 -0300, Robert Paprocki > <rpa...@fe...>, wrote: > > Christian, you tested with a application/x-www-form-urlencoded > request; Christiano's use case involves JSON-encoded bodies. > I do not believe JSON request bodies can be translated into data > collections that can have sanitize actions applied on them at this > point. > > On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini > <[2]chr...@ne...> wrote: > > Hello Cristiano, > I did the following request: > $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash" > and got the following audit-log when using CRS3 (parameter exec > triggering > the writing of the audit log): > --a7997f3d-A-- > [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 > 50058 127.0.0.1 40080 > --a7997f3d-B-- > POST / HTTP/1.1 > Host: localhost > User-Agent: curl/7.50.1 > Accept: */* > Content-Length: 38 > Content-Type: application/x-www-form-urlencoded > --a7997f3d-C-- > CVV=*******************&exec=/bin/bash > --a7997f3d-F-- > HTTP/1.1 200 OK > Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT > ETag: "2d-5608741dac6fd" > Accept-Ranges: bytes > Content-Length: 45 > Content-Type: text/html > ... > I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled > according to > the tutorials on [3]netnea.com. > My ModSec Configuration: > ------------------------------------------------------------ > ------------------ > SecRuleEngine On > SecRequestBodyAccess On > SecRequestBodyLimit 10000000 > SecRequestBodyNoFilesLimit 64000 > SecResponseBodyAccess On > SecResponseBodyLimit 10000000 > SecTmpDir /tmp/ > SecDataDir /tmp/ > SecUploadDir /tmp/ > SecDebugLog /apache/logs/modsec_debug.log > SecDebugLogLevel 3 > SecAuditEngine RelevantOnly > SecAuditLogRelevantStatus "^(?:5|4(?!04))" > SecAuditLogParts ABEFHIJZ > SecAuditLogType Concurrent > SecAuditLog /apache/logs/modsec_audit.log > SecAuditLogStorageDir /apache/logs/audit/ > SecPcreMatchLimit 500000 > SecPcreMatchLimitRecursion 500000 > SecDefaultAction "phase:2,pass,log" > # == ModSec Rule ID Namespace Definition > # Service-specific before Core-Rules: 10000 - 49999 > # Service-specific after Core-Rules: 50000 - 79999 > # Locally shared rules: 80000 - 99999 > # - Performance: 90000 - 90199 > # Recommended ModSec Rules (few): 200000 - 200010 > # OWASP Core-Rules: 900000 - 999999 > # === ModSec timestamps at the start of each phase (ids: 90000 - > 90009) > SecAction "id:'90000',phase:1,nolog,pass,setvar:TX. > ModSecTimestamp1start=%{DURATION}" > SecAction "id:'90001',phase:2,nolog,pass,setvar:TX. > ModSecTimestamp2start=%{DURATION}" > SecAction "id:'90002',phase:3,nolog,pass,setvar:TX. > ModSecTimestamp3start=%{DURATION}" > SecAction "id:'90003',phase:4,nolog,pass,setvar:TX. > ModSecTimestamp4start=%{DURATION}" > SecAction "id:'90004',phase:5,nolog,pass,setvar:TX. > ModSecTimestamp5start=%{DURATION}" > # SecRule REQUEST_FILENAME "@beginsWith /" > "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv: > write_perflog" > # === ModSec Recommended Rules (in modsec src package) (ids: > 200000-200010) > SecRule REQUEST_HEADERS:Content-Type "text/xml" > "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl: > requestBodyProcessor=XML" > SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none, > deny,status:400,log,msg:'Failed to parse request body.',\ > logdata:'%{reqbody_error_msg}',severity:2" > SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ > "id:'200002',phase:2,t:none,log,deny,status:403, \ > msg:'Multipart request body failed strict validation: \ > PE %{REQBODY_PROCESSOR_ERROR}, \ > BQ %{MULTIPART_BOUNDARY_QUOTED}, \ > BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ > DB %{MULTIPART_DATA_BEFORE}, \ > DA %{MULTIPART_DATA_AFTER}, \ > HF %{MULTIPART_HEADER_FOLDING}, \ > LF %{MULTIPART_LF_LINE}, \ > SM %{MULTIPART_MISSING_SEMICOLON}, \ > IQ %{MULTIPART_INVALID_QUOTING}, \ > IP %{MULTIPART_INVALID_PART}, \ > IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ > FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" > SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none, > deny,status:500,msg:'ModSecurity internal error flagged: > %{MATCHED_VAR_NAME}'" > # === ModSecurity Rules (ids: 900000-999999) > # === ModSec Core Rules Base Configuration (ids: 900001-900021) > Include /home/dune73/data/git/crs-official/crs-setup.conf. > example > SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_ > anomaly_score_threshold=500,setvar:tx.outbound_anomaly_ > score_threshold=500" > SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx. > paranoia_level=4" > # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by > id of ignored rule (ids: 10000-49999) > # SecRule ARGS:a "." > "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'" > # SecRule ARGS_GET:a "." > "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'" > # SecRule ARGS_POST:a "." > "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'" > # SecRule REQUEST_URI "." > "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'" > # SecRule REQUEST_HEADERS:User-Agent "." > "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'" > SecRule ARGS:b "." "id:1006,phase:2,pass,log, > auditlog,msg:'XXX6: %{MATCHED_VAR}'" > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV" > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" > # === ModSecurity Core Rules Inclusion > Include /home/dune73/data/git/crs-official/rules/*.conf > # === ModSec Core Rules: Startup Time Rules Exclusions > # === ModSec timestamps at the end of each phase (ids: 90010 - > 90019) > SecAction "id:'90010',phase:1,pass,nolog,setvar:TX. > ModSecTimestamp1end=%{DURATION}" > SecAction "id:'90011',phase:2,pass,nolog,setvar:TX. > ModSecTimestamp2end=%{DURATION}" > SecAction "id:'90012',phase:3,pass,nolog,setvar:TX. > ModSecTimestamp3end=%{DURATION}" > SecAction "id:'90013',phase:4,pass,nolog,setvar:TX. > ModSecTimestamp4end=%{DURATION}" > SecAction "id:'90014',phase:5,pass,nolog,setvar:TX. > ModSecTimestamp5end=%{DURATION}" > # === ModSec performance calculations and variable export (ids: > 90100 - 90199) > SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_ > modsecinbound=%{PERF_PHASE1}" > SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_ > modsecinbound=+%{PERF_PHASE2}" > SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_ > application=%{TX.ModSecTimestamp3start}" > SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_ > application=-%{TX.ModSecTimestamp2end}" > SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_ > modsecoutbound=%{PERF_PHASE3}" > SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_ > modsecoutbound=+%{PERF_PHASE4}" > SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{ > TX.perf_modsecinbound}" > SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=% > {TX.perf_application}" > SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{ > TX.perf_modsecoutbound}" > SecAction "id:'90109',phase:5,pass,nolog,setenv: > ModSecAnomalyScoreIn=%{TX.anomaly_score}" > SecAction "id:'90110',phase:5,pass,nolog,setenv: > ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}" > # === End ModSec Configuration > ------------------------------------------------------------ > ------------------ > So I think this generally works. If it does not for you, then please > try and > reproduce the behaviour on the latest ModSec version of the 2.9 > series and > open a bug report in case. > Ahoj, > Christian > On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote: > > Hi Christian! > Modsecurity: 2.9.0-1 (from Ubuntu repository) > Apache 2.4.18-2ubuntu3.5 > Tks! > > Cristiano Galdino > [4]cri...@ga... > > On 14 Mar 2018 17:55 -0300, Christian Folini > <[5]chr...@ne...>, wrote: > > Hello Christiano, > What platform are you using? (-> ModSec version, Apache / > > NGINX / > > IIS?) > Ahoj, > Christian > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino > > wrote: > > > Hello! > I created a rule in ModSecurity to sanitize param CVV (credit > > card) > > but > it is not working. > Samples: > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV” > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse" > This prevents me from using modsecurity because PCI does not > > allow > > CVV > to be stored. > I found this issue without response. > [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715 > What can I do? > Cristiano Galdino > [7]cri...@ga... > References > 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715 > > ------------------------------------------------------------ > > -------- > > ---------- > Check out the vibrant tech community on one of the world's > > most > > engaging tech sites, Slashdot.org! > > [9]http://sdm.link/slashdot > > > _______________________________________________ > mod-security-users mailing list > [10]mod...@li... > [11]https://lists.sourceforge.net/ > > lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > [12]http://www.modsecurity.org/projects/commercial/rules/ > [13]http://www.modsecurity.org/projects/commercial/support/ > > -- > [14]https://www.feistyduck.com/training/modsecurity-training- > > course > > [15]https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:[16]chr...@ne... > twitter: @ChrFolini > ------------------------------------------------------------ > > -------- > > ---------- > Check out the vibrant tech community on one of the world's > > most > > engaging tech sites, Slashdot.org! > > [17]http://sdm.link/slashdot > > _______________________________________________ > mod-security-users mailing list > [18]mod...@li... > [19]https://lists.sourceforge.net/ > > lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > [20]http://www.modsecurity.org/projects/commercial/rules/ > [21]http://www.modsecurity.org/projects/commercial/support/ > ------------------------------------------------------------ > > ------------------ > > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > [23]mod...@li... > [24]https://lists.sourceforge.net/lists/listinfo/mod-security- > > users > > Commercial ModSecurity Rules and Support from Trustwave's > > SpiderLabs: > > [25]http://www.modsecurity.org/projects/commercial/rules/ > [26]http://www.modsecurity.org/projects/commercial/support/ > > -- > [27]https://www.feistyduck.com/training/modsecurity-training-course > [28]https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:[29]chr...@ne... > twitter: @ChrFolini > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > [31]mod...@li... > [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > [33]http://www.modsecurity.org/projects/commercial/rules/ > [34]http://www.modsecurity.org/projects/commercial/support/ > > -------------------------------------------------------------------- > ---------- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > References > > 1. http://localhost:3000/api/login > 2. mailto:chr...@ne... > 3. http://netnea.com/ > 4. mailto:cri...@ga... > 5. mailto:chr...@ne... > 6. https://github.com/SpiderLabs/ModSecurity/issues/715 > 7. mailto:cri...@ga... > 8. https://github.com/SpiderLabs/ModSecurity/issues/715 > 9. http://sdm.link/slashdot > 10. mailto:mod...@li... > 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 12. http://www.modsecurity.org/projects/commercial/rules/ > 13. http://www.modsecurity.org/projects/commercial/support/ > 14. https://www.feistyduck.com/training/modsecurity-training-course > 15. https://www.feistyduck.com/books/modsecurity-handbook/ > 16. mailto:chr...@ne... > 17. http://sdm.link/slashdot > 18. mailto:mod...@li... > 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 20. http://www.modsecurity.org/projects/commercial/rules/ > 21. http://www.modsecurity.org/projects/commercial/support/ > 22. http://sdm.link/slashdot > 23. mailto:mod...@li... > 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 25. http://www.modsecurity.org/projects/commercial/rules/ > 26. http://www.modsecurity.org/projects/commercial/support/ > 27. https://www.feistyduck.com/training/modsecurity-training-course > 28. https://www.feistyduck.com/books/modsecurity-handbook/ > 29. mailto:chr...@ne... > 30. http://sdm.link/slashdot > 31. mailto:mod...@li... > 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users > 33. http://www.modsecurity.org/projects/commercial/rules/ > 34. http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |
|
From: Cristiano G. <cri...@ga...> - 2018-03-14 23:50:09
|
Hello there!
If modsecurity can parse the values of JSON payloads, why can not it sanitize?
This is non-sense for me.
Look this request:
$> curl -H "Content-Type: application/json" -X POST -d '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate
and this is audit-log:
--9eb5dc70-A--
[14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 127.0.0.1 80
--9eb5dc70-B--
POST /Authenticate HTTP/1.1
Host: localhost
User-Agent: curl/7.47.0
Accept: */*
Content-Type: application/json
Content-Length: 36
--9eb5dc70-C--
{"CVV":"123","blah":"/bin/bash"}
--9eb5dc70-E--
{"message":"Failed"}
--9eb5dc70-F--
HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Content-Type: application/json
Content-Length: 190
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Connection: close
--9eb5dc70-H--
Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"]
Apache-Handler: proxy-server
Stopwatch: 1521070655519139 8420 (- - -)
Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, p4=129, p5=86, sr=35, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.18
Sanitised-Args: "CVV".
Engine-Mode: "DETECTION_ONLY"
--9eb5dc70-Z--
Cristiano Galdino
(61) 9860 1 9860
cri...@ga...
On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, wrote:
> Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark
> on JSON.
>
> I confirm this does not work.
>
> Sanitation is generally an issue as there is no sanitation in the alerts
> written into the error-log. Even it is less severe as the audit log.
>
> Best,
>
> Christian
>
>
> On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote:
> > Yep! My application use JSON payloads.
> > Christian, please try it:
> > $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}'
> > [1]http://localhost/?id=/bin/bash
> >
> > Cristiano Galdino
> > (61) 9860 1 9860
> > cri...@ga...
> >
> > On 14 Mar 2018 18:38 -0300, Robert Paprocki
> > <rpa...@fe...>, wrote:
> >
> > Christian, you tested with a application/x-www-form-urlencoded
> > request; Christiano's use case involves JSON-encoded bodies.
> > I do not believe JSON request bodies can be translated into data
> > collections that can have sanitize actions applied on them at this
> > point.
> >
> > On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini
> > <[2]chr...@ne...> wrote:
> >
> > Hello Cristiano,
> > I did the following request:
> > $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
> > and got the following audit-log when using CRS3 (parameter exec
> > triggering
> > the writing of the audit log):
> > --a7997f3d-A--
> > [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1
> > 50058 127.0.0.1 40080
> > --a7997f3d-B--
> > POST / HTTP/1.1
> > Host: localhost
> > User-Agent: curl/7.50.1
> > Accept: */*
> > Content-Length: 38
> > Content-Type: application/x-www-form-urlencoded
> > --a7997f3d-C--
> > CVV=*******************&exec=/bin/bash
> > --a7997f3d-F--
> > HTTP/1.1 200 OK
> > Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> > ETag: "2d-5608741dac6fd"
> > Accept-Ranges: bytes
> > Content-Length: 45
> > Content-Type: text/html
> > ...
> > I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled
> > according to
> > the tutorials on [3]netnea.com.
> > My ModSec Configuration:
> > ------------------------------------------------------------
> > ------------------
> > SecRuleEngine On
> > SecRequestBodyAccess On
> > SecRequestBodyLimit 10000000
> > SecRequestBodyNoFilesLimit 64000
> > SecResponseBodyAccess On
> > SecResponseBodyLimit 10000000
> > SecTmpDir /tmp/
> > SecDataDir /tmp/
> > SecUploadDir /tmp/
> > SecDebugLog /apache/logs/modsec_debug.log
> > SecDebugLogLevel 3
> > SecAuditEngine RelevantOnly
> > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > SecAuditLogParts ABEFHIJZ
> > SecAuditLogType Concurrent
> > SecAuditLog /apache/logs/modsec_audit.log
> > SecAuditLogStorageDir /apache/logs/audit/
> > SecPcreMatchLimit 500000
> > SecPcreMatchLimitRecursion 500000
> > SecDefaultAction "phase:2,pass,log"
> > # == ModSec Rule ID Namespace Definition
> > # Service-specific before Core-Rules: 10000 - 49999
> > # Service-specific after Core-Rules: 50000 - 79999
> > # Locally shared rules: 80000 - 99999
> > # - Performance: 90000 - 90199
> > # Recommended ModSec Rules (few): 200000 - 200010
> > # OWASP Core-Rules: 900000 - 999999
> > # === ModSec timestamps at the start of each phase (ids: 90000 -
> > 90009)
> > SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.
> > ModSecTimestamp1start=%{DURATION}"
> > SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.
> > ModSecTimestamp2start=%{DURATION}"
> > SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.
> > ModSecTimestamp3start=%{DURATION}"
> > SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.
> > ModSecTimestamp4start=%{DURATION}"
> > SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.
> > ModSecTimestamp5start=%{DURATION}"
> > # SecRule REQUEST_FILENAME "@beginsWith /"
> > "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:
> > write_perflog"
> > # === ModSec Recommended Rules (in modsec src package) (ids:
> > 200000-200010)
> > SecRule REQUEST_HEADERS:Content-Type "text/xml"
> > "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:
> > requestBodyProcessor=XML"
> > SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,
> > deny,status:400,log,msg:'Failed to parse request body.',\
> > logdata:'%{reqbody_error_msg}',severity:2"
> > SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> > "id:'200002',phase:2,t:none,log,deny,status:403, \
> > msg:'Multipart request body failed strict validation: \
> > PE %{REQBODY_PROCESSOR_ERROR}, \
> > BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> > BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> > DB %{MULTIPART_DATA_BEFORE}, \
> > DA %{MULTIPART_DATA_AFTER}, \
> > HF %{MULTIPART_HEADER_FOLDING}, \
> > LF %{MULTIPART_LF_LINE}, \
> > SM %{MULTIPART_MISSING_SEMICOLON}, \
> > IQ %{MULTIPART_INVALID_QUOTING}, \
> > IP %{MULTIPART_INVALID_PART}, \
> > IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> > FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> > SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,
> > deny,status:500,msg:'ModSecurity internal error flagged:
> > %{MATCHED_VAR_NAME}'"
> > # === ModSecurity Rules (ids: 900000-999999)
> > # === ModSec Core Rules Base Configuration (ids: 900001-900021)
> > Include /home/dune73/data/git/crs-official/crs-setup.conf.
> > example
> > SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_
> > anomaly_score_threshold=500,setvar:tx.outbound_anomaly_
> > score_threshold=500"
> > SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.
> > paranoia_level=4"
> > # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by
> > id of ignored rule (ids: 10000-49999)
> > # SecRule ARGS:a "."
> > "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> > # SecRule ARGS_GET:a "."
> > "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> > # SecRule ARGS_POST:a "."
> > "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> > # SecRule REQUEST_URI "."
> > "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> > # SecRule REQUEST_HEADERS:User-Agent "."
> > "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
> > SecRule ARGS:b "." "id:1006,phase:2,pass,log,
> > auditlog,msg:'XXX6: %{MATCHED_VAR}'"
> > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > # === ModSecurity Core Rules Inclusion
> > Include /home/dune73/data/git/crs-official/rules/*.conf
> > # === ModSec Core Rules: Startup Time Rules Exclusions
> > # === ModSec timestamps at the end of each phase (ids: 90010 -
> > 90019)
> > SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.
> > ModSecTimestamp1end=%{DURATION}"
> > SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.
> > ModSecTimestamp2end=%{DURATION}"
> > SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.
> > ModSecTimestamp3end=%{DURATION}"
> > SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.
> > ModSecTimestamp4end=%{DURATION}"
> > SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.
> > ModSecTimestamp5end=%{DURATION}"
> > # === ModSec performance calculations and variable export (ids:
> > 90100 - 90199)
> > SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_
> > modsecinbound=%{PERF_PHASE1}"
> > SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_
> > modsecinbound=+%{PERF_PHASE2}"
> > SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_
> > application=%{TX.ModSecTimestamp3start}"
> > SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_
> > application=-%{TX.ModSecTimestamp2end}"
> > SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_
> > modsecoutbound=%{PERF_PHASE3}"
> > SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_
> > modsecoutbound=+%{PERF_PHASE4}"
> > SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{
> > TX.perf_modsecinbound}"
> > SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%
> > {TX.perf_application}"
> > SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{
> > TX.perf_modsecoutbound}"
> > SecAction "id:'90109',phase:5,pass,nolog,setenv:
> > ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> > SecAction "id:'90110',phase:5,pass,nolog,setenv:
> > ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
> > # === End ModSec Configuration
> > ------------------------------------------------------------
> > ------------------
> > So I think this generally works. If it does not for you, then please
> > try and
> > reproduce the behaviour on the latest ModSec version of the 2.9
> > series and
> > open a bug report in case.
> > Ahoj,
> > Christian
> > On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > > Hi Christian!
> > > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > > Apache 2.4.18-2ubuntu3.5
> > > Tks!
> > >
> > > Cristiano Galdino
> > > [4]cri...@ga...
> > >
> > > On 14 Mar 2018 17:55 -0300, Christian Folini
> > > <[5]chr...@ne...>, wrote:
> > >
> > > Hello Christiano,
> > > What platform are you using? (-> ModSec version, Apache /
> > NGINX /
> > > IIS?)
> > > Ahoj,
> > > Christian
> > > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino
> > wrote:
> > >
> > > Hello!
> > > I created a rule in ModSecurity to sanitize param CVV (credit
> > card)
> > > but
> > > it is not working.
> > > Samples:
> > > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV”
> > > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > > This prevents me from using modsecurity because PCI does not
> > allow
> > > CVV
> > > to be stored.
> > > I found this issue without response.
> > > [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715
> > > What can I do?
> > > Cristiano Galdino
> > > [7]cri...@ga...
> > > References
> > > 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715
> > >
> > > ------------------------------------------------------------
> > --------
> > > ----------
> > > Check out the vibrant tech community on one of the world's
> > most
> > > engaging tech sites, Slashdot.org!
> > [9]http://sdm.link/slashdot
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > [10]mod...@li...
> > > [11]https://lists.sourceforge.net/
> > lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's
> > > SpiderLabs:
> > > [12]http://www.modsecurity.org/projects/commercial/rules/
> > > [13]http://www.modsecurity.org/projects/commercial/support/
> > >
> > > --
> > > [14]https://www.feistyduck.com/training/modsecurity-training-
> > course
> > > [15]https://www.feistyduck.com/books/modsecurity-handbook/
> > > mailto:[16]chr...@ne...
> > > twitter: @ChrFolini
> > > ------------------------------------------------------------
> > --------
> > > ----------
> > > Check out the vibrant tech community on one of the world's
> > most
> > > engaging tech sites, Slashdot.org!
> > [17]http://sdm.link/slashdot
> > > _______________________________________________
> > > mod-security-users mailing list
> > > [18]mod...@li...
> > > [19]https://lists.sourceforge.net/
> > lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's
> > > SpiderLabs:
> > > [20]http://www.modsecurity.org/projects/commercial/rules/
> > > [21]http://www.modsecurity.org/projects/commercial/support/
> > > ------------------------------------------------------------
> > ------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot
> > > _______________________________________________
> > > mod-security-users mailing list
> > > [23]mod...@li...
> > > [24]https://lists.sourceforge.net/lists/listinfo/mod-security-
> > users
> > > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > > [25]http://www.modsecurity.org/projects/commercial/rules/
> > > [26]http://www.modsecurity.org/projects/commercial/support/
> > --
> > [27]https://www.feistyduck.com/training/modsecurity-training-course
> > [28]https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:[29]chr...@ne...
> > twitter: @ChrFolini
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > [31]mod...@li...
> > [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > [33]http://www.modsecurity.org/projects/commercial/rules/
> > [34]http://www.modsecurity.org/projects/commercial/support/
> >
> > --------------------------------------------------------------------
> > ----------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
> > References
> >
> > 1. http://localhost:3000/api/login
> > 2. mailto:chr...@ne...
> > 3. http://netnea.com/
> > 4. mailto:cri...@ga...
> > 5. mailto:chr...@ne...
> > 6. https://github.com/SpiderLabs/ModSecurity/issues/715
> > 7. mailto:cri...@ga...
> > 8. https://github.com/SpiderLabs/ModSecurity/issues/715
> > 9. http://sdm.link/slashdot
> > 10. mailto:mod...@li...
> > 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 12. http://www.modsecurity.org/projects/commercial/rules/
> > 13. http://www.modsecurity.org/projects/commercial/support/
> > 14. https://www.feistyduck.com/training/modsecurity-training-course
> > 15. https://www.feistyduck.com/books/modsecurity-handbook/
> > 16. mailto:chr...@ne...
> > 17. http://sdm.link/slashdot
> > 18. mailto:mod...@li...
> > 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 20. http://www.modsecurity.org/projects/commercial/rules/
> > 21. http://www.modsecurity.org/projects/commercial/support/
> > 22. http://sdm.link/slashdot
> > 23. mailto:mod...@li...
> > 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 25. http://www.modsecurity.org/projects/commercial/rules/
> > 26. http://www.modsecurity.org/projects/commercial/support/
> > 27. https://www.feistyduck.com/training/modsecurity-training-course
> > 28. https://www.feistyduck.com/books/modsecurity-handbook/
> > 29. mailto:chr...@ne...
> > 30. http://sdm.link/slashdot
> > 31. mailto:mod...@li...
> > 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 33. http://www.modsecurity.org/projects/commercial/rules/
> > 34. http://www.modsecurity.org/projects/commercial/support/
>
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
>
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
|
|
From: Christian F. <chr...@ne...> - 2018-03-14 22:05:30
|
Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark
on JSON.
I confirm this does not work.
Sanitation is generally an issue as there is no sanitation in the alerts
written into the error-log. Even it is less severe as the audit log.
Best,
Christian
On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote:
> Yep! My application use JSON payloads.
> Christian, please try it:
> $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}'
> [1]http://localhost/?id=/bin/bash
>
> Cristiano Galdino
> (61) 9860 1 9860
> cri...@ga...
>
> On 14 Mar 2018 18:38 -0300, Robert Paprocki
> <rpa...@fe...>, wrote:
>
> Christian, you tested with a application/x-www-form-urlencoded
> request; Christiano's use case involves JSON-encoded bodies.
> I do not believe JSON request bodies can be translated into data
> collections that can have sanitize actions applied on them at this
> point.
>
> On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini
> <[2]chr...@ne...> wrote:
>
> Hello Cristiano,
> I did the following request:
> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
> and got the following audit-log when using CRS3 (parameter exec
> triggering
> the writing of the audit log):
> --a7997f3d-A--
> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1
> 50058 127.0.0.1 40080
> --a7997f3d-B--
> POST / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.50.1
> Accept: */*
> Content-Length: 38
> Content-Type: application/x-www-form-urlencoded
> --a7997f3d-C--
> CVV=*******************&exec=/bin/bash
> --a7997f3d-F--
> HTTP/1.1 200 OK
> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> ETag: "2d-5608741dac6fd"
> Accept-Ranges: bytes
> Content-Length: 45
> Content-Type: text/html
> ...
> I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled
> according to
> the tutorials on [3]netnea.com.
> My ModSec Configuration:
> ------------------------------------------------------------
> ------------------
> SecRuleEngine On
> SecRequestBodyAccess On
> SecRequestBodyLimit 10000000
> SecRequestBodyNoFilesLimit 64000
> SecResponseBodyAccess On
> SecResponseBodyLimit 10000000
> SecTmpDir /tmp/
> SecDataDir /tmp/
> SecUploadDir /tmp/
> SecDebugLog /apache/logs/modsec_debug.log
> SecDebugLogLevel 3
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABEFHIJZ
> SecAuditLogType Concurrent
> SecAuditLog /apache/logs/modsec_audit.log
> SecAuditLogStorageDir /apache/logs/audit/
> SecPcreMatchLimit 500000
> SecPcreMatchLimitRecursion 500000
> SecDefaultAction "phase:2,pass,log"
> # == ModSec Rule ID Namespace Definition
> # Service-specific before Core-Rules: 10000 - 49999
> # Service-specific after Core-Rules: 50000 - 79999
> # Locally shared rules: 80000 - 99999
> # - Performance: 90000 - 90199
> # Recommended ModSec Rules (few): 200000 - 200010
> # OWASP Core-Rules: 900000 - 999999
> # === ModSec timestamps at the start of each phase (ids: 90000 -
> 90009)
> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.
> ModSecTimestamp1start=%{DURATION}"
> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.
> ModSecTimestamp2start=%{DURATION}"
> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.
> ModSecTimestamp3start=%{DURATION}"
> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.
> ModSecTimestamp4start=%{DURATION}"
> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.
> ModSecTimestamp5start=%{DURATION}"
> # SecRule REQUEST_FILENAME "@beginsWith /"
> "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:
> write_perflog"
> # === ModSec Recommended Rules (in modsec src package) (ids:
> 200000-200010)
> SecRule REQUEST_HEADERS:Content-Type "text/xml"
> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:
> requestBodyProcessor=XML"
> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,
> deny,status:400,log,msg:'Failed to parse request body.',\
> logdata:'%{reqbody_error_msg}',severity:2"
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:403, \
> msg:'Multipart request body failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,
> deny,status:500,msg:'ModSecurity internal error flagged:
> %{MATCHED_VAR_NAME}'"
> # === ModSecurity Rules (ids: 900000-999999)
> # === ModSec Core Rules Base Configuration (ids: 900001-900021)
> Include /home/dune73/data/git/crs-official/crs-setup.conf.
> example
> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_
> anomaly_score_threshold=500,setvar:tx.outbound_anomaly_
> score_threshold=500"
> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.
> paranoia_level=4"
> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by
> id of ignored rule (ids: 10000-49999)
> # SecRule ARGS:a "."
> "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> # SecRule ARGS_GET:a "."
> "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> # SecRule ARGS_POST:a "."
> "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> # SecRule REQUEST_URI "."
> "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> # SecRule REQUEST_HEADERS:User-Agent "."
> "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
> SecRule ARGS:b "." "id:1006,phase:2,pass,log,
> auditlog,msg:'XXX6: %{MATCHED_VAR}'"
> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> # === ModSecurity Core Rules Inclusion
> Include /home/dune73/data/git/crs-official/rules/*.conf
> # === ModSec Core Rules: Startup Time Rules Exclusions
> # === ModSec timestamps at the end of each phase (ids: 90010 -
> 90019)
> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.
> ModSecTimestamp1end=%{DURATION}"
> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.
> ModSecTimestamp2end=%{DURATION}"
> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.
> ModSecTimestamp3end=%{DURATION}"
> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.
> ModSecTimestamp4end=%{DURATION}"
> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.
> ModSecTimestamp5end=%{DURATION}"
> # === ModSec performance calculations and variable export (ids:
> 90100 - 90199)
> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_
> modsecinbound=%{PERF_PHASE1}"
> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_
> modsecinbound=+%{PERF_PHASE2}"
> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_
> application=%{TX.ModSecTimestamp3start}"
> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_
> application=-%{TX.ModSecTimestamp2end}"
> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_
> modsecoutbound=%{PERF_PHASE3}"
> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_
> modsecoutbound=+%{PERF_PHASE4}"
> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{
> TX.perf_modsecinbound}"
> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%
> {TX.perf_application}"
> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{
> TX.perf_modsecoutbound}"
> SecAction "id:'90109',phase:5,pass,nolog,setenv:
> ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> SecAction "id:'90110',phase:5,pass,nolog,setenv:
> ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
> # === End ModSec Configuration
> ------------------------------------------------------------
> ------------------
> So I think this generally works. If it does not for you, then please
> try and
> reproduce the behaviour on the latest ModSec version of the 2.9
> series and
> open a bug report in case.
> Ahoj,
> Christian
> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > Hi Christian!
> > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > Apache 2.4.18-2ubuntu3.5
> > Tks!
> >
> > Cristiano Galdino
> > [4]cri...@ga...
> >
> > On 14 Mar 2018 17:55 -0300, Christian Folini
> > <[5]chr...@ne...>, wrote:
> >
> > Hello Christiano,
> > What platform are you using? (-> ModSec version, Apache /
> NGINX /
> > IIS?)
> > Ahoj,
> > Christian
> > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino
> wrote:
> >
> > Hello!
> > I created a rule in ModSecurity to sanitize param CVV (credit
> card)
> > but
> > it is not working.
> > Samples:
> > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV”
> > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > This prevents me from using modsecurity because PCI does not
> allow
> > CVV
> > to be stored.
> > I found this issue without response.
> > [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715
> > What can I do?
> > Cristiano Galdino
> > [7]cri...@ga...
> > References
> > 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715
> >
> > ------------------------------------------------------------
> --------
> > ----------
> > Check out the vibrant tech community on one of the world's
> most
> > engaging tech sites, Slashdot.org!
> [9]http://sdm.link/slashdot
> >
> > _______________________________________________
> > mod-security-users mailing list
> > [10]mod...@li...
> > [11]https://lists.sourceforge.net/
> lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > [12]http://www.modsecurity.org/projects/commercial/rules/
> > [13]http://www.modsecurity.org/projects/commercial/support/
> >
> > --
> > [14]https://www.feistyduck.com/training/modsecurity-training-
> course
> > [15]https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:[16]chr...@ne...
> > twitter: @ChrFolini
> > ------------------------------------------------------------
> --------
> > ----------
> > Check out the vibrant tech community on one of the world's
> most
> > engaging tech sites, Slashdot.org!
> [17]http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > [18]mod...@li...
> > [19]https://lists.sourceforge.net/
> lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > [20]http://www.modsecurity.org/projects/commercial/rules/
> > [21]http://www.modsecurity.org/projects/commercial/support/
> > ------------------------------------------------------------
> ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > [23]mod...@li...
> > [24]https://lists.sourceforge.net/lists/listinfo/mod-security-
> users
> > Commercial ModSecurity Rules and Support from Trustwave's
> SpiderLabs:
> > [25]http://www.modsecurity.org/projects/commercial/rules/
> > [26]http://www.modsecurity.org/projects/commercial/support/
> --
> [27]https://www.feistyduck.com/training/modsecurity-training-course
> [28]https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:[29]chr...@ne...
> twitter: @ChrFolini
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> [31]mod...@li...
> [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's
> SpiderLabs:
> [33]http://www.modsecurity.org/projects/commercial/rules/
> [34]http://www.modsecurity.org/projects/commercial/support/
>
> --------------------------------------------------------------------
> ----------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's
> SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
> References
>
> 1. http://localhost:3000/api/login
> 2. mailto:chr...@ne...
> 3. http://netnea.com/
> 4. mailto:cri...@ga...
> 5. mailto:chr...@ne...
> 6. https://github.com/SpiderLabs/ModSecurity/issues/715
> 7. mailto:cri...@ga...
> 8. https://github.com/SpiderLabs/ModSecurity/issues/715
> 9. http://sdm.link/slashdot
> 10. mailto:mod...@li...
> 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 12. http://www.modsecurity.org/projects/commercial/rules/
> 13. http://www.modsecurity.org/projects/commercial/support/
> 14. https://www.feistyduck.com/training/modsecurity-training-course
> 15. https://www.feistyduck.com/books/modsecurity-handbook/
> 16. mailto:chr...@ne...
> 17. http://sdm.link/slashdot
> 18. mailto:mod...@li...
> 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 20. http://www.modsecurity.org/projects/commercial/rules/
> 21. http://www.modsecurity.org/projects/commercial/support/
> 22. http://sdm.link/slashdot
> 23. mailto:mod...@li...
> 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 25. http://www.modsecurity.org/projects/commercial/rules/
> 26. http://www.modsecurity.org/projects/commercial/support/
> 27. https://www.feistyduck.com/training/modsecurity-training-course
> 28. https://www.feistyduck.com/books/modsecurity-handbook/
> 29. mailto:chr...@ne...
> 30. http://sdm.link/slashdot
> 31. mailto:mod...@li...
> 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 33. http://www.modsecurity.org/projects/commercial/rules/
> 34. http://www.modsecurity.org/projects/commercial/support/
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
|
139 messages has been excluded from this view by a project administrator.
