mod-security-users Mailing List for ModSecurity (Page 49)
From: Christian F. <chr...@ne...> - 2018-02-01 15:54:20
|
Hi there,
My company, netnea.com, is a small consulting / contracting company based in Berne, the capital of Switzerland. We specialize in network monitoring and Apache / ModSecurity.
We have an open position for a webserver engineer with a strong interest in security.
I am the author of the 2nd Edition of the ModSecurity Handbook, I maintain a popular set of Apache / ModSecurity tutorials on the netnea.com website and I am one of the co-leads of the OWASP ModSecurity Core Rule Set project. Obviously, the new netnea employee would work with me and with our customers on these topics. We have Swiss banks, Swiss government and two state owned companies among our clients. Go figure. Most of the work I do is in very interesting high-security settings.
Good experience with Apache and or NGINX is a must, prior work with ModSecurity is welcome. Given this ML, this is not really a question I guess. We do not pay a lot of attention to certificates, but a proven record of successful projects is needed. A "let's get things done" attitude and an interest in self-learning is very important to us. But this does not mean you need to have 15 years of experience. A dedicated student is equally interesting to us. It's more about the personality than the certs.
Also, decent German active and passive is a must (alternatively, native French speaker with very good passive German skills).
If you are interested in this position, then please get in touch via mail to chr...@ne....
Best,
Christian
--
What one man can do himself directly is but little. If however he can stir up ten others to take up the task he has accomplished much.
-- Wilbur Wright
|
|
From: Christian F. <chr...@ne...> - 2018-01-29 19:54:38
|
Hey Stefan,
On Mon, Jan 29, 2018 at 04:29:33PM +0100, Stefan Priebe - Profihost AG wrote:
> I had a rule chained into to SecRule commands.
>
> I had
> SecRule C D ..chain,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}..
> SecRule A B ...
>
> it seemed all requests which matched Rule "C D" already got the anomaly
> score. I believed this only happens in case A B matches as well as
> they're chained.
That's a common misconception. And it happened to me as well. :)
The ModSec Handbook (2nd ed, p. 371) reads: Nondisruptive actions can be used
anywhere in the chain. They'll be executed immediately after an individual
rule matches.
When working with anomaly scores, you need to put the setvar on the last
rule in the chain, like we do in the CRS. See 920180 for example.
Ahoj,
Christian
--
All of the great leaders have had one characteristic in common: it
was the willingness to confront unequivocally the major anxiety of
their people in their time. This, and not much else, is the
essence of leadership.
-- John Kenneth Galbraith
|
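The two placements of setvar that Stefan and Christian discuss, as an added example that is not from the thread or from the CRS: one chain written both ways, using the wp-login.php request from Stefan's audit log as its subject. The rule ids, the hostname check and the msg text are assumptions chosen for this example; tx.critical_anomaly_score is the CRS variable Stefan's own rule used.

```apache
# Added example (not from the thread or the CRS). Both chains flag a
# wp-login.php request whose redirect_to points off-site; the request in
# Stefan's audit log has redirect_to=https://www.mydomain.de/wp-admin/ and
# should therefore NOT be scored. Ids 900001/900002 and the hostname are
# placeholders for this example.

# Scores too early: setvar is a non-disruptive action, and non-disruptive
# actions run as soon as the rule that carries them matches. Here every
# request to wp-login.php is scored, whether or not the second link of the
# chain (the redirect_to check) matches. This is the behaviour Stefan saw.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:900001,phase:2,pass,log,msg:'Off-site redirect_to on wp-login.php',\
    chain,setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
    SecRule ARGS:redirect_to "!@beginsWith https://www.mydomain.de/" "t:none"

# Scores only on a full chain match: id, phase, disruptive action and msg
# stay on the first rule (they must), the setvar moves to the LAST rule, so
# it runs only after every link has matched. This is the placement Christian
# points to in the CRS (see 920180).
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:900002,phase:2,pass,log,msg:'Off-site redirect_to on wp-login.php',chain"
    SecRule ARGS:redirect_to "!@beginsWith https://www.mydomain.de/" \
        "t:none,setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
```

Only one of the two chains should be loaded at a time; the first is kept here solely to show the defect.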
|
From: Stefan P. - P. AG <s.p...@pr...> - 2018-01-29 15:29:43
|
Hi,
On 29.01.2018 at 15:23, Christian Folini wrote:
> Hi Stefan,
>
> Welcome to the ModSecurity mailinglist. It's nice to see familiar faces from
> Apache Dev on this list too.
>
> This rings a bell, but I can't find the issue / pull request in question
> on the quick. There was a rule that did not log properly.
>
> Not sure if this made it into 3.0.2 (-> 3.0/master). Could you try the
> request in question on 3.1/dev and see if you have the proper alert?
Git master is already 3.0.2, but I think I found my issue; maybe you can
confirm it.
I had a rule chained into two SecRule commands.
I had
SecRule C D ..chain,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}..
SecRule A B ...
It seemed all requests which matched rule "C D" already got the anomaly
score. I believed this only happens in case A B matches as well, as
they're chained.
Greets,
Stefan
>
> Best,
>
> Christian
>
>
> On Mon, Jan 29, 2018 at 02:22:58PM +0100, Stefan Priebe - Profihost AG wrote:
>> Hello,
>>
>> i'm running mod_security 2.9.2 with current crs git master
>> (v3.0/master). I've some requests where no matching rule is logged to
>> the audit log except Operator GE matched 5 at TX:anomaly_score ... and
>> Operator GE matched 5 at TX:inbound_anomaly_score. Any ideas how to find
>> out why the anomaly score is > 0
>>
>> Full log:
>> --2add8d70-A--
>> [29/Jan/2018:13:53:21 +0100] Wm8ZQY0z4w0DYRA6xm2k3QAAAA8 1.2.3.4 41438
>> 1.2.3.5 443
>> --2add8d70-B--
>> GET
>> /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.de%2Fwp-admin%2F&reauth=1
>> HTTP/2.0
>> Pragma: no-cache
>> Cache-Control: no-cache
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
>> like Gecko) Ubuntu Chromium/63.0.3239.132 Chrome/63.0.3239.132 Safari/537.36
>> Upgrade-Insecure-Requests: 1
>> Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
>> Accept-Encoding: gzip, deflate, br
>> Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
>> Cookie: PHPSESSID=u4o0fs52l0j3bot1m8j4pjgsd3
>> Host: www.mydomain.de
>>
>> --2add8d70-F--
>> HTTP/1.1 409 Conflict
>> Content-Length: 505
>> Content-Type: text/html; charset=iso-8859-1
>>
>> --2add8d70-E--
>>
>> --2add8d70-H--
>> Message: Access denied with code 409 (phase 2). Operator GE matched 5 at
>> TX:anomaly_score. [file
>> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
>> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
>> Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag
>> "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
>> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
>> [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"]
>> [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
>> Inbound Score: 10 -
>> SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag
>> "event-correlation"]
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client
>> 1.2.3.4] ModSecurity: Access denied with code 409 (phase 2). Operator GE
>> matched 5 at TX:anomaly_score. [file
>> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
>> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
>> Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag
>> "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
>> [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id
>> "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client
>> 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at
>> TX:inbound_anomaly_score. [file
>> "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line
>> "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
>> Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "]
>> [tag "event-correlation"] [hostname "www.mydomain.de"] [uri
>> "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
>> Action: Intercepted (phase 2)
>> Apache-Handler: php-fastcgi5.6
>> Stopwatch: 1517230401011338 4605 (- - -)
>> Stopwatch2: 1517230401011338 4605; combined=3476, p1=296, p2=3080, p3=0,
>> p4=0, p5=100, sr=57, sw=0, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/);
>> OWASP_CRS/3.0.2.
>> Server: Apache
>> Engine-Mode: "ENABLED"
>>
>> --2add8d70-Z--
>>
>>
>> Greets,
>> Stefan
>>
|
|
From: Andrew J. <4an...@gm...> - 2018-01-29 14:38:53
|
Hello,
What will be the release schedule for the stable version of the ModSecurity-apache connector?
Thanks in advance
Regards,
Andrew Joshwa
|
|
From: Christian F. <chr...@ne...> - 2018-01-29 14:24:05
|
Hi Stefan,
Welcome to the ModSecurity mailinglist. It's nice to see familiar faces from Apache Dev on this list too.
This rings a bell, but I can't find the issue / pull request in question on the quick. There was a rule that did not log properly.
Not sure if this made it into 3.0.2 (-> 3.0/master). Could you try the request in question on 3.1/dev and see if you have the proper alert?
Best,
Christian
On Mon, Jan 29, 2018 at 02:22:58PM +0100, Stefan Priebe - Profihost AG wrote:
> Hello,
>
> i'm running mod_security 2.9.2 with current crs git master (v3.0/master). I've some requests where no matching rule is logged to the audit log except Operator GE matched 5 at TX:anomaly_score ... and Operator GE matched 5 at TX:inbound_anomaly_score. Any ideas how to find out why the anomaly score is > 0
>
> Full log:
> [...]
>
> Greets,
> Stefan
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne... twitter: @ChrFolini
|
|
From: Stefan P. - P. AG <s.p...@pr...> - 2018-01-29 13:35:17
|
Hello,
I'm running mod_security 2.9.2 with current crs git master (v3.0/master). I've some requests where no matching rule is logged to the audit log except Operator GE matched 5 at TX:anomaly_score ... and Operator GE matched 5 at TX:inbound_anomaly_score. Any ideas how to find out why the anomaly score is > 0?
Full log:
--2add8d70-A--
[29/Jan/2018:13:53:21 +0100] Wm8ZQY0z4w0DYRA6xm2k3QAAAA8 1.2.3.4 41438 1.2.3.5 443
--2add8d70-B--
GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.de%2Fwp-admin%2F&reauth=1 HTTP/2.0
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/63.0.3239.132 Chrome/63.0.3239.132 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=u4o0fs52l0j3bot1m8j4pjgsd3
Host: www.mydomain.de

--2add8d70-F--
HTTP/1.1 409 Conflict
Content-Length: 505
Content-Type: text/html; charset=iso-8859-1

--2add8d70-E--

--2add8d70-H--
Message: Access denied with code 409 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 1.2.3.4] ModSecurity: Access denied with code 409 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag "event-correlation"] [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
Action: Intercepted (phase 2)
Apache-Handler: php-fastcgi5.6
Stopwatch: 1517230401011338 4605 (- - -)
Stopwatch2: 1517230401011338 4605; combined=3476, p1=296, p2=3080, p3=0, p4=0, p5=100, sr=57, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

--2add8d70-Z--
Greets,
Stefan
|
|
From: Christian F. <chr...@ne...> - 2018-01-25 14:52:31
|
Hello Eduardo,
I have not seen this problem before. And I worked with the exact same versions lately (all self compiled). Maybe you post your configuration here - or somebody from the devs has an idea.
Best,
Christian
On Wed, Jan 24, 2018 at 01:03:25PM -0300, Eduardo Carneiro wrote:
> Hi everyone!
> I have a Nginx 1.13.8 server (as a reverse proxy) with ModSecurity 3.0.
> It is always showing an empty hostname field in the error.log (hostname "").
> Someone please can help with this?
> Thanks in advance!
> --
> Eduardo Carneiro
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne... twitter: @ChrFolini
|
|
From: Eduardo C. <edu...@gm...> - 2018-01-24 16:03:33
|
Hi everyone!
I have a Nginx 1.13.8 server (as a reverse proxy) with ModSecurity 3.0.
It is always showing an empty hostname field in the error.log (hostname "").
Can someone please help with this?
Thanks in advance!
--
Eduardo Carneiro
|
|
From: Christian F. <chr...@ne...> - 2018-01-19 22:08:59
|
Hey Christian
On Fri, Jan 19, 2018 at 11:48:21AM -0300, Christian Varas wrote:
> Does anybody know if LibModSecurity is stable to work with nginx?
All I hear is that it really works and while I do not have it in production myself, the intense use before the O'Reilly webinar I did a few days back confirmed that statement. It is not entirely feature complete (setenv is missing, for example), but it's enough to run the Core Rule Set.
> I'm still using the modsecurity refactory version for nginx and it works like a charm. I would like to move to libmodsecurity and the connector for nginx but I'm not sure if it is stable...
If you are happy with that version, then I am quite sure 3.0 is at least as stable as that.
Best,
Christian
--
Half of the harm that is done in this world is due to people who want to feel important. They don't mean to do harm. But the harm does not interest them.
-- T.S. Eliot
|
|
From: Christian V. <cv...@it...> - 2018-01-19 15:12:23
|
Hi All,
Does anybody know if LibModSecurity is stable to work with nginx?
I'm still using the modsecurity refactory version for nginx and it works like a charm. I would like to move to libmodsecurity and the connector for nginx but I'm not sure if it is stable...
Anybody have some experience with libmodsec and nginx?
Cheers.
Chris.
--
|
|
From: Ed G. <ED...@ha...> - 2018-01-12 14:47:51
|
What I did: I use mlogc to send my logs to a database table. I wrote a script that reads the database table, consults a whitelist, and anything not on the list is reported by hourly email. There is a "high water mark" that keeps me from reporting the same things over and over again.
Best,
Ed
On Thu, 2018-01-11 at 18:05 +0100, Christian Folini wrote:
> Hey Edouard,
> On Thu, Jan 11, 2018 at 01:13:51PM -0300, Edouard Guigné wrote:
>> I supposed users often ask for this, is there a way to configure mod_security to get alert emails when some rules are activated ? And to configure what activated rules are allowed to send email alert ? (I do not want every activated rules send alert by email).
> There are various options and you need to build this yourself. Personally, I think detection / blocking and alerting should be separated. But there is nothing stopping you from using the exec action in phase 5 to trigger an email. But think about the number of emails you get when somebody runs a vulnerability scan on your site. I think it is smarter to sit on the logs and scan them for alerts, add some intelligence and then do the alarming. That way you can make sure that there is at most a message every 5 minutes or stuff like that. It's hard to get that right from within ModSec. Just my 2 cents.
> Ahoj,
> Christian
>> Best regards,
>> EG
--
Ed Greenberg | Web Developer and Linux System Administrator
|
|
From: Reindl H. <h.r...@th...> - 2018-01-11 18:59:34
|
On 11.01.2018 at 17:13, Edouard Guigné wrote:
> Hello Dear Mod_security users,
>
> I spend time on my server logs to check if there is any attacks detected by mod_security.
>
> I supposed users often ask for this, is there a way to configure mod_security to get alert emails when some rules are activated ?
> And to configure what activated rules are allowed to send email alert ? (I do not want every activated rules send alert by email)
Have fun when you are under attack - an invitation for a self-DoS.
Grep your logs and generate mails based on that on a regular time schedule, like once or twice per hour, but don't consider it a smart idea that an attacker on a webserver can instantly attack your mailserver and inbox too.
|
|
From: Christian F. <chr...@ne...> - 2018-01-11 17:05:34
|
Hey Edouard,
On Thu, Jan 11, 2018 at 01:13:51PM -0300, Edouard Guigné wrote:
> I supposed users often ask for this, is there a way to configure mod_security to get alert emails when some rules are activated ?
> And to configure what activated rules are allowed to send email alert ? (I do not want every activated rules send alert by email).
There are various options and you need to build this yourself. Personally, I think detection / blocking and alerting should be separated. But there is nothing stopping you from using the exec action in phase 5 to trigger an email. But think about the number of emails you get when somebody runs a vulnerability scan on your site.
I think it is smarter to sit on the logs and scan them for alerts, add some intelligence and then do the alarming. That way you can make sure that there is at most a message every 5 minutes or stuff like that. It's hard to get that right from within ModSec.
Just my 2 cents.
Ahoj,
Christian
> Best regards,
> EG
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne... twitter: @ChrFolini
|
|
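The exec-in-phase-5 route Christian mentions, with the throttle he says is hard to get right, as an added example that is not from the thread. It assumes SecDataDir is set so the persistent GLOBAL collection works, that CRS 3.0.x is loaded (it sets tx.anomaly_score and tx.inbound_anomaly_score_threshold), and that /usr/local/bin/modsec-alert.sh is a placeholder for a notifier script of your own; rule ids 900010/900011 are placeholders too.

```apache
# Added example (not from the thread). At most one notification per 300 s,
# however many requests the CRS blocks in that window. Assumptions: SecDataDir
# is configured, CRS 3.0.x is loaded, /usr/local/bin/modsec-alert.sh is your
# own notifier (placeholder path) and returns quickly, because exec blocks
# the request until the script finishes.

# Open the shared, persistent GLOBAL collection once per transaction.
SecAction "id:900010,phase:1,pass,nolog,t:none,initcol:global=global"

# Logging phase: if this request scored at or over the blocking threshold
# and no alert marker exists, set the marker (it expires after 300 s) and run
# the notifier once. The expiring marker is what stops a vulnerability scan
# from turning every blocked request into a mail, the flood Christian and
# Reindl warn about.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:900011,phase:5,pass,nolog,t:none,chain"
    SecRule &GLOBAL:ALERT_SENT "@eq 0" \
        "t:none,setvar:global.alert_sent=1,expirevar:global.alert_sent=300,\
        exec:/usr/local/bin/modsec-alert.sh"
```

The check and the set are two steps, so two blocked requests handled concurrently can both run the script before the marker is written; the script should tolerate that and read the details from the audit log rather than expecting arguments. This is the mechanism only; the thread's advice to alert from the logs (as Ed does) keeps the mail path out of the request path entirely.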
From: Edouard G. <eg...@pa...> - 2018-01-11 16:14:09
|
Hello dear mod_security users,
I spend time on my server logs to check if there are any attacks detected by mod_security.
I suppose users often ask for this: is there a way to configure mod_security to get alert emails when some rules are activated? And to configure which activated rules are allowed to send an email alert? (I do not want every activated rule to send an alert by email.)
Best regards,
EG
|
|
From: Sachin S. <sac...@ya...> - 2018-01-11 04:43:58
|
Seems mod_security 2.7.3 is not parsing JSON POST. Try to compile a new version of json if it works!
- Sachin
On Wednesday, January 10, 2018, 9:51:56 PM GMT+5:30, Sachin Sharma via mod-security-users <mod...@li...> wrote:
Hi All,
I am trying to reject a api call if POST (json format) contains string1. I have enabled
SecRequestBodyAccess On
curl -H "Content-Type: application/json" -k1 -u sachin:testing -X POST http://localhost/wapi/v2.0/record:a -d '{"name": "s2.testzone.com", "ipv4addr":"192.168.10.197","view": "default",}'
New to mod_security test below secrule but nothing worked. Please help !
SecRule ARGS_POST "@contains testzone.com" "id:420008,t:none,deny,log,msg:'Denied'"
SecRule REQUEST_BODY "@contains testzone.com" "id:420009,t:none,deny,log,msg:'Denied'"
- Sachin
|
|
From: Sachin S. <sac...@ya...> - 2018-01-10 16:20:11
|
Hi All,
I am trying to reject an API call if the POST (JSON format) contains string1. I have enabled
SecRequestBodyAccess On
curl -H "Content-Type: application/json" -k1 -u sachin:testing -X POST http://localhost/wapi/v2.0/record:a -d '{"name": "s2.testzone.com", "ipv4addr":"192.168.10.197","view": "default",}'
New to mod_security; I tested the SecRules below but nothing worked. Please help!
SecRule ARGS_POST "@contains testzone.com" "id:420008,t:none,deny,log,msg:'Denied'"
SecRule REQUEST_BODY "@contains testzone.com" "id:420009,t:none,deny,log,msg:'Denied'"
- Sachin |
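Why neither rule fired on an application/json POST, and two ways to make such a rule match, as an added example that is not from the thread. It assumes a ModSecurity 2.x that ships the JSON request body processor (2.8 or later; Sachin's 2.7.3 has none, which is what his follow-up hints at) and SecRequestBodyAccess On, which he already has; rule ids 420010-420013 are placeholders.

```apache
# Added example (not from the thread). Why "nothing worked": with no body
# processor that understands JSON, the body is never parsed into ARGS or
# ARGS_POST, and REQUEST_BODY is only populated for the URLENCODED processor,
# so "@contains testzone.com" had nothing to inspect in either rule.
# Assumptions: ModSecurity 2.8+ (JSON processor), SecRequestBodyAccess On,
# placeholder ids 420010-420013. Load ONE of the two options.

# Option 1: parse the JSON in phase 1, then inspect the parsed arguments.
SecRule REQUEST_HEADERS:Content-Type "@rx ^application/json" \
    "id:420010,phase:1,pass,nolog,t:none,t:lowercase,ctl:requestBodyProcessor=JSON"

SecRule ARGS "@contains testzone.com" \
    "id:420011,phase:2,deny,log,t:none,msg:'Denied: testzone.com in JSON body'"

# Option 2: leave the body unparsed, force the raw REQUEST_BODY variable to be
# filled for this non-URLENCODED body, and match on the raw text.
SecRule REQUEST_HEADERS:Content-Type "@rx ^application/json" \
    "id:420012,phase:1,pass,nolog,t:none,t:lowercase,ctl:forceRequestBodyVariable=On"

SecRule REQUEST_BODY "@contains testzone.com" \
    "id:420013,phase:2,deny,log,t:none,msg:'Denied: testzone.com in raw body'"
```

Note that the body in the curl command ends in `"default",}`, which a strict JSON parser rejects; with Option 1 a parse failure leaves ARGS empty (REQBODY_ERROR is set instead), while Option 2 still sees the raw text.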
|
From: Elavarasan ~ A. <ela...@ac...> - 2018-01-10 05:47:38
|
Good Day Mod Security,
Would appreciate your help,
I'm using CentOS v7 with Apache 2.4.
After installing Mod Security and restarting the Apache web service, Apache failed to start and threw the error message "FOUND ANOTHER RULE WITH SAME ID" for the mod_security.conf file.
But when I search for the ID, I cannot find the same id more than once:
find /etc/httpd -name '*.conf' -exec grep -H "'200000'" {} \;
So how do I resolve this kind of error message?
Thank you for your support and co-operation on this.
Thanks,
Elavarasan
|
|
From: Frederic F. <fre...@gm...> - 2018-01-09 08:42:02
|
Hello again,
Did anybody have GeoIP, i.e. rule id:910100 (TX:HIGH_RISK_COUNTRY_CODES) from OWASP CRS, working with modsecurity 3.0?
Best,
Fred
> On 5 Jan 2018, at 10:04, Christian Folini <chr...@ne...> wrote:
>
> @Felipe: How good is the GeoIP support in 3.0? I take it this is meant to work but it looks as if it would not.
|
|
From: leon m. <mig...@ya...> - 2018-01-08 10:44:13
|
That's fantastic, thank you! I'll do both those things!
Leon
On Monday, 8 January 2018, 10:02, Christian Folini <chr...@ne...> wrote:
Hey Leon,
Your rule ids point to an outdated version of the Core Rule Set (2.2.x).
I suggest you update to the Core Rule Set 3.0.2 version and the alerts
should disappear as the rules in question are no longer part of the
default installation.
It is generally possible to exclude individual cookies from a given rule.
But the syntax is slightly different from the one you presented. I suggest
you follow the tutorial about the handling of false positives at
https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
Good luck!
Christian
On Mon, Jan 08, 2018 at 09:48:50AM +0000, leon matthews via mod-security-users wrote:
> Despite a ton of Googling, reading the Modsecurity Handbook and trial
> and error I still can't figure out if I can adjust sensitivity to
> specific rules on specific cookies.
> Our false positives seem to be caused by rules 981260 and 981231
> finding matches in the XSRF token cookies automatically made by our
> website's framework. I can disable the rules for the cookies, but I'd
> like to know if I can just make the existing ones less sensitive for
> specific cookie names so there's still some security in place.
> The following rule crashes with the error 'Rules must have at least id
> action'
> SecRule REQUEST_COOKIES:EXAMPLE-NAME "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"
> What's the best way to handle these cookies or this situation?
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
From: Christian F. <chr...@ne...> - 2018-01-08 10:02:19
Hey Leon,
Your rule ids point to an outdated version of the Core Rule Set (2.2.x).
I suggest you update to the Core Rule Set 3.0.2 version and the alerts
should disappear as the rules in question are no longer part of the
default installation.
It is generally possible to exclude individual cookies from a given rule.
But the syntax is slightly different from the one you presented. I suggest
you follow the tutorial about the handling of false positives at
https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
Good luck!
Christian
On Mon, Jan 08, 2018 at 09:48:50AM +0000, leon matthews via mod-security-users wrote:
> Despite a ton of Googling, reading the Modsecurity Handbook and trial
> and error I still can't figure out if I can adjust sensitivity to
> specific rules on specific cookies.
> Our false positives seem to be caused by rules 981260 and 981231
> finding matches in the XSRF token cookies automatically made by our
> website's framework. I can disable the rules for the cookies, but I'd
> like to know if I can just make the existing ones less sensitive for
> specific cookie names so there's still some security in place.
> The following rule crashes with the error 'Rules must have at least id
> action'
> SecRule REQUEST_COOKIES:EXAMPLE-NAME "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"
> What's the best way to handle these cookies or this situation?
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
From: leon m. <mig...@ya...> - 2018-01-08 09:53:00
Despite a ton of Googling, reading the Modsecurity Handbook and trial and error I still can't figure out if I can adjust sensitivity to specific rules on specific cookies.
Our false positives seem to be caused by rules 981260 and 981231 finding matches in the XSRF token cookies automatically made by our website's framework. I can disable the rules for the cookies, but I'd like to know if I can just make the existing ones less sensitive for specific cookie names so there's still some security in place.
The following rule crashes with the error 'Rules must have at least id action':
SecRule REQUEST_COOKIES:EXAMPLE-NAME "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"
What's the best way to handle these cookies or this situation?
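An added example, not code from any of the posters above and not part of ModSecurity or the Core Rule Set: a small Python checker for the two configuration mistakes discussed on this page. The first is a rule id declared twice, which is what makes httpd refuse to start with "FOUND ANOTHER RULE WITH SAME ID" (Elavarasan's message at the top). The second is a SecRule written with only two arguments, as in Leon's cookie rule: ModSecurity parses a SecRule as VARIABLES OPERATOR ACTIONS, so with two arguments the quoted text meant as the action list is taken as the operator, and the rule ends up with no actions and no id, hence 'Rules must have at least id action'. The sample rule files, their names (modsecurity.conf, local-rules.conf) and their contents are constructed for this example; the ids 200000, 108 and 981260 are taken from the messages above, and the SecRuleUpdateTargetById line shows ModSecurity's own directive for excluding a single cookie from a single rule, as an alternative to writing a new rule.

```python
"""Static checks for ModSecurity rule files (added example, not project code).

Finds the two configuration mistakes discussed in the threads above:
  * a rule id declared more than once, which makes httpd refuse to start
    ("FOUND ANOTHER RULE WITH SAME ID"), and
  * a SecRule with only two arguments: ModSecurity reads the quoted text
    as the operator, so the rule has no actions and no id
    ("Rules must have at least id action").
"""
import re
import shlex
from collections import defaultdict

ID_RE = re.compile(r"(?:^|,)\s*id:'?(\d+)'?")
CHAIN_RE = re.compile(r"(?:^|,)\s*chain\s*(?:,|$)")


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined
    and comment/blank lines dropped, the way the httpd config reader does."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation; report what we have
        yield start, " ".join(buf)


def lint(files):
    """files: mapping file name -> contents (Include directives are not followed).
    Returns (duplicates, malformed):
      duplicates: {id: [(file, line), ...]} for ids declared more than once
      malformed:  [(file, line, reason), ...] for rules ModSecurity rejects
    """
    seen = defaultdict(list)
    malformed = []
    for name, text in files.items():
        in_chain = False  # links after the first one in a chain carry no id
        for num, line in logical_lines(text):
            try:
                parts = shlex.split(line, posix=True)
            except ValueError:
                malformed.append((name, num, "unbalanced quotes"))
                continue
            if not parts:
                continue
            directive, *args = parts
            if directive == "SecRule":
                if len(args) < 3:
                    malformed.append((name, num,
                        "SecRule needs VARIABLES OPERATOR ACTIONS; the quoted "
                        "text is parsed as the operator, so no id action exists"))
                    in_chain = False
                    continue
                actions = args[2]
            elif directive == "SecAction" and args:
                actions = args[0]
            else:
                continue  # SecRuleEngine, SecRuleUpdateTargetById, ... carry no rule id
            match = ID_RE.search(actions)
            if match:
                seen[match.group(1)].append((name, num))
            elif not in_chain:
                malformed.append((name, num, f"{directive} without id action"))
            in_chain = CHAIN_RE.search(actions) is not None
    duplicates = {rid: locs for rid, locs in seen.items() if len(locs) > 1}
    return duplicates, malformed


# Constructed sample input for this example (not real deployment files).
SAMPLE_FILES = {
    "modsecurity.conf": """\
SecRuleEngine On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\\+|/)|text/)xml" \\
    "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
""",
    "local-rules.conf": """\
# reuses id 200000 from modsecurity.conf: this is what stops httpd
SecRule ARGS:q "@rx select" "id:200000,phase:2,deny,log"

# the two-argument rule from the cookie question
SecRule REQUEST_COOKIES:EXAMPLE-NAME "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"

# the same rule in the three-argument form VARIABLES OPERATOR ACTIONS
SecRule REQUEST_COOKIES:EXAMPLE-NAME "@unconditionalMatch" \\
    "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"

# excluding one cookie from one rule with ModSecurity's own directive for that
SecRuleUpdateTargetById 981260 "!REQUEST_COOKIES:EXAMPLE-NAME"

# a chain: only the first link carries the id
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \\
    "id:910100,phase:request,log,block,t:none,chain"
    SecRule TX:REAL_IP "@geoLookup" "chain"
        SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \\
            "setvar:'tx.msg=%{rule.msg}'"
""",
}


def check_sample():
    """Run the checks on the constructed files; used by main() and the test."""
    return lint(SAMPLE_FILES)


if __name__ == "__main__":
    dups, bad = check_sample()
    for rid, locs in dups.items():
        print(f"duplicate id {rid}: " + ", ".join(f"{f}:{n}" for f, n in locs))
    for f, n, why in bad:
        print(f"{f}:{n}: {why}")
```

Two points worth noting when running this against a real installation: the find/grep command in the first message only matches ids written with quotes (id:'200000'), whereas httpd rejects the duplicate whether or not the id is quoted, so the checker matches both spellings; and because Include directives are not resolved, every file httpd actually loads (the output of httpd -t -D DUMP_INCLUDES on Apache 2.4, for instance) has to be passed in, otherwise a duplicate in an included file is missed exactly the way the grep missed it.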
From: Frederic F. <fre...@gm...> - 2018-01-05 09:11:45
This one (found in crs-setup.conf) does the job if I change the action to "block":
SecAction \
"id:900600,\
phase:1,\
log,\
pass,\
t:none,\
setvar:'tx.high_risk_country_codes=CH YU LT EG'"
From: Christian F. <chr...@ne...> - 2018-01-05 09:04:28
Hello Frédéric,
On Fri, Jan 05, 2018 at 09:34:13AM +0100, Frederic Fichter wrote:
> DebugLog is as follows:
>
> [4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES.
> [9] Target value: "CH YU LT EG" (Variable: TX:HIGH_RISK_COUNTRY_CODES)
> [9] Matched vars updated.
> [4] Running [independent] (non-disruptive) action: msg
> [9] Saving msg: Client IP is from a HIGH Risk Country Location.
> [4] Running [independent] (non-disruptive) action: log
> [9] Saving transaction to logs
> [4] Rule returned 1.
> [4] Executing chained rule.
> [4] (Rule: 0) Executing operator "GeoLookup" with param "" against TX:REAL_IP.
> [9] Target value: "37.0.34.57" (Variable: TX:REAL_IP)
> [4] Rule returned 0.
> [9] Matched vars cleaned.
>
> So 910100 actually does trigger, but the "block" action is not applied. Could you shed some light on that? :)
No, I do not think it did trigger. If you look at the rule, it's tri-fold. The one that triggered was the first rule that checks high-risk-countries is not empty. That seems to be the case, so on to the 2nd rule, which is the execution of the GeoIPLookup (look up in the book why this is done via an operator in a rule) and that rule returned a 0. That is odd.
@Felipe: How good is the GeoIP support in 3.0? I take it this is meant to work but it looks as if it would not.
Ahoj,
Christian
--
Moderation, the Golden Mean, the Aristonmetron, is the secret of wisdom and of happiness. But it does not mean embracing an unadventurous mediocrity: rather it is an elaborate balancing-act, a feat of intellectual skill demanding constant vigilance. Its aim is a reconciliation of opposites.
-- Robertson Davies
From: Frederic F. <fre...@gm...> - 2018-01-05 08:34:24
Hi,
ModSec 3.0 here :)
DebugLog is as follows:
[4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES.
[9] Target value: "CH YU LT EG" (Variable: TX:HIGH_RISK_COUNTRY_CODES)
[9] Matched vars updated.
[4] Running [independent] (non-disruptive) action: msg
[9] Saving msg: Client IP is from a HIGH Risk Country Location.
[4] Running [independent] (non-disruptive) action: log
[9] Saving transaction to logs
[4] Rule returned 1.
[4] Executing chained rule.
[4] (Rule: 0) Executing operator "GeoLookup" with param "" against TX:REAL_IP.
[9] Target value: "37.0.34.57" (Variable: TX:REAL_IP)
[4] Rule returned 0.
[9] Matched vars cleaned.
So 910100 actually does trigger, but the "block" action is not applied. Could you shed some light on that? :)
Again, thanks much for your help with this,
Best,
Fred
From: Christian F. <chr...@ne...> - 2018-01-04 16:27:07
Hi Frederic,
On Thu, Jan 04, 2018 at 03:37:30PM +0100, Frederic Fichter wrote:
> First post in this list !
Welcome!
> I’m playing with what should be a super-simple setup
> (NGINX+modsecurity+CRS 3.0).
> Still, not everything is working as expected.
Is that ModSec 3.0 or 2.9.x?
> I’m trying to block requests from some countries (I’m testing from a CH
> IP).
They are the worst. :)
Could you raise the debuglog level 9 and check the part dealing with
910100? You can also submit it here, if you are not sure what to make
out of it.
Good luck!
Ahoj,
Christian
> In my REQUEST-910-IP-REPUTATION.conf sits the rule which I want to use:
> #
> # -=[ GeoIP Checks ]=-
> #
> # This rule requires activating the SecGeoLookupDB directive
> # in the crs-setup.conf file and specifying
> # the list of blocked countries (tx.high_risk_country_codes).
> #
> # This rule does a GeoIP resolution on the client IP address.
> #
> SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
> "msg:'Client IP is from a HIGH Risk Country Location.',\
> severity:'CRITICAL',\
> id:910100,\
> phase:request,\
> log,\
> block,\
> t:none,\
> tag:'application-multi',\
> tag:'language-multi',\
> tag:'platform-multi',\
> tag:'attack-reputation-ip',\
> chain"
> SecRule TX:REAL_IP "@geoLookup" \
> "chain"
> SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
> "setvar:'tx.msg=%{rule.msg}',\
> setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
> setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
> setvar:ip.reput_block_flag=1,\
> expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
> setvar:'ip.reput_block_reason=%{rule.msg}'"
> And in my crs-setup.conf I have:
> SecAction \
> "id:900600,\
> phase:1,\
> log,\
> pass,\
> t:none,\
> setvar:'tx.high_risk_country_codes=CH YU LT EG'"
> Now, I can find rule ID 900600 in my audit log but not rule ID 910100,
> see below.
> ---UkhFLq7B---A--
> [04/Jan/2018:14:20:10 +0000] 151507561010.797697 37.0.34.57 28266
> 37.0.34.57 80
> ---UkhFLq7B---B--
> GET / HTTP/1.1
> Host: xxxxxx.northeurope.cloudapp.azure.com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0)
> Gecko/20100101 Firefox/57.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Cache-Control: max-age=0
> Upgrade-Insecure-Requests: 1
> If-Modified-Since: Tue, 26 Dec 2017 16:01:12 GMT
> If-None-Match: "5a427248-264"
> ---UkhFLq7B---D--
> ---UkhFLq7B---F--
> HTTP/1.1 304
> Server: nginx/1.13.8
> Date: Thu, 04 Jan 2018 14:20:10 GMT
> Last-Modified: Tue, 26 Dec 2017 16:01:12 GMT
> Connection: keep-alive
> ETag: "5a427248-264"
> ---UkhFLq7B---H--
> ModSecurity: Warning. [file "/etc/nginx/modsec/crs-setup.conf"] [line
> "563"] [id "900600"] [rev ""] [msg ""] [data ""] [severity "0"] [ver
> ""] [maturity "0"] [accuracy "0"] [hostname "37.0.34.57"] [uri "/"]
> [unique_id "151507561010.797697"] [ref ""]
> ---UkhFLq7B---I--
> ---UkhFLq7B---J--
> ---UkhFLq7B---Z--
> My “paranoia level" is set to 1. I know for sure that CRS rules are
> enforced, if I change the paranoia level to 4 and launch requests
> containing special characters other rules do trigger.
> Thanks a lot for your help with this.
> Best,
> Fred
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini