mod-security-users Mailing List for ModSecurity (Page 555)
From: Ivan R. <iv...@we...> - 2005-08-15 12:18:50

Ryan Barnett wrote:
> Ivan can speak better on this, however I believe that the problem is
> that Apache does some processing early in the request loop cycle
> before mod_security has a hook to inspect it.
>
> Take a look here at the Apache request loop -
> http://modperlbook.org/html/ch01_04.html. Then compare this with the
> hooks that mod_security has into Apache. -
>
> ...
> NULL, /* [#8] MIME-typed-dispatched handlers */
> NULL, /* [#1] URI to filename translation */
> NULL, /* [#4] validate user id from request */
> NULL, /* [#5] check if the user is ok _here_ */
> NULL, /* [#3] check access by host address */
> NULL, /* [#6] determine MIME type */
> sec_check_access, /* [#7] pre-run fixups */
> sec_logger, /* [#9] log a transaction */
> NULL, /* [#2] header parser */
> sec_child_init, /* child_init */
> NULL, /* child_exit */
> NULL /* [#0] post read-request */
>
> Apache runs through steps 0 - 6 before mod_security has a hook to
> perform any actions.

That's correct. For me it was always a matter of choice whether I want to
protect applications, or Apache itself. At the moment mod_security is
configured to protect applications.

A further problem is that, as Apache processes phases 0-6, it creates a lot
of information (which mod_security uses) which would otherwise be
unavailable in hook #0 (for example). My idea is to split rule processing
into two phases. One would happen in hook #0, and the other #6.

However, as I was making improvements to 1.9 I solved one of the major
obstacles to moving mod_security from hook #7 into an earlier phase. I won't
bother you with programming details but now it may be possible to run from
hook #0. I don't have time to test it thoroughly but since there is demand
for it, I'll do a couple of tests to see if it works, and if it does I will
release 1.9dev3 (by the end of the week) with a configuration option to
choose the hook to run at.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Ivan R. <iv...@we...> - 2005-08-15 12:06:15

LesT wrote:
> We are building a new server and cannot get modsecurity to install.
> Below find the server info and following that the first few lines of
> hundreds that follow when attempting to install mod_security 1.8.7
>
> ...
>
> cc -DHARD_SERVER_LIMIT=512
> -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22
> -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -I/usr/include/gdbm
> -DMOD_SSL=208122 -DEAPI -O -pipe -W -Wall
> -I/home/builder/pb_work_dir/psa_aiconfig_7.5.3/psa/lib/dist/usr/include
> -DPLESK_Linux
> -I/home/builder/pb_work_dir/psa_aiconfig_7.5.3/psa/plesk-utils/include
> -DBSG_CR -DBSG_MSG -I/usr/include -DHAS_RPM -O3
> -fexpensive-optimizations -I/usr/kerberos/include -fstrength-reduce
> -pipe -I/usr/include/libxml2 -Wno-unused-parameter -fpic -DSHARED_MODULE
> -I/usr/local/psa/admin/include -c mod_security.c
> mod_security.c:35:19: unixd.h: No such file or directory
> mod_security.c:47:20: ap_mpm.h: No such file or directory
> mod_security.c:49:17: apr.h: No such file or directory
> mod_security.c:50:25: apr_strings.h: No such file or directory
> mod_security.c:51:22: apr_hash.h: No such file or directory
> mod_security.c:52:22: apr_user.h: No such file or directory
> mod_security.c:53:21: apr_lib.h: No such file or directory
> mod_security.c:54:24: apr_signal.h: No such file or directory
> mod_security.c:55:30: apr_global_mutex.h: No such file or directory

The compiler cannot find the Apache include files. Why exactly, I don't
know - that depends on your system. Do you have a package called
"http-devel" or "httpd-devel" installed?

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: LesT <tle...@ea...> - 2005-08-15 01:22:33

We are building a new server and cannot get modsecurity to install. Below
find the server info and following that the first few lines of hundreds
that follow when attempting to install mod_security 1.8.7

Linux u15190851.onlinehome-server.com 2.6.11.9-050512a #1 SMP Thu May 12 20:53:02 CEST 2005 i686 i686 i386 GNU/Linux
Fedora Core release 2 (Tettnang)

Server version: Apache/2.0.51
Server built:   Nov 12 2004 10:10:20
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

MODULE_RELEASE "1.8.7"

====== ONLY A FEW lines as examples to avoid uploading such a large file.

cc -DHARD_SERVER_LIMIT=512 -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22 -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208122 -DEAPI -O -pipe -W -Wall -I/home/builder/pb_work_dir/psa_aiconfig_7.5.3/psa/lib/dist/usr/include -DPLESK_Linux -I/home/builder/pb_work_dir/psa_aiconfig_7.5.3/psa/plesk-utils/include -DBSG_CR -DBSG_MSG -I/usr/include -DHAS_RPM -O3 -fexpensive-optimizations -I/usr/kerberos/include -fstrength-reduce -pipe -I/usr/include/libxml2 -Wno-unused-parameter -fpic -DSHARED_MODULE -I/usr/local/psa/admin/include -c mod_security.c
mod_security.c:35:19: unixd.h: No such file or directory
mod_security.c:47:20: ap_mpm.h: No such file or directory
mod_security.c:49:17: apr.h: No such file or directory
mod_security.c:50:25: apr_strings.h: No such file or directory
mod_security.c:51:22: apr_hash.h: No such file or directory
mod_security.c:52:22: apr_user.h: No such file or directory
mod_security.c:53:21: apr_lib.h: No such file or directory
mod_security.c:54:24: apr_signal.h: No such file or directory
mod_security.c:55:30: apr_global_mutex.h: No such file or directory
mod_security.c:61: error: syntax error before "security_module"
mod_security.c:61: warning: type defaults to `int' in declaration of `security_module'
mod_security.c:61: warning: data definition has no type or storage class
mod_security.c:63: error: syntax error before '*' token
mod_security.c:63: warning: type defaults to `int' in declaration of `modsec_debuglog_lock'
mod_security.c:63: warning: data definition has no type or storage class
mod_security.c:64: error: syntax error before '*' token
mod_security.c:64: warning: type defaults to `int' in declaration of `modsec_auditlog_lock'
mod_security.c:64: warning: data definition has no type or storage class
mod_security.c:66: error: syntax error before '*' token
mod_security.c:66: warning: type defaults to `int' in declaration of `global_sec_filter_in'
mod_security.c:66: warning: data definition has no type or storage class
mod_security.c:67: error: syntax error before '*' token
mod_security.c:67: warning: type defaults to `int' in declaration of `global_sec_filter_out'
mod_security.c:67: warning: data definition has no type or storage class
mod_security.c:290: error: syntax error before "apr_array_header_t"
mod_security.c:290: warning: no semicolon at end of struct or union
mod_security.c:291: warning: type defaults to `int' in declaration of `signature'
mod_security.c:291: warning: data definition has no type or storage class
mod_security.c:299: error: syntax error before "apr_array_header_t"
mod_security.c:299: warning: no semicolon at end of struct or union

From: Mike P. <mpl...@am...> - 2005-08-14 20:23:39

On Sunday 14 August 2005 02:14 pm, DL...@ao... wrote:
> I would like to know if there is a way to report these intruders or find
> more information on them. My firewall program allows me to see their IP
> addresses. Is there some type of company I can send reports of these IP
> addresses? Basically fighting back the hackers who are making these
> intruders. Any replies will be appreciated.

http://www.dshield.org/fightback.php is a great site to use. Dshield is
part of SANS which is a very well respected security group.

--
Mike Plemmons
mi...@pl...

From: <DL...@ao...> - 2005-08-14 18:14:47

I would like to know if there is a way to report these intruders or find
more information on them. My firewall program allows me to see their IP
addresses. Is there some type of company I can send reports of these IP
addresses? Basically fighting back the hackers who are making these
intruders. Any replies will be appreciated.

From: Ryan B. <rcb...@gm...> - 2005-08-13 00:03:35

Ivan can speak better on this, however I believe that the problem is that
Apache does some processing early in the request loop cycle before
mod_security has a hook to inspect it.

Take a look here at the Apache request loop -
http://modperlbook.org/html/ch01_04.html. Then compare this with the hooks
that mod_security has into Apache. -

    module MODULE_VAR_EXPORT security_module = {
        STANDARD_MODULE_STUFF,
        sec_init,               /* module initializer */
        sec_create_dir_config,  /* create per-dir config structures */
        sec_merge_dir_config,   /* merge per-dir config structures */
        sec_create_srv_config,  /* create per-server config structures */
        sec_merge_srv_config,   /* merge per-server config structures */
        sec_cmds,               /* table of config file commands */
        NULL,                   /* [#8] MIME-typed-dispatched handlers */
        NULL,                   /* [#1] URI to filename translation */
        NULL,                   /* [#4] validate user id from request */
        NULL,                   /* [#5] check if the user is ok _here_ */
        NULL,                   /* [#3] check access by host address */
        NULL,                   /* [#6] determine MIME type */
        sec_check_access,       /* [#7] pre-run fixups */
        sec_logger,             /* [#9] log a transaction */
        NULL,                   /* [#2] header parser */
        sec_child_init,         /* child_init */
        NULL,                   /* child_exit */
        NULL                    /* [#0] post read-request */
    };

Apache runs through steps 0 - 6 before mod_security has a hook to perform
any actions.

Ivan - please correct me if I am wrong here. Are there any plans to
implement hooks earlier into the request loop?

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 8/12/05, Leandro Meiners <lme...@cy...> wrote:
> According to Apache documentation:
> "Although most error messages can be overridden, there are certain
> circumstances where the internal messages are used regardless of the setting
> of ErrorDocument. In particular, if a malformed request is detected, normal
> request processing will be immediately halted and the internal error message
> returned. This is necessary to guard against security problems caused by bad
> requests."
>
> I've tried to catch malformed requests using mod_security but it seems that
> they don't even reach mod_security.
>
> Does anyone know how to overcome this limitation?
>
> Regards,
>
> ------------------------------------------------
> Leandro Federico Meiners
> CYBSEC S.A. Security Systems
> E-mail: lme...@cy...
> Tel/Fax: [54-11] 4382-1600
> Web: http://www.cybsec.com
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

From: Tom A. <tan...@oa...> - 2005-08-12 21:22:50

I had the same problem... no solution other than putting a proxy in front
of your server.

Tom

----- Original Message -----
From: "Leandro Meiners" <lme...@cy...>
To: <mod...@li...>
Sent: Friday, August 12, 2005 5:02 PM
Subject: [mod-security-users] Problem trying to catch malformed requests

> According to Apache documentation:
> "Although most error messages can be overridden, there are certain
> circumstances where the internal messages are used regardless of the
> setting of ErrorDocument. In particular, if a malformed request is
> detected, normal request processing will be immediately halted and the
> internal error message returned. This is necessary to guard against
> security problems caused by bad requests."
>
> I've tried to catch malformed requests using mod_security but it seems
> that they don't even reach mod_security.
>
> Does anyone know how to overcome this limitation?
>
> Regards,
>
> ------------------------------------------------
> Leandro Federico Meiners
> CYBSEC S.A. Security Systems
> E-mail: lme...@cy...
> Tel/Fax: [54-11] 4382-1600
> Web: http://www.cybsec.com

From: Leandro M. <lme...@cy...> - 2005-08-12 21:02:40

According to Apache documentation:
"Although most error messages can be overridden, there are certain
circumstances where the internal messages are used regardless of the setting
of ErrorDocument. In particular, if a malformed request is detected, normal
request processing will be immediately halted and the internal error message
returned. This is necessary to guard against security problems caused by bad
requests."

I've tried to catch malformed requests using mod_security but it seems that
they don't even reach mod_security.

Does anyone know how to overcome this limitation?

Regards,

------------------------------------------------
Leandro Federico Meiners
CYBSEC S.A. Security Systems
E-mail: lme...@cy...
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com

From: Michael S. <mi...@go...> - 2005-08-12 13:19:10

On Fri, 2005-08-12 at 14:04 +0200, David ROBERT wrote:
> Hi,
>
> I would like to write a rule to filter this kind of attack (Command
> injection attack):
>
> GET /stats.pl?toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata
>
> In GET or POST
>
> In fact I would like to block all the ";", "|", "#"
>
> I wrote :
> SecFilterSelective ARGS [;|\||#]
>
> It works but is it the best way ?

You don't need to use the pipes to separate the characters when you use
brackets. You can do it like this:

SecFilterSelective ARGS [;\|#]

Also, I'm sure you already realize this, so this is just an aside for
anyone else that might not be sure, only use a rule like this if you know
that your applications don't use these characters in their arguments.
You'd be surprised (I was) at the number of apps that use pipes in their
arguments! :-)

--
Michael T. Shinn KeyID:DAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
ModSecurity WebServer Firewall: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From: Sander H. - O. X. <in...@or...> - 2005-08-12 12:33:56

mod...@li... wrote:
> Hi,
>
> I would like to write a rule to filter this kind of attack (Command
> injection attack):
>
> GET /stats.pl?toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata
>
> In GET or POST
>
> In fact I would like to block all the ";", "|", "#"
>
> I wrote :
> SecFilterSelective ARGS [;|\||#]
>
> It works but is it the best way ?
>
> David ROBERT

No. You do not need to separate characters by an or (|) statement in []
or [^] containers. They should contain all the characters you want to
match. Where, for instance, a dot (.) will match any character, [;|#]
will match ; or | or #. They more or less contain an array (only not
separated by ,) of characters you want to match to. Putting an ^ after
the [ does the opposite.

Kind regards,
Sander Holthaus

From: David R. <cas...@gm...> - 2005-08-12 12:04:21

Hi,

I would like to write a rule to filter this kind of attack (Command
injection attack):

GET /stats.pl?toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata

In GET or POST

In fact I would like to block all the ";", "|", "#"

I wrote :
SecFilterSelective ARGS [;|\||#]

It works but is it the best way ?

David ROBERT

From: Ivan R. <iv...@we...> - 2005-08-10 09:35:30

Markus Rietzler wrote:
> i get a lot of:
>
> mod_security: Warning. Pattern match "^$" at HEADER [hostname "www.myserver.xx"] [uri "/cgi-bin/somescript.pl?someparams"]
>
> in my error log.
>
> my conf shows:
>
> # only valid protocols
> SecFilterSelective SERVER_PROTOCOL !^HTTP/(0\.9|1\.0|1\.1)$
> SecFilterSelective REQUEST_METHOD !^(GET|HEAD|POST)$
> # host header present
> # SecFilterSelective HTTP_Host ^$
>
> so as the line is commented this error shouldn't occur.

Correct. Did you restart Apache since you made changes to the configuration
file? Maybe the message in the error log is from before you made the
changes?

> is this something i have to take care of? does it mean that
> people couldn't open our pages?

Not likely. Some scripts or automated tools fail to use the Host header. Or
it could have been a manual access.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Markus R. <we...@mr...> - 2005-08-10 04:16:16

I get a lot of:

mod_security: Warning. Pattern match "^$" at HEADER [hostname "www.myserver.xx"] [uri "/cgi-bin/somescript.pl?someparams"]

in my error log.

My conf shows:

# only valid protocols
SecFilterSelective SERVER_PROTOCOL !^HTTP/(0\.9|1\.0|1\.1)$
SecFilterSelective REQUEST_METHOD !^(GET|HEAD|POST)$
# host header present
# SecFilterSelective HTTP_Host ^$

So as the line is commented this error shouldn't occur. It means that
HTTP/1.1 is "spoken" but no Host header is sent...

Is this something I have to take care of? Does it mean that people
couldn't open our pages?

markus

From: Michael S. <mi...@go...> - 2005-08-09 22:09:40

I've added a page that explains what each of the rulesets do:

http://www.gotroot.com/tiki-index.php?page=Which+mod_security+rules

Everyone's system is unique, so you may have to adapt some of the rules to
your environment. I would love it if everyone ran with all the rules - if
it's any consolation, I run with all the rules on my servers - so they can
get as much testing as possible in as many real environments as possible as
I can't test for everything.

So, if you can, run with all the rules and lemme know if something breaks,
be it false positives or negatives. If you can't afford any false
positives, then you need to look at the rules, understand them and adapt to
your specific environment.

So selfishly, I'd say "run them all!", but realistically you should only run
with those rules that work for your system, which may require some tweaking,
twisting and groaning over false alarms. In short, nothing is perfect.

With all that said, I do try to make sure the rules have the lowest
probability for a false positive that I can test for (but I'm only human)
and I do run with all these rules on my server, so I never release a rule
I'm not comfortable running on my machines. But, my machines might be
different from yours. :-)

So, if you have the time to monitor them, and can stand a few false
positives, run with all the rules and post any problems you might have with
them so we can fix them, if not, then you will need to understand the rules
and modify them for your system to fit your specific needs. :-)

Oh, also, I run Plesk 7.5.x on some of my machines, so for the most part I
would expect that the rules should work fine with the basic Plesk software,
but keep in mind that your users may upload their own custom apps to your
PSA server and there may be a conflict in the rules. If you do run into a
problem, please let me know and I'll take a look at it to see if the rule(s)
can be modified in general to take that new application into account.

--
Michael T. Shinn KeyID:DAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
ModSecurity WebServer Firewall: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From: Sander H. - O. X. <in...@or...> - 2005-08-09 18:20:16

mod...@go... wrote:
> On Mon, 2005-08-08 at 13:50 -0400, Bill Church wrote:
>> What would be nice is to have, say, IP addresses of certain
>> geographic areas to block.
>
> I think, but I could be mistaken, that there are RBLs for this
> but I'd have to double check if not we could put one
> together. Either way, it's a good idea. If you know your
> customers, then I don't see why you couldn't do this.

There are quite a few tools for this available, though most are
paid-services. There is one hitch though: just because the connection
comes from a certain geographic area, doesn't mean the end-client is
located at that IP. (For instance, if someone is using a service for
anonymity (proxies, ssh/vpn/tunnels, tor, etc)).

A sidenote, but I think there are not too many businesses that can use
this feature (or afford to). Even if you are aiming for a very specific
geographical region, people still travel and may need to contact a
website/service from a remote location.

Kind Regards,
Sander Holthaus

From: Bill C. <bil...@bs...> - 2005-08-05 18:36:09

> -----Original Message-----
> From: Sander Holthaus - Orange XL [mailto:in...@or...]
> Sent: Friday, August 05, 2005 1:48 PM
> To: 'Bill Church'
> Cc: mod...@li...
> Subject: RE: [Modsecurity] Access denied with code 406.
> Pattern match "\|*\x20*\x20*\|" at THE_REQUEST
>
> > To me, this would be spelled out as
> >
> > \| (pipe) * (anything) \x20 (space) * (anything) \x20
> > (space) * (anything) \| (pipe)
>
> Not entirely. It spells:
>
> Zero to infinite (pipe) Zero to infinite (space) Zero to
> infinite (space) (pipe)
>
> Which will match anything with a single pipe in. Therefore it
> also reads as:
>
> SecFilterSelective THE_REQUEST "\|"
>
> Use + instead of *.
>
> Kind regards,
> Sander Holthaus

You're right, that's actually what I meant by that, sorry. In any case I
think that rule is probably too catchy? I'm not sure of its original
intention though, it may be acting as intended which is fine if it is.

-Bill

From: Sander H. - O. X. <in...@or...> - 2005-08-05 17:48:00

mod...@go... wrote:
> I'm getting Access denied with code 406. Pattern match
> "\|*\x20*\x20*\|" at THE_REQUEST
>
> THE_REQUEST is:
>
> GET /billing/admin.php?op=form&db_table=tld_config&tile=tld_config&from=&id=tld_id|1 HTTP/1.1
>
> Now, I see the pipe in there, but I see no spaces which is
> what the rule is searching for:
>
> The rule:
>
> #Generic command line attack filter
> SecFilterSelective THE_REQUEST "\|*\x20*\x20*\|"
>
> To me, this would be spelled out as
>
> \| (pipe) * (anything) \x20 (space) * (anything) \x20
> (space) * (anything) \| (pipe)

Not entirely. It spells:

Zero to infinite (pipe) Zero to infinite (space) Zero to infinite (space)
(pipe)

Which will match anything with a single pipe in. Therefore it also reads as:

SecFilterSelective THE_REQUEST "\|"

Use + instead of *.

Kind regards,
Sander Holthaus

> Am I correct in interpreting this? If so, that would mean
> that there is a bug there because I don't see that in the
> request line (just a single pipe).
> I could just be overlooking something.
>
> -Bill
>
> _______________________________________________
> Modsecurity mailing list
> Mod...@go...
> http://lists.gotroot.com/mailman/listinfo/modsecurity

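The two regex points made in these threads (David's character class `[;|\||#]` versus Michael's `[;\|#]`, and the `\|*\x20*\x20*\|` rule that denied a request containing a single pipe) can be checked offline before a rule goes live. The harness below is an added example, not code from the list or the ModSecurity project; the request lines in it are constructed, two of them from the examples quoted above, and for these simple patterns Python's `re` module behaves like the PCRE engine ModSecurity 1.x uses.

```python
r"""Testing ModSecurity 1.x regex fragments offline with Python's re module.

Added example; not code from the mailing list or the ModSecurity project.
It settles two questions from the threads:

  1. `[;|\||#]` and `[;\|#]` are the same character class, because `|`
     inside [...] is a literal, not an alternation.
  2. With every quantifier at `*`, `\|*\x20*\x20*\|` can match empty on all
     sides of the final `\|`, so it fires on any request containing one
     pipe. With `+` it needs a pipe, at least two spaces, then a pipe.
"""
import re

# Constructed sample THE_REQUEST values (not real traffic). The second and
# third are built from the requests quoted in the threads above.
SAMPLE_REQUESTS = {
    "clean":           "GET /index.php?x=y HTTP/1.1",
    "single_pipe":     "GET /billing/admin.php?op=form&id=tld_id|1 HTTP/1.1",
    "piped_spaces":    "GET /stats.pl?toto=aa bb cc | any_unix_command # dd ee&titi=tata HTTP/1.1",
    "pipe_two_spaces": "GET /cgi-bin/x?q=|  | HTTP/1.1",
}

VERBOSE_CLASS = re.compile(r"[;|\||#]")   # David's original spelling
COMPACT_CLASS = re.compile(r"[;\|#]")     # Michael's suggestion

STAR_RULE = re.compile(r"\|*\x20*\x20*\|")  # the rule that fired on a lone pipe
PLUS_RULE = re.compile(r"\|+\x20+\x20+\|")  # Sander's "use + instead of *"


def class_variants_equivalent(alphabet=";|#abc /\\."):
    """True if both spellings accept exactly the same single characters."""
    return all(
        bool(VERBOSE_CLASS.fullmatch(c)) == bool(COMPACT_CLASS.fullmatch(c))
        for c in alphabet
    )


def star_rule_is_just_a_pipe(requests=SAMPLE_REQUESTS):
    """True if the all-`*` rule fires exactly when the line contains '|'."""
    return all(
        bool(STAR_RULE.search(line)) == ("|" in line) for line in requests.values()
    )


def rule_hits(pattern, requests=SAMPLE_REQUESTS):
    """Names of the sample requests a compiled pattern would match."""
    return sorted(name for name, line in requests.items() if pattern.search(line))


if __name__ == "__main__":
    print("character classes equivalent:", class_variants_equivalent())
    print("star rule == contains pipe:  ", star_rule_is_just_a_pipe())
    print("star rule hits:", rule_hits(STAR_RULE))
    print("plus rule hits:", rule_hits(PLUS_RULE))
```

Running it shows the `*` version hitting every sample that contains a pipe, while the `+` version hits only the line with two consecutive spaces between pipes. Note that neither spelling matches `| any_unix_command |`, a pipe with text before the next pipe, so `+` narrows the rule without making it express what its comment says; a harness like this, run over a corpus of captured benign and suspicious requests, is how that kind of gap is found before deployment rather than from a 406 in production.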
From: Ryan B. <rcb...@gm...> - 2005-08-05 16:02:27

On 8/5/05, Ivan Ristic <iv...@we...> wrote:
> As a reminder, here's what these variables contain:
>
> THE_REQUEST - GET /index.php?x=y
> REQUEST_URI /index.php?x=y
> REQUEST_FILENAME - /var/www/htdocs/index.php
> SCRIPT_FILENAME - /var/www/htdocs/index.php
>

My understanding is that the THE_REQUEST directive also includes the HTTP
version data. For example -

THE_REQUEST - GET /index.php?x=y HTTP/1.1

This is what is documented in Mod_Rewrite for this variable.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

From: Ivan R. <iv...@we...> - 2005-08-05 15:57:47

> As a reminder, here's what these variables contain:
>
> THE_REQUEST - GET /index.php?x=y

Oops, this should actually be something like:

THE_REQUEST - GET /index.php?x=y HTTP/1.0

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Ivan R. <iv...@we...> - 2005-08-05 15:49:56

Sander Holthaus - Orange XL wrote:
> I'm trying to implement some custom rules for mod_security, but I'm slightly
> confused on what the best and most efficient way is to implement rules.
>
> Looking at existent rules, there seems to be no real definitive way to match
> requests. Is there any?

Yes, there can be many solutions to the same problem. In general they can
all be equal, provided they work properly.

> How do the internals work of mod_security in this
> regard? Are all KEYWORDS generated in one pass, or are some keywords
> initiated and filtered before others?

Keywords are "generated" on demand. Rules are processed in the order they
appear in the configuration file.

> An example for the same rule:
>
> # Exploit phpBB Highlighting Code Execution Attempt (v1)
> SecFilterSelective REQUEST_FILENAME "/viewtopic\.php$" chain
> SecFilterSelective ARG_highlight "(\'\.|\x2527\x252E)"
>
> # Exploit phpBB Highlighting Code Execution Attempt (v2)
> SecFilterSelective REQUEST_URI
> "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"
>
> # Exploit phpBB Highlighting Code Execution Attempt (v3)
> SecFilterSelective THE_REQUEST
> "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"

I wouldn't worry too much about it. If you really want you can measure the
performance to see if any of the approaches is faster than the others.

Personally I don't like to use THE_REQUEST much. I prefer REQUEST_URI, or
REQUEST_FILENAME. As a reminder, here's what these variables contain:

THE_REQUEST - GET /index.php?x=y
REQUEST_URI /index.php?x=y
REQUEST_FILENAME - /var/www/htdocs/index.php
SCRIPT_FILENAME - /var/www/htdocs/index.php

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Sander H. - O. X. <in...@or...> - 2005-08-05 15:43:36
Difficult. For me, it would be really on a per application basis, so for instance, a php_phpbb_rules.conf with only rules that address specific phpBB(2) vulnerabilities. And of course, one general php_rules.conf which addresses some broad php-issues. Doing it like that would make rules much easier to manage, and in broader terms, make them more efficient to use. Big downside is, that for people hosting say a 1000 domains on one machine, it won't work, because they cannot always know which applications each of their customers is using. (not to mention that having 100 includes in your httpd.conf is also not a good idea).

A solution would be to make a semi-intelligent script, which can build a ruleset.conf from several smaller files and takes options to include or exclude specific application rulesets. A start would be to split rules up on a language basis, e.g. separate files for php, perl, coldfusion, asp, python, etc, etc.

Kind Regards,
Sander Holthaus

Michael Shinn wrote:
> Also an excellent idea Sander. Any particular way(s) you
> would like to see them broken out?
>
> On Fri, 2005-08-05 at 04:01 +0200, Sander Holthaus - Orange XL wrote:
>> I would like to see the rule-sets broken down to application specific
>> rulesets and a few general rulesets. Currently, some of the rulesets
>> are way too big and because of this, a lot of double entries exist.
>>
>> There are a few scripts which do something similar for downloading
>> custom SpamAssassin rulesets.
>>
>> Kind Regards,
>> Sander Holthaus
>>
>> ______________________________________________________________
>> From: mod...@go... [mailto:mod...@go...] On Behalf Of David Pinard
>> Sent: Friday, August 05, 2005 3:42 AM
>> To: mod...@go...
>> Subject: Fwd: [Modsecurity] Soliciting Feature Requests
>>
>> > So, just in case everyone is not aware of this, please don't be afraid
>> > to solicit feature requests from me, for either the rules or modsecurity
>> > itself. I'm always happy to add something new to either and ultimately
>> > the best ideas come from you guys! :-)
>>
>> It would be nice to have a way to automatically exclude rules
>> that are unneeded or too restrictive. At the simplest level,
>> a unique rule id# as the first part of the comment would
>> allow a script to be written to remark out the corresponding
>> rule in the appropriate config file. Each config file could
>> have its own range of rule id's. I was thinking of writing
>> a script to try and do this off of the existing files,
>> however one simple change to the rule or comment would
>> render this useless. Ideally I could automate the entire
>> process to pull updates via a cron job and not have to worry
>> about breaking sites. If a new rule is introduced that is
>> incompatible, you'd just need to put its ID# in the exclude
>> file and rerun the script.
>>
>> Has anyone already done anything like this? Or is there a
>> better way to accomplish the same thing?
>>
>> Thanks! -Dave
>>
>> --
>> Support our Education reform efforts at:
>> www.dumpcms.com
>> savecmskids.blogspot.com
>> _______________________________________________
>> Modsecurity mailing list
>> Mod...@go...
>> http://lists.gotroot.com/mailman/listinfo/modsecurity
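A script of the kind Dave asks for in the message above, as an added example (not code from the thread or from the rule sets it discusses). It assumes a hypothetical convention in which every rule is preceded by a comment whose first token is a bracketed id such as "# [1001] ...", and comments out the rule lines, chained continuations included, for every id listed in an exclude file; load_excludes, exclude_rules and the sample ruleset are the example's own.

```python
"""Comment out ModSecurity rules by id from an exclude list.  Added example,
not code from the thread or the rule sets it discusses.  Assumed (hypothetical)
convention: every rule is preceded by a comment whose first token is a
bracketed id, e.g. "# [1001] ...", and a rule line ending in "chain"
continues on the following line(s)."""
import re

ID_COMMENT = re.compile(r"^#\s*\[(\d+)\]")    # hypothetical id-comment format

def load_excludes(text):
    """Parse an exclude file: one id per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids

def exclude_rules(ruleset, excluded):
    """Return `ruleset` with the rule lines of every id in `excluded` commented out.

    The id comment itself stays untouched so the rule can be found again on
    the next run, which keeps the script re-runnable after a rule update."""
    out, disable = [], False
    for line in ruleset.splitlines():
        m = ID_COMMENT.match(line)
        if m:                                  # a new rule starts: decide its fate
            disable = m.group(1) in excluded
            out.append(line)
            continue
        if line.lstrip().startswith("SecFilter"):
            out.append("# " + line if disable else line)
            if not line.rstrip().endswith("chain"):
                disable = False                # rule complete; stop disabling
            continue
        out.append(line)                       # blanks, other comments, other directives
    return "\n".join(out) + ("\n" if ruleset.endswith("\n") else "")

# Constructed sample ruleset in the assumed format (the first rule is the
# chained phpBB rule that appears elsewhere on this page, the second is made up).
SAMPLE_RULESET = """\
# [1001] Exploit phpBB Highlighting Code Execution Attempt
SecFilterSelective REQUEST_FILENAME "/viewtopic\\.php$" chain
SecFilterSelective ARG_highlight "(\\'\\.|\\x2527\\x252E)"
# [1002] Generic: reject obvious directory traversal in the URI
SecFilterSelective REQUEST_URI "\\.\\./"
"""

if __name__ == "__main__":
    print(exclude_rules(SAMPLE_RULESET, load_excludes("1001  # too noisy for this host\n")))
```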
From: Sander H. - O. X. <in...@or...> - 2005-08-05 14:11:32
I'm trying to implement some custom rules for mod_security, but I'm slightly confused on what the best and most efficient way is to implement rules. Looking at existing rules, there seems to be no real definitive way to match requests. Is there any? How do the internals of mod_security work in this regard? Are all KEYWORDS generated in one pass, or are some keywords initiated and filtered before others?

An example for the same rule:

# Exploit phpBB Highlighting Code Execution Attempt (v1)
SecFilterSelective REQUEST_FILENAME "/viewtopic\.php$" chain
SecFilterSelective ARG_highlight "(\'\.|\x2527\x252E)"

# Exploit phpBB Highlighting Code Execution Attempt (v2)
SecFilterSelective REQUEST_URI "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"

# Exploit phpBB Highlighting Code Execution Attempt (v3)
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"

Kind Regards,
Sander Holthaus - Orange XL
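One way to see where the three variants in the message above differ, as an added example that is not code from the thread or from ModSecurity: a small harness that builds the variables each rule reads from constructed requests and runs the three patterns over them. It assumes ModSecurity 1.x style normalisation (a single URL-decode pass over each variable before matching) and that POST bodies are scanned; variables, evaluate and the sample requests are the example's own.

```python
"""Run the three phpBB "highlight" rule variants from the message above over
constructed requests.  Added example, not code from the list or ModSecurity.
Assumed simplifications: ModSecurity 1.x style normalisation, i.e. one
URL-decode pass over every variable before matching, and POST scanning on,
so ARG_highlight is also fed from a POST body."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SIG = r"(\'\.|\x2527\x252E)"          # shared signature: '. or %27%2E (once decoded)
URI_RE = re.compile(r"/viewtopic\.php\?.*highlight=" + SIG)   # v2 / v3 pattern
FILE_RE = re.compile(r"/viewtopic\.php$")                      # v1 first link

def variables(request_line, body=""):
    """THE_REQUEST, REQUEST_URI, REQUEST_FILENAME and ARGS for one request."""
    method, uri, _proto = request_line.split(" ", 2)
    parts = urlsplit(uri)
    args = {k: v[0] for k, v in parse_qs(parts.query).items()}   # decodes once
    if method == "POST" and body:
        args.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"THE_REQUEST": unquote(request_line), "REQUEST_URI": unquote(uri),
            "REQUEST_FILENAME": unquote(parts.path), "ARGS": args}

def v1(v):   # chained: filename test AND the one named argument
    return (FILE_RE.search(v["REQUEST_FILENAME"]) is not None
            and re.search(SIG, v["ARGS"].get("highlight", "")) is not None)

def v2(v):   # one regex over path plus query string
    return URI_RE.search(v["REQUEST_URI"]) is not None

def v3(v):   # the same regex over the whole request line
    return URI_RE.search(v["THE_REQUEST"]) is not None

def evaluate(request_line, body=""):
    """Which of the three variants fire on this request."""
    v = variables(request_line, body)
    return {"v1": v1(v), "v2": v2(v), "v3": v3(v)}

# Constructed requests: signature in a GET query, the same double-encoded,
# in a POST body, under a different parameter name, and a benign request.
CASES = [
    ("GET /viewtopic.php?t=5&highlight=%27%2E HTTP/1.0", ""),
    ("GET /viewtopic.php?t=5&highlight=%2527%252E HTTP/1.0", ""),
    ("POST /viewtopic.php HTTP/1.0", "highlight=%27%2E"),
    ("GET /viewtopic.php?nothighlight=%27%2E HTTP/1.0", ""),
    ("GET /viewtopic.php?t=5&highlight=apache HTTP/1.0", ""),
]
if __name__ == "__main__":
    for line, body in CASES:
        print(evaluate(line, body), line, body)
```

The POST and the mis-named parameter are where they part ways: only the chained ARG_highlight rule sees a body argument, while only the URI and request-line regexes fire on "nothighlight=", because ".*highlight=" does not anchor the parameter name.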
From: Tom A. <tan...@oa...> - 2005-08-03 14:43:27
----- Original Message -----
From: "Ivan Ristic" <iv...@we...>
To: "Wally" <car...@gm...>

> You don't need/want mod_security for that. Tail the access log from
> a script, extract the IP addresses that are attacking you, and
> use blacklist (http://www.apachesecurity.net/tools/) to deny access
> to them on the firewall.

You can also look them up in surbl.org or spamhaus.org blacklists to deny access, as some of those IPs were listed there.

Tom
From: Ivan R. <iv...@we...> - 2005-08-03 09:09:00
Alex wrote:
> Hello,
>
> we're using Plesk 7.5 for Unix on Fedora Core2 Server, and my question is:
>
> Which rules are preferred for us:
>
> Application protection rules
> UserAgent rules
> Comment spam rules
> RootKit/Owned boxes blacklist
> Proxy scan rules
> Additional Apache 2.x rules
>
> Must we take all of them into the httpd.conf?

There is no such thing as the "right set". The answer is different for each Apache installation. If you don't have the time to look into the rules, understand them, monitor their effectiveness and customise them for your needs - you are much better off not running mod_security.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Ivan R. <iv...@we...> - 2005-08-03 09:03:07
Wally wrote:
> Hey guys, I need to know how to block this one call in mod_security.
> Here is the error_log with the errors that I want to stop happening.
> The problem is that these errors take up the bandwidth, so I need to
> know how to stop apache handling them.
>
>
> /usr/local/apache/logs]# tail -f access_log
> 211.229.230.115 - - [02/Aug/2005:01:21:21 -0400]
> "6bNLilgBIbuJkWI3pww0QhnhnM" 501 -

You don't need/want mod_security for that. Tail the access log from
a script, extract the IP addresses that are attacking you, and
use blacklist (http://www.apachesecurity.net/tools/) to deny access
to them on the firewall.

> 60.214.223.1 - - [02/Aug/2005:01:21:34 -0400] "-" 408 -

BTW, these are not necessarily attacks. They could be, but only if they are coming in large numbers.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
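The log-side half of the advice above (tail the access log, pull out the IPs that keep sending junk, only treat them as attackers when they come in numbers), as an added example that is not code from the thread or from the blacklist tool. The log lines are constructed, shaped like the two quoted in the message, and parse_line, count_noise and offenders are the example's own; what to do with the resulting list is left to the firewall tool.

```python
"""Find client IPs that hammer Apache with bad requests.  Added example, not
code from the thread or from the blacklist tool.  The sample log is
constructed, modelled on the two lines quoted in the message (IPs from
TEST-NET-1), and only the log-side step is shown: which IPs clear a
threshold of noise entries, so a single stray 408 does not get anyone blocked."""
import re
from collections import Counter

# Common Log Format: client IP, identity, user, [timestamp], "request", status, bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+)')

# Status codes the message treats as noise: 501 (garbage request line the
# server cannot implement) and 408 (client opened a connection and went quiet).
NOISE_STATUSES = {"501", "408"}

def parse_line(line):
    """Return (ip, request, status) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)

def count_noise(lines, statuses=NOISE_STATUSES):
    """Count, per client IP, how many lines ended in one of `statuses`."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in statuses:
            counts[parsed[0]] += 1
    return counts

def offenders(lines, threshold):
    """IPs with at least `threshold` noise hits: the 'large numbers' test."""
    return sorted(ip for ip, n in count_noise(lines).items() if n >= threshold)

# Constructed sample log (the first request string is the one quoted above).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2005:01:21:21 -0400] "6bNLilgBIbuJkWI3pww0QhnhnM" 501 -',
    '192.0.2.10 - - [02/Aug/2005:01:21:22 -0400] "Zm9vYmFyYmF6cXV4" 501 -',
    '192.0.2.10 - - [02/Aug/2005:01:21:23 -0400] "-" 408 -',
    '192.0.2.20 - - [02/Aug/2005:01:21:34 -0400] "-" 408 -',
    '192.0.2.30 - - [02/Aug/2005:01:21:40 -0400] "GET / HTTP/1.0" 200 1432',
    'this line is not in common log format',
]

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, threshold=3))
```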