mod-security-users Mailing List for ModSecurity (Page 9)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users — General discussion about mod_security
You can subscribe to this list here.
| 2003 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
(17) |
Aug
(7) |
Sep
(8) |
Oct
(11) |
Nov
(14) |
Dec
(19) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(46) |
Feb
(14) |
Mar
(20) |
Apr
(48) |
May
(15) |
Jun
(20) |
Jul
(36) |
Aug
(24) |
Sep
(31) |
Oct
(28) |
Nov
(23) |
Dec
(12) |
| 2005 |
Jan
(69) |
Feb
(61) |
Mar
(82) |
Apr
(53) |
May
(26) |
Jun
(71) |
Jul
(27) |
Aug
(52) |
Sep
(28) |
Oct
(49) |
Nov
(104) |
Dec
(74) |
| 2006 |
Jan
(61) |
Feb
(148) |
Mar
(82) |
Apr
(139) |
May
(65) |
Jun
(116) |
Jul
(92) |
Aug
(101) |
Sep
(84) |
Oct
(103) |
Nov
(174) |
Dec
(102) |
| 2007 |
Jan
(166) |
Feb
(161) |
Mar
(181) |
Apr
(152) |
May
(192) |
Jun
(250) |
Jul
(127) |
Aug
(165) |
Sep
(97) |
Oct
(135) |
Nov
(206) |
Dec
(56) |
| 2008 |
Jan
(160) |
Feb
(135) |
Mar
(98) |
Apr
(89) |
May
(115) |
Jun
(95) |
Jul
(188) |
Aug
(167) |
Sep
(153) |
Oct
(84) |
Nov
(82) |
Dec
(85) |
| 2009 |
Jan
(139) |
Feb
(133) |
Mar
(128) |
Apr
(105) |
May
(135) |
Jun
(79) |
Jul
(92) |
Aug
(134) |
Sep
(73) |
Oct
(112) |
Nov
(159) |
Dec
(80) |
| 2010 |
Jan
(100) |
Feb
(116) |
Mar
(130) |
Apr
(59) |
May
(88) |
Jun
(59) |
Jul
(69) |
Aug
(67) |
Sep
(82) |
Oct
(76) |
Nov
(59) |
Dec
(34) |
| 2011 |
Jan
(84) |
Feb
(74) |
Mar
(81) |
Apr
(94) |
May
(188) |
Jun
(72) |
Jul
(118) |
Aug
(109) |
Sep
(111) |
Oct
(80) |
Nov
(51) |
Dec
(44) |
| 2012 |
Jan
(80) |
Feb
(123) |
Mar
(46) |
Apr
(12) |
May
(40) |
Jun
(62) |
Jul
(95) |
Aug
(66) |
Sep
(65) |
Oct
(53) |
Nov
(42) |
Dec
(60) |
| 2013 |
Jan
(96) |
Feb
(96) |
Mar
(108) |
Apr
(72) |
May
(115) |
Jun
(111) |
Jul
(114) |
Aug
(87) |
Sep
(93) |
Oct
(97) |
Nov
(104) |
Dec
(82) |
| 2014 |
Jan
(96) |
Feb
(77) |
Mar
(71) |
Apr
(40) |
May
(48) |
Jun
(78) |
Jul
(54) |
Aug
(44) |
Sep
(58) |
Oct
(79) |
Nov
(51) |
Dec
(52) |
| 2015 |
Jan
(55) |
Feb
(59) |
Mar
(48) |
Apr
(40) |
May
(45) |
Jun
(63) |
Jul
(36) |
Aug
(49) |
Sep
(35) |
Oct
(58) |
Nov
(21) |
Dec
(47) |
| 2016 |
Jan
(35) |
Feb
(81) |
Mar
(43) |
Apr
(41) |
May
(77) |
Jun
(52) |
Jul
(39) |
Aug
(34) |
Sep
(107) |
Oct
(67) |
Nov
(54) |
Dec
(20) |
| 2017 |
Jan
(99) |
Feb
(37) |
Mar
(86) |
Apr
(47) |
May
(57) |
Jun
(55) |
Jul
(34) |
Aug
(31) |
Sep
(16) |
Oct
(49) |
Nov
(53) |
Dec
(33) |
| 2018 |
Jan
(25) |
Feb
(11) |
Mar
(79) |
Apr
(77) |
May
(5) |
Jun
(19) |
Jul
(17) |
Aug
(7) |
Sep
(13) |
Oct
(22) |
Nov
(13) |
Dec
(68) |
| 2019 |
Jan
(44) |
Feb
(17) |
Mar
(40) |
Apr
(39) |
May
(18) |
Jun
(14) |
Jul
(20) |
Aug
(31) |
Sep
(11) |
Oct
(35) |
Nov
(3) |
Dec
(10) |
| 2020 |
Jan
(32) |
Feb
(16) |
Mar
(10) |
Apr
(22) |
May
(2) |
Jun
(34) |
Jul
(1) |
Aug
(8) |
Sep
(36) |
Oct
(16) |
Nov
(13) |
Dec
(10) |
| 2021 |
Jan
(16) |
Feb
(23) |
Mar
(45) |
Apr
(28) |
May
(6) |
Jun
(17) |
Jul
(8) |
Aug
(1) |
Sep
(2) |
Oct
(35) |
Nov
|
Dec
(5) |
| 2022 |
Jan
|
Feb
(17) |
Mar
(23) |
Apr
(23) |
May
(9) |
Jun
(8) |
Jul
|
Aug
|
Sep
(7) |
Oct
(5) |
Nov
(16) |
Dec
(4) |
| 2023 |
Jan
|
Feb
|
Mar
(3) |
Apr
|
May
(1) |
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
|
Dec
|
| 2024 |
Jan
(7) |
Feb
(13) |
Mar
(18) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(5) |
Dec
(3) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
(12) |
May
(12) |
Jun
(2) |
Jul
(3) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Andrew H. <and...@lo...> - 2022-02-16 18:05:32
|
Hi Jamie, That works for me: > GET /foo HTTP/1.1 > Host: example.com > User-Agent: curl/7.81.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 429 Too Many Requests < Date: Wed, 16 Feb 2022 16:52:32 GMT < Server: Apache < Retry-After: 10 < Content-Length: 227 < Content-Type: text/html; charset=iso-8859-1 Is your Apache config loading mod_headers? E.g.: LoadModule headers_module lib/httpd/mod_headers.so It's not a "core" Apache module, so it may not be compiled by default. For what it's worth, in my opinion, ModSecurity is really, really not a good place to do any kind of rate limiting. Especially on Apache: the underlying persistent collection mechanism is ridiculously flakey and will break your heart (and eat your RAM). The implementation of 'deprecatevar' is particularly "interesting". (Can you tell I've been burnt by all this before? :) ) I've had much more success putting HAProxy in front of Apache and using its stick tables to take care of rate limiting. I've also heard good things about using the Apache mod_qos module, although I've never tried it myself. You can also do some clever things using iptables and tc. Thanks, Andrew -- Andrew Howe Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 |
|
From: Jamie B. <ja...@ib...> - 2022-02-15 15:35:41
|
Hi
I’m using the following to rate limit request:
<LocationMatch "^/foo">
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:100
SecAction "phase:5,deprecatevar:ip.hitcounter=1/10,pass,nolog,id:102"
SecRule IP:HITCOUNTER "@gt 60"
"phase:2,pause:300,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:103"
SecAction "phase:2,pass,setvar:ip.hitcounter=+1,nolog,id:104"
Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>
The limiting is working as expected, with a 429 response code when reached
but there is no Retry-After header shown in the response. Can anyone help
me to figure out why?
Thanks
Jamie
|
|
From: Christian F. <chr...@ne...> - 2021-12-24 13:22:37
|
I remember that discussion now, thanks. I am not sure if the developers are actively following the mailing list. So it's probably best to ask this question on github. Best, Christian On Fri, Dec 24, 2021 at 12:53:47PM +0000, Srikanth Arunachalam via mod-security-users wrote: > Hi Christian, > > Thanks for getting back to me so quickly. Yes, SecArgumentsLimit is a > Modsec keyword in V3. > This allows to restrict the rule apply to quantity specified in > SecArgumentsLimit. > > We had some performance considerations in the past, when, json payload has > high depth cardinality of list. > Rule id 942460 (Metacharacter search on non-alphanumberic characters \W) > spends lot of time. > > There has also been some discussions on this SecArgumentsLimit on > https://github.com/SpiderLabs/ModSecurity/pull/2234 > > This woks fantastic for JSON based payload. To be more precise, including a > value of SecArgumentsLimit allows to process partial set of payload, rather > than the whole file. > > We couldnt apply the same for the XML payload is the concern I have raised > in this forum. > > Kind Regards > Srikanth Arunachalam > > On Thu, Dec 23, 2021 at 11:01 PM Christian Folini < > chr...@ne...> wrote: > > > Hey Srikanth, > > > > I'm not familia with SecArgumentsLimit. Is it a v3 directive? > > > > What do you want it to do exactly with your XML payload? > > > > Best, > > > > Christian Folini > > > > On Thu, Dec 23, 2021 at 04:43:56PM +0000, Srikanth Arunachalam via > > mod-security-users wrote: > > > Hi > > > > > > We have a not very large XML payload (3mb) with tags including > > > multiple entries separated with comma. > > > > > > When I remove the comma separation the WAF process takes about 14sec > > to > > > complete. > > > When I include the comma separation lists in XML tag, it complex in 29 > > > seconds. > > > > > > Had this been a json payload, I would have used SecArgumentsLimit. It has > > > not been effective in XML. > > > > > > Any sooner suggestion/response would be appreciated. > > > > > > Kind Regards > > > Srikanth Arunachalam > > > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Srikanth A. <sri...@go...> - 2021-12-24 13:01:08
|
Hi Christian, Thanks for getting back to me so quickly. Yes, SecArgumentsLimit is a Modsec keyword in V3. This allows to restrict the rule apply to quantity specified in SecArgumentsLimit. We had some performance considerations in the past, when, json payload has high depth cardinality of list. Rule id 942460 (Metacharacter search on non-alphanumberic characters \W) spends lot of time. There has also been some discussions on this SecArgumentsLimit on https://github.com/SpiderLabs/ModSecurity/pull/2234 This woks fantastic for JSON based payload. To be more precise, including a value of SecArgumentsLimit allows to process partial set of payload, rather than the whole file. We couldnt apply the same for the XML payload is the concern I have raised in this forum. Kind Regards Srikanth Arunachalam On Thu, Dec 23, 2021 at 11:01 PM Christian Folini < chr...@ne...> wrote: > Hey Srikanth, > > I'm not familia with SecArgumentsLimit. Is it a v3 directive? > > What do you want it to do exactly with your XML payload? > > Best, > > Christian Folini > > On Thu, Dec 23, 2021 at 04:43:56PM +0000, Srikanth Arunachalam via > mod-security-users wrote: > > Hi > > > > We have a not very large XML payload (3mb) with tags including > > multiple entries separated with comma. > > > > When I remove the comma separation the WAF process takes about 14sec > to > > complete. > > When I include the comma separation lists in XML tag, it complex in 29 > > seconds. > > > > Had this been a json payload, I would have used SecArgumentsLimit. It has > > not been effective in XML. > > > > Any sooner suggestion/response would be appreciated. > > > > Kind Regards > > Srikanth Arunachalam > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Christian F. <chr...@ne...> - 2021-12-23 22:58:03
|
Hey Srikanth, I'm not familia with SecArgumentsLimit. Is it a v3 directive? What do you want it to do exactly with your XML payload? Best, Christian Folini On Thu, Dec 23, 2021 at 04:43:56PM +0000, Srikanth Arunachalam via mod-security-users wrote: > Hi > > We have a not very large XML payload (3mb) with tags including > multiple entries separated with comma. > > When I remove the comma separation the WAF process takes about 14sec to > complete. > When I include the comma separation lists in XML tag, it complex in 29 > seconds. > > Had this been a json payload, I would have used SecArgumentsLimit. It has > not been effective in XML. > > Any sooner suggestion/response would be appreciated. > > Kind Regards > Srikanth Arunachalam > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Srikanth A. <sri...@go...> - 2021-12-23 16:51:51
|
Hi
We have a not very large XML payload (3mb) with tags including
multiple entries separated with comma.
When I remove the comma separation the WAF process takes about 14sec to
complete.
When I include the comma separation lists in XML tag, it complex in 29
seconds.
Had this been a json payload, I would have used SecArgumentsLimit. It has
not been effective in XML.
Any sooner suggestion/response would be appreciated.
Kind Regards
Srikanth Arunachalam
|
|
From: Christian F. <chr...@ne...> - 2021-12-22 13:30:00
|
Dear all, CRS has published a blog post about ModSecurity. In this article we lay down our position with regards to Trustwave pulling out of ModSecurity on the mid term and we introduce Coraza WAF as a new multipurpose open source WAF engine. https://coreruleset.org/20211222/talking-about-modsecurity-and-the-new-coraza-waf/ Please help us spread the word on twitter: https://twitter.com/CoreRuleSet/status/1473642801736949768 Have questions? Please ask them here! Happy holidays - and a calm and normal 2022! Christian -- I would rather have a mind opened by wonder than one closed by belief. -- Gerry Spence |
|
From: Quinn C. <qu...@st...> - 2021-10-31 23:04:04
|
On 31 Oct 2021 13:39:57, Reindl Harald wrote:
> <LocationMatch "(.*)\/editor\/plugins\/preview\.php$">
I like this solution too.
Also, if your editors are connecting from a fixed location or use a VPN, you can turn off SecRequestBodyAccess for a specific IP address either by using:
<If "-R '111.222.333.444'">
SecRequestBodyAccess Off
</If>
or:
SecRule REMOTE_ADDR "^111.222.333.444" "phase:1,nolog,allow,ctl:responseBodyAccess=Off,id:1001"
Regards,
Quinn
|
|
From: Christian F. <chr...@ne...> - 2021-10-31 20:57:00
|
Hey Harald, On Sun, Oct 31, 2021 at 03:35:35PM +0100, Reindl Harald wrote: > it's not completly disabled > SecRequestBodyAccess versus SecRuleEngine! > > phase:1 and all the header stuff is still active > > SecRequestBodyAccess: > Configures whether request bodies will be buffered and processed by > ModSecurity by default. That's decent enough. Watch our for next CRS release where more rules will happen in phase 1. Cheers, Christian > > > ______________________________________________________________ > > > Od: "Reindl Harald" <h.r...@th...> > > > Komu: mod...@li... > > > Datum: 31.10.2021 13:41 > > > Předmět: Re: [mod-security-users] Recommended rule exclusions for > > WYSIWYG editor editing > > > > > > > Am 31.10.21 um 13:34 schrieb Filip Bartmann: > > > I'm discovering mod_security with core rule set as very usefull, but > > I'm going in to trouble with editing HTML via admin part of my CMS > > including file uploads other parts works well. > > > > > > Is there any recomendations for minimal rule exlusions for allowing > > this, but with as many as possible rules enabled. In editing html in > > forms I get many detections in this as XSS attacks or so on. > > > > you started that topic already afew weeks ago > > > > there is nothing like post HTML and enable as much as possible rules at > > the same time - you will have a fulltimejob adding more and more rules > > to exceptions and a minimal WYSIWG change can hit another rule tomorrow > > > > forget it, been there, done that many years ago - it's not worth > > > > <IfModule mod_security2.c> > > <LocationMatch "(.*)\/editor\/plugins\/preview\.php$"> > > SecRequestBodyAccess Off > > </LocationMatch> > > </IfModule> > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Reindl H. <h.r...@th...> - 2021-10-31 14:41:48
|
Am 31.10.21 um 13:57 schrieb Filip Bartmann: > Hello thanks, > > so I do this, I thought, that core rule set can be enabled even if i > want to POST HTML content. it's not completly disabled SecRequestBodyAccess versus SecRuleEngine! phase:1 and all the header stuff is still active SecRequestBodyAccess: Configures whether request bodies will be buffered and processed by ModSecurity by default. > ______________________________________________________________ > > Od: "Reindl Harald" <h.r...@th...> > > Komu: mod...@li... > > Datum: 31.10.2021 13:41 > > Předmět: Re: [mod-security-users] Recommended rule exclusions for > WYSIWYG editor editing > > > > Am 31.10.21 um 13:34 schrieb Filip Bartmann: > > I'm discovering mod_security with core rule set as very usefull, but > I'm going in to trouble with editing HTML via admin part of my CMS > including file uploads other parts works well. > > > > Is there any recomendations for minimal rule exlusions for allowing > this, but with as many as possible rules enabled. In editing html in > forms I get many detections in this as XSS attacks or so on. > > you started that topic already afew weeks ago > > there is nothing like post HTML and enable as much as possible rules at > the same time - you will have a fulltimejob adding more and more rules > to exceptions and a minimal WYSIWG change can hit another rule tomorrow > > forget it, been there, done that many years ago - it's not worth > > <IfModule mod_security2.c> > <LocationMatch "(.*)\/editor\/plugins\/preview\.php$"> > SecRequestBodyAccess Off > </LocationMatch> > </IfModule> |
|
From: Christian F. <chr...@ne...> - 2021-10-31 14:11:00
|
Hey Filip, I do not want to disturb Harald's dark outlook with an overly optimistic perspective, but CRS has come a long way since the old days and free form textareas generally work. However, if you insist on posting HTML content, then it's best to enable CRS, but disable all XSS rules by tag on this very field. Other than that check out the rule exclusion packages, maybe they can help. (part of CRS). Cheers, Christian On Sun, Oct 31, 2021 at 01:57:16PM +0100, Filip Bartmann wrote: > Hello thanks, > so I do this, I thought, that core rule set can be enabled even if i want to POST HTML content. > > With best regards, > Filip Bartmann > > ______________________________________________________________ > > Od: "Reindl Harald" <h.r...@th...> > > Komu: mod...@li... > > Datum: 31.10.2021 13:41 > > Předmět: Re: [mod-security-users] Recommended rule exclusions for WYSIWYG editor editing > > > > > Am 31.10.21 um 13:34 schrieb Filip Bartmann: > > I'm discovering mod_security with core rule set as very usefull, but I'm going in to trouble with editing HTML via admin part of my CMS including file uploads other parts works well. > > > Is there any recomendations for minimal rule exlusions for allowing > this, but with as many as possible rules enabled. In editing html in forms I > get many detections in this as XSS attacks or so on. > > you started that topic already afew weeks ago > > there is nothing like post HTML and enable as much as possible rules at the > same time - you will have a fulltimejob adding more and more rules to > exceptions and a minimal WYSIWG change can hit another rule tomorrow > > forget it, been there, done that many years ago - it's not worth > > <IfModule mod_security2.c> > <LocationMatch "(.*)\/editor\/plugins\/preview\.php$"> > SecRequestBodyAccess Off > </LocationMatch> > </IfModule> > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users <https://lists.sourceforge.net/lists/listinfo/mod-security-users> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ <http://www.modsecurity.org/projects/commercial/rules/> > http://www.modsecurity.org/projects/commercial/support/ <http://www.modsecurity.org/projects/commercial/support/> > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Filip B. <fi...@ce...> - 2021-10-31 13:01:30
|
Hello thanks, so I do this, I thought, that core rule set can be enabled even if i want to POST HTML content. With best regards, Filip Bartmann ______________________________________________________________ > Od: "Reindl Harald" <h.r...@th...> > Komu: mod...@li... > Datum: 31.10.2021 13:41 > Předmět: Re: [mod-security-users] Recommended rule exclusions for WYSIWYG editor editing > Am 31.10.21 um 13:34 schrieb Filip Bartmann: > I'm discovering mod_security with core rule set as very usefull, but I'm going in to trouble with editing HTML via admin part of my CMS including file uploads other parts works well. > > Is there any recomendations for minimal rule exlusions for allowing this, but with as many as possible rules enabled. In editing html in forms I get many detections in this as XSS attacks or so on. you started that topic already afew weeks ago there is nothing like post HTML and enable as much as possible rules at the same time - you will have a fulltimejob adding more and more rules to exceptions and a minimal WYSIWG change can hit another rule tomorrow forget it, been there, done that many years ago - it's not worth <IfModule mod_security2.c> <LocationMatch "(.*)\/editor\/plugins\/preview\.php$"> SecRequestBodyAccess Off </LocationMatch> </IfModule> _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users <https://lists.sourceforge.net/lists/listinfo/mod-security-users> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ <http://www.modsecurity.org/projects/commercial/rules/> http://www.modsecurity.org/projects/commercial/support/ <http://www.modsecurity.org/projects/commercial/support/> |
|
From: Reindl H. <h.r...@th...> - 2021-10-31 12:40:17
|
Am 31.10.21 um 13:34 schrieb Filip Bartmann: > I'm discovering mod_security with core rule set as very usefull, but I'm going in to trouble with editing HTML via admin part of my CMS including file uploads other parts works well. > > Is there any recomendations for minimal rule exlusions for allowing this, but with as many as possible rules enabled. In editing html in forms I get many detections in this as XSS attacks or so on. you started that topic already afew weeks ago there is nothing like post HTML and enable as much as possible rules at the same time - you will have a fulltimejob adding more and more rules to exceptions and a minimal WYSIWG change can hit another rule tomorrow forget it, been there, done that many years ago - it's not worth <IfModule mod_security2.c> <LocationMatch "(.*)\/editor\/plugins\/preview\.php$"> SecRequestBodyAccess Off </LocationMatch> </IfModule> |
|
From: Filip B. <fi...@ce...> - 2021-10-31 12:35:02
|
Hello, I'm discovering mod_security with core rule set as very usefull, but I'm going in to trouble with editing HTML via admin part of my CMS including file uploads other parts works well. Is there any recomendations for minimal rule exlusions for allowing this, but with as many as possible rules enabled. In editing html in forms I get many detections in this as XSS attacks or so on. Thanks, Filip Bartmann |
|
From: Quinn C. <qu...@st...> - 2021-10-29 18:19:02
|
Thanks Andrew! On 29 Oct 2021 11:12:35, Andrew Howe wrote: > Hello Quinn, > > The syntax for *using* variables is subtly different to the syntax for > *defining* variables, e.g. > setvar:tx.my_thing > versus > SecRule TX:my_thing > > At least in the Core Rule Set project, we try to emphasise this > difference by using upper-case letters for the collection (e.g. TX) > when *using* a variable and lower-case letters (e.g. tx) when > *defining* a variable. In addition, lower-case letters are used for > variables in both cases. (See: > https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#variable-naming-conventions). > > It looks like the example from the ModSecurity Reference Manual you > mentioned also changes the case of the variable name, for even more > emphasis. > > Hopefully that answers your question. > > Thanks, > Andrew > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Andrew H. <rub...@gm...> - 2021-10-29 09:12:58
|
Hello Quinn,
The syntax for *using* variables is subtly different to the syntax for
*defining* variables, e.g.
setvar:tx.my_thing
versus
SecRule TX:my_thing
At least in the Core Rule Set project, we try to emphasise this
difference by using upper-case letters for the collection (e.g. TX)
when *using* a variable and lower-case letters (e.g. tx) when
*defining* a variable. In addition, lower-case letters are used for
variables in both cases. (See:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#variable-naming-conventions).
It looks like the example from the ModSecurity Reference Manual you
mentioned also changes the case of the variable name, for even more
emphasis.
Hopefully that answers your question.
Thanks,
Andrew
|
|
From: Quinn C. <qu...@st...> - 2021-10-28 21:34:08
|
Hello all,
Under the `drop` section in the v2.x reference manual [1], there is this example:
SecAction phase:1,id:109,initcol:ip=%{REMOTE_ADDR},nolog
SecRule ARGS:login "!^$" "nolog,phase:1,id:110,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=25/120"
SecRule IP:AUTH_ATTEMPT "@gt 25" "log,drop,phase:1,id:111,msg:'Possible Brute Force Attack'"
I notice that `ip.auth_attempt` is all lowercase, while `IP:AUTH_ATTEMPT` is all uppercase. Is this the required format? I find it confusing if a variable is lowercase in one location but uppercase in another, so I'm hoping the above example is an error and it would be better to standard the case of variables as they are used in rules?
I couldn't find anywhere in the manual where it is suggested that SecRule variables should be uppercase while SecRule and SecAction actions use lowercase variables. In fact, there is an example under the description of SecAction [2], where an uppercase variable is initialized as `initcol:RESOURCE=…`, and I've seen other examples on the web where lowercase variable names are used as SecRule variables.
Just trying to make sense of this.
Thanks!
Quinn
[1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#drop
[2] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secaction
|
|
From: Walter H. <mo...@sp...> - 2021-10-27 12:29:32
|
Hi Filip, This error can happen if ModSecurity’s regular expression engine (PCRE) is doing more work than the allowed limit. ModSecurity then stops running the rule. It could be that somebody sent a really complex or large request to your machine (if the error happened in a request rule). Or perhaps, your page or response returned was really large (if the error happened in a response rule). The reason for this limit is to prevent a DoS on your server by sending malicious payloads (or eliciting complex responses) that stress the regular expression engine and eat up all your CPU time. So it is smart to keep a limit on the regex work. But often you will need to raise the PCRE limits to a level that the errors are gone or almost gone. You can define ModSecurity’s PCRE limits in your mod_security2.conf with the commands SecPcreMatchLimit and SecPcreMatchLimitRecursion. For instance, you could set them as follows: SecPcreMatchLimit 100000 SecPcreMatchLimitRecursion 100000 I personally have not needed to set them any higher than 100000. But I know that some use higher values, such as 200000 or 250000. These numbers are passed by ModSecurity to the PCRE library. For in-depth information about how it uses these numbers, please see http://pcre.org/original/doc/html/pcreapi.html <http://pcre.org/original/doc/html/pcreapi.html> and look for ‘limits’. Another angle is to look at the log file to see which rule exceeded the limit. It is possible that you might not need that rule. For instance, I often received your same error on Core Rule Set’s 951190 rule. That rule prevents Ingres SQL information leakages. I don’t use Ingres ever. So, instead of raising the PCRE limits even more, I just disable that rule. You can disable a rule by adding the following to your .conf file: SecRuleRemoveById 123456 Where 123456 is the rule ID that you want to disable. Note that disabling rules might open up attack vectors, so always do this carefully. Hope this helps! Kind regards, Walter Hop Core Rule Set co-lead > On 27 Oct 2021, at 12:37, Filip Bartmann <fi...@ce...> wrote: > > Hello, > I starting to use mod_security for Apache2 with crs and in log i many times see: > > Execution error - PCRE limits exceeded (-8): (null) > > How can I prevent this? > > Thanks, > Filip Bartmann > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Filip B. <fi...@ce...> - 2021-10-27 10:37:31
|
Hello, I starting to use mod_security for Apache2 with crs and in log i many times see: Execution error - PCRE limits exceeded (-8): (null) How can I prevent this? Thanks, Filip Bartmann |
|
From: Web C. <we...@we...> - 2021-10-23 16:56:36
|
Dear Azurit
To see what happens while testing I will try that, thank you :)
Does someone know how to print the result uf a transformation function
like: "t:normalizePathWin" in the Message ("msg")?
Is the transformation applied to REQUEST_URI or REQUEST_URI_RAW in the Rule
below?
Greetings,
Webco
<az...@po...> schrieb am Sa., 23. Okt. 2021, 16:57:
> Hi
>
> try enabling debug log in ModSecurity.
>
>
> Citát Web Coach <we...@we...>:
>
> > Hello together :)
> >
> > How can I find the reason why the rule below was triggered? It looks like
> > the audit log does not provide enough information in this case either.
> >
> > %{REQUEST_URI} gives me: /yyyyy.php?site=http://blubb
> > %{REQUEST_URI_RAW} gives me: /yyyyy.php?site=http://blubb
> >
> > I think the transformed REQUEST_URI might be something like
> > "/yyyyy.php?site=http:/blubb" without the double slash. I want to be sure
> > why the rule was triggered and I want to see it black on white for
> > certainty. How would you do it?
> >
> > ModSecurity version: 2.9.4
> > Apache Version: 2.4.48
> >
> > Rule / in httpd.conf
> > ------------------
> > # Make sure there are no URI evasion attempts
> > SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
> > "id:11000,phase:1,deny,t:normalizePathWin,log,\
> > msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW:
> > %{REQUEST_URI_RAW}'"
> >
> > error.log
> > ------------------
> > [yyyy-mm-dd hh:mm:ss.mmmmmm] [-:error] 127.0.0.1:35220
> > zzzzzzz__zzzzzzzzzzzzzzzzzz [client 127.0.0.1] ModSecurity: Access denied
> > with code 403 (phase 1). Match of "streq %{REQUEST_URI_RAW}" against
> > "REQUEST_URI" required. [file "/opt/apache-2.4.48/conf/httpd.conf"] [line
> > "200"] [id "11000"] [msg "URI evasion attempt REQUEST_URI:
> /yyyyy.php?site=
> > http://blubb REQUEST_URI_RAW: /yyyyy.php?site=http://blubb"] [tag
> > "domain.tld Public"] [hostname "domain.tld"] [uri "/yyyyy.php"]
> [unique_id
> > "zzzzzzz__zzzzzzzzzzzzzzzzzz"]
> >
> > Regards,
> > Webco
>
>
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
|
|
From: <az...@po...> - 2021-10-23 14:58:07
|
Hi
try enabling debug log in ModSecurity.
Citát Web Coach <we...@we...>:
> Hello together :)
>
> How can I find the reason why the rule below was triggered? It looks like
> the audit log does not provide enough information in this case either.
>
> %{REQUEST_URI} gives me: /yyyyy.php?site=http://blubb
> %{REQUEST_URI_RAW} gives me: /yyyyy.php?site=http://blubb
>
> I think the transformed REQUEST_URI might be something like
> "/yyyyy.php?site=http:/blubb" without the double slash. I want to be sure
> why the rule was triggered and I want to see it black on white for
> certainty. How would you do it?
>
> ModSecurity version: 2.9.4
> Apache Version: 2.4.48
>
> Rule / in httpd.conf
> ------------------
> # Make sure there are no URI evasion attempts
> SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
> "id:11000,phase:1,deny,t:normalizePathWin,log,\
> msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW:
> %{REQUEST_URI_RAW}'"
>
> error.log
> ------------------
> [yyyy-mm-dd hh:mm:ss.mmmmmm] [-:error] 127.0.0.1:35220
> zzzzzzz__zzzzzzzzzzzzzzzzzz [client 127.0.0.1] ModSecurity: Access denied
> with code 403 (phase 1). Match of "streq %{REQUEST_URI_RAW}" against
> "REQUEST_URI" required. [file "/opt/apache-2.4.48/conf/httpd.conf"] [line
> "200"] [id "11000"] [msg "URI evasion attempt REQUEST_URI: /yyyyy.php?site=
> http://blubb REQUEST_URI_RAW: /yyyyy.php?site=http://blubb"] [tag
> "domain.tld Public"] [hostname "domain.tld"] [uri "/yyyyy.php"] [unique_id
> "zzzzzzz__zzzzzzzzzzzzzzzzzz"]
>
> Regards,
> Webco
|
|
From: Web C. <we...@we...> - 2021-10-23 11:57:01
|
Hello together :)
How can I find the reason why the rule below was triggered? It looks like
the audit log does not provide enough information in this case either.
%{REQUEST_URI} gives me: /yyyyy.php?site=http://blubb
%{REQUEST_URI_RAW} gives me: /yyyyy.php?site=http://blubb
I think the transformed REQUEST_URI might be something like
"/yyyyy.php?site=http:/blubb" without the double slash. I want to be sure
why the rule was triggered and I want to see it black on white for
certainty. How would you do it?
ModSecurity version: 2.9.4
Apache Version: 2.4.48
Rule / in httpd.conf
------------------
# Make sure there are no URI evasion attempts
SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
"id:11000,phase:1,deny,t:normalizePathWin,log,\
msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW:
%{REQUEST_URI_RAW}'"
error.log
------------------
[yyyy-mm-dd hh:mm:ss.mmmmmm] [-:error] 127.0.0.1:35220
zzzzzzz__zzzzzzzzzzzzzzzzzz [client 127.0.0.1] ModSecurity: Access denied
with code 403 (phase 1). Match of "streq %{REQUEST_URI_RAW}" against
"REQUEST_URI" required. [file "/opt/apache-2.4.48/conf/httpd.conf"] [line
"200"] [id "11000"] [msg "URI evasion attempt REQUEST_URI: /yyyyy.php?site=
http://blubb REQUEST_URI_RAW: /yyyyy.php?site=http://blubb"] [tag
"domain.tld Public"] [hostname "domain.tld"] [uri "/yyyyy.php"] [unique_id
"zzzzzzz__zzzzzzzzzzzzzzzzzz"]
Regards,
Webco
|
|
From: Christian V. <cv...@it...> - 2021-10-21 13:25:31
|
Yo have to add exceptions to avoid mod security block certain HTML POST data.
Look in the error log of apache or audit log of mod-security, then look for the errors that are blocking the HTML POST, and search the id of the rule, then in the apache config (the one where you CMS is configured), you can add the exception like this:
If you want to disable specific rule in a specific path:
<LocationMatch "/user/login">
SecRuleRemoveById 981319
</LocationMatch>
If you want to disable specific rule globally:
SecRuleRemoveById 981173
If you want to disable mod security in a specific path:
<Location /some_path/anotherpath>
<IfModule security2_module>
SecRuleEngine Off
</IfModule>
</Location>
Cheers.
Chris.
> El 21-10-2021, a las 09:02, Reindl Harald <h.r...@th...> escribió:
>
>
>
> Am 21.10.21 um 11:30 schrieb Filip Bartmann:
>> I'm new to mod_security and I have own CMS. I want in admin to edit HTML content. How can I enable to POST HTML tags? I Use mod_security v2 with Apache
>
> <IfModule mod_security2.c>
> <LocationMatch "(.*)\/editor\/plugins\/preview\.php$">
> SecRequestBodyAccess Off
> </LocationMatch>
> </IfModule>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
|
|
From: Reindl H. <h.r...@th...> - 2021-10-21 12:20:46
|
Am 21.10.21 um 11:30 schrieb Filip Bartmann: > I'm new to mod_security and I have own CMS. I want in admin to edit HTML content. How can I enable to POST HTML tags? I Use mod_security v2 with Apache <IfModule mod_security2.c> <LocationMatch "(.*)\/editor\/plugins\/preview\.php$"> SecRequestBodyAccess Off </LocationMatch> </IfModule> |
|
From: Filip B. <fi...@ce...> - 2021-10-21 11:58:11
|
Hello, Yes I use. Filip Bartmann ______________________________________________________________ > Od: az...@po... > Komu: mod...@li... > Datum: 21.10.2021 12:25 > Předmět: Re: [mod-security-users] Allow HTML in post > Hi Filip, what rules are you using? CRS? azurit Citát Filip Bartmann <fi...@ce...>: > Hello, > I'm new to mod_security and I have own CMS. I want in admin to edit > HTML content. How can I enable to POST HTML tags? I Use mod_security > v2 with Apache. > > Thanks, > Filip Bartmann > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users <https://lists.sourceforge.net/lists/listinfo/mod-security-users> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ <http://www.modsecurity.org/projects/commercial/rules/> > http://www.modsecurity.org/projects/commercial/support/ <http://www.modsecurity.org/projects/commercial/support/> _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users <https://lists.sourceforge.net/lists/listinfo/mod-security-users> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ <http://www.modsecurity.org/projects/commercial/rules/> http://www.modsecurity.org/projects/commercial/support/ <http://www.modsecurity.org/projects/commercial/support/> |
139 messages has been excluded from this view by a project administrator.
