mod-security-users Mailing List for ModSecurity (Page 10)
From: <az...@po...> - 2021-10-21 10:25:06
|
Hi Filip,

what rules are you using? CRS?

azurit

Quoting Filip Bartmann <fi...@ce...>:

> Hello,
> I'm new to mod_security and I have my own CMS. I want to be able to edit
> HTML content in the admin area. How can I allow POSTing HTML tags? I use
> mod_security v2 with Apache.
>
> Thanks,
> Filip Bartmann
|
From: Filip B. <fi...@ce...> - 2021-10-21 09:46:17
|
Hello,

I'm new to mod_security and I have my own CMS. I want to be able to edit HTML content in the admin area. How can I allow POSTing HTML tags? I use mod_security v2 with Apache.

Thanks,
Filip Bartmann
|
From: <az...@po...> - 2021-10-20 14:56:49
|
Hi Homesh,

I'm glad everything works for you!

I can't recommend any specific ClamAV configuration, but this will definitely add some latency to request handling. You can try playing with the antivirus setting tx.antivirus-plugin_clamav_chunk_size_bytes so data is not split into too many chunks (depends on how big the files are that you usually upload). Anyway, I doubt there's a possibility to create a faster option for integrating antivirus support into ModSecurity, as my solution is using Lua for antivirus communication and the ClamAV INSTREAM command, so:

- the Lua script is read, compiled and stored in memory on web server startup
- the Lua script works similarly to clamdscan, so the only thing it's doing is reading and sending data into ClamAV (i.e. it's not reading the whole signature set on every run as the clamscan command does); make sure that tmp files are not stored on slow storage
- the Lua script is not run for requests not doing a file upload

Quoting homesh joshi <ho...@gm...>:

> Dear Azur,
>
> Your plugin works for me. Currently tested with CRS. Here is the sample log:
>
> [19/Oct/2021:10:30:38 +0530] [www.xyz.com/sid#7f178bfaf8a0][rid#7f178f5bc0a0][/files/upload.php][1] Access denied with code 403 (phase 2). String match "Win.Test.EICAR_HDB-1" at TX:antivirus-plugin_virus_name. [file "/usr/share/modsecurity-crs/plugins/antivirus-before.conf"] [line "19"] [id "9502120"] [msg "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] [data "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] [severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] [tag "capec/1000/262/441/442"]
>
> Can you please suggest best practices on ClamAV for modsec? I am worried
> that ClamAV may add latency to the Apache request handling capacity.
>
> Thanks,
> Homesh
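The INSTREAM exchange described in the message above, as an added Python illustration (not the plugin's own Lua code): the client sends the zINSTREAM command, then the upload as length-prefixed chunks (a 4-byte big-endian length followed by the data), ends the stream with a zero-length chunk, and reads one NUL-terminated verdict. FakeClamd is a constructed stand-in so the example runs without a daemon; the text of its size-limit reply is an assumption, and the chunk_size argument stands in for the plugin's tx.antivirus-plugin_clamav_chunk_size_bytes setting.

```python
import struct
from typing import Iterator, Tuple

# --- client side: the framing that clamdscan (and the plugin's Lua script) puts on the wire ---

def instream_frames(data: bytes, chunk_size: int) -> Iterator[bytes]:
    """Yield the bytes of one INSTREAM session: the command, then each chunk as a
    4-byte big-endian length followed by the chunk, then a zero-length terminator."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    yield b"zINSTREAM\0"                      # 'z' prefix: NUL-delimited command and reply
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)                # zero-length chunk ends the stream


def parse_instream_reply(reply: bytes) -> Tuple[str, str]:
    """Classify clamd's reply as ('clean', ''), ('infected', signature) or ('error', text)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", "")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    return ("error", text)


def scan_with_clamd(sock, data: bytes, chunk_size: int = 64 * 1024) -> Tuple[str, str]:
    """Stream data over a connected socket-like object (sendall/recv) and return the verdict.
    chunk_size plays the role of tx.antivirus-plugin_clamav_chunk_size_bytes."""
    for frame in instream_frames(data, chunk_size):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):          # z-mode replies are NUL-terminated
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_instream_reply(reply)


# --- constructed stand-in for clamd, so the example runs without a daemon ---

class FakeClamd:
    """Speaks just enough INSTREAM to exercise the client above: it flags any payload
    containing MARKER and enforces a size limit the way clamd's StreamMaxLength does
    (the ERROR reply text is assumed, not copied from clamd)."""
    MARKER = b"CONSTRUCTED-TEST-MARKER"

    def __init__(self, max_bytes: int = 1 << 20) -> None:
        self.max_bytes = max_bytes
        self.inbuf = b""
        self.reply = None
        self.chunks_seen = 0

    def sendall(self, frame: bytes) -> None:
        self.inbuf += frame

    def recv(self, n: int) -> bytes:
        if self.reply is None:
            self.reply = self._verdict()
        out, self.reply = self.reply[:n], self.reply[n:]
        return out

    def _verdict(self) -> bytes:
        buf = self.inbuf
        if not buf.startswith(b"zINSTREAM\0"):
            return b"UNKNOWN COMMAND\0"
        pos, payload = len(b"zINSTREAM\0"), b""
        while True:
            (length,) = struct.unpack(">I", buf[pos:pos + 4])
            pos += 4
            if length == 0:
                break
            payload += buf[pos:pos + length]
            pos += length
            self.chunks_seen += 1
            if len(payload) > self.max_bytes:
                return b"INSTREAM size limit exceeded. ERROR\0"
        if self.MARKER in payload:
            return b"stream: Constructed.Test.Marker FOUND\0"
        return b"stream: OK\0"


if __name__ == "__main__":
    clean = b"just a harmless text upload\n" * 50          # constructed sample upload
    infected = clean + FakeClamd.MARKER + clean
    for payload in (clean, infected):
        print(scan_with_clamd(FakeClamd(), payload, chunk_size=256))
    # Against a real daemon, pass a connected socket instead of FakeClamd, e.g.
    #   with socket.create_connection(("127.0.0.1", 3310)) as s:
    #       print(scan_with_clamd(s, open(path, "rb").read()))
```

A larger chunk_size means fewer send calls per upload, which is the knob the message points at; the daemon still has to read the whole file, so the only work the client can avoid is the per-chunk framing overhead.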
|
From: homesh j. <ho...@gm...> - 2021-10-20 13:35:05
|
Dear Azur,

Your plugin works for me. Currently tested with CRS. Here is the sample log:

[19/Oct/2021:10:30:38 +0530] [www.xyz.com/sid#7f178bfaf8a0][rid#7f178f5bc0a0][/files/upload.php][1] Access denied with code 403 (phase 2). String match "Win.Test.EICAR_HDB-1" at TX:antivirus-plugin_virus_name. [file "/usr/share/modsecurity-crs/plugins/antivirus-before.conf"] [line "19"] [id "9502120"] [msg "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] [data "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] [severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] [tag "capec/1000/262/441/442"]

Can you please suggest best practices on ClamAV for modsec? I am worried that ClamAV may add latency to the Apache request handling capacity.

Thanks,
Homesh

On Mon, Oct 18, 2021 at 11:59 PM homesh joshi <ho...@gm...> wrote:

> Thanks for your efforts. Will test this tomorrow and let you know.
>
> Regards,
> Homesh
>
> On Mon, 18 Oct, 2021, 11:53 pm , <az...@po...> wrote:
>
>> Good news everyone (mainly Homesh)!
>>
>> As the HTTP protocol allows uploading multiple files at once, it
>> appears to be a good idea to have the filename of the infected file in the logs.
>> I decided to add this functionality.
>>
>> Homesh, please redownload everything and try again:
>> https://github.com/coreruleset/antivirus-plugin
>>
>> Let me know if it's working for you, thanks.
>>
>> Enjoy!
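Homesh's sample log entry above is what a dashboard has to parse to report "filename = ..., virusname = ...". The Python below is an added example, not code from the plugin or from ModSecurity: it splits a ModSecurity v2 error-log entry of the shape shown in the message (the ModSecurity portion, without Apache's own [client ...] prefix) into its header and [key "value"] fields, then pulls the virus name and the client-supplied filename out of the plugin's msg field. The sample line is copied from the message with the mail client's emphasis markers removed; the msg format and the ver-field check are taken from that one sample.

```python
import re
from typing import Dict, List, Optional

# Sample ModSecurity v2 error-log entry, copied from the message above with the
# mail client's emphasis markers and link residue removed (www.xyz.com is the
# poster's placeholder host name).
SAMPLE_LINE = (
    '[19/Oct/2021:10:30:38 +0530] [www.xyz.com/sid#7f178bfaf8a0][rid#7f178f5bc0a0]'
    '[/files/upload.php][1] Access denied with code 403 (phase 2). '
    'String match "Win.Test.EICAR_HDB-1" at TX:antivirus-plugin_virus_name. '
    '[file "/usr/share/modsecurity-crs/plugins/antivirus-before.conf"] [line "19"] '
    '[id "9502120"] [msg "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] '
    '[data "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] '
    '[severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] [tag "capec/1000/262/441/442"]'
)

# Fixed prefix: timestamp, server/sid, rid, request URI, log level, then the rule
# message, which runs up to the first [key "value"] field.
HEADER_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#[^\]]*\]\[rid#[^\]]*\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d+)\] (?P<message>.*?)(?= \[\w+ ")'
)
# Trailing [key "value"] fields; a value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Shape of the plugin's msg field as seen in the sample (assumed to be stable).
VIRUS_RE = re.compile(r'^Virus (?P<virus>\S+) found in uploaded file (?P<filename>.+)\.$')


def parse_modsec_error_line(line: str) -> Dict[str, object]:
    """Split one ModSecurity error-log entry into header fields plus its [key "value"]
    pairs. 'tag' may repeat, so tags are collected into a list."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a ModSecurity error-log entry")
    rec: Dict[str, object] = m.groupdict()
    rec["level"] = int(m.group("level"))
    tags: List[str] = []
    for key, value in FIELD_RE.findall(line[m.end():]):
        if key == "tag":
            tags.append(value)
        else:
            rec[key] = value.replace('\\"', '"')
    rec["tags"] = tags
    return rec


def extract_av_hit(rec: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return rule id, virus name, client-supplied filename and URI for antivirus-plugin
    hits, else None. The plugin is recognised by its ver field. The filename is
    attacker-controlled input and must be escaped before it is rendered anywhere."""
    if not str(rec.get("ver", "")).startswith("antivirus-plugin/"):
        return None
    m = VIRUS_RE.match(str(rec.get("msg", "")))
    if not m:
        return None
    return {
        "rule_id": str(rec.get("id", "")),
        "virus": m.group("virus"),
        "filename": m.group("filename"),
        "uri": str(rec.get("uri", "")),
    }


if __name__ == "__main__":
    record = parse_modsec_error_line(SAMPLE_LINE)
    print(record["id"], record["severity"], record["tags"])
    print(extract_av_hit(record))
```

Keying on the ver field rather than on the rule id keeps the extractor working if the plugin renumbers its rules; the filename still comes straight from the multipart request, so treat it like any other untrusted string when it reaches a web dashboard.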
|
From: homesh j. <ho...@gm...> - 2021-10-18 18:29:45
|
Thanks for your efforts. Will test this tomorrow and let you know.

Regards,
Homesh

On Mon, 18 Oct, 2021, 11:53 pm , <az...@po...> wrote:

> Good news everyone (mainly Homesh)!
>
> As the HTTP protocol allows uploading multiple files at once, it
> appears to be a good idea to have the filename of the infected file in the logs.
> I decided to add this functionality.
>
> Homesh, please redownload everything and try again:
> https://github.com/coreruleset/antivirus-plugin
>
> Let me know if it's working for you, thanks.
>
> Enjoy!
|
From: <az...@po...> - 2021-10-18 18:20:10
|
Good news everyone (mainly Homesh)!

As the HTTP protocol allows uploading multiple files at once, it appears to be a good idea to have the filename of the infected file in the logs. I decided to add this functionality.

Homesh, please redownload everything and try again:
https://github.com/coreruleset/antivirus-plugin

Let me know if it's working for you, thanks.

Enjoy!

Quoting homesh joshi <ho...@gm...>:

> Dear Azur,
>
> Yes, I was able to do the testing using your plugin.
> I want to report the filename also in the reporting dashboard, saying that
> filename = xyz.pdf virusname=abc
> Now I am able to get the virus name but want to know the filename as well.
>
> Thanks,
> Homesh
|
From: homesh j. <ho...@gm...> - 2021-10-18 06:52:41
|
Dear Azur,

Yes, I was able to do the testing using your plugin.
I want to report the filename also in the reporting dashboard, saying that filename = xyz.pdf virusname=abc. Now I am able to get the virus name but want to know the filename as well.

Thanks,
Homesh

On Mon, Oct 18, 2021 at 12:06 PM <az...@po...> wrote:

> Hi Homesh,
>
>> Thank you very much for the suggestion on the antivirus plugin.
>> I tested the antivirus plugin with CRS; I have the following queries.
>
> You are welcome! Is the plugin working OK for you?
>
>> Is CRS a prerequisite for this plugin? As I don't use CRS, I want to use
>> this without CRS. I understand this plugin rule uses a Lua script.
>
> I cannot guarantee it for the future but, currently, it should work
> also without CRS.
>
>> I was able to see the virus name in the logs; however, what is the variable
>> name for the filename which was scanned, so I can use that variable
>> inside the tag or msg?
>
> The filename can be got directly from ModSecurity using the FILES_TMPNAMES
> variable, but it's only the temporary name of the uploaded file.
>
> azur
|
From: <az...@po...> - 2021-10-18 06:33:17
|
Hi Homesh,

> Thank you very much for the suggestion on the antivirus plugin.
> I tested the antivirus plugin with CRS; I have the following queries.

You are welcome! Is the plugin working OK for you?

> Is CRS a prerequisite for this plugin? As I don't use CRS, I want to use
> this without CRS. I understand this plugin rule uses a Lua script.

I cannot guarantee it for the future but, currently, it should work also without CRS.

> I was able to see the virus name in the logs; however, what is the variable
> name for the filename which was scanned, so I can use that variable
> inside the tag or msg?

The filename can be got directly from ModSecurity using the FILES_TMPNAMES variable, but it's only the temporary name of the uploaded file.

azur

> Thanks,
> Homesh
|
From: homesh j. <ho...@gm...> - 2021-10-18 05:56:07
|
Hi Azurit,

Thank you very much for the suggestion on the antivirus plugin. I tested the antivirus plugin with CRS; I have the following queries.

Is CRS a prerequisite for this plugin? As I don't use CRS, I want to use this without CRS. I understand this plugin rule uses a Lua script.

I was able to see the virus name in the logs; however, what is the variable name for the filename which was scanned, so I can use that variable inside the tag or msg?

Thanks,
Homesh

On Mon, Oct 4, 2021 at 1:40 PM homesh joshi <ho...@gm...> wrote:

> Thanks, will test this and update you soon.
>
> On Mon, 4 Oct, 2021, 1:33 pm , <az...@po...> wrote:
>
>> Hi,
>>
>> if you are using CRS, please check this:
>> https://github.com/coreruleset/antivirus-plugin
>>
>> azur
|
From: Ehsan M. <ehs...@gm...> - 2021-10-13 12:09:36
|
Thanks, I'll have a look at that.

On Wed, Oct 13, 2021 at 2:48 PM huiming via mod-security-users <mod...@li...> wrote:

> but a workaround is available:
> https://github.com/SpiderLabs/ModSecurity/issues/1803
>
> ------------------ Original message ------------------
> From: "mod-security-users" <ehs...@gm...>;
> Sent: Wednesday, 13 October 2021, 7:15 PM
> To: "mod-security-users" <mod...@li...>;
> Subject: [mod-security-users] Does the expirevar work on modsec v3?
>
> Hi folks,
> Quick question: does expirevar work on modsec v3?
>
> The problem is that I am trying to stop brute force attacks, and when an IP
> is determined to be an attacker it will be blocked forever. It seems that
> expirevar is not working.
>
> P.S. I am using modsec v3 + nginx
>
> Thank you all

--
regards
Ehsan.Mahdavi
PhD candidate in Computer Engineering at Isfahan University of Technology
http://emahdavi.ece.iut.ac.ir/
|
From: <877...@qq...> - 2021-10-13 11:14:48
|
but a workaround is available:
https://github.com/SpiderLabs/ModSecurity/issues/1803

------------------ Original message ------------------
From: "mod-security-users" <ehs...@gm...>;
Sent: Wednesday, 13 October 2021, 7:15 PM
To: "mod-security-users" <mod...@li...>;
Subject: [mod-security-users] Does the expirevar work on modsec v3?

Hi folks,
Quick question: does expirevar work on modsec v3?

The problem is that I am trying to stop brute force attacks, and when an IP is determined to be an attacker it will be blocked forever. It seems that expirevar is not working.

P.S. I am using modsec v3 + nginx

Thank you all
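The difference between a block that lifts itself and one that lasts forever, the problem Ehsan describes above, comes down to storing an expiry time next to the counter and checking it on every request; that is the bookkeeping expirevar automates. The Python below is an added illustration of that bookkeeping, written for this page rather than taken from the linked issue or from any ModSecurity rule set, and it is not ModSecurity configuration. The threshold, window, block duration, the ManualClock and the attacker address are assumptions for the demo.

```python
import time
from typing import Callable, Dict, Tuple


class IpBlockList:
    """Per-IP failed-login counter whose block carries its own expiry timestamp.

    Every state entry stores the epoch second at which it stops being valid, and
    every lookup compares that against the current time, so a block can never
    outlive its intended duration even if nothing else ever touches it."""

    def __init__(self, threshold: int, window_s: int, block_s: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self.clock = clock
        self._fails: Dict[str, Tuple[int, float]] = {}   # ip -> (count, window_expires_at)
        self._blocked: Dict[str, float] = {}              # ip -> block_expires_at

    def is_blocked(self, ip: str) -> bool:
        """True while a block is active; an expired block is removed, not honoured forever."""
        now = self.clock()
        until = self._blocked.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked[ip]
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Count one failed attempt; returns True if this one starts a block."""
        now = self.clock()
        count, window_until = self._fails.get(ip, (0, 0.0))
        if now >= window_until:                   # counter window expired: start over
            count, window_until = 0, now + self.window_s
        count += 1
        self._fails[ip] = (count, window_until)
        if count >= self.threshold:
            self._blocked[ip] = now + self.block_s
            del self._fails[ip]
            return True
        return False

    def seconds_until_unblocked(self, ip: str) -> float:
        until = self._blocked.get(ip)
        return max(0.0, until - self.clock()) if until is not None else 0.0


class ManualClock:
    """Constructed clock for the demo and tests: time only moves when advanced."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(threshold: int = 5, window_s: int = 60, block_s: int = 300) -> Dict[str, object]:
    """Drive one attacker IP through `threshold` failures one second apart, then
    jump past the block expiry and report what the blocker said at each point."""
    clock = ManualClock()
    bl = IpBlockList(threshold, window_s, block_s, clock)
    ip = "198.51.100.7"                          # constructed attacker address
    triggered_at = None
    for attempt in range(1, threshold + 1):
        if bl.record_failure(ip):
            triggered_at = attempt
        clock.advance(1)
    blocked_now = bl.is_blocked(ip)
    clock.advance(block_s)                        # jump past expiry
    blocked_later = bl.is_blocked(ip)
    return {"triggered_at": triggered_at, "blocked_now": blocked_now,
            "blocked_later": blocked_later}


if __name__ == "__main__":
    print(simulate())
```

The same shape carries over to a rule set: keep the expiry epoch in the collection alongside the counter and compare it against the current time on every request, instead of relying on the engine to expire the variable for you.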
|
From: <877...@qq...> - 2021-10-13 11:09:38
|
No

------------------ Original message ------------------
From: "mod-security-users" <ehs...@gm...>;
Sent: Wednesday, 13 October 2021, 7:15 PM
To: "mod-security-users" <mod...@li...>;
Subject: [mod-security-users] Does the expirevar work on modsec v3?

Hi folks,
Quick question: does expirevar work on modsec v3?

The problem is that I am trying to stop brute force attacks, and when an IP is determined to be an attacker it will be blocked forever. It seems that expirevar is not working.

P.S. I am using modsec v3 + nginx

Thank you all
|
From: Ehsan M. <ehs...@gm...> - 2021-10-13 10:46:07
|
Hi folks,

Quick question: does expirevar work on modsec v3?

The problem is that I am trying to stop brute force attacks, and when an IP is determined to be an attacker it will be blocked forever. It seems that expirevar is not working.

P.S. I am using modsec v3 + nginx

Thank you all
|
From: homesh j. <ho...@gm...> - 2021-10-04 08:10:42
|
Thanks, will test this and update you soon.

On Mon, 4 Oct, 2021, 1:33 pm, <az...@po...> wrote:

> Hi,
>
> if you are using CRS, please check this:
> https://github.com/coreruleset/antivirus-plugin
>
> azur
>
> Quoting homesh joshi <ho...@gm...>:
>
> > Hi All,
> >
> > Hope you all are well.
> > I have done the ModSecurity and ClamAV integration and am now able to block
> > the malicious file upload. I wanted to get the filename and virus name
> > details inside modsec audit logs.
> >
> > I am not able to find any documentation on this. Can you please share any
> > document or tutorial on this?
> >
> > Thanks,
> > Homesh |
|
From: <az...@po...> - 2021-10-04 08:00:23
|
Hi,

if you are using CRS, please check this:
https://github.com/coreruleset/antivirus-plugin

azur

Quoting homesh joshi <ho...@gm...>:

> Hi All,
>
> Hope you all are well.
> I have done the ModSecurity and ClamAV integration and am now able to block
> the malicious file upload. I wanted to get the filename and virus name
> details inside modsec audit logs.
>
> I am not able to find any documentation on this. Can you please share any
> document or tutorial on this?
>
> Thanks,
> Homesh |
|
From: homesh j. <ho...@gm...> - 2021-10-04 07:33:39
|
Hi All,

Hope you all are well.
I have done the ModSecurity and ClamAV integration and am now able to block the malicious file upload. I wanted to get the filename and virus name details inside modsec audit logs.

I am not able to find any documentation on this. Can you please share any document or tutorial on this?

Thanks,
Homesh |
|
From: Michael W. <sco...@ya...> - 2021-10-01 08:49:54
|
Thanks for the reply
Tel: 01257 266394 Mobile: 07944032617 Email: sco...@ya...
On Thursday, 30 September 2021, 22:13:25 BST, Christian Folini <chr...@ne...> wrote:
Hey Michael,
A lot of people use ModSec3 successfully in production and the developers have
it labelled as production ready for NGINX for several years.
Personally, I see that ModSec3 is not passing the entire test suite for CRS
(2-3% of tests are failing) and I am not satisfied with the performance.
Also: ModSec 2.9.x on Apache is still the reference implementation for CRS.
Hope this helps to put everything in perspective.
Best,
Christian
On Thu, Sep 30, 2021 at 12:47:10PM +0000, Michael Woods via mod-security-users wrote:
> Hi Everyone,
> Is version 3 of ModSecurity now production ready? It's not clear from the Github page.
> Regards
> Mike
|
|
From: Christian F. <chr...@ne...> - 2021-09-30 21:12:30
|
Hey Michael,

A lot of people use ModSec3 successfully in production and the developers have it labelled as production ready for NGINX for several years.

Personally, I see that ModSec3 is not passing the entire test suite for CRS (2-3% of tests are failing) and I am not satisfied with the performance.

Also: ModSec 2.9.x on Apache is still the reference implementation for CRS.

Hope this helps to put everything in perspective.

Best,

Christian

On Thu, Sep 30, 2021 at 12:47:10PM +0000, Michael Woods via mod-security-users wrote:
> Hi Everyone,
> Is version 3 of ModSecurity now production ready? It's not clear from the Github page.
> Regards
> Mike |
|
From: Michael W. <sco...@ya...> - 2021-09-30 12:57:27
|
Hi Everyone,
Is version 3 of ModSecurity now production ready? It's not clear from the Github page.
Regards
Mike |
|
From: <877...@qq...> - 2021-08-10 11:13:37
|
as the title:
FREE_TEXT_QUOTE_MACRO_EXPANSION (([^%'])|([^\\][\\][%][{])|([^\\]([\\][\\])+[\\][%][{])|[^\\][\\][']|[^\\]([\\][\\])+[\\]['])+ |
|
From: <az...@po...> - 2021-07-22 04:20:26
|
Hi Devin,

WordPress exclusion package was created only for vanilla WordPress, i.e. it does not work with plugins - your problem is, probably, related to some plugin.

I can help you more if you can provide me with the full log of the blocked request.

azur

Quoting Devin A <de...@pa...>:

> I am rather new to Mod_Security, I have enabled the mod_security rules
> within HAProxy and I have Wordpress sites behind my load balancer. I am
> confused on why I have quite a few false positives still being activated.
>
> In my crs-setup.conf:
>
> SecAction \
>     "id:900130,\
>     phase:1,\
>     nolog,\
>     pass,\
>     t:none,\
>     setvar:tx.crs_exclusions_wordpress=1"
>
> I see that in the REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf, I have
> quite a few rules in there that look like appropriate Wordpress exclusions,
> however when I have users trying to edit/post messages to Wordpress rules
> are still being fired. From what I can see in the logs, it appears Rule
> 941100 is constantly being triggered. Is there a rule that I am missing in
> the exclusions that isn't there by default?
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "o0,544v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref ""]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.023] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 330/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==|https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/admin-ajax.php HTTP/2.0"
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "o0,544v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref ""]
>
> Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.285] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 333/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==|https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/post.php HTTP/2.0"
>
> Appreciate your help and assistance on this.
>
> Devin Acosta |
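The kind of exclusion azur's answer points towards, added here as an example that is not part of the thread, of CRS or of the quoted configuration. The quoted log shows 941100 and 941160 matching on ARGS:content for /wp-admin/admin-ajax.php and /wp-admin/post.php, that is, the body of a post being saved from the WordPress editor, which legitimately contains HTML. A runtime exclusion removes that one parameter from those two rules, for those two endpoints and only for a logged-in WordPress user, while leaving both rules active for every other parameter and request. Assumptions: rule id 10001 is free in the deployment (CRS 3.x leaves ids below 100,000 to the user), the rule is placed in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it is loaded ahead of the 941 rules, and WordPress sets its default wordpress_logged_in_* cookie for editors. Separately, the HAProxy capture in the quoted log contains the request's Basic Authorization header; base64 is encoding, not encryption, so such captures should be redacted before a log is shared.

```apache
# Added example (not CRS code): scoped runtime exclusion for the WordPress
# editor endpoints seen in the log. Put it in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so the ctl actions are applied
# before the 941 rules run in phase 2. Rule id 10001 is assumed to be free.

# Match only the two endpoints from the log. REQUEST_FILENAME carries the
# path without the query string; the pattern is not anchored at the start
# because the log shows the URI in absolute form behind HAProxy.
SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin-ajax|post)\.php$" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    chain"
    # ... and only when a WordPress login cookie is present, so anonymous
    # POSTs to admin-ajax.php keep the full XSS inspection on 'content'.
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@ge 1" \
        "t:none,\
        ctl:ruleRemoveTargetById=941100;ARGS:content,\
        ctl:ruleRemoveTargetById=941160;ARGS:content"
```

After a reload, replay the blocked save from the editor: the two 941 warnings on ARGS:content should be gone and the inbound anomaly score should stay below the threshold of 5 that 949110 enforces in the log. If the request is still denied, the remaining warnings name the next parameter and rule to look at; widen the exclusion one parameter at a time rather than disabling the rule, and keep the cookie condition so the relaxation never applies to unauthenticated traffic.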
|
From: Devin A <de...@pa...> - 2021-07-21 15:56:12
|
I am rather new to Mod_Security, I have enabled the mod_security rules within HAProxy and I have Wordpress sites behind my load balancer. I am confused on why I have quite a few false positives still being activated.

In my crs-setup.conf:

SecAction \
    "id:900130,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.crs_exclusions_wordpress=1"

I see that in the REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf, I have quite a few rules in there that look like appropriate Wordpress exclusions, however when I have users trying to edit/post messages to Wordpress rules are still being fired. From what I can see in the logs, it appears Rule 941100 is constantly being triggered. Is there a rule that I am missing in the exclusions that isn't there by default?

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref "o0,544v2688,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/admin-ajax.php"] [unique_id "162688020249.349253"] [ref ""]

Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.023] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 330/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==|https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/admin-ajax.php HTTP/2.0"

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. detected XSS using libinjection. [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should d (4130 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:content' (Value: `<span style="font-weight: 400;">Let\xe2\x80\x99s be totally honest here for a minute! At this moment (4613 characters omitted)' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <span style="font-weight: 400;">Let's be totally honest here for a minute! At this moment in the digital evolution, your credit union website should do a lot more for you than just looki (4666 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref "o0,544v2787,4353t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

Jul 21 08:10:04 localhost hapee-lb[3473802]: fe_mydomain.com/owasp_crs [client 66.235.234.117] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/hapee-2.2/modsec.rules.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.241.155.221"] [uri "https://www.mydomain.com/wp-admin/post.php"] [unique_id "162688020416.416944"] [ref ""]

Jul 21 08:10:04 localhost hapee-lb[3473802]: 66.235.234.117:38827 [21/Jul/2021:08:10:04.285] fe_mydomain.com~ be_mydomain.com/www 1/-1/0/-1/1 403 197 - - PH-- - 333/2/0/0/0 0/0 TLSv1.3 {|Basic QiRpdGU6QjFkM3IxNw==|https://www.mydomain.com/wp-admin/post.php?post=7774&act|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36} "POST https://www.mydomain.com/wp-admin/post.php HTTP/2.0"

Appreciate your help and assistance on this.

Devin Acosta |
|
From: adoring g. <gad...@gm...> - 2021-07-08 22:15:53
|
Hi,

I am observing a memory leak with the operator objects not being freed, once the ruleset is cleaned up.

With a test program that initializes modsecurity, reads a ruleset and cleans up the ruleset:

    /* C API headers as named in libModSecurity 3.0.4 and later */
    #include <modsecurity/modsecurity.h>
    #include <modsecurity/rules_set.h>

    ModSecurity *global_modsec;
    RulesSet *global_rules;

    global_modsec = msc_init();
    global_rules = msc_create_rules_set();
    const char *error = NULL;
    msc_rules_add_file(global_rules, "rules.conf", &error);
    msc_rules_cleanup(global_rules);
    msc_cleanup(global_modsec);

I see memory leaks:

    ==1836== 142,421,048 bytes in 30,350 blocks are possibly lost in loss record 410 of 412
    ==1836==    at 0x4C2C089: calloc (vg_replace_malloc.c:762)
    ==1836==    by 0x4FBAFDD: acmp_add_pattern (acmp.cc:517)
    ==1836==    by 0x4FA4CBB: modsecurity::operators::Pm::init(std::string const&, std::string*) (pm.cc:136)
    ==1836==    by 0x4EFF823: yy::seclang_parser::parse() (seclang-parser.yy:874)
    ==1836==    by 0x4F39373: modsecurity::Parser::Driver::parse(std::string const&, std::string const&) (driver.cc:145)
    ==1836==    by 0x4F39697: modsecurity::Parser::Driver::parseFile(std::string const&) (driver.cc:189)
    ==1836==    by 0x4F50CC6: modsecurity::RulesSet::loadFromUri(char const*) (rules_set.cc:53)
    ==1836==    by 0x4F52542: msc_rules_add_file (rules_set.cc:296)
    ==1836==    by 0x4011D7: process_rules (modsec_memory.c:15)
    ==1836==    by 0x40126C: main (modsec_memory.c:33)
    ==1836==
    ==1836== 569,323,113 (1,344 direct, 569,321,769 indirect) bytes in 21 blocks are definitely lost in loss record 412 of 412
    ==1836==    at 0x4C2A593: operator new(unsigned long) (vg_replace_malloc.c:344)
    ==1836==    by 0x4EF56B1: yy::seclang_parser::parse() (seclang-parser.yy:1032)
    ==1836==    by 0x4F39373: modsecurity::Parser::Driver::parse(std::string const&, std::string const&) (driver.cc:145)
    ==1836==    by 0x4F39697: modsecurity::Parser::Driver::parseFile(std::string const&) (driver.cc:189)
    ==1836==    by 0x4F50CC6: modsecurity::RulesSet::loadFromUri(char const*) (rules_set.cc:53)
    ==1836==    by 0x4F52542: msc_rules_add_file (rules_set.cc:296)
    ==1836==    by 0x4011D7: process_rules (modsec_memory.c:15)
    ==1836==    by 0x40126C: main (modsec_memory.c:33)

How do we deallocate the memory used by the parser? |
|
From: Felipe Z. <fe...@zi...> - 2021-07-07 23:07:49
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is a pleasure to announce the release of ModSecurity version 3.0.5 (libModSecurity). This version contains several improvements in different areas, including new features, cleanups, overall performance improvements, and fixes.

A remarkable feature for version 3.0.5 is the limitation on the number of arguments to process; this is especially useful while inspecting JSON with a high number of key/values. Read more:
- https://github.com/SpiderLabs/ModSecurity/pull/2234

New features
- Having ARGS_NAMES, variables proxied [@zimmerle, @martinhsv, @KaNikita]
- Use explicit path for cross-compile environments. [Issue #2485 - @dtoubelis]
- Fix: FILES variable does not use multipart part name for key [Issue #2377 - @martinhsv]
- Regression: Mark the test as failed in case of segfault. [@zimmerle]
- GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE [Issues #2378, #2186 - @defanator]
- Add support to test framework for audit log content verification and add regression tests for issues #2000, #2196 [@zimmerle]
- Support configurable limit on number of arguments processed [Issue #2234 - @jleproust, @martinhsv]
- Multipart Content-Disposition should allow field: filename*= [@martinhsv]
- Adds support to lua 5.4 [@zimmerle]
- Add support for new operator rxGlobal [@martinhsv]

Bug fixes
- Replaces put with setenv in SetEnv action [Issue #2469 - @martinhsv, @WGH-, @zimmerle]
- Regex key selection should not be case-sensitive [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora, @airween, @martinhsv, @zimmerle]
- Fix: Only delete Multipart tmp files after rules have run [Issue #2427 - @martinhsv]
- Fixed MatchedVar on chained rules [Issue #2423, #2435, #2436 - @michaelgranzow-avi]
- Fix maxminddb link on FreeBSD [Issue #2131 - @granalberto, @zimmerle]
- Fix IP address logging in Section A [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
- rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars [Issue #2336 - @martinhsv]
- Correct CHANGES file entry for #2234
- Fix rule-update-target for non-regex [Issue #2251 - @martinhsv]
- Fix configure script when packaging for Buildroot [Issue #2235 - @frankvanbever]
- modsecurity.pc.in: add Libs.private [Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]

Security impacting issues
- Handle URI received with uri-fragment [@martinhsv]

The complete list of changes is available on our changelogs:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

The source and binaries (and the respective hashes/signatures) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/3.x

Stay tuned. We are going to release a follow-up blog post detailing the significant bits of this release.

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, and participating in the community ;)

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iF0EARECAB0WIQQZDvrMoen6RmqOzZzm37CM6LESdwUCYOYt2wAKCRDm37CM6LES
d1tmAJ9fc8jBWOPX+76nGAm4fTl/2ZQVHACcCbJNBofbrmXU6Glc1CyZkBjE8wg=
=OIWQ
-----END PGP SIGNATURE----- |
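The argument limit the announcement singles out, shown as an added configuration example; this is not text from the announcement or code from the project, and it follows the pattern of the recommended configuration shipped with 3.x, so check the directive against the modsecurity.conf-recommended of the release actually in use. The point of the limit: without it, a JSON body carrying tens of thousands of keys becomes tens of thousands of ARGS entries (given the usual ctl:requestBodyProcessor=JSON rule for application/json bodies), and every rule that targets ARGS runs over each of them. With the limit, parsing stops at the cap, which also means the tail of the body is no longer inspected; the companion rule therefore rejects any request that filled the cap, so a partially inspected body cannot reach the application. The limit value 1000 and the rule id 200007 are assumptions.

```apache
# Added example: cap argument processing and refuse partially parsed bodies.
# SecArgumentsLimit is the directive introduced with 3.0.5 (PR #2234).
# The value 1000 is an assumption; size it to what the application needs.
SecArgumentsLimit 1000

# A request that filled the cap was only partly parsed. Deny it rather than
# forwarding a body whose remainder the rules never saw. The comparison uses
# the same number as the directive above, so keep the two in step.
SecRule &ARGS "@ge 1000" \
    "id:200007,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    status:400,\
    msg:'Failed to fully parse request body due to large argument count',\
    severity:2"
```

Pick the value from real traffic rather than from a guess: a legitimate form or API call rarely carries more than a few hundred parameters, while the degenerate JSON documents this feature targets carry orders of magnitude more, so a limit in the low thousands separates the two with room to spare.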
|
From: <877...@qq...> - 2021-07-02 15:22:42
|
I got it. bb is always uppercase.
------------------ Original ------------------
From: "mod-security-users" <mod...@li...>;
Date: Fri, Jul 2, 2021 06:02 PM
To: "mod-security-users"<mod...@li...>;
Cc: "huiming"<877...@qq...>;
Subject: [mod-security-users] string compare
hi all,
Who can help me understand why the highlighted is not toupper(aa) == toupper(bb) or tolower(aa)==tolower(bb) ?
in file ModSecurity/src/variables/variable.h
    #include <algorithm>
    #include <cctype>
    #include <string>

    class VariableMonkeyResolution {
     public:
        VariableMonkeyResolution () { }

        // Case-insensitive compare of a user-written name `a` against `b`.
        // Only `a` is upper-cased, so `b` has to be an already-uppercase
        // variable name for the comparison to be symmetric in practice.
        static inline bool comp(const std::string &a, const std::string &b) {
            return a.size() == b.size()
                && std::equal(a.begin(), a.end(), b.begin(),
                    [](char aa, char bb) {
                        return toupper(aa) == bb;
                    });
        }
    };
thanks
huiming |