Thread: [mod-security-users] SecRuleUpdateTargetById working for some rules, not others
From: Todd M. B. <to...@to...> - 2012-01-14 08:38:28
Was getting a pile of false positives related to an ARGS in POST data so I chose to disable with a long list of SecRuleUpdateTargetById. I placed them in the crs_48 file so they are read after the rules they're meant to amend. After implementing I noticed that 8 out of the 20 rules I added worked as expected, but 12 just simply don't work. First, here's the list of rules:

#/etc/httpd/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf

# Whitelist SQL Injection rule firing on "1or" in REQUEST_FILENAME
SecRuleUpdateTargetById 981248 "!REQUEST_FILENAME" #okay

# javax.faces.ViewState causing 125k false positives per day
SecRuleUpdateTargetById 950109 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 950901 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 958700 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 958821 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 958833 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 958836 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 958871 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 959071 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 959072 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 960024 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 972030 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 981210 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981212 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981241 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981242 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981243 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981244 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981246 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981248 "!ARGS:javax.faces.ViewState" #okay
SecRuleUpdateTargetById 981260 "!ARGS:javax.faces.ViewState" #okay

Those marked okay work as expected. The rest do not. Example from debug logs for juxtaposition:

# working as expected (981248)
[14/Jan/2012:07:38:04 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 1fbf8568: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_FILENAME|!ARGS:javax.faces.ViewState" "@rx (?i:(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*x?or|div|like|between|and\\s*\\d+\\s*[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)=()]))" "phase:2,log,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects chained SQL injection attempts 1/2',id:981248,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}"

# not working as expected (981212)
[14/Jan/2012:07:38:03 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 1efc6e60: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" "phase:2,log,auditlog,rev:2.2.1,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:981212,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

The hit or miss nature of this has me stumped. Appreciate any help.

todd
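Todd marked each directive "okay" by reading the level-5 debug log by hand. The helper below is an added example, not code from the thread: it reads the SecRuleUpdateTargetById lines from an exceptions file, extracts the effective target list from each "Rule ...: SecRule" debug-log line, and reports per rule id whether every requested exclusion actually landed. The exceptions file and the log lines embedded here are constructed, shortened from the ones quoted above; a deliberately truncated log line (like the cut-off paste later in the thread) shows the tokenizer skipping what it cannot parse.

```python
"""Check which SecRuleUpdateTargetById exclusions took effect.

Compares the targets requested in an exceptions file with the effective
target list ModSecurity prints at debug level 5:
  Rule <addr>: SecRule "<targets>" "<operator>" "<actions>"
"""
import re
import shlex

# Constructed sample exceptions file (same directive shape as in the thread).
EXCEPTIONS_CONF = """
# javax.faces.ViewState exclusions
SecRuleUpdateTargetById 981248 "!REQUEST_FILENAME"
SecRuleUpdateTargetById 981248 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 981212 "!ARGS:javax.faces.ViewState"
SecRuleUpdateTargetById 950901 "!ARGS:javax.faces.ViewState"
"""

# Constructed debug-log lines, shortened from the thread: 981248 carries both
# exclusions, 981212 still shows its stock targets, 950901 is cut off mid-regex.
DEBUG_LOG = r"""
[14/Jan/2012:07:38:04 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 1fbf8568: SecRule "REQUEST_COOKIES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_FILENAME|!ARGS:javax.faces.ViewState" "@rx (?i:(?:@.+=\\s*\\(\\s*select))" "phase:2,log,block,msg:'Detects chained SQL injection attempts 1/2',id:981248,severity:2"
[14/Jan/2012:07:38:03 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 1efc6e60: SecRule "REQUEST_COOKIES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(\\!\\=|xor|rlike))" "phase:2,log,rev:2.2.1,block,msg:'SQL Injection Attack: SQL Operator Detected',id:981212,severity:2"
[14/Jan/2012:07:38:05 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 2130e020: SecRule "ARGS|XML:/*" "@rx (?i:([\\s'\"`
"""

UPDATE_RE = re.compile(r'^\s*SecRuleUpdateTargetById\s+(\d+)\s+"([^"]*)"')
RULE_RE = re.compile(r"\bRule [0-9a-f]+: (SecRule .*)$")
ID_RE = re.compile(r"(?:^|,)id:'?(\d+)")


def parse_exceptions(text):
    """Map rule id -> list of targets requested via SecRuleUpdateTargetById."""
    wanted = {}
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            for target in m.group(2).split("|"):
                wanted.setdefault(m.group(1), []).append(target)
    return wanted


def parse_debug_log(text):
    """Map rule id -> effective target list as printed at debug level 5."""
    effective = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        try:
            # shlex handles the \" and \\ escapes inside the quoted fields
            tokens = shlex.split(m.group(1))
        except ValueError:
            continue  # truncated line: unbalanced quotes, nothing usable
        if len(tokens) < 4:
            continue
        targets, actions = tokens[1], tokens[3]
        idm = ID_RE.search(actions)
        if idm:
            effective[idm.group(1)] = targets.split("|")
    return effective


def check_exclusions(wanted, effective):
    """Return {rule_id: {target: 'okay' | 'MISSING' | 'not seen in log'}}."""
    report = {}
    for rule_id, targets in wanted.items():
        report[rule_id] = {}
        for target in targets:
            if rule_id not in effective:
                report[rule_id][target] = "not seen in log"
            elif target in effective[rule_id]:
                report[rule_id][target] = "okay"
            else:
                report[rule_id][target] = "MISSING"
    return report


def format_report(report):
    """One line per requested exclusion, in the style of Todd's #okay marks."""
    lines = []
    for rule_id in sorted(report):
        for target, status in report[rule_id].items():
            lines.append(f"{rule_id} {target!r:40} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_exclusions(parse_exceptions(EXCEPTIONS_CONF),
                              parse_debug_log(DEBUG_LOG))
    print(format_report(result))
```

To run it against a real setup, read the exceptions file and a debug log captured with SecDebugLogLevel 5 in place of the two constants.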
From: Breno S. <bre...@gm...> - 2012-01-14 12:35:36
Hey Todd,

Yes, this is a strange behaviour. I just got the rule 950901 and inserted a SecRuleUpdateTargetById after it in my custom rule file:

SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*)?\2|([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*)?(?!\6)([\d\w]+))" \
    "phase:2,rev:'2.2.3',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950901',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

SecRuleUpdateTargetById 950901 "!ARGS:javax.faces.ViewState"

And it looks like it is working fine.

[14/Jan/2012:20:18:37 +0900] [192.168.0.102/sid#2135a4f0][rid#21363b30][/index.html][4] Recipe: Invoking rule 2130e020; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "225"] [id "950901"] [rev "2.2.3"].
[14/Jan/2012:20:18:37 +0900] [192.168.0.102/sid#2135a4f0][rid#21363b30][/index.html][5] Rule 2130e020: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!ARGS:javax.faces.ViewState" "@rx (?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\x

I will load the entire CRS base_rules and place it in the file you placed. Can you try to insert the SecRuleUpdateTargetById directives in the latest file to be loaded by ModSecurity?

Thanks

Breno
From: Breno S. <bre...@gm...> - 2012-01-14 12:41:47
Todd,

It is working fine for me with full crs. Are you using ModSecurity 2.6.3?

Thanks
From: Todd M. B. <to...@to...> - 2012-01-17 23:50:31
Per advice, I updated to the latest CRS (2.2.1 -> 2.2.3), although I have not yet updated the modsecurity module (2.6.1 -> 2.6.3). Still, this seems to have worked. Much thanks to Breno and others who recommended I bump my version to the latest.

I just have one last question that's arisen based on some of the back 'n forth: when do I use modsecurity_crs_48_local_exceptions.conf vs. modsecurity_crs_60_custom_rules.conf? As it stands, I have two local rules files, crs_15 and crs_48; however, some of the blog postings I've been reading reference crs_60_custom_rules so as to fire after ALL other rule files. My understanding was that I just needed rules such as SecRuleUpdateTargetById to be after the standard rules, but before the inbound/outbound blocking rules. Placing as crs_60_custom_rules would put them after all rules files, including the correlation files, which I thought would present a problem in Anomaly Scoring mode. To test, I moved my file around, trying crs_48 as well as crs_60, and I did not see a difference in behavior.

Appreciate the expert input on this one. Thanks again.

todd
From: Todd B. <to...@to...> - 2012-01-14 20:31:27
Thanks Breno. I should have added that I did try changing the filename to crs_99 to make it the last possible file to load, to no avail. I am running 2.6.1. Perhaps it's an issue in older versions, though I don't recall seeing anything in the changelogs for 2.6.2 and 2.6.3. Maybe I missed it. Not a big fan of upgrading without just cause, but in the absence of any other idea, I guess this qualifies as just cause, right? ;-)

If anyone can confirm that there is an issue with 2.6.1, feel free to chime in. I'm with the kiddos so won't get to tackle this until later anyway.

todd
From: Michael H. <mic...@gm...> - 2012-01-14 21:03:25
Hi,

which version of CRS are you using?
Some of the rule IDs you mentioned were used twice in CRS 2.2.1, I think.
You should use 2.2.3.

Best Regards
Michael

2012/1/14 Todd Bushnell <to...@to...>:
> Thanks Breno. I should have added that I did try changing the filename to
> crs_99 to make it the last possible file to load, to no avail. I am running
> 2.6.1. Perhaps it's an issue in older versions though I don't recall seeing
> anything in the changelogs for 2.6.2 and 2.6.3. Maybe I missed it. Not a
> big fan of upgrading without just cause, but in the absence of any other
> idea, I guess this qualifies as just cause, right? ;-)
>
> If anyone can confirm that there is an issue with 2.6.1, feel free to chime
> in. I'm with the kiddos so won't get to tackle this until later anyway.
>
> todd
>
> On Sat, Jan 14, 2012 at 4:41 AM, Breno Silva <bre...@gm...> wrote:
>>
>> Todd,
>>
>> It is working fine for me with full CRS.
>>
>> Are you using ModSecurity 2.6.3?
>>
>> Thanks
>>
>> On Sat, Jan 14, 2012 at 6:35 AM, Breno Silva <bre...@gm...> wrote:
>>>
>>> Hey Todd,
>>>
>>> Yes, this is a strange behaviour. I just got the rule 950901 and inserted a
>>> SecRuleUpdateTargetById after it in my custom rule file:
>>>
>>> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*)?\2|([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*)?(?!\6)([\d\w]+))" \
>>>     "phase:2,rev:'2.2.3',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950901',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>>>
>>> SecRuleUpdateTargetById 950901
>>>
>>> And it looks like it is working fine.
>>>
>>> [14/Jan/2012:20:18:37 +0900] [192.168.0.102/sid#2135a4f0][rid#21363b30][/index.html][4] Recipe: Invoking rule 2130e020; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "225"] [id "950901"] [rev "2.2.3"].
>>> [14/Jan/2012:20:18:37 +0900] [192.168.0.102/sid#2135a4f0][rid#21363b30][/index.html][5] Rule 2130e020: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!ARGS:javax.faces.ViewState" "@rx (?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\x
>>>
>>> I will load the entire CRS base_rules and place in the file you placed.
>>>
>>> Can you try to insert the SecRuleUpdateTargetById directives in the latest
>>> file to be loaded by ModSecurity?
>>>
>>> Thanks
>>>
>>> Breno
>>>
>>> On Sat, Jan 14, 2012 at 2:08 AM, Todd Michael Bushnell <to...@to...> wrote:
>>>>
>>>> Was getting a pile of false positives related to an ARGS in POST data so
>>>> I chose to disable with a long list of SecRuleUpdateTargetById. I placed
>>>> them in crs_48 file so they are read after the rules they're meant to amend.
>>>> After implementing I noticed that 8 out of the 20 rules I added worked as
>>>> expected, but 12 just simply don't work. First, here's the list of rules:
>>>>
>>>> #/etc/httpd/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
>>>>
>>>> # Whitelist SQL Injection rule firing on "1or" in REQUEST_FILENAME
>>>> SecRuleUpdateTargetById 981248 "!REQUEST_FILENAME" #okay
>>>>
>>>> # javax.faces.ViewState causing 125k false positives per day
>>>> SecRuleUpdateTargetById 950109 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 950901 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 958700 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 958821 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 958833 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 958836 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 958871 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 959071 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 959072 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 960024 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 972030 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 981210 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981212 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981241 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981242 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981243 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981244 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981246 "!ARGS:javax.faces.ViewState"
>>>> SecRuleUpdateTargetById 981248 "!ARGS:javax.faces.ViewState" #okay
>>>> SecRuleUpdateTargetById 981260 "!ARGS:javax.faces.ViewState" #okay
>>>>
>>>> Those marked okay work as expected. The rest do not. Example from
>>>> debug logs for juxtaposition:
>>>>
>>>> # working as expected (981248)
>>>> [14/Jan/2012:07:38:04 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 1fbf8568: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_FILENAME|!ARGS:javax.faces.ViewState" "@rx (?i:(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*x?or|div|like|between|and\\s*\\d+\\s*[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)=()]))" "phase:2,log,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects chained SQL injection attempts 1/2',id:981248,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}"
>>>>
>>>> # not working as expected (981212)
>>>> [14/Jan/2012:07:38:03 +0000] [foo.com/sid#1fbc3ab0][rid#2aaab159a098][/path/to/spacer.gif.html][5] Rule 1efc6e60: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" "phase:2,log,auditlog,rev:2.2.1,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:981212,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>>>>
>>>> The hit or miss nature of this has me stumped. Appreciate any help.
>>>>
>>>> todd
>>>>
>>>> ------------------------------------------------------------------------------
>>>> RSA(R) Conference 2012
>>>> Mar 27 - Feb 2
>>>> Save $400 by Jan. 27
>>>> Register now!
>>>> http://p.sf.net/sfu/rsa-sfdev2dev2
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
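Michael's suspicion is that some of these ids were defined twice in CRS 2.2.1, and Todd's other concern is whether the exceptions file loads after the rules it amends. The following checker is an added example, not code from the thread or from ModSecurity/CRS: it indexes every rule id across a set of rule files and flags each SecRuleUpdateTargetById whose id is duplicated, undefined, or defined in a file (or line) that loads after the exception. It runs on a small constructed rule set standing in for a CRS directory, and assumes Apache's wildcard Include loads files in alphabetical order.

```python
import re
from collections import defaultdict

# Constructed stand-in for a CRS rule directory (not real CRS files). Both id syntaxes
# seen in the thread appear (id:'950901' and id:981212), and 950901 is defined twice on
# purpose to reproduce the "id used two times" situation Michael describes.
SAMPLE_FILES = {
    "modsecurity_crs_41_sql_injection_attacks.conf": (
        'SecRule ARGS "(?i:sounds\\s+like)" \\\n'
        '    "phase:2,rev:\'2.2.1\',block,msg:\'SQL Injection Attack\',id:\'950901\'"\n'
        'SecRule ARGS "@rx (?i:xor|rlike)" \\\n'
        '    "phase:2,rev:2.2.1,block,msg:\'SQL Operator Detected\',id:981212"\n'
        'SecRule ARGS "(?i:having)" \\\n'
        '    "phase:2,rev:\'2.2.1\',block,msg:\'SQL Injection Attack\',id:\'950901\'"\n'
    ),
    "modsecurity_crs_48_local_exceptions.conf": (
        'SecRuleUpdateTargetById 950901 "!ARGS:javax.faces.ViewState"\n'
        'SecRuleUpdateTargetById 981212 "!ARGS:javax.faces.ViewState"\n'
        'SecRuleUpdateTargetById 999999 "!ARGS:javax.faces.ViewState"\n'
    ),
}

ID_RE = re.compile(r"\bid:'?(\d+)'?")          # id:981212 or id:'950901'
UPDATE_RE = re.compile(r"^\s*SecRuleUpdateTargetById\s+(\d+)\b")


def logical_lines(text):
    """(logical line number, line) pairs with backslash continuations joined,
    the way ModSecurity reads a multi-line SecRule."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return list(enumerate(joined.splitlines(), 1))


def index_rule_ids(files):
    """Map each rule id to every (file, logical line) where a SecRule/SecAction defines it."""
    defs = defaultdict(list)
    for name, text in files.items():
        for lineno, line in logical_lines(text):
            if line.lstrip().startswith(("SecRule ", "SecAction ")):
                for rid in ID_RE.findall(line):
                    defs[rid].append((name, lineno))
    return defs


def audit_exceptions(files):
    """Classify every SecRuleUpdateTargetById id as duplicate, undefined or out of order.
    Assumption: files load in alphabetical order (Apache wildcard Include), so the
    exception only takes effect if every definition of its id is read before it."""
    defs = index_rule_ids(files)
    report = {"duplicate": {}, "undefined": [], "out_of_order": []}
    for name, text in files.items():
        for lineno, line in logical_lines(text):
            m = UPDATE_RE.match(line)
            if not m:
                continue
            rid = m.group(1)
            places = defs.get(rid, [])
            if not places:
                report["undefined"].append(rid)
                continue
            if len(places) > 1:
                report["duplicate"][rid] = [f"{f}:{ln}" for f, ln in places]
            if any((f, ln) >= (name, lineno) for f, ln in places):
                report["out_of_order"].append(rid)
    return report


if __name__ == "__main__":
    for kind, ids in audit_exceptions(SAMPLE_FILES).items():
        print(f"{kind}: {ids}")
```

Pointing `files` at the real CRS directory contents (file name to text) gives the same three lists for a live install.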
From: Breno S. <bre...@gm...> - 2012-01-14 21:11:26
Hey Todd,

Yes, we fixed some issues related to this directive in the new versions. Also, as mentioned by Michael, you should upgrade your CRS.

Let me know if it works for you.

Thanks

Breno