|
From: Frederic F. <fre...@gm...> - 2018-01-04 14:37:40
|
Hello all,
First post in this list !
I’m playing with what should be a super-simple setup (NGINX+modsecurity+CRS 3.0).
Still, not everything is working as expected.
I’m trying to block requests from some countries (I’m testing from a CH IP).
In my REQUEST-910-IP-REPUTATION.conf sits the rule which I want to use:
#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
"msg:'Client IP is from a HIGH Risk Country Location.',\
severity:'CRITICAL',\
id:910100,\
phase:request,\
log,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
"chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id <http://rule.id/>}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
And in my crs-setup.conf I have:
SecAction \
"id:900600,\
phase:1,\
log,\
pass,\
t:none,\
setvar:'tx.high_risk_country_codes=CH YU LT EG’"
Now, I can find rule ID 900600 in my audit log but not rule ID 910100, see below.
---UkhFLq7B---A--
[04/Jan/2018:14:20:10 +0000] 151507561010.797697 37.0.34.57 28266 37.0.34.57 80
---UkhFLq7B---B--
GET / HTTP/1.1
Host: xxxxxx.northeurope.cloudapp.azure.com <http://xxxxxx.northeurope.cloudapp.azure.com/>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 26 Dec 2017 16:01:12 GMT
If-None-Match: "5a427248-264"
---UkhFLq7B---D--
---UkhFLq7B---F--
HTTP/1.1 304
Server: nginx/1.13.8
Date: Thu, 04 Jan 2018 14:20:10 GMT
Last-Modified: Tue, 26 Dec 2017 16:01:12 GMT
Connection: keep-alive
ETag: "5a427248-264"
---UkhFLq7B---H--
ModSecurity: Warning. [file "/etc/nginx/modsec/crs-setup.conf"] [line "563"] [id "900600"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "37.0.34.57"] [uri "/"] [unique_id "151507561010.797697"] [ref ""]
---UkhFLq7B---I--
---UkhFLq7B---J--
---UkhFLq7B---Z--
My “paranoia level" is set to 1. I know for sure that CRS rules are enforced, if I change the paranoia level to 4 and launch requests containing special characters other rules do trigger.
Thanks a lot for your help with this.
Best,
Fred |
|
From: Christian F. <chr...@ne...> - 2018-01-04 16:27:07
|
Hi Frederic,
On Thu, Jan 04, 2018 at 03:37:30PM +0100, Frederic Fichter wrote:
> First post in this list !
Welcome!
> I’m playing with what should be a super-simple setup
> (NGINX+modsecurity+CRS 3.0).
> Still, not everything is working as expected.
Is that ModSec 3.0 or 2.9.x?
> I’m trying to block requests from some countries (I’m testing from a CH
> IP).
They are the worst. :)
Could you raise the debuglog level 9 and check the part dealing with
910100? You can also submit it here, if you are not sure what to make
out of it.
Good luck!
Ahoj,
Christian
> In my REQUEST-910-IP-REPUTATION.conf sits the rule which I want to use:
> #
> # -=[ GeoIP Checks ]=-
> #
> # This rule requires activating the SecGeoLookupDB directive
> # in the crs-setup.conf file and specifying
> # the list of blocked countries (tx.high_risk_country_codes).
> #
> # This rule does a GeoIP resolution on the client IP address.
> #
> SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
> "msg:'Client IP is from a HIGH Risk Country Location.',\
> severity:'CRITICAL',\
> id:910100,\
> phase:request,\
> log,\
> block,\
> t:none,\
> tag:'application-multi',\
> tag:'language-multi',\
> tag:'platform-multi',\
> tag:'attack-reputation-ip',\
> chain"
> SecRule TX:REAL_IP "@geoLookup" \
> "chain"
> SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
> "setvar:'tx.msg=%{rule.msg}',\
> setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
> setvar:tx.%{[1]rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%
> {matched_var},\
> setvar:ip.reput_block_flag=1,\
> expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
> setvar:'ip.reput_block_reason=%{rule.msg}'"
> And in my crs-setup.conf I have:
> SecAction \
> "id:900600,\
> phase:1,\
> log,\
> pass,\
> t:none,\
> setvar:'tx.high_risk_country_codes=CH YU LT EG’"
> Now, I can find rule ID 900600 in my audit log but not rule ID 910100,
> see below.
> ---UkhFLq7B---A--
> [04/Jan/2018:14:20:10 +0000] 151507561010.797697 37.0.34.57 28266
> 37.0.34.57 80
> ---UkhFLq7B---B--
> GET / HTTP/1.1
> Host: [2]xxxxxx.northeurope.cloudapp.azure.com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0)
> Gecko/20100101 Firefox/57.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Cache-Control: max-age=0
> Upgrade-Insecure-Requests: 1
> If-Modified-Since: Tue, 26 Dec 2017 16:01:12 GMT
> If-None-Match: "5a427248-264"
> ---UkhFLq7B---D--
> ---UkhFLq7B---F--
> HTTP/1.1 304
> Server: nginx/1.13.8
> Date: Thu, 04 Jan 2018 14:20:10 GMT
> Last-Modified: Tue, 26 Dec 2017 16:01:12 GMT
> Connection: keep-alive
> ETag: "5a427248-264"
> ---UkhFLq7B---H--
> ModSecurity: Warning. [file "/etc/nginx/modsec/crs-setup.conf"] [line
> "563"] [id "900600"] [rev ""] [msg ""] [data ""] [severity "0"] [ver
> ""] [maturity "0"] [accuracy "0"] [hostname "37.0.34.57"] [uri "/"]
> [unique_id "151507561010.797697"] [ref ""]
> ---UkhFLq7B---I--
> ---UkhFLq7B---J--
> ---UkhFLq7B---Z--
> My “paranoia level" is set to 1. I know for sure that CRS rules are
> enforced, if I change the paranoia level to 4 and launch requests
> containing special characters other rules do trigger.
> Thanks a lot for your help with this.
> Best,
> Fred
>
> References
>
> 1. http://rule.id/
> 2. http://xxxxxx.northeurope.cloudapp.azure.com/
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
|
|
From: Frederic F. <fre...@gm...> - 2018-01-05 08:34:24
|
Hi, ModSec 3.0 here :) DebugLog is as follow: [4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES. [9] Target value: "CH YU LT EG" (Variable: TX:HIGH_RISK_COUNTRY_CODES) [9] Matched vars updated. [4] Running [independent] (non-disruptive) action: msg [9] Saving msg: Client IP is from a HIGH Risk Country Location. [4] Running [independent] (non-disruptive) action: log [9] Saving transaction to logs [4] Rule returned 1. [4] Executing chained rule. [4] (Rule: 0) Executing operator "GeoLookup" with param "" against TX:REAL_IP. [9] Target value: "37.0.34.57" (Variable: TX:REAL_IP) [4] Rule returned 0. [9] Matched vars cleaned. So 910100 actually does trigger, but the “block” action is not applied. Could you shed a light on that ? :) Again, thanks much for your help with this, Best, Fred |
|
From: Christian F. <chr...@ne...> - 2018-01-05 09:04:28
|
Hello Frédéric, On Fri, Jan 05, 2018 at 09:34:13AM +0100, Frederic Fichter wrote: > DebugLog is as follow: > > [4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES. > [9] Target value: "CH YU LT EG" (Variable: TX:HIGH_RISK_COUNTRY_CODES) > [9] Matched vars updated. > [4] Running [independent] (non-disruptive) action: msg > [9] Saving msg: Client IP is from a HIGH Risk Country Location. > [4] Running [independent] (non-disruptive) action: log > [9] Saving transaction to logs > [4] Rule returned 1. > [4] Executing chained rule. > [4] (Rule: 0) Executing operator "GeoLookup" with param "" against TX:REAL_IP. > [9] Target value: "37.0.34.57" (Variable: TX:REAL_IP) > [4] Rule returned 0. > [9] Matched vars cleaned. > > So 910100 actually does trigger, but the “block” action is not applied. Could you shed a light on that ? :) No, I do not think it did trigger. If you look at the rule, it's tri-fold. The one that triggered was the first rule that checks high-risk-countries is not empty. That seems to be the case, so on to the 2nd rule, which is the execution of the GeoIPLookup (look up in the book why this is done via an operator in a rule) and that rule returned a 0. That is odd. @Felipe: How good is the GeoIP support in 3.0? I take it this is mean to work but it looks as if it would not. Ahoj, Christian -- Moderation, the Golden Mean, the Aristonmetron, is the secret of wisdom and of happiness. But it does not mean embracing an unadventurous mediocrity: rather it is an elaborate balancing-act, a feat of intellectual skill demanding constant vigilance. Its aim is a reconciliation of opposites. -- Robertson Davies |
|
From: Frederic F. <fre...@gm...> - 2018-01-05 09:11:45
|
This one (found in crs-setup.conf) does the job if I change the action to “block”: SecAction \ "id:900600,\ phase:1,\ log,\ pass,\ t:none,\ setvar:'tx.high_risk_country_codes=CH YU LT EG'" |
|
From: Frederic F. <fre...@gm...> - 2018-01-09 08:42:02
|
Hello again, Did anybody had GeoIP, i.e. rule id:910100 (TX:HIGH_RISK_COUNTRY_CODES) from OWASP CRS working with modsecurity 3.0 ? Best, Fred > On 5 Jan 2018, at 10:04, Christian Folini <chr...@ne...> wrote: > > @Felipe: How good is the GeoIP support in 3.0? I take it this is mean to > work but it looks as if it would not. |
