Hey Paul,
Sorry, I do not have time to look into this. But I do agree it is an action that
has an unexpected behaviour. I remember this clearly from when I wrote the
book and played around with it.
I do not think a lot of people are using it. Probably for this reason.
Best,
Christian
On Fri, Feb 07, 2020 at 05:23:21PM +0000, Paul Beckett wrote:
> Alexandre Schaff very kindly replied to me directly, and set me on the right path. Things are now sort of working, but I believe the behaviour of pause is not as I'd expect.
>
> My SecDefaultAction is pass.
> The ModSecurity Handbook v2, described the pause action as "Pause for a period of time, then execute allow". For this reason I removed the "pass" as it seemed to be being ignored.
> Although it sounds like the behaviour of pause in relation to other actions was modified back in 2013: https://github.com/SpiderLabs/ModSecurity/issues/445. I'd hope that this had been updated into Ubuntu's libapache2-mod-security2 package.
>
> However I think the behaviour I am seeing doesn't seem to match either the pre-2013 case, or the expected behaviour suggested by that post:
>
> * pause = pause then drop
> * pass,pause = pause then allow
>
> Processing of additional rules does not take place:
>
> SecRule REQUEST_URI "@rx ^/slow/page" "id:2004,phase:2,log,msg:'***POST PAGE***',noauditlog,pass,pause:500,chain"
> SecRule REQUEST_METHOD "@rx ^POST$"
> # Add delay to rendering login page
> SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,log,msg:'***GET PAGE***',noauditlog,pass,pause:200"
>
> ie. if it matched on rule ID:2004 then rule ID:2003 doesn't get processed.
>
> Thanks,
> Paul
>
> ________________________________
> From: SCHAFF Alexandre
> Sent: 07 February 2020 09:37
> To: Paul Beckett <pau...@ou...>
> Subject: Re: modsecurity pause action seems to be causing request to be dropped
>
> Bonjour,
>
> Issue in src code when action in SecRule 'pause' interacts with SecDefaultAction sets a disruptive action. Interaction happens when there is no disruptive action in the SecRule.
>
> Try
> SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,pass,nolog,noauditlog,pause:371"
>
> Alexandre.
>
>
> ________________________________
> From: Paul Beckett <pau...@ou...>
> Sent: Friday, February 7, 2020 8:32 AM
> To: mod...@li... <mod...@li...>
> Subject: [mod-security-users] modsecurity pause action seems to be causing request to be dropped
>
> Yesterday this seemed to be working for me, but today this rule seems to be causing the request to be dropped.
>
> Rule:
> SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,nolog,noauditlog,pause:371"
>
> If I comment it out page returns, uncommented curl comes straight back with:
> * Empty reply from server
> * Connection #0 to host modsectest.local left intact
> curl: (52) Empty reply from server
>
> This is being tested against a simple newly built test environment:
> Ubuntu 18.04.3 LTS
> Apache2 and mod-sec installed from repository
> Loading CRS3
>
> If anyone can see an obvious explanation for this, I'd be very grateful.
> Thanks,
> Paul
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
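A small linter for the condition Alexandre describes in the thread (a rule that uses pause with no disruptive action of its own, so the one from SecDefaultAction comes into play). It is added here as an example and is not part of the original messages; the function names, the sample rules and the set of actions treated as disruptive are assumptions of this example.

```python
import shlex

# Assumption of this example: ModSecurity v2 actions counted as an explicit disruptive choice.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

# Constructed sample: the rule from the first message plus the chained rule with pass.
SAMPLE = r'''
SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,nolog,noauditlog,pause:371"
SecRule REQUEST_URI "@rx ^/slow/page" "id:2004,phase:2,log,msg:'***POST PAGE***',noauditlog,pass,pause:500,chain"
SecRule REQUEST_METHOD "@rx ^POST$"
'''

def split_actions(action_str):
    """Split an action list on commas, ignoring commas inside single quotes."""
    parts, buf, quoted = [], "", False
    for ch in action_str:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return [p for p in parts if p]

def find_risky_pause(config_text):
    """Return ids of rules that use pause without an explicit disruptive action."""
    findings, in_chain = [], False
    for line in config_text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        directive = tokens[0].lower()
        if directive == "secrule":      # SecRule VARIABLES OPERATOR [ACTIONS]
            action_str = tokens[3] if len(tokens) > 3 else ""
        elif directive == "secaction":  # SecAction ACTIONS
            action_str = tokens[1] if len(tokens) > 1 else ""
        else:
            continue
        names = {a.partition(":")[0].strip().lower(): a.partition(":")[2]
                 for a in split_actions(action_str)}
        was_chained, in_chain = in_chain, "chain" in names
        if was_chained:
            continue  # disruptive actions are set on the chain starter only
        if "pause" in names and DISRUPTIVE.isdisjoint(names):
            findings.append(names.get("id", "<no id>"))
    return findings

if __name__ == "__main__":
    print(find_risky_pause(SAMPLE))
```
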