Thread: [mod-security-users] mod_security: Invalid character detected [252]
From: Carlos M. G. <cm...@ne...> - 2003-12-12 13:50:49
Greetings. I installed mod_security on a server, and for the moment all the pages work fine. Now I have some little issues that I describe below (extracted from the audit_log file). Can anybody help me with this issue? Any recommendations about the mod_security conf. directives and security? Thanks in advance.

========================================
Request: 200.75.133.65 - - [Fri Dec 12 09:44:48 2003] "GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1" 500 541
Handler: (null)
Error: mod_security: Invalid character detected [252]
----------------------------------------
GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1
Accept: image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.XXXXXX.org
Keep-Alive: 300
Referer: http://www.XXXX.org/htme/marktberatung.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
mod_security-message: Invalid character detected
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

========================================
Request: 200.75.133.65 - - [Fri Dec 12 09:44:48 2003] "GET /images/buttonse/inkassoausk%FCnfte-down.gif HTTP/1.1" 500 541
Handler: (null)
Error: mod_security: Invalid character detected [252]
----------------------------------------
GET /images/buttonse/inkassoausk%FCnfte-down.gif HTTP/1.1
Accept: image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.XXXXX.org
Keep-Alive: 300
Referer: http://www.XXXX.org/htme/marktberatung.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
mod_security-message: Invalid character detected
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Here I send you the mod_security conf file.

<IfModule mod_security.c>

# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 32 126

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/www/logs/audit_log

# Debug level set to a minimum
SecFilterDebugLog /var/www/logs/modsec_debug_log
SecFilterDebugLevel 1

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500

# Require HTTP_USER_AGENT and HTTP_HOST in every request (telnet to port 80 will not work)
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Detect attempts to execute binaries on the server
SecFilter "bin/"
SecFilter "etc/"

# Eliminate spam sent through FormMail
<Location /cgi-bin/FormMail>
    SecFilterSelective "ARG_recipient" "!@webkreator.com$"
</Location>

# Forbid file uploads
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

#### RULES TAKEN FROM SNORT ###
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS nt admin addition attempt
SecFilter "net localgroup administrators /add"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass
# WEB-CGI php.cgi access
SecFilterSelective THE_REQUEST "/php\.cgi"
# WEB-CGI nph-test-cgi access
SecFilterSelective THE_REQUEST "/nph-test-cgi"
# WEB-CGI test-cgi attempt
SecFilterSelective THE_REQUEST "/test-cgi/*\?*"
# WEB-CGI test-cgi access
SecFilterSelective THE_REQUEST "/test-cgi"
# WEB-CGI testcgi access
SecFilterSelective THE_REQUEST "/testcgi" log,pass
# WEB-CGI test.cgi access
SecFilterSelective THE_REQUEST "/test\.cgi" log,pass
# WEB-CGI finger access
SecFilterSelective THE_REQUEST "/finger"
# WEB-CGI environ.cgi access
SecFilterSelective THE_REQUEST "/environ\.cgi"
# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"
# WEB-MISC Nessus 404 probe
SecFilterSelective THE_REQUEST "/nessus_is_probing_you_"
# WEB-MISC http directory traversal
SecFilter "\.\./"
# WEB-MISC sadmind worm access
SecFilter "GET x HTTP/1\.0"
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP php.exe access
SecFilterSelective THE_REQUEST "/php\.exe" log,pass

</IfModule>
From: Ivan R. <iv...@we...> - 2003-12-12 13:57:30
> I installed mod_Security on a server, and for the moments, all the pages
> works fine. Now, I have some little issues that I describe above
> (extracted from the audit_log file).
> Anybody can help me on this issue...??

You've configured mod_security to reject requests containing characters that fall outside the 32-126 range (inclusive). And there are such characters in the example request you gave us. For example:

    /images/buttonse/inkassoausk%FCnfte.gif

contains %fc (252).

Change this line:

    SecFilterForceByteRange 32 126

into:

    SecFilterForceByteRange 32 255

and your problems will go away.

FYI, future releases will include the ability to specify several ranges of acceptable characters, not only one as right now.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
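The point of the reply is that SecFilterForceByteRange is applied to the URL-decoded request, so `%FC` is checked as the single byte 0xFC (252), not as the three ASCII characters `%FC`; the German filename ("Inkassoauskünfte", ISO-8859-1) can therefore never pass a 32-126 range. The script below is an added example, not code from the thread or from mod_security itself: it re-implements that decode-then-range check in Python and runs it over the two request lines taken from the audit_log above plus two constructed ones (a plain ASCII image request and a NUL-byte probe). Reporting the first out-of-range byte in the verdict is this script's emulation of the `[252]` in the audit message, not a claim about how the module picks it. It also shows the caveat a practitioner will want: widening the upper bound to 255 accepts Latin-1 (and, if the site moved to UTF-8, the two bytes 195 and 188 of `%C3%BC`), but the lower bound of 32 still rejects NUL and other control bytes.

```python
# Added example, not from the original thread or from mod_security's source.
# Simulates how SecFilterForceByteRange sees a request after URL decoding,
# and why "32 126" rejects %FC (252) while "32 255" accepts it.
from urllib.parse import unquote_to_bytes

# Two request lines copied from the audit_log in the thread, plus two
# constructed ones for contrast (a plain ASCII request and a NUL-byte probe).
SAMPLE_REQUEST_LINES = [
    "GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1",
    "GET /images/buttonse/inkassoausk%FCnfte-down.gif HTTP/1.1",
    "GET /images/buttonse/logo.gif HTTP/1.1",                 # constructed
    "GET /cgi-bin/test.cgi?file=%00../etc/passwd HTTP/1.1",   # constructed
]


def request_uri(request_line):
    """Return the raw (still percent-encoded) URI from an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def out_of_range_bytes(uri, low, high):
    """URL-decode uri and return every decoded byte value outside [low, high].

    The range is inclusive on both ends, matching the reply's description of
    "32 126". Decoding first is the whole point: %FC becomes byte 0xFC == 252,
    and %00 becomes byte 0, neither of which is visible in the encoded text.
    """
    decoded = unquote_to_bytes(uri)
    return [b for b in decoded if b < low or b > high]


def check_request(request_line, low, high):
    """Emulate the audit_log verdict as (action, message, offending_byte).

    Returns ("pass", None, None) when every decoded byte is in range, else
    ("500", "Invalid character detected", byte) with the first bad byte,
    mirroring the "Invalid character detected [252]" line in the thread.
    (Choosing the first offending byte is this emulation's assumption.)
    """
    bad = out_of_range_bytes(request_uri(request_line), low, high)
    if not bad:
        return ("pass", None, None)
    return ("500", "Invalid character detected", bad[0])


def run_samples(low, high):
    """Apply one SecFilterForceByteRange setting to all sample request lines."""
    return {line: check_request(line, low, high) for line in SAMPLE_REQUEST_LINES}


if __name__ == "__main__":
    # The weak-for-this-site setting from the poster's config, then the fix
    # from the reply. Note the NUL probe is still rejected by both.
    for low, high in ((32, 126), (32, 255)):
        print("SecFilterForceByteRange %d %d" % (low, high))
        for line, (action, msg, byte) in run_samples(low, high).items():
            detail = "" if byte is None else " %s [%d]" % (msg, byte)
            print("  %-52s -> %s%s" % (request_uri(line), action, detail))
```

Run it as a script to see both settings side by side; under `32 126` the two audit_log requests and the NUL probe are rejected, under `32 255` only the NUL probe is.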