Thread: [mod-security-users] Filter question
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-09-20 13:02:53
Hello guys,

I want the following filter but I can't figure it out exactly.
I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif.
So it should match on all:
id=http://www.ddddd.br/dc.jpg
id=http://www.ddddd.br/dc.txt
id=http://www.ddddd.br/dc.jpg

What should be the filter code to use?

Gerwin
From: Jim M. <ji...@ww...> - 2006-02-23 15:58:27
Hi, I am semi-new (just over a week) user to mod_security, having
installed it when a bad PHP script on our web server was used to spam
hundreds of AOL users. It's done a fine job of blocking further attempts
to abuse PHP.
The script that the attackers used was called contactus.php and they used
SMTP header injection to do the spam. I noticed that when I first
installed mod_security, it blocked a lot of attempts, but I have seen very
little activity in the audit log since. But the Apache log shows that the
script is still being called. So I decided to log all calls to
contactus.php to see what was happening. I'm running mod_security 1.9.2
under Apache 1.3.34 and here is the complete config:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
#
# rules
#
# filter out SMTP injection attempts to exploit badly-written PHP scripts
# skip the check if the script is formmail.pl
SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
</IfModule>
I added the third rule this morning to try and log calls to contactus.php
that do not get blocked by the second rule. Here is a log entry:
==00004f90==============================
Request: lib.uah.edu 211.220.247.254 - - [23/Feb/2006:09:49:32 -0600]
"POST /contactus.php HTTP/1.1" 200 16163 "http://lib.uah.edu/" "-" - "-"
----------------------------------------
POST /contactus.php HTTP/1.1
Connection: Keep-Alive, Close
Content-Length: 773
Content-Type: application/x-www-form-urlencoded
Host: lib.uah.edu
Referer: http://lib.uah.edu/
mod_security-message: Warning. Pattern match "contactus\\.php" at
SCRIPT_FILENAME
773
esh_formmail_recipient=where7087%40lib.uah.edu&esh_formmail_cc=th%0D%0AContent-Type%3A+multipart%2Falternative%3B+boundary%3D1bcca4044c1101318a576bbebb0fdef3%0AMIME-Version%3A+1.0%0ASubject%3A+whose+rank+they+can+borrow%0Abcc%3A+StarlaK8099%40aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--1bcca4044c1101318a576bbebb0fdef3%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Adance+and+she+fell+dead+to+the+earth+uthor+s+ote+n+hiele+s+anish+opular+radition+it+is+related+that+she+was+one+argrethe+kofgaard%0A--1bcca4044c1101318a576bbebb0fdef3--%0A%0D%0A.%0D%0A&formmail_submit=where7087%40lib.uah.edu&esh_formmail_bcc=where7087%40lib.uah.edu&esh_formmail_subject=where7087%40lib.uah.edu
HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
--00004f90--
Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
why didn't the second rule block the request? Not sure what I'm doing
wrong here. Thanks...
Jim McCullars
University of Alabama in Huntsville
From: Ivan R. <iv...@we...> - 2006-02-23 16:32:59
Jim McCullars wrote:
> I'm running mod_security 1.9.2
> under Apache 1.3.34 and here is the complete config:
>
> ...
>
> SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
> SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
> SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
>
> ...
>
> Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
> why didn't the second rule block the request? Not sure what I'm doing
> wrong here. Thanks...

I think this is because the regex library used by Apache (and thus used by
ModSecurity) is not very capable - it does not understand "\n". I tried
replacing "\n" with \x0a (this is a ModSecurity extension) and with
"[[:cntrl:]]". Both worked.

Note that it is possible (and recommended) to compile ModSecurity with PCRE
(http://www.pcre.org) and thus work with a much better regex library (not to
mention the performance increase).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Jim M. <ji...@ww...> - 2006-02-23 17:35:41
On Thu, 23 Feb 2006, Ivan Ristic wrote:

> I think this is because the regex library used by Apache (and thus
> used by ModSecurity) is not very capable - it does not understand "\n".

Oops. Now, here's something kind of funny. I had noticed that sometimes the
pattern worked and sometimes it didn't. Looking closer, I finally noticed
that the only time it worked was when the last character in the previous
line was an "n" (because [[:space:]] matches the newline). D'oh!

> Note that it is possible (and recommended) to compile ModSecurity
> with PCRE (http://www.pcre.org) and thus work with a much better
> regex library (not to mention the performance increase).

That has to be added to Apache, right? The documentation page for 1.9.2
tells how to do this with apxs, but I don't use DSO. Could the docs be
updated to tell how to add this module to Apache as a static module? There
are some caveats as to the ordering of modules in Apache, and this is a
topic that I have never fully understood.

Thanks for the "\x0a" trick - I just hooked one! :-)

Jim McCullars
University of Alabama in Huntsville
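To show concretely what Ivan describes and what Jim noticed, here is an added Python simulation (not code from this thread or from ModSecurity): Apache's bundled POSIX regex library has no "\n" escape and sees a literal "n", which is emulated by rewriting the pattern, the POSIX classes are written as Python's "\s" and a control-character class, and "." is set to match newlines as POSIX does. It assumes ModSecurity 1.x URL-decodes each argument value before matching ARGS_VALUES, and uses a constructed, shortened copy of the logged request body.

```python
import re
from urllib.parse import parse_qs

# Constructed POST body, shortened from the audit-log entry in this thread
# (the injected "bcc:" line that should have been caught is kept verbatim).
LOGGED_BODY = (
    "esh_formmail_recipient=where7087%40lib.uah.edu"
    "&esh_formmail_cc=th%0D%0AContent-Type%3A+multipart%2Falternative%3B+boundary%3Dabc"
    "%0AMIME-Version%3A+1.0%0ASubject%3A+whose+rank+they+can+borrow"
    "%0Abcc%3A+StarlaK8099%40aol.com%0A%0AThis+is+a+multi-part+message%0A"
    "&formmail_submit=where7087%40lib.uah.edu"
)
# Constructed body reproducing Jim's observation: the line before the
# injected header happens to end in the letter "n".
ENDS_IN_N_BODY = "esh_formmail_cc=hidden%0Abcc%3A+someone%40example.com"

# Jim's rule was  "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@".  Apache's
# bundled POSIX regex library has no "\n" escape, so it sees a literal "n";
# [[:space:]] and [[:cntrl:]] are written as their Python equivalents.
RULE_AS_POSIX_SEES_IT = r"n\s*(to|bcc|cc)\s*:.*@"
RULE_WITH_X0A = r"\x0a\s*(to|bcc|cc)\s*:.*@"                # Ivan's first fix
RULE_WITH_CNTRL = r"[\x00-\x1f\x7f]\s*(to|bcc|cc)\s*:.*@"   # his second fix


def arg_values(body):
    """URL-decode a form body into its argument values (ModSecurity's ARGS_VALUES)."""
    return [v for vals in parse_qs(body, keep_blank_values=True).values() for v in vals]


def rule_hits(pattern, body):
    """Return the argument values a SecFilterSelective ARGS_VALUES rule would match.

    re.DOTALL because a POSIX '.' matches a newline, unlike Python's default.
    """
    rx = re.compile(pattern, re.DOTALL)
    return [v for v in arg_values(body) if rx.search(v)]


if __name__ == "__main__":
    for name, rule in [("literal n (as Apache saw it)", RULE_AS_POSIX_SEES_IT),
                       ("\\x0a", RULE_WITH_X0A),
                       ("[[:cntrl:]]", RULE_WITH_CNTRL)]:
        print(f"{name:30} logged body: {bool(rule_hits(rule, LOGGED_BODY))}, "
              f"line ending in n: {bool(rule_hits(rule, ENDS_IN_N_BODY))}")
```

Only the literal-"n" reading misses the logged body, and it matches the second body purely because "hidden" ends in "n", which is exactly the intermittent behaviour Jim saw.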
From: Ivan R. <iv...@we...> - 2006-02-23 19:44:40
Jim McCullars wrote:
>
> That has to be added to Apache, right? The documentation page for
> 1.9.2 tells how to do this with apxs, but I don't use DSO. Could the docs
> be updated to tell how to add this module to Apache as a static module?

If someone tells me how it's done :) I've never tried to compile Apache 1.x
statically with PCRE.

> There are some caveats as to the ordering of modules in Apache, and this
> is a topic that I have never fully understood.

You can always reorder them at runtime...

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Ivan R. <iv...@we...> - 2004-09-20 13:14:02
Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
>
> I want the following filter but I can't figure it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif.
> so it should match on all:
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
>
> What should be the filter code to use?

Try something like this:

SecFilterSelective ARGS "(http:/).+(\.txt|\.jpg|\.gif)"
                               ^1   ^2

1. Anti-evasion techniques mod_security uses will compress multiple forward
   slash characters to only one.

2. Because the dot character has a special meaning in regular expressions
   you will want to escape it to neutralise it.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-09-20 15:48:31
Yeah, this will do the trick, thanks :)

On Mon 20-09-2004, at 15:00, Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
>
> I want the following filter but I can't figure it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif.
> so it should match on all:
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
>
> What should be the filter code to use?
>
> Gerwin