Thread: [mod-security-users] Filter question
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-09-20 13:02:53
Hello guys,

I want the following filter but I can't figure it out exactly. I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif, so it should match on all:

id=http://www.ddddd.br/dc.jpg
id=http://www.ddddd.br/dc.txt
id=http://www.ddddd.br/dc.jpg

What should be the filter code to use?

Gerwin
From: Jim M. <ji...@ww...> - 2006-02-23 15:58:27
Hi,

I am a semi-new (just over a week) user of mod_security, having installed it when a bad PHP script on our web server was used to spam hundreds of AOL users. It's done a fine job of blocking further attempts to abuse PHP. The script that the attackers used was called contactus.php and they used SMTP header injection to do the spam.

I noticed that when I first installed mod_security, it blocked a lot of attempts, but I have seen very little activity in the audit log since. But the Apache log shows that the script is still being called. So I decided to log all calls to contactus.php to see what was happening. I'm running mod_security 1.9.2 under Apache 1.3.34 and here is the complete config:

<ifModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
#
# rules
#
# filter out SMTP injection attempts to exploit badly-written PHP scripts
# skip the check if the script is formmail.pl
SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
</IfModule>

I added the third rule this morning to try and log calls to contactus.php that do not get blocked by the second rule.

Here is a log entry:

==00004f90==============================
Request: lib.uah.edu 211.220.247.254 - - [23/Feb/2006:09:49:32 -0600] "POST /contactus.php HTTP/1.1" 200 16163 "http://lib.uah.edu/" "-" - "-"
----------------------------------------
POST /contactus.php HTTP/1.1
Connection: Keep-Alive, Close
Content-Length: 773
Content-Type: application/x-www-form-urlencoded
Host: lib.uah.edu
Referer: http://lib.uah.edu/
mod_security-message: Warning. Pattern match "contactus\\.php" at SCRIPT_FILENAME

773
esh_formmail_recipient=where7087%40lib.uah.edu&esh_formmail_cc=th%0D%0AContent-Type%3A+multipart%2Falternative%3B+boundary%3D1bcca4044c1101318a576bbebb0fdef3%0AMIME-Version%3A+1.0%0ASubject%3A+whose+rank+they+can+borrow%0Abcc%3A+StarlaK8099%40aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--1bcca4044c1101318a576bbebb0fdef3%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Adance+and+she+fell+dead+to+the+earth+uthor+s+ote+n+hiele+s+anish+opular+radition+it+is+related+that+she+was+one+argrethe+kofgaard%0A--1bcca4044c1101318a576bbebb0fdef3--%0A%0D%0A.%0D%0A&formmail_submit=where7087%40lib.uah.edu&esh_formmail_bcc=where7087%40lib.uah.edu&esh_formmail_subject=where7087%40lib.uah.edu

HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
--00004f90--

Note that part of the request reads "%0Abcc%3A+StarlaK8099%40aol.com", so why didn't the second rule block the request? Not sure what I'm doing wrong here. Thanks...

Jim McCullars
University of Alabama in Huntsville
From: Ivan R. <iv...@we...> - 2006-02-23 16:32:59
Jim McCullars wrote:
> I'm running mod_security 1.9.2
> under Apache 1.3.34 and here is the complete config:
>
> ...
>
> SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
> SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
> SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
>
> ...
>
> Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
> why didn't the second rule block the request? Not sure what I'm doing
> wrong here. Thanks...

I think this is because the regex library used by Apache (and thus used by ModSecurity) is not very capable - it does not understand "\n". I tried replacing "\n" with \x0a (this is a ModSecurity extension) and with "[[:cntrl:]]". Both worked.

Note that it is possible (and recommended) to compile ModSecurity with PCRE (http://www.pcre.org) and thus work with a much better regex library (not to mention the performance increase).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Jim M. <ji...@ww...> - 2006-02-23 17:35:41
On Thu, 23 Feb 2006, Ivan Ristic wrote:
> I think this is because the regex library used by Apache (and thus
> used by ModSecurity) is not very capable - it does not understand "\n".

Oops. Now, here's something kind of funny. I had noticed that sometimes the pattern worked and sometimes it didn't. Looking closer, I finally noticed that the only time it worked was when the last character in the previous line was an "n" (because [[:space:]] matches the newline). D'oh!

> Note that it is possible (and recommended) to compile ModSecurity
> with PCRE (http://www.pcre.org) and thus work with a much better
> regex library (not to mention the performance increase).

That has to be added to Apache, right? The documentation page for 1.9.2 tells how to do this with apxs, but I don't use DSO. Could the docs be updated to tell how to add this module to Apache as a static module? There are some caveats as to the ordering of modules in Apache, and this is a topic that I have never fully understood.

Thanks for the "\x0a" trick - I just hooked one! :-)

Jim McCullars
University of Alabama in Huntsville
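The behaviour Ivan and Jim describe, reproduced as an added example (not code from the thread or from ModSecurity): Python's re stands in for the three spellings of the rule, with the literal-"n" pattern modelling a regex library that drops the unknown "\n" escape, and ARGS_VALUES is rebuilt by URL-decoding the form body. The sample bodies and addresses are constructed, not the real payload.

```python
import re
from urllib.parse import parse_qs

# The rule from Jim's config, with POSIX [[:space:]] spelled as Python's \s.
RULE_NEWLINE = re.compile(r"\n\s*(to|bcc|cc)\s*:.*@")
# What a regex library that does not understand "\n" effectively compiles:
# the unknown escape degrades to the literal letter "n".
RULE_LITERAL_N = re.compile(r"n\s*(to|bcc|cc)\s*:.*@")
# Ivan's fix: spell the newline as \x0a (or use [[:cntrl:]]).
RULE_X0A = re.compile(r"\x0a\s*(to|bcc|cc)\s*:.*@")


def args_values(body: str) -> list[str]:
    """URL-decode a form body into the values ModSecurity exposes as ARGS_VALUES."""
    return [v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs]


def evaluate(rule: re.Pattern, body: str) -> str:
    """Apply a SecFilterSelective ARGS_VALUES rule; the default action is deny."""
    for value in args_values(body):
        if rule.search(value):
            return "deny"
    return "pass"


# Constructed sample bodies modelled on the audit-log entry above (not the real
# payload): a cc field smuggling a bcc header, where the line before the injected
# header ends in "w" in one case and in "n" in the other.
INJECTED_ENDS_W = ("esh_formmail_cc=th%0ASubject%3A+whose+rank+they+can+borrow"
                   "%0Abcc%3A+victim%40example.com%0A")
INJECTED_ENDS_N = ("esh_formmail_cc=th%0ASubject%3A+hello+again"
                   "%0Abcc%3A+victim%40example.com%0A")
CLEAN = "esh_formmail_cc=ops%40example.com&esh_formmail_subject=contact+form"

if __name__ == "__main__":
    samples = [("ends in w", INJECTED_ENDS_W), ("ends in n", INJECTED_ENDS_N), ("clean", CLEAN)]
    for name, body in samples:
        print(name, "newline:", evaluate(RULE_NEWLINE, body),
              "literal n:", evaluate(RULE_LITERAL_N, body),
              "x0a:", evaluate(RULE_X0A, body))
```

The literal-"n" rule only fires on the second sample, exactly the "previous line ends in n" behaviour Jim observed, while both the "\n" and "\x0a" spellings catch the injected header in either case.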
From: Ivan R. <iv...@we...> - 2006-02-23 19:44:40
Jim McCullars wrote:
>
> That has to be added to Apache, right? The documentation page for
> 1.9.2 tells how to do this with apxs, but I don't use DSO. Could the docs
> be updated to tell how to add this module to Apache as a static module?

If someone tells me how it's done :) I've never tried to compile Apache 1.x statically with PCRE.

> There are some caveats as to the ordering of modules in Apache, and this
> is a topic that I have never fully understood.

You can always reorder them at runtime...

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Ivan R. <iv...@we...> - 2004-09-20 13:14:02
Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
>
> I want the following filter but I can't figure it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif.
> so it should match on all:
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
>
> What should be the filter code to use?

Try something like this:

SecFilterSelective ARGS "(http:/).+(\.txt|\.jpg|\.gif)"
                          ^1        ^2

1. Anti-evasion techniques mod_security uses will compress multiple forward slash characters to only one.
2. Because the dot character has a special meaning in regular expressions you will want to escape it to neutralise it.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-09-20 15:48:31
Yes, this will do the trick, thanks :)

On Mon 20-09-2004, at 15:00, Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
>
> I want the following filter but I can't figure it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif.
> so it should match on all:
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
>
> What should be the filter code to use?
>
> Gerwin