Thread: [mod-security-users] How to Change the Anomaly Score for a Rule
From: kwenu <uz...@ya...> - 2011-08-08 15:37:30
Hi,

I'm trying to change the anomaly score for a rule that is fired when a file name is triggered within the URL. Looking at the rule below, I know that I have not included a VARIABLE that "@ge 0" can be applied to. I realise this and have trawled through the debug logs but cannot identify the correct variable to use here:

SecRule REQUEST_FILENAME "@streq /navlid_div.gif" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
SecRule &TX:'/981244-Detects.*basic.*SQL.*authentication.*bypass.*attempts.*1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME/' "@ge 0" "setvar:tx.anomaly_score=-5"

The rule above has been put in modsecurity_crs_48_local_exceptions.conf.

Here's a snippet of the debug log where I was hoping to snag the correct @TX line from:

[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Target value: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Added regex subexpression to TX.0: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Operator completed in 85 usec.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.msg=%{rule.id}-%{rule.msg}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.id} to: 981244
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.msg} to: Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.msg" to "981244-Detects basic SQL authentication bypass attempts 1/3".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.anomaly_score=+7
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Original collection variable: tx.anomaly_score = "13"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Relative change: anomaly_score=13+7
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.anomaly_score" to "20".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at REQUEST_FILENAME. [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) urlDecodeUni: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) replaceComments: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Rule returned 1.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Match -> mode NEXT_RULE.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Recipe: Invoking rule 952efa8; [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "562"] [id "981255"].
8:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][5] Rule 952efa8: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\sexec\\s+xp_cmdshell)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*!\\s*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98);?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)))" "phase:2,nolog,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects MSSQL code execution and information gathering attempts',id:981255,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{m
From: Abdellah T. <adt...@pa...> - 2011-08-08 17:55:33
One of my clients is unable to access the application. Can anybody show me how to whitelist an IP address in ModSecurity? I will appreciate it.

Thanks,
Abdellah
From: Christian B. <ch...@jw...> - 2011-08-08 19:51:30
Hi Abdellah,

the easiest way is to switch off ModSecurity based on the client IP:

SecRule REMOTE_ADDR "@streq 192.168.10.1" "phase:1,ctl:ruleEngine=Off,msg:'Turning off rule-engine for IP %{REMOTE_ADDR}'"

Best regards,
Chris
From: Breno S. <bre...@gm...> - 2011-08-08 20:48:07
You can also use the @ipmatch operator.

Thanks,
Breno
From: Ryan B. <RBa...@tr...> - 2011-08-09 14:16:19
Just a quick note about whitelisting IP addresses. If you only need to analyze a single IP address then you probably want to use @streq vs. other operators such as @rx or even @ipMatch. @streq is easier to use vs. @rx since you don't need to worry about escaping the "dot" chars or using anchoring -

SecRule REMOTE_ADDR "@streq 127.0.0.1" "phase:1,t:none,nolog,pass"
SecRule REMOTE_ADDR "@rx ^127\.0\.0\.1$" "phase:1,t:none,nolog,pass"

@streq is also faster than using @ipMatch for a single IP address. As a simple example, I tested with these two rules -

SecRule REMOTE_ADDR "@streq 127.0.0.1" "phase:1,t:none,nolog,pass"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "phase:1,t:none,nolog,pass"

Here is the resulting debug log. Notice the bolded lines which tell you how long it took for the operator to complete -

Recipe: Invoking rule 1009bd450; [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "1"].
Rule 1009bd450: SecRule "REMOTE_ADDR" "@streq 127.0.0.1" "phase:1,t:none,nolog,pass"
Transformation completed in 0 usec.
Executing operator "streq" with param "127.0.0.1" against REMOTE_ADDR.
Target value: "127.0.0.1"
Operator completed in 1 usec.
Warning. String match "127.0.0.1" at REMOTE_ADDR. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "1"]
Rule returned 1.
Match -> mode NEXT_RULE.
Recipe: Invoking rule 1009bdb48; [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "2"].
Rule 1009bdb48: SecRule "REMOTE_ADDR" "@ipMatch 127.0.0.1" "phase:1,t:none,nolog,pass"
Transformation completed in 0 usec.
Executing operator "ipMatch" with param "127.0.0.1" against REMOTE_ADDR.
Target value: "127.0.0.1"
Operator completed in 7 usec.
Warning. IPmatch "127.0.0.1" matched "127.0.0.1" at REMOTE_ADDR. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "2"]
Rule returned 1.
Match -> mode NEXT_RULE.

As you can see, @streq took only 1 usec while @ipMatch took 7 usec. So if you have very simple IP address rules, and you are concerned about performance, you should use @streq. For all other scenarios (multiple IP addresses, ranges, etc.) you should use @ipMatch as it will be more accurate and easier to read.

-Ryan
From: kwenu <uz...@ya...> - 2011-08-09 11:34:23
Just figured it out. I don't believe I have the logic worked out yet since the documentation says nothing about how such rules are processed. The documentation should explain how these rules are processed, since putting rules in modsecurity_crs_48_general_exceptions.conf does not appear to run rules multiple times but once only - I could be wrong here.

So this rule appears to match once only and not (as I believed) against every match of a rule against this one request. Since the URL is matched 8 times I simply used 3 multiplied by 8 which gives 24 - so when this rule is used it will subtract 24 before blocking actions are invoked.

What I originally thought was that the regex will take care of every rule match against this URL and subtract 5 every time (if setvar:tx.anomaly_score=-5). That is not the case.

What I would like is a way of specifying multiple rules against a particular URL and setting the anomaly score to -5 - that would in my mind be much better.

SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
SecRule &TX:'/98124[248]-Detects.*[12]/[1-3]-WEB_ATTACK/(ID|SQLI|LFI)-REQUEST_FILENAME/' "@ge 0" "setvar:tx.anomaly_score=-24"
From: Ryan B. <RBa...@tr...> - 2011-08-09 13:53:06
If you are adding exception rules to the 48 local exceptions file in order to adjust anomaly scores, then yes, you need to review the debug log for a false positive to verify exactly how many TX variables (and their associated anomaly score values) were triggered by mistake. This will then let you know how to construct the exception rule. You showed 1 example below for this -

Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".

So you could construct the exception like you did and adjust the anomaly score by -7. But, as you said, there may be other rules that matched. You would need to do an exception for each.

-Ryan
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.msg=%{rule.id}-%{rule.msg}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.id} to: 981244
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.msg} to: Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.msg" to "981244-Detects basic SQL authentication bypass attempts 1/3".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.anomaly_score=+7
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Original collection variable: tx.anomaly_score = "13"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Relative change: anomaly_score=13+7
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.anomaly_score" to "20".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at REQUEST_FILENAME. [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) urlDecodeUni: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) replaceComments: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Rule returned 1.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Match -> mode NEXT_RULE.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Recipe: Invoking rule 952efa8; [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "562"] [id "981255"].8:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][5] Rule 952efa8: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\sexec\\s+xp_cmdshell)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*!\\s*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98);?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)))" "phase:2,nolog,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects MSSQL code execution and information gathering attempts',id:981255,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{m
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
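As an added example (not code from this thread, from ModSecurity or from the CRS), the review Ryan describes, done over a constructed debug-log sample in the format quoted above: it totals the anomaly score each rule id added for one request id, collects the per-tag TX variables that were set, and emits an exception chain in the shape kwenu used, subtracting the whole total once because the chain fires once per request. The sample lines, the placeholder rule id 9000001 and the choice of "@ge 1" for the count check are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x debug-log format quoted in this thread (not the
# thread's own log); the rule ids, messages and tags mirror the CRS rules it cites.
PREFIX = '[08/Aug/2011:14:38:55 +0000] [srv/sid#1][rid#cb429d0][/theme/common/image/navlid_div.gif][9] '
SAMPLE_LOG = "\n".join(PREFIX + line for line in [
    'Set variable "tx.msg" to "981244-Detects basic SQL authentication bypass attempts 1/3".',
    'Setting variable: tx.anomaly_score=+7',
    'Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".',
    'Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".',
    'Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".',
    'Set variable "tx.msg" to "981255-Detects MSSQL code execution and information gathering attempts".',
    'Setting variable: tx.anomaly_score=+5',
    'Set variable "tx.981255-Detects MSSQL code execution and information gathering attempts-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".',
])

RID_RE = re.compile(r'\[rid#([0-9a-f]+)\]')
MSG_RE = re.compile(r'Set variable "tx\.msg" to "(\d+)-')
SCORE_RE = re.compile(r'Setting variable: tx\.anomaly_score=\+(\d+)')
TXVAR_RE = re.compile(r'Set variable "tx\.(\d+)-[^"]*-(WEB_ATTACK/[A-Z]+)-([A-Z_]+)" to')

def parse_debug_log(text):
    """Per request id: anomaly score added by each rule id, plus every per-tag TX variable set."""
    report = defaultdict(lambda: {"score": defaultdict(int), "tx_vars": []})
    current_rule = {}  # rule id from the latest tx.msg assignment, per request
    for line in text.splitlines():
        rid_m = RID_RE.search(line)
        if not rid_m:
            continue
        rid = rid_m.group(1)
        if m := MSG_RE.search(line):
            current_rule[rid] = m.group(1)
        elif m := SCORE_RE.search(line):
            report[rid]["score"][current_rule.get(rid, "?")] += int(m.group(1))
        elif m := TXVAR_RE.search(line):
            report[rid]["tx_vars"].append(m.groups())  # (rule id, tag, variable name)
    return report

def total_false_positive_score(entry):
    return sum(entry["score"].values())

def build_exception_rule(uri_regex, entry, rule_id=9000001):
    """Chained exception in the thread's shape (rule_id is a placeholder). The whole per-request
    total is subtracted at once: the chain fires once per request, as kwenu observed."""
    ids = "|".join(sorted(entry["score"]))
    tags = "|".join(sorted({tag.split("/")[1] for _, tag, _ in entry["tx_vars"]}))
    tx_sel = f"&TX:'/({ids})-.*-WEB_ATTACK/({tags})-REQUEST_FILENAME/'"
    # "@ge 1": a count is never below 0, so "@ge 0" would deduct on every request
    return (f'SecRule REQUEST_FILENAME "{uri_regex}" '
            f'"chain,phase:2,t:none,log,pass,id:{rule_id},msg:\'Adjusting FP Score\'"\n'
            f'    SecRule {tx_sel} "@ge 1" "setvar:tx.anomaly_score=-{total_false_positive_score(entry)}"')
```

For the sample, parse_debug_log(SAMPLE_LOG)["cb429d0"] carries 7 + 5 = 12 and four TX variables, so build_exception_rule(r".*/navlid_div\.gif$", ...) emits a chain whose second rule counts TX variables for rule ids 981244 and 981255 with tags ID, LFI and SQLI and sets tx.anomaly_score=-12.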