Thread: [mod-security-users] Issues with "SecRuleUpdateTargetByTag" and Apache-Location
From: Jan P. G. <jg...@so...> - 2013-10-29 12:11:30

Software versions:
libapache2-modsecurity 2.7.5
modsecurity-crs 2.2.8
apache2* 2.2.16-6+squeeze11

Hi everyone,

The argument 'login[password]' causes many false positives because of special characters. I didn't want to remove the argument globally, so I tried to limit it to our login sites only. This could be multiple sites because of internationalization, for example:

https://www.mydomain.invalid/fr/login
https://www.mydomain.invalid/en/login
https://www.mydomain.invalid/nl/login

So I created the configuration below, but it doesn't trigger at all. Did I make a mistake? It works like a charm without the Location tags, but it isn't good to ignore arguments globally.

===============================
~> cat modsecurity_crs_70_post_custom.conf

<Location ~ "^/../login$">
    SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!ARGS:login[password]"
    SecRuleUpdateTargetByTag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION" "!ARGS:login[password]"
    SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/XSS" "!ARGS:login[password]"
    SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/LDAP_INJECTION" "!ARGS:login[password]"
</Location>
===============================

In addition I want to try something without the Apache <Location> container, for cross-webserver compatibility. According to
http://comments.gmane.org/gmane.comp.apache.mod-security.user/9988
and
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl
this should also be possible:

SecRule REQUEST_URI "^/../login" "phase:1,id:2001,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"

Now the problem is that I don't know whether it should be added before the CRS in modsecurity_crs_15_pre_custom.conf or after the CRS in modsecurity_crs_70_post_custom.conf.

Best regards
Jan
From: Ryan B. <RBa...@tr...> - 2013-10-29 12:59:48

On 10/29/13 7:41 AM, "Jan Phillip Greimann" <jg...@so...> wrote:

> So I created the configuration like below but it doesn't trigger at all.
> Did I make a mistake? It works without the Location tags like a charm,
> but it isn't good to ignore arguments globally.
>
> ===============================
> ~> cat modsecurity_crs_70_post_custom.conf
>
> <Location ~ "^/../login$">
>     SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!ARGS:login[password]"
>     SecRuleUpdateTargetByTag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION" "!ARGS:login[password]"
>     SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/XSS" "!ARGS:login[password]"
>     SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/LDAP_INJECTION" "!ARGS:login[password]"
> </Location>
> ===============================

This will not work as you are trying to combine startup configs (SecRuleUpdateTargetById) with runtime configs (Location). You will need to use the ctl action below.

> In addition I want to try something without apache2 <Location> for
> cross-webserver compatibility. Due to
> http://comments.gmane.org/gmane.comp.apache.mod-security.user/9988
> and
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl
> this should also be possible:
>
> SecRule REQUEST_URI "^/../login" "phase:1,id:2001,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"
>
> Now the problem is that I don't know if it should be added before the CRS in
> modsecurity_crs_15_pre_custom.conf
> or after the CRS in
> modsecurity_crs_70_post_custom.conf.

When using the "ctl" action to conditionally modify the rules at runtime, you need to add this to the 15 file so that it is updated before the current transaction hits the standard CRS rules.

-Ryan
From: Jan P. G. <jg...@so...> - 2013-10-30 08:21:17

On 29.10.2013 13:59, Ryan Barnett wrote:
> On 10/29/13 7:41 AM, "Jan Phillip Greimann" <jg...@so...> wrote:
>> SecRule REQUEST_URI "^/../login" "phase:1,id:2001,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"
>
> When using the "ctl" action to conditionally modify the rules at runtime,
> you need to add this to the 15 file so that it is updated before the
> current transaction hits the standard CRS rules.
>
> -Ryan

Thank you for the quick response, that's a great help. In addition I have a second question. Is it possible to define multiple arguments in the statement above, like "ARGS:arg1,arg2,arg3", or is it possible with a chain?

Best regards
Jan
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-30 08:53:26

On Wed, Oct 30, 2013 at 10:21 AM, Jan Phillip Greimann <jg...@so...> wrote:
> Thank you for the quick response, that's a great help. In addition I have
> a second question. Is it possible to define multiple arguments in the
> statement above, like "ARGS:arg1,arg2,arg3", or is it possible with a
> chain?

Hi Jan,

You can separate multiple collections using the | symbol, for example:

SecRule ARGS:arg1|ARGS:arg2|ARGS:arg3 "^/../login" "phase:1,id:2001,t:none,nolog,pass"

--
- Josh
From: Jan P. G. <jg...@so...> - 2013-10-30 09:09:03

On 30.10.2013 09:53, Josh Amishav-Zlatin wrote:
> Hi Jan,
>
> You can separate multiple collections using the | symbol, for example:
>
> SecRule ARGS:arg1|ARGS:arg2|ARGS:arg3 "^/../login" "phase:1,id:2001,t:none,nolog,pass"
>
> --
> - Josh

Hi Josh,

that's not quite the answer to my question. My question is about the ARGS which are used within the action

ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:login

not for the rule filter itself.

- Jan
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-30 10:21:06

On Wed, Oct 30, 2013 at 11:08 AM, Jan Phillip Greimann <jg...@so...> wrote:
> Hi Josh,
>
> that's not quite the answer to my question. My question is about the
> ARGS which are used within the action
>
> ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:login
>
> not for the rule filter itself.

Hi Jan,

Sorry for the confusion. To exclude multiple variables, try using multiple ctl directives within the action. For example, the following rules return a 403 if the string 'jojo' is in a parameter value unless the parameter name is 't' or 'y'.

SecRule REQUEST_FILENAME "^/$" "phase:2,id:2,t:none,pass,ctl:ruleRemoveTargetByTag=test;ARGS:t,ctl:ruleRemoveTargetByTag=test;ARGS:y"
SecRule ARGS jojo "phase:2,t:none,deny,id:1,tag:'test'"

--
- Josh
From: Jan P. G. <jg...@so...> - 2013-10-30 13:58:06

Hi Josh,

I've got a second problem:

SecRule REQUEST_FILENAME "^/../login$" "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"

is one of my rules. In my logic it should work, but I get the following error:

Syntax error on line 23 of /etc/modsecurity/modsecurity_crs_15_pre_custom.conf:
Error parsing actions: ModSecurity: Invalid regular expression "OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION"
Action 'configtest' failed.
The Apache error log may have more information.
failed!

Where is the problem? In my opinion it's right. :-/
From: Jose P. V. L. <pab...@gm...> - 2013-10-31 15:17:10

On line 23 of /etc/modsecurity/modsecurity_crs_15_pre_custom.conf there is an error with an invalid regular expression. If that line number is your new REQUEST_FILENAME rule, it seems that this is not a valid regular expression: ^/../login$

Here you can find a login block rule:
http://serverfault.com/questions/308964/how-to-use-regex-for-mod-security

I don't know the mod_security version of that post or the version you are using.

Kind regards,

2013/10/30 Jan Phillip Greimann <jg...@so...>
> Hi Josh,
>
> I've got a second problem:
>
> SecRule REQUEST_FILENAME "^/../login$" "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"
>
> is one of my rules. In my logic it should work, but I get the following
> error:
>
> Syntax error on line 23 of /etc/modsecurity/modsecurity_crs_15_pre_custom.conf:
> Error parsing actions: ModSecurity: Invalid regular expression "OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION"
> Action 'configtest' failed.
> The Apache error log may have more information.
> failed!
>
> Where is the problem? In my opinion it's right. :-/
From: Jan P. G. <jg...@so...> - 2013-10-30 15:48:14

Hello Jose,

I think you read the error wrong; it said what the problem is:

"OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION"

where the full regex would be:

"OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION)"

which is correct, I've checked it multiple times, see also:
https://www.debuggex.com/r/zZI0Q1VgUViLPme9 (Regex Debugger)

The problem seems to be a bug in how ModSecurity is reading the configuration line, especially the pipe.

By the way, I use ModSecurity v2.7.5.

- Jan

On 30.10.2013 16:16, Jose Pablo Valcárcel Lázaro wrote:
> On line 23 of /etc/modsecurity/modsecurity_crs_15_pre_custom.conf there
> is an error with an invalid regular expression.
>
> If that line number is your new REQUEST_FILENAME rule, it seems that this is
> not a valid regular expression: ^/../login$
>
> Here you can find a login block rule:
> http://serverfault.com/questions/308964/how-to-use-regex-for-mod-security
>
> I don't know the mod_security version of that post or the version you are using.
>
> Kind regards,

Kind regards,

Jan Phillip Greimann

--
Softjury GmbH
Südfeldstr. 10
32120 Hiddenhausen
Web: http://www.softjury.de/
Mail: jg...@so...
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-30 16:46:42

On Wed, Oct 30, 2013 at 3:57 PM, Jan Phillip Greimann <jg...@so...> wrote:
> Hi Josh,
>
> I've got a second problem:
>
> SecRule REQUEST_FILENAME "^/../login$" "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"

Hi Jan,

As a workaround perhaps tweak the regex to bypass the problematic characters, e.g.:

SecRule REQUEST_FILENAME "^/../login$" "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS.*WEB_ATTACK.*SQL_INJECTION.XSS.LDAP_INJECTION.*PROTOCOL_VIOLATION.*EVASION.*;ARGS:login[password]"

--
- Josh

> is one of my rules. In my logic it should work, but I get the following
> error:
>
> Syntax error on line 23 of /etc/modsecurity/modsecurity_crs_15_pre_custom.conf:
> Error parsing actions: ModSecurity: Invalid regular expression "OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION"
> Action 'configtest' failed.
> The Apache error log may have more information.
> failed!
>
> Where is the problem? In my opinion it's right. :-/
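An added example, not code from anyone in this thread: a small Python model of the conditional ctl:ruleRemoveTargetByTag exclusion discussed above. It applies the exclusion per request only when the path matches and appends "!ARGS:login[password]" to every rule whose tag the tag regex matches; the rule ids, tags and default targets are constructed in the CRS naming style rather than taken from CRS 2.2.8, and matching_tags() shows which of those sample tags the alternation regex and this reply's ".*" workaround regex each match.

```python
import re

# Constructed sample rules in the CRS naming style; the ids, tags and default
# targets are illustrative, not the real CRS 2.2.8 rule set.
SAMPLE_RULES = {  # rule id -> (tags, default targets)
    1001: (("OWASP_CRS/WEB_ATTACK/SQL_INJECTION",), ["ARGS", "ARGS_NAMES"]),
    1002: (("OWASP_CRS/WEB_ATTACK/XSS",), ["ARGS", "ARGS_NAMES"]),
    1003: (("OWASP_CRS/WEB_ATTACK/LDAP_INJECTION",), ["ARGS"]),
    1004: (("OWASP_CRS/PROTOCOL_VIOLATION/EVASION",), ["ARGS", "REQUEST_URI"]),
    1005: (("OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION",), ["ARGS"]),
}

# Path regex and the two tag regexes exactly as written in the thread.
LOGIN_PATH = r"^/../login$"
ALTERNATION_TAGS = (r"OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)"
                    r"|PROTOCOL_VIOLATION/EVASION)")
WORKAROUND_TAGS = (r"OWASP_CRS.*WEB_ATTACK.*SQL_INJECTION.XSS.LDAP_INJECTION"
                   r".*PROTOCOL_VIOLATION.*EVASION.*")


def parse_ctl_value(value):
    """Split '<tag regex>;<target>' as written after ctl:ruleRemoveTargetByTag=."""
    tag_regex, sep, target = value.partition(";")
    if not sep or not target:
        raise ValueError("expected '<tag regex>;<target>', got %r" % value)
    return tag_regex, target


def matching_tags(tag_regex, rules):
    """Tags present in `rules` that `tag_regex` matches (search semantics)."""
    tag_re = re.compile(tag_regex)
    return sorted({t for tags, _ in rules.values() for t in tags if tag_re.search(t)})


def effective_targets(rules, request_path, path_regex, ctl_value):
    """Per-rule target lists for one request after the conditional exclusion.

    The ctl action is evaluated per transaction, so the exclusion applies only
    when the request path matches; each rule with a matching tag then gets
    '!<target>' appended, which narrows the rule without disabling it.
    """
    tag_regex, target = parse_ctl_value(ctl_value)
    tag_re = re.compile(tag_regex)
    applies = re.search(path_regex, request_path) is not None
    result = {}
    for rule_id, (tags, targets) in rules.items():
        new_targets = list(targets)
        if applies and any(tag_re.search(t) for t in tags):
            new_targets.append("!" + target)
        result[rule_id] = new_targets
    return result


def inspects_variable(targets, variable):
    """True if a rule with `targets` still inspects e.g. 'ARGS:login[password]'."""
    collection = variable.split(":", 1)[0]
    positives = [t for t in targets if not t.startswith("!")]
    negatives = [t[1:] for t in targets if t.startswith("!")]
    return variable not in negatives and (collection in positives or variable in positives)


def rules_no_longer_inspecting(rules, request_path, path_regex, ctl_value, variable):
    """Ids of rules that stop inspecting `variable` for this request."""
    eff = effective_targets(rules, request_path, path_regex, ctl_value)
    return sorted(rid for rid, tg in eff.items() if not inspects_variable(tg, variable))
```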
From: Jose P. V. L. <pab...@gm...> - 2013-10-31 09:24:06

Hi again.

In this link (http://sourceforge.net/mailarchive/message.php?msg_id=31395454) that directive is used as follows:

SecRule REQUEST_URI "/login.pl" "phase:1,t:none,pass, \
    id:613,nolog,ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:password"

Like a normal firewall, it seems mod_security needs the rule enabling before the general rule disabling (in a normal firewall, the top rules enable services while the bottom rules deny all access).

I hope this can help you.

Kind regards,

2013/10/30 Josh Amishav-Zlatin <ja...@ow...>
> Hi Jan,
>
> As a workaround perhaps tweak the regex to bypass the problematic
> characters, e.g.:
>
> SecRule REQUEST_FILENAME "^/../login$" "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS.*WEB_ATTACK.*SQL_INJECTION.XSS.LDAP_INJECTION.*PROTOCOL_VIOLATION.*EVASION.*;ARGS:login[password]"
>
> --
> - Josh