Thread: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
From: Neha C. <nc...@gm...> - 2015-03-26 03:20:31

Hello,

I have roughly 50 SecRules that are working without issue. However, I have two specifically that should each match an ARGS and an ARGS_NAME variable, but I can't seem to match them correctly - I believe my regex is bad, or I'm not writing the rules correctly.

In the first rule, I'm attempting to use PCRE so that apachectl -t will match OK. The whitespace in the raw 'ARGS_NAMES:data[Form Phone Number]' causes modsecurity to complain. The matching regex itself is "(data(\[.*\])+)". After loading, modsec still flags this request parameter (occurring in the Request Body) as violating ID 981173.

Current rule:

    SecRule ARGS_NAMES:"/^data[Tests][Form\sPhone\sNumber]$/" "(data(\[.*\])+)*" "id:307,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.* ;ARGS_NAMES:/^data[Tests][Form\sPhone\sNumber]$/"

The alert:

    [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:data[Tests][Form Phone Number]: data[Tests][Form Phone Number]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "x.x.com"] [uri "/accnt/metad"] [unique_id "VRCOTwobAq4AABfAuc0AAADg"]

In the other problematic rule, I want to whitelist all requests with the Request Body JSON variable set, in the format of '{data {"this":"that","foo":""}}'. Modsecurity still flags this as a violation of ID 981173. In general, I want to be able to get a tighter match on this parameter, as opposed to a '*.' whitespace, but I'd at least like to start with an appropriate method of whitelisting I can build on.

Here's the current rule:

    SecRule ARGS_NAMES:"/^{\"data\"*/" "(.**)" "id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=. *;ARGS_NAMES:/^{\"data\"*/"

The alert:

    [2015-03-23T22:09:01.63216 [Mon Mar 23 22:09:01.632127 2015] [:error] [pid 6592:tid 140471007414016] [client 66.206.85.131] ModSecurity: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo Bar\x22,\x22transaction_ids\x22:[\x8d8b8b8a-8c84-8888-8888-88888888888888\x22,\8d8b8b8a-8c84-8888-8888-88888888888888\x22,\8d8b8b8a-8c84-8888-8888-88888888888888\x22,\x8d8b8b8a-8c84-8888-8888-88888888888888\x22,\x8d8b8b8a-8c84-8888-8888-88888888888888 [hostname "x.x.com"] [uri "/trans/data"] [unique_id "VRCO-QobAq4AABnAKcsAAAAO"]

What am I doing wrong here?
From: Achim H. <web...@si...> - 2015-03-26 08:40:03

Hi Neha,

the rule complains 'cause it detects more than 4 " (double quote), see the {4,} at end of the regex.

You have to increase the number of allowed ".
I'd suggest copying the rule twice, then removing the " in the first copy and reducing the second copy to " itself and giving it a proper count.
Example for the second copy:

    (".*?){23,}

Then also don't forget to disable the original rule (i.e. RemoveById).

Hope this helps
Achim

On 26.03.2015 04:20, Neha Chriss wrote:
> Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo
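Both the selector of rule 307 and the threshold logic of 981173 can be checked outside ModSecurity, because the constructs involved (character classes, `\s`, `{n,}`, lazy `.*?`) behave the same in Python's `re` as in PCRE. The following is an added example written for this page, not code from the thread or from the CRS project. It shows that the selector as posted, `^data[Tests][Form\sPhone\sNumber]$`, cannot match the parameter name `data[Tests][Form Phone Number]` at all (unescaped square brackets are character classes, so the selector only matches six-character names such as `dataTF`), that escaping the brackets fixes it, and how many characters of the 981173 class each of the two parameter names from the alerts above contains, which is the quantity the rule's `{4,}` thresholds. The CRS class is reproduced from the alert text with its byte escapes written as the characters they encode; the two parameter names are taken from the alerts in the first post.

```python
import re

# Parameter names exactly as the two 981173 alerts in the thread reported them.
FORM_PARAM_NAME = "data[Tests][Form Phone Number]"
JSON_PARAM_NAME = (
    '{"data":{"description":"Foo Bar","ids":['
    '"8d8b8b8a-8c84-8888-8888-88888888888888",'
    '"8d8b8b8a-8c84-8888-8888-88888888888888",'
    '"8d8b8b8a-8c84-8888-8888-88888888888888",'
    '"8d8b8b8a-8c84-8888-8888-88888888888888",'
    '"8d8b8b8a-8c84-8888-8888-88888888888888"]}}'
)

# Selector regex from rule 307 as posted. Unescaped [...] are character classes,
# so "data[Tests]" means "data" followed by ONE of T,e,s,t; the selector can only
# ever match six-character names such as "dataTF", never the real parameter name.
POSTED_SELECTOR = r"^data[Tests][Form\sPhone\sNumber]$"

# Same intent with the brackets escaped so they match literally.
ESCAPED_SELECTOR = r"^data\[Tests\]\[Form\sPhone\sNumber\]$"

# The character class of CRS 2.2.9 rule 981173, copied from the alert text; the
# byte escapes \xc2\xb4, \xe2\x80\x99 and \xe2\x80\x98 are written here as the
# characters they encode (acute accent and the two curly single quotes).
CRS_981173_CLASS = r"""[~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>]"""


def selector_matches(selector: str, name: str) -> bool:
    """True if the PCRE-style selector matches the parameter name."""
    return re.search(selector, name) is not None


def special_char_count(value: str) -> int:
    """Number of characters from the 981173 class in value (the '#' the alert counts)."""
    return len(re.findall(CRS_981173_CLASS, value))


def triggers_981173(value: str, threshold: int = 4) -> bool:
    """Re-run the rule's own test: '(<class>.*?){N,}' matches exactly when the
    value contains at least N characters of the class (the rule uses N = 4)."""
    pattern = "(%s.*?){%d,}" % (CRS_981173_CLASS, threshold)
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    for label, selector in (("posted", POSTED_SELECTOR), ("escaped", ESCAPED_SELECTOR)):
        print(f"{label:>8} selector matches {FORM_PARAM_NAME!r}: "
              f"{selector_matches(selector, FORM_PARAM_NAME)}")
    print(f"  posted selector matches 'dataTF': {selector_matches(POSTED_SELECTOR, 'dataTF')}")
    for name in (FORM_PARAM_NAME, JSON_PARAM_NAME):
        print(f"{special_char_count(name):>2} special chars, 981173 fires: "
              f"{triggers_981173(name)}  <- {name[:40]}")
```

With the brackets escaped, the same selector can be used in both places rule 307 needs it, as the variable `ARGS_NAMES:/^data\[Tests\]\[Form\sPhone\sNumber\]$/` and as the target after the `;` in `ctl:ruleRemoveTargetByTag`. The form parameter name contains exactly four class characters (its four brackets), which is why the alert reports `]` as the matched data at the default threshold; the JSON parameter name contains 47, dominated by the double quotes and the hyphens inside the UUIDs, so a per-rule threshold raised in the way suggested above has to be set very high for an endpoint like this one.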
From: Chaim S. <CSa...@tr...> - 2015-03-27 14:04:25

Neha,

Also keep in mind that this rule is from the 2.x branch of CRS. The 3.x branch is available on the CRS github (https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-dev) and doesn't feature this logic anymore. If you are using ModSecurity 2.8 or above, you might find this to be an easier solution.

Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

-----Original Message-----
From: Achim Hoffmann [mailto:web...@si...]
Sent: Thursday, March 26, 2015 4:19 AM
To: mod...@li...
Subject: Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME

Hi Neha,

the rule complains 'cause it detects more than 4 " (double quote), see the {4,} at end of the regex.

You have to increase the number of allowed ".
I'd suggest copying the rule twice, then removing the " in the first copy and reducing the second copy to " itself and giving it a proper count.
Example for the second copy:

    (".*?){23,}

Then also don't forget to disable the original rule (i.e. RemoveById).

Hope this helps
Achim

On 26.03.2015 04:20, Neha Chriss wrote:
> Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
From: Neha C. <nc...@gm...> - 2015-04-06 23:29:11

Chaim,

I will consider updating to the 3.x branch. In the meantime, I'm not quite clear why my whitelist for a specific ARGS_NAME is failing to suppress rules associated with the ARGS_NAME.

I have a SecRule that's supposed to filter an ARGS_NAMES variable that looks like so:

    {"data":{"uuid":"contact-3861","newContact":true,"contact_uuid":"1734cd84-cfb2-4b61-ab93-84c","contact_name":"Howard","initial_date":"2015-04-08","bookkeeping_type":"debit","request_goal_id":null,"amount":8640,"associate_with_goal":"true","periodicity":"once","category-id":"contact-3861","category-name":"Uncategorized","pin":"2675","contact_valid":"true","arrive_by":"2015-04-14"}

This is passed in the Request Body on a PUT and/or POST. The SecRule:

    SecRule ARGS_NAMES:"(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)" "(.*)" "id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*;ARGS_NAMES:(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)"

The regex matches the ARGS_NAMES itself, as I've tested on regexr.com, but Modsecurity still alerts on ID 981245 and 981243, each of which has the tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION". In some cases, I think the Request body needs to be split, and the request fragment triggers an alert also.

Why doesn't ctl:ruleRemoveTargetByTag work correctly here? Is my rule structured correctly? It seems the ARGS_NAMES doesn't match, and the request gets processed as normal.

Thanks,
Neha

On Fri, Mar 27, 2015 at 7:04 AM, Chaim Sanders <CSa...@tr...> wrote:
> Neha,
> Also keep in mind that this rule is from the 2.x branch of CRS. The 3.x branch is available on the CRS github (https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-dev) and doesn't feature this logic anymore. If you are using ModSecurity 2.8 or above, you might find this to be an easier solution.
>
> Chaim Sanders
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> -----Original Message-----
> From: Achim Hoffmann [mailto:web...@si...]
> Sent: Thursday, March 26, 2015 4:19 AM
> To: mod...@li...
> Subject: Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
>
> Hi Neha,
>
> the rule complains 'cause it detects more than 4 " (double quote), see the {4,} at end of the regex.
>
> You have to increase the number of allowed ".
> I'd suggest copying the rule twice, then removing the " in the first copy and reducing the second copy to " itself and giving it a proper count.
> Example for the second copy
> (".*?){23,}
> Then also don't forget to disable the original rule (i.e. RemoveById).
>
> Hope this helps
> Achim
>
> On 26.03.2015 04:20, Neha Chriss wrote:
> > Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> > at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> > [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo
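The alerts quoted in this thread all show `ARGS_NAMES:{"data":...}`, i.e. the entire JSON document has become a single parameter name. That is what a form-urlencoded body processor makes of a JSON body, and it is all ModSecurity versions before 2.8 have; from 2.8 on there is a JSON body processor (`ctl:requestBodyProcessor=JSON`, typically switched on in phase 1 from the request's Content-Type header) that turns each key into its own argument which rules and exclusions can address by name, which is the practical point behind the suggestion to move to ModSecurity 2.8+ and CRS 3.x. The added example below was written for this page and is not part of the thread or of ModSecurity: it shows both views side by side, using Python's form parser for the first and a dotted-path flattening of its own for the second (ModSecurity's JSON argument names follow a different scheme, so the dotted names here are illustrative only). The body is constructed in the shape of the one above, shortened, with a `note` value containing `&` and `=` added to show how such a body gets chopped into several names, which is what "the request body needs to be split" looks like from the parser's side.

```python
import json
from urllib.parse import parse_qsl

# Constructed request body in the shape of the PUT/POST bodies discussed in the
# thread (shortened; the "note" value is added to show what '&' and '=' do).
SAMPLE_JSON_BODY = (
    '{"data":{"uuid":"contact-3861","newContact":true,'
    '"amount":8640,"note":"rate=5&tier=gold"}}'
)


def form_parser_view(body: str):
    """What a form-urlencoded body parser makes of the body: split on '&', then
    each piece on its first '='. A JSON document has no '=' at top level, so the
    whole text becomes one parameter NAME with an empty value; an '&' or '=' inside
    a JSON string value chops it into fragments, each of them a separate name."""
    return parse_qsl(body, keep_blank_values=True)


def flatten_json(obj, prefix: str = "") -> dict:
    """Flatten a parsed JSON document into dotted-path names -> scalar values.
    The dotted naming is this example's own (hypothetical) convention, not the
    names ModSecurity's JSON processor assigns."""
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten_json(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            flat.update(flatten_json(value, f"{prefix}.{idx}" if prefix else str(idx)))
    else:
        flat[prefix] = obj
    return flat


def argument_names(body: str, content_type: str) -> list:
    """Argument names a WAF would see for this body, depending on which body
    processor the Content-Type selects (the selection rule here is the example's
    own simplification: application/json -> JSON, anything else -> form parser)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        return sorted(flatten_json(json.loads(body)))
    return [name for name, _ in form_parser_view(body)]


if __name__ == "__main__":
    for ctype in ("application/x-www-form-urlencoded", "application/json"):
        print(ctype)
        for name in argument_names(SAMPLE_JSON_BODY, ctype):
            print("    ARGS_NAMES:", name)
```

Whichever processor is in use, the exclusion has to be written against the names the engine actually produces, which are the ones printed after `ARGS_NAMES:` in the alert or the debug log. With the form parser those names are the serialized document itself or, as soon as a value contains `&` or `=`, unpredictable fragments of it, so a regex that has to swallow the whole document is fragile; with the JSON processor the names are per key and a targeted exclusion becomes straightforward.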
From: Christopher J. M. <cjm...@gm...> - 2015-04-08 14:46:39

Hi,

I have this pesky ASP .NET application that I am trying to put ModSecurity in front of. But every time I enable it, even with no rules, the webpages fail to load properly (CSS, at least, appears to be gone). I should mention that with even the simplest of rules enabled I see them hit in the debug log. Frankly, the debug log goes crazy: 95 MB in just 5 minutes at debug level 9, even with no rules! If I turn off ModSecurity it works fine. I have tried tuning several parameters, but before continuing with trial and error I thought I would ask what others have done.

Thanks!
-cjm
From: Christopher J. M. <cjm...@gm...> - 2015-04-09 03:07:25

Hi,

I have this pesky ASP .NET application that I am trying to put ModSecurity in front of. But every time I enable it, even with no rules, the webpages fail to load properly (CSS, at least, appears to be gone). I should mention that with even the simplest of rules enabled I see them hit in the debug log. Frankly, the debug log goes crazy: a 95 MB debug log in just 5 minutes at debug level 9, even with no rules! If I turn off ModSecurity the ASP .NET content works fine. I have tried tuning several parameters, but before continuing with trial and error I thought I would ask what others have done.

Thanks!
-cjm
From: Neha C. <nc...@gm...> - 2015-04-06 23:22:29

Hello Achim,

Apologies for the delayed response, and thank you for your message. So I was reticent to follow this suggestion initially - it just felt wrong. I assume that if I create a whitelist matching a specific argument, and I'm specifying that all rules should be removed by tag ".*", then there should be no SecRule with a tag that will trigger for this rule. These all go into crs_15_custom.conf. I don't quite understand why the whitelist doesn't have an effect on the SecRule that triggers.

Of course, I puzzled over this and created a modified version of the rule, and that's dealt with the issue, but of course it has come up again with another rule. See my follow-up to Chaim's email.

On Thu, Mar 26, 2015 at 1:18 AM, Achim Hoffmann <web...@si...> wrote:
> Hi Neha,
>
> the rule complains 'cause it detects more than 4 " (double quote), see the {4,} at end of the regex.
>
> You have to increase the number of allowed ".
> I'd suggest copying the rule twice, then removing the " in the first copy and reducing the second copy to " itself and giving it a proper count.
> Example for the second copy
> (".*?){23,}
> Then also don't forget to disable the original rule (i.e. RemoveById).
>
> Hope this helps
> Achim
>
> On 26.03.2015 04:20, Neha Chriss wrote:
> > Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> > at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> > [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo