Thread: [mod-security-users] POST vars disappears
From: argolnx <ar...@gm...> - 2009-12-22 19:15:20
My server is a CentOS updated server, running mod_security 2.5.9 (using the EPEL yum repo). After installing this I've found that a call from a provider (I think it is made using an http call from .NET) doesn't pass the parameters in the POST scope anymore.

I've found that even including only modsecurity_crs_10_config.conf the problem appears, so I've created a whitelist entry at the top of the file for the source IP, but I want to understand what the problem is.

Could someone help me?

I've taken some examples using the post_log apache module:

Without mod_security (I've marked some XXX for privacy)
==70370b74==============================
Request: 84.55.xx.xx 212.249.xx.xx - - [22/Dec/2009:19:05:42 +0100] "POST /gateway/mobilex.cfm HTTP/1.1" 200 5313 "-" "NTH Gateway/5.43.1" DejKlFQ3wEsAACZVMBAAAAAA "-"
Handler: jrun-handler
----------------------------------------
POST /gateway/mobilex.cfm HTTP/1.1
User-Agent: NTH Gateway/5.43.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Host: 84.55.xx.xx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 142

142
destination=5555&messageid=6740368&keyword=FFF&sender=0041795244021&time=2009.12.22+19%3A06%3A04&text=fff+lungo+50+test&provider=22802&header=

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

With mod_security:
==1c8fee30==============================
Request: 84.55.xx.xx 212.249.xx.xx - - [22/Dec/2009:18:56:42 +0100] "POST /gateway/mobilex.cfm HTTP/1.1" 500 8467 "-" "NTH Gateway/5.43.1" 7bMmnFQ3wEsAACS@MF4AAAAB "-"
Handler: jrun-handler
----------------------------------------
POST /gateway/mobilex.cfm HTTP/1.1
User-Agent: NTH Gateway/5.43.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Host: 84.55.xx.xx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 142

0


HTTP/1.1 500 The required parameter DESTINATION was not provided.
server-error: true
Content-Length: 8467
Connection: close
Content-Type: text/html; charset=UTF-8
From: Christian B. <ch...@jw...> - 2009-12-22 22:20:35
Hi argolnx!

I ran the request through my own CentOS server with modsecurity 2.5.11 and the recent core-rules. It looks as if one of the PHP-IDS rules has fired upon the "time=2009..." part of your request.

The crucial part is time=2009.12.22+19

It matches "some words, followed by '=', followed by word chars and a space". In PHP-IDS's eyes, this is a JavaScript obfuscation.

Apart from that, it looks a bit like the sender does want to send in chunked transfer encoding, but does not mention this in his POST request. I.e. the first POST contains a content-length (142), a body which looks like a http-chunk (starting with 142\n) whereas the second POST request seems to be the trailing chunk (starting with 0\n) packed into a second POST request instead of a single chunk. It got a connection close response from the server and put the remaining data (the closing HTTP-chunk "0\n") into another POST request.

This may be due to modsecurity interference, though, but more likely, the sender sent incorrect HTTP.

Below is an audit-log record of my replay with ModSecurity in blocking mode (i.e. SecRuleEngine On). As you see, my client correctly put "142" into its content-length, which is the 142 bytes payload + 4 bytes for the additional "142\n" chunk header.

22/Dec/2009:23:12:29 +0100] gHos41@sQIIAABH3PkgAAAAA 192.168.10.13 57232 192.168.10.10 80
--3cead863-B--
POST /gateway/mobilex.cfm HTTP/1.1
User-Agent: NTH Gateway/5.43.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Host: 192.168.10.10
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 146

--3cead863-C--
142
destination=5555&messageid=6740368&keyword=FFF&sender=0041795244021&time=2009.12.22+19%3A06%3A04&text=fff+lungo+50+test&provider=22802&header=
--3cead863-F--
HTTP/1.1 403 Forbidden
Content-Length: 279
Connection: close
Content-Type: text/html; charset=iso-8859-1

--3cead863-H--
Message: Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "62"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Message: Pattern match "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" at REQUEST_BODY. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "123"] [id "phpids-23"] [msg "Detects JavaScript location/document property access and window access obfuscation"] [data "time=2009.12"] [severity "CRITICAL"] [tag "WEB_ATTACK"]
Message: Pattern match "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" at REQUEST_BODY. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "123"] [id "phpids-23"] [msg "Detects JavaScript location/document property access and window access obfuscation"] [data "time=2009.12"] [severity "CRITICAL"] [tag "WEB_ATTACK"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 45): Detects JavaScript location/document property access and window access obfuscation"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1261519949671651 280981 (3989* 279446 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.3.
Server: Apache/2.2.3 (CentOS)

--3cead863-K--
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'POST request must have a Content-Length header',id:960012,tag:PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^application\\/x-www-form-urlencoded(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:950108,tag:PROTOCOL_VIOLATION/EVASION,severity:5"
SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:960010,tag:POLICY/ENCODING_NOT_ALLOWED,severity:4"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/*" "@rx (?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:phpids-23,tag:WEB_ATTACK,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/*" "@rx (?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:phpids-23,tag:WEB_ATTACK,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 20" "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--3cead863-Z--

Am 22.12.2009 um 20:15 schrieb argolnx:
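Added example, not code from the thread or from the ModSecurity/CRS project: a Python script that reproduces why Christian's replay was blocked. It runs the phpids-23 pattern printed in the audit log over the 142-byte form payload from the original post after an approximation of the rule's transformation chain, names which of the five alternatives fires (the fourth, `\w{2,}\s*=\s*\d+[^&\w]\w+`, on `time=2009.12`), checks the Host header against rule 960017, and then sums the anomaly score from the Message lines of the H section using the increments the K section declares (+5 for 960017, +20 per phpids-23 hit). The transformation helpers are standard-library stand-ins for ModSecurity's own (no %uXXXX handling); the sample body, Host header and H-section text are constructed from the log above, and the two multiMatch hits are taken from that log rather than re-derived.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample input, copied from the thread: the 142-byte payload of the
# original POST and the Host header used in Christian's replay.
SAMPLE_BODY = (
    "destination=5555&messageid=6740368&keyword=FFF&sender=0041795244021"
    "&time=2009.12.22+19%3A06%3A04&text=fff+lungo+50+test&provider=22802&header="
)
SAMPLE_HOST = "192.168.10.10"

# Constructed from the audit log's H part; the long phpids-23 regex is replaced
# by a placeholder because only the [id] and [data] fields are parsed here.
SAMPLE_H_SECTION = r"""
Message: Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "62"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Message: Pattern match "<phpids-23 pattern>" at REQUEST_BODY. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "123"] [id "phpids-23"] [msg "Detects JavaScript location/document property access and window access obfuscation"] [data "time=2009.12"] [severity "CRITICAL"] [tag "WEB_ATTACK"]
Message: Pattern match "<phpids-23 pattern>" at REQUEST_BODY. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "123"] [id "phpids-23"] [msg "Detects JavaScript location/document property access and window access obfuscation"] [data "time=2009.12"] [severity "CRITICAL"] [tag "WEB_ATTACK"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/core-rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 45): Detects JavaScript location/document property access and window access obfuscation"]
Action: Intercepted (phase 2)
"""

# The phpids-23 pattern exactly as printed in the audit log, split into its
# five alternatives so the one that fires can be named.
PHPIDS_23_ALTERNATIVES = [
    r"(?:\.\s*\w+\W*=)",
    r"(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])",
    r"(?:\(\w+\?[:\w]+\))",
    r"(?:\w{2,}\s*=\s*\d+[^&\w]\w+)",
    r"(?:\]\s*\(\s*\w+)",
]
PHPIDS_23 = re.compile("|".join(PHPIDS_23_ALTERNATIVES))

NUMERIC_HOST = re.compile(r"^[\d.:]+$")            # rule 960017 from the K part
SCORE_BY_RULE = {"960017": 5, "phpids-23": 20}     # setvar:tx.anomaly_score=+N
BLOCK_THRESHOLD = 20                               # "TX:ANOMALY_SCORE" "@ge 20" ... deny


def crs_transform(value: str) -> str:
    """Approximate the phpids-23 chain: urlDecodeUni (twice), htmlEntityDecode,
    replaceComments, compressWhiteSpace, lowercase. Assumption: stdlib
    equivalents are close enough for this payload (no %uXXXX sequences)."""
    value = unquote_plus(unquote_plus(value))
    value = html.unescape(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def phpids_23_hit(body: str):
    """Return (alternative_number, matched_text) for the first phpids-23 hit on
    the transformed body, or None. Mirrors what logdata:%{TX.0} records."""
    m = PHPIDS_23.search(crs_transform(body))
    if m is None:
        return None
    for number, alt in enumerate(PHPIDS_23_ALTERNATIVES, start=1):
        if re.fullmatch(alt, m.group(0)):
            return number, m.group(0)
    return 0, m.group(0)


def parse_audit_messages(h_section: str):
    """Extract (rule id, data) from each 'Message: Pattern match' line."""
    hits = []
    for line in h_section.splitlines():
        if not line.startswith("Message: Pattern match"):
            continue
        rule_id = re.search(r'\[id "([^"]+)"\]', line)
        data = re.search(r'\[data "([^"]*)"\]', line)
        hits.append((rule_id.group(1) if rule_id else None,
                     data.group(1) if data else None))
    return hits


def anomaly_score(hits) -> int:
    return sum(SCORE_BY_RULE.get(rule_id, 0) for rule_id, _ in hits)


def explain(body=SAMPLE_BODY, host=SAMPLE_HOST, h_section=SAMPLE_H_SECTION):
    hit = phpids_23_hit(body)
    hits = parse_audit_messages(h_section)
    score = anomaly_score(hits)
    return {
        "phpids_23_alternative": hit[0] if hit else None,
        "phpids_23_data": hit[1] if hit else None,
        "numeric_host": NUMERIC_HOST.match(host) is not None,
        "audit_hits": hits,
        "anomaly_score": score,
        "blocked": score >= BLOCK_THRESHOLD,
    }


if __name__ == "__main__":
    for key, value in explain().items():
        print(f"{key}: {value}")
```

Identifying the rule id and the exact alternative is what you need to write a targeted exclusion for the `time` parameter; whitelisting the whole source IP, as the original post did, also switches off every other rule for that sender.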
From: Ivan R. <iva...@gm...> - 2009-12-22 23:40:36
Actually, that looks to me like the ModSecurity 1.9.x log format. In it, a request body is preceded with a line that contains the length of the body...

On Tue, Dec 22, 2009 at 10:20 PM, Christian Bockermann <ch...@jw...> wrote:

--
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
From: argo <ar...@gm...> - 2010-01-04 16:22:25
Finally I've found the problem. post_log is not fully compatible with mod_security; after post_log was removed the system runs fine.

But it's not the end... you have to check that mlogc is not the same in the two rpm releases (one for CentOS and the other for Fedora). On my CentOS 5.4 the CentOS release is not working fine (mlogc is freezing and I have to kill it from another term). So finally I've installed on CentOS the Fedora release without post_log and all is working fine.

Bye
From: Ivan R. <iva...@gm...> - 2010-01-04 18:48:06
I am glad you've solved your problem. I am not familiar with the post_log module you mention. Where did you get it from?

On Mon, Jan 4, 2010 at 4:21 PM, argo <ar...@gm...> wrote:

> Finally I've found the problem.
> post_log is not fully compatible with mod_security; after post_log was removed the system runs fine.
>
> But it's not the end... you have to check that mlogc is not the same on both of the 2 RPM releases (one for CentOS and the other for Fedora).
>
> On my CentOS 5.4 the CentOS release is not working fine (mlogc is freezing and I have to kill it from another term). So finally I've installed on CentOS the Fedora release without post_log and all is working fine.
>
> Bye

--
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]