Thread: [mod-security-users] Activating rules to help prevent sql injection
From: robert m. <rob...@gm...> - 2010-10-26 16:22:58

Hi,

I noticed that mod_security comes with some rules for sql_injection, but they seem to only generate warnings out of the box, so we can decide and activate the correct ones by replacing the pass with drop (for example), right?

I've searched the FAQs and tried to search the web (and the archives) for a set of trusted rules to activate before having to dig too much in the log files.

If possible I'd like a few pointers to 'jump-start' my setup.

Regards.
From: Ryan B. <RBa...@tr...> - 2010-10-26 16:29:49

On 10/26/10 12:22 PM, "robert mena" <rob...@gm...> wrote:
> I noticed that mod_security comes with some rules for sql_injection, but they seem to only generate warnings out of the box, so we can decide and activate the correct ones by replacing the pass with drop (for example), right?

While there is a version of the Core Rule Set (CRS) that is bundled with the modsecurity source archive, it is highly recommended that you use the current version from over at the OWASP Project site - http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

You can read a bit on the Setup/Documentation tabs for data. I would also recommend that you sign up for the OWASP CRS mail-list to stay up-to-date on rule updates and to ask rule-related questions there - https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-Ryan
From: robert m. <rob...@gm...> - 2010-10-26 18:20:05

Hi Ryan,

Thanks for the reply. I am reading that URL. If I understood correctly I'll have to enable the rules by switching the action from pass to drop for those rules that I consider OK to be used, right? Or is there another (better) way?
From: robert m. <rob...@gm...> - 2010-10-26 20:53:41

Hi Ryan,

I've downloaded the latest pack. Do you recommend for me to remove all the /etc/httpd/modsecurity.d/base_rules/ rules and replace them with the modsecurity-crs_2.0.8/base_rules? I've noticed that in the action they all have the pass. Should I change it to something else?
From: Ryan B. <RBa...@tr...> - 2010-10-26 20:57:52

On 10/26/10 4:53 PM, "robert mena" <rob...@gm...> wrote:
> I've downloaded the latest pack. Do you recommend for me to remove all the /etc/httpd/modsecurity.d/base_rules/ rules and replace them with the modsecurity-crs_2.0.8/base_rules?

Yes, however you will probably want to keep your base/main config file. This is the one that you have customized for the SecAuditEngine, Debug Log Levels, etc...

> I've noticed that in the action they all have the pass. Should I change it to something else?

Robert - read the README and the comments in the modsecurity_crs_10_config.conf file. The CRS currently runs in an anomaly scoring mode. Yes, the individual rules are set to pass, however that is because they are all contributing to an anomaly score that is then evaluated at the end of the request phase (in the modsecurity_crs_49_inbound_blocking.conf file). Set the appropriate levels/actions in the 10 config file and you should be good.

-Ryan
From: robert m. <rob...@gm...> - 2010-10-26 21:22:27

Ok.

I've read the README and the crs10. I understand that all rules should be in pass (base_rules), but if I understood correctly I should change the SecDefaultAction "phase:2,pass" to "phase:2,drop".

Is this correct? Otherwise I still do not understand where I actually have to change it. 59 and 49 were supposed to block if the scores are high enough (as set in the crs_10), but in my case they are not.
From: Ryan B. <RBa...@tr...> - 2010-10-26 21:34:11

On 10/26/10 5:22 PM, "robert mena" <rob...@gm...> wrote:
> I've read the README and the crs10. I understand that all rules should be in pass (base_rules), but if I understood correctly I should change the SecDefaultAction "phase:2,pass" to "phase:2,drop".
>
> Is this correct? Otherwise I still do not understand where I actually have to change it. 59 and 49 were supposed to block if the scores are high enough (as set in the crs_10), but in my case they are not.

That is correct. The rule(s) in the modsecurity_crs_49_inbound_blocking.conf file use the "block" action which will inherit the disruptive action specified in the SecDefaultAction directive.

-Ryan
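The mechanism Ryan describes in his last two replies (detection rules that stay on "pass" and only add to an anomaly score, plus one final rule that uses "block" and so inherits whatever disruptive action SecDefaultAction names) is shown below as a minimal, self-contained ModSecurity configuration. This is an added illustration written for this page; it is not the CRS project's own rule file, and the rule ids (900001-900003), the threshold values and the sample detection pattern are constructed for it. The tx.anomaly_score / tx.inbound_anomaly_score_level variable names follow CRS 2.x conventions, but any real deployment should take those names and thresholds from its own modsecurity_crs_10_config.conf.

```apache
# Added example, not the CRS project's own file: a minimal anomaly-scoring
# setup showing why the individual rules keep "pass" and where enforcement
# is actually switched on. Rule ids, thresholds and the detection pattern
# are constructed for this illustration.

# 1. Nothing is ever blocked unless the engine is enforcing. With
#    "SecRuleEngine DetectionOnly" every rule still logs, but the final
#    "block" below becomes a no-op regardless of SecDefaultAction.
SecRuleEngine On

# 2. The disruptive action that "block" inherits. The commented-out line
#    is the detection-only default the thread starts from; the active line
#    enforces. "drop" (closing the TCP connection) works here as well, as
#    discussed above. Note that SecDefaultAction only governs rules that
#    follow it in the SAME phase, so keep it on phase:2 if the blocking
#    rule runs in phase 2.
#SecDefaultAction "phase:2,pass,log,auditlog"
SecDefaultAction "phase:2,deny,log,auditlog,status:403"

# 3. Per-request initialisation and thresholds, the job of the "10" config
#    file in CRS. A request is blocked once its total score reaches
#    tx.inbound_anomaly_score_level; a single critical hit is worth
#    tx.critical_anomaly_score (values illustrative).
SecAction "phase:1,id:900001,t:none,nolog,pass,\
  setvar:tx.anomaly_score=0,\
  setvar:tx.inbound_anomaly_score_level=5,\
  setvar:tx.critical_anomaly_score=5"

# 4. A detection rule (constructed sample pattern). It deliberately stays
#    on "pass": it logs, records what matched, and raises the score. It is
#    never meant to decide on its own, which is why editing pass -> drop
#    on every base rule is the wrong lever.
SecRule ARGS "@rx (?i:union\s+select)" \
  "phase:2,id:900002,t:none,t:urlDecodeUni,log,pass,\
  msg:'SQL Injection Attack (constructed sample rule)',\
  severity:'2',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.msg=%{rule.msg}"

# 5. The equivalent of the "49" inbound blocking rule: evaluated once,
#    after all detection rules of the phase have run. "block" is the only
#    place enforcement is decided, and it takes its meaning from
#    SecDefaultAction (deny/drop above; pass would merely log).
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
  "phase:2,id:900003,t:none,log,block,\
  msg:'Inbound Anomaly Score Exceeded (Total Score: %{tx.anomaly_score}): Last Matched Message: %{tx.msg}'"
```

Two checks are worth doing after making the change from the thread. First, confirm SecRuleEngine is "On" and not "DetectionOnly" in the main config; that setting overrides everything else and is the most common reason a correct SecDefaultAction still blocks nothing. Second, send one request you expect to be scored and look at the audit log: you should see the detection rule's message followed by the "Inbound Anomaly Score Exceeded" entry carrying the summed score, and the response status should match the status in SecDefaultAction. If the detection messages appear but the final entry does not, the threshold in the 10 config file is higher than the score the request accumulated.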