Thread: Re: [mod-security-users] Bug: PCRE limit triggered by ruleUpdateTargetById=973020
From: kwenu <uz...@ya...> - 2011-08-30 14:17:28
Thanks for the reply. Was thinking I'd have had this sussed by now.

Rules are not added to vhosts but are globally used.

The CRS rules being used are:

modsecurity_35_bad_robots.data
modsecurity_35_scanners.data
modsecurity_40_generic_attacks.data
modsecurity_41_sql_injection_attacks.data
modsecurity_46_slr_et_lfi.data
modsecurity_46_slr_et_rfi.data
modsecurity_46_slr_et_sqli.data
modsecurity_46_slr_et_xss.data
modsecurity_46_slr_lfi.data
modsecurity_46_slr_rfi.data
modsecurity_46_slr_sqli.data
modsecurity_46_slr_xss.data
modsecurity_crs_10_config.conf
modsecurity_crs_10_ignore_static.conf
modsecurity_crs_11_avs_traffic.conf
modsecurity_crs_11_proxy_abuse.conf
modsecurity_crs_13_xml_enabler.conf
modsecurity_crs_15_customrules.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_25_cc_known.conf
modsecurity_crs_25_cc_track_pan.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_46_lfi_attacks.conf
modsecurity_crs_46_rfi_attacks.conf
modsecurity_crs_46_slr_et_lfi_attacks.conf
modsecurity_crs_46_slr_et_rfi_attacks.conf
modsecurity_crs_46_slr_et_sqli_attacks.conf
modsecurity_crs_46_slr_et_xss_attacks.conf
modsecurity_crs_46_xss_attacks.conf
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_48_global_exceptions.conf
modsecurity_crs_49_inbound_blocking.conf
modsecurity_crs_60_correlation.conf

The custom rules used are:

modsecurity_crs_15_customrules.conf

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_sess"
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers"
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_pers"
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:s_pers"
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:s_sess"

modsecurity_crs_48_global_exceptions.conf

#SecRule &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/' "@gt 0,msg:'Adjusting FP Score'" "setvar:tx.anomaly_score=-4"
#SecRule &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/' "@gt 0" "setvar:tx.anomaly_score=-4"
#SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
#    SecRule &TX:'981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count' "@gt 0" "setvar:tx.anomaly_score=-7"

SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
    SecRule &TX:'/981242-Detects.*1/2-WEB_ATTACK/SQLI-REQUEST_FILENAME/' "@gt 0" "setvar:tx.anomaly_score=-6"

SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
    SecRule &TX:'/981243-Detects.*2/2-WEB_ATTACK/ID-REQUEST_FILENAME/' "@gt 0" "setvar:tx.anomaly_score=-6"

SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
    SecRule &TX:'/981244-Detects.*1/3-WEB_ATTACK/LFI-REQUEST_FILENAME/' "@gt 0" "setvar:tx.anomaly_score=-7"

SecRule REQUEST_FILENAME ".*/navlid_div\.gif$" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
    SecRule &TX:'/981248-Detects.*1/2-WEB_ATTACK/SQLI-REQUEST_FILENAME/' "@gt 0" "setvar:tx.anomaly_score=-6"

On 30/08/11 14:17, Ryan Barnett wrote:
> On 8/30/11 9:14 AM, "kwenu" <uz...@ya...> wrote:
>
>> I pulled crs rules using the following
>>
>> svn co https://mod-security.svn.sourceforge.net/svnroot/mod-security/crs/trunk crs
>>
>> however I am still getting those errors
>>
>> And the anomaly score has increased because rule ids have changed that I negated
>>
>> Will the rule ids remain the same or will they change after every new crs release? If it changes then that negates the point of using secupdatetarget and like rules
>
> They normally stay the same but not always. We need a better method of ruleID management...
>
> Question for you - how are you adding in these rule exceptions to your configs? It looks to me like these rules might be included multiple times within different vhost configs and that is why they are being triggered multiple times.
>
> -Ryan
>
>> On 30/08/11 13:19, Ryan Barnett wrote:
>>> I would suggest that you update your rules to the SVN version as we ended up replacing those rules with the following -
>>>
>>> #
>>> # [ SQL Injection Character Anomaly Usage ]
>>> #
>>> # These rules attempted to gauge when there is an excessive use of
>>> # meta-characters within a single parameter payload.
>>> #
>>> # The most likely false positive instances will be free-form text fields.
>>> # Adjust the @ge operator value appropriately for your site. Increasing
>>> # the score will reduce false positives but may also decrease detection of
>>> # obfuscated attack payloads.
>>> #
>>> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){6,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'[% VERSION %]',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'%{tx.1}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>>>
>>> SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'[% VERSION %]',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'%{tx.1}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>>>
>>> -Ryan
>>>
>>> From: kwenu <uz...@ya...>
>>> Date: Tue, 30 Aug 2011 07:08:25 -0500
>>> To: "mod...@li..." <mod...@li...>
>>> Subject: [mod-security-users] Bug: PCRE limit triggered by ruleUpdateTargetById=973020
>>>
>>> I have compiled apache and modsecurity against pcre and apr to fix a segmentation problem
>>>
>>> error_log
>>>
>>> [Tue Aug 30 11:58:34 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
>>> [Tue Aug 30 11:58:34 2011] [notice] ModSecurity: APR compiled version="1.3.12"; loaded version="1.3.12"
>>> [Tue Aug 30 11:58:34 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
>>> [Tue Aug 30 11:58:34 2011] [notice] ModSecurity: LIBXML compiled version="2.6.23"
>>>
>>> Now I'm stumped with another issue, PCRE limits being reached -
>>>
>>> The rule below is doing some wacky things
>>>
>>> SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
>>>     "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:s_pers"
>>>
>>> SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
>>>     "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:s_sess"
>>>
>>> It appears the above rule is being called every time it checks a request for potential "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"
>>>
>>> This is generating PCRE limit exceeded errors
>>>
>>> modsec_audit_log
>>>
>>> SecRule
>>> "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|X
>>> ML:/*|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_
>>> pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_s
>>> ess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pe
>>> rs|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_ses
>>> s|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers
>>> |!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|
>>> !REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!
>>> REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!R
>>> EQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!RE
>>> QUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQ
>>> UEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQU
>>> EST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUE
>>> ST_COOKIES:s_pers|!REQUEST_COOKIES:
>>> s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s
>>> _pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_
>>> sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_p
>>> ers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_se
>>> ss|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_per
>>> s|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess
>>> |!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|
>>> !REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!
>>> REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!R
>>> EQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!RE
>>> QUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQ
>>> UEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQU
>>> EST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess" "@pm ~ ! @ # $ % ^& * ( ) -
>>> + = { } [ ] | : ; \" ' \xc2\xb4 \xe2\x80\x99 \xe2\x80\x98 `< >"
>>> "phase:2,auditlog,id:973020,t:none,t:urlDecodeUni,nolog,pass,setvar:tx.re
>>> stricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}"
>>>
>>> As you can witness there's a loop going on
>>>
>>> Can anyone help here
>>>
>>> --
>>> Senior Sys Admin
>>>
>>> ________________________________
>>> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
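A defender-side check, added here as an example and not taken from the thread, ModSecurity or the CRS: it parses the SecRule line that ModSecurity writes into modsec_audit_log (the layout is assumed from the excerpt quoted above) and flags any rule whose negated targets repeat, which is the symptom kwenu reports for rule 973020. The sample log lines are constructed.

```python
"""Flag ModSecurity rules whose audit-log target list has accumulated duplicate exclusions."""
import re
from collections import Counter

# One double-quoted SecRule argument; backslash-escaped quotes (\") occur inside @pm lists.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Targets may be quoted (as in the audit log) or bare (REQUEST_COOKIES|ARGS, as in rule files).
_SECRULE = re.compile(r'^\s*SecRule\s+(?:' + _QUOTED + r'|(\S+))\s+' + _QUOTED + r'\s+' + _QUOTED)
_RULE_ID = re.compile(r"(?:^|,)id:'?(\d+)'?")


def parse_secrule(line):
    """Split a SecRule line into (targets, operator, actions, rule_id); None if not a SecRule."""
    m = _SECRULE.match(line)
    if not m:
        return None
    targets = m.group(1) if m.group(1) is not None else m.group(2)
    operator, actions = m.group(3), m.group(4)
    idm = _RULE_ID.search(actions)
    rule_id = int(idm.group(1)) if idm else None
    return targets.split("|"), operator, actions, rule_id


def duplicate_exclusions(targets):
    """Return {negated target: occurrences} for every '!...' target listed more than once."""
    counts = Counter(t for t in targets if t.startswith("!"))
    return {t: n for t, n in counts.items() if n > 1}


def check_audit_line(line):
    """Summarise one SecRule line: rule id, number of targets, and repeated exclusions."""
    parsed = parse_secrule(line)
    if parsed is None:
        return None
    targets, _operator, _actions, rule_id = parsed
    return {"id": rule_id, "targets": len(targets), "duplicates": duplicate_exclusions(targets)}


def scan_audit_log(lines):
    """Yield the summary of every SecRule line whose exclusions have accumulated."""
    for line in lines:
        summary = check_audit_line(line)
        if summary and summary["duplicates"]:
            yield summary


# Constructed sample modelled on the thread's excerpt: the s_pers/s_sess exclusion pair
# appears four times instead of once (the real log showed far more repetitions).
_BASE = "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
_EXCL = "|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess"
_OP = r'"@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" \' ` < >"'
_ACTIONS = ('"phase:2,auditlog,id:973020,t:none,t:urlDecodeUni,nolog,pass,'
            'setvar:tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}"')
SAMPLE_ACCUMULATED = 'SecRule "%s" %s %s' % (_BASE + _EXCL * 4, _OP, _ACTIONS)
SAMPLE_HEALTHY = 'SecRule "%s" %s %s' % (_BASE + _EXCL, _OP, _ACTIONS)
SAMPLE_LOG = [
    "--a1b2c3d4-H--",  # constructed audit-log section marker, not a SecRule line
    SAMPLE_ACCUMULATED,
    SAMPLE_HEALTHY,
]

if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_LOG):
        print("rule %(id)s has %(targets)d targets; repeated exclusions: %(duplicates)s" % hit)
```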
From: Usman W. <us...@op...> - 2011-08-30 14:33:25
Hi,

I am testing out the default rules that come with mod_security in my test setup and have the following below in my config files. For some reason this rule does not trigger when I set the size of a text input field to 100+ characters.

For example in my test form (method: POST) I have:

<input type=text name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"></td>

Appreciate if I could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction "phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.1'"
    SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
From: Ryan B. <rya...@ow...> - 2011-08-30 15:15:46
What are you trying to do here? Create some custom rules that restrict the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <us...@op...> wrote:
>_______________________________________________
>mod-security-users mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/application-security.php
From: Usman W. <us...@op...> - 2011-08-30 14:58:54
That's right, restrict the name_size of the parameter (name) to not more than 10 characters long.

--
Using Opera's revolutionary email client: http://www.opera.com/mail/
From: Ryan B. <rya...@ow...> - 2011-08-30 16:09:24
Try -

SecRule ARGS:name "@gt 10" "phase:2,t:none,t:length,block,msg:'Name Parameter Payload Too Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

-Ryan
From: Usman W. <us...@op...> - 2011-08-31 10:34:06
Thanks Ryan, that worked on the value to the arg: name. I then tried with ARGS_POST_NAMES to restrict the length_size of the params (not their values) and that worked as well.

Cheers.

--
Using Opera's revolutionary email client: http://www.opera.com/mail/
From: Ken B. <Ke...@pu...> - 2011-08-31 16:12:29
[ Resending from subscribed account ]

How does one get the generic rule (960209) to work though? I was just experimenting with it as well and it has not been working. I have the following in my config:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"

Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the chained rule:

SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" ...

By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each. In my testing I've found that by removing '&' from the above syntax the rule behaves as expected.

There's another length based test in rule 960208 that will break in a similar way.

Using CRS 2.2.1 btw.

-- Ken
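The behaviour Ken describes, and Ryan's ARGS:name rule from earlier in the thread, modelled in Python as an added example that is not code from the thread, ModSecurity or the CRS: select_variables and run_rule are a deliberately small model of the engine's variable expansion (assumed from the documented meaning of the '&' count prefix and t:length), not its implementation.

```python
"""Model of '&COLLECTION' versus 'COLLECTION' under t:length and @gt in ModSecurity rules."""


def select_variables(spec, args):
    """Expand a ModSecurity-style variable spec against parsed request arguments.

    Supports a small subset: ARGS, ARGS:<name>, ARGS_NAMES, and the '&' count
    prefix. Returns [(variable_name, value), ...] in the order the engine would
    iterate over them. With '&' the selection collapses to one variable whose
    value is the count of selected items, as a string.
    """
    count = spec.startswith("&")
    if count:
        spec = spec[1:]
    collection, _, selector = spec.partition(":")
    if collection == "ARGS":
        items = [("ARGS:" + k, v) for k, v in args.items() if not selector or k == selector]
    elif collection == "ARGS_NAMES":
        items = [("ARGS_NAMES:" + k, k) for k in args]
    else:
        raise ValueError("unsupported variable in this model: " + spec)
    if count:
        return [("&" + spec, str(len(items)))]
    return items


def length_gt(variables, limit):
    """Apply t:length to each value and keep those for which '@gt limit' holds.

    Returns [(variable_name, length), ...]; an empty list means the rule would not fire.
    """
    return [(name, len(value)) for name, value in variables if len(value) > limit]


def run_rule(spec, args, limit):
    """Evaluate 'SecRule <spec> "@gt <limit>" "t:length"' against the arguments."""
    return length_gt(select_variables(spec, args), limit)


# Constructed POST body in the spirit of Usman's test form: one 145-character parameter name.
LONG_NAME = "uname" + "b" * 70 + "c" * 70
SAMPLE_ARGS = {LONG_NAME: "x", "pw": "y", "name": "a much too long value"}

if __name__ == "__main__":
    # Rule 960209 as shipped in CRS 2.2.1: '&ARGS_NAMES' yields the count "3", length 1, never > 90.
    print("&ARGS_NAMES @gt 90:", run_rule("&ARGS_NAMES", SAMPLE_ARGS, 90))
    # Ken's fix: without '&' every name is measured, and the 145-character name matches.
    print("ARGS_NAMES  @gt 90:", run_rule("ARGS_NAMES", SAMPLE_ARGS, 90))
    # Ryan's rule for Usman: the value of the 'name' parameter against a limit of 10.
    print("ARGS:name   @gt 10:", run_rule("ARGS:name", SAMPLE_ARGS, 10))
```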
From: Ryan B. <RBa...@tr...> - 2011-08-31 16:20:36
|
Yep, good catch. I have fixed these and they will be synced to SVN soon. Thanks.

--
Ryan Barnett

From: Ken Brucker <Ke...@pu...>
Date: Wed, 31 Aug 2011 11:12:15 -0500
To: Ryan Barnett <rya...@ow...>
Cc: "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] Testing some policy/size-limit rules.

[ Resending from subscribed account ]

How does one get the generic rule (960209) to work though? I was just experimenting with it as well and it has not been working. I have the following in my config:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"

Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the chained rule:

SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" ...

By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each. In my testing I've found that by removing '&' from the above syntax the rule behaves as expected. There's another length based test in rule 960208 that will break in a similar way.

Using CRS 2.2.1 btw.

--
Ken

On Aug 30, 2011, at 10:03 AM, Ryan Barnett wrote:

Try -

SecRule ARGS:name "@gt 10" "phase:2,t:none,t:length,block,msg:'Name Parameter Payload Too Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

-Ryan

On 8/30/11 10:59 AM, "Usman Waheed" <us...@op...> wrote:

That's right, restrict the name_size of the parameter (name) to not more than 10 characters long.

What are you trying to do here? Create some custom rules that restrict the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <us...@op...> wrote:

Hi,

I am testing out the default rules that come with mod_security in my test setup and have the following below in my config files. For some reason this rule does not trigger when I set the size of a text input field to 100+ characters.

For example in my test form (method: POST) I have:

<input type=text name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"></td>

Appreciate if I could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction "phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.1'"
SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/application-security.php
|
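To see Ken's point in running code, here is an added model of the chained rule's target expansion (example code, not ModSecurity's own implementation); the POST body with a 145-character parameter name is constructed to mirror Usman's test form, and the limit passed in plays the role of tx.arg_name_length.

```python
"""Added example (not ModSecurity or CRS code): a model of how the chained
rule in 960209 expands its target, showing why `&ARGS_NAMES` with t:length
never exceeds tx.arg_name_length while plain `ARGS_NAMES` does."""
from urllib.parse import parse_qsl

# Constructed POST body in the shape of the thread's test form: one parameter
# whose *name* is 145 characters long, plus an ordinary submit button.
LONG_NAME = "uname" + "b" * 70 + "c" * 70
BODY = f"{LONG_NAME}=x&submit=ok"


def args_names(body: str) -> list[str]:
    """ARGS_NAMES: the name of every request parameter, in order."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def expand_target(names: list[str], counted: bool) -> list[str]:
    """Values the operator sees for ARGS_NAMES (counted=False) or
    &ARGS_NAMES (counted=True).  The '&' prefix yields one value: how many
    variables the collection holds, never the content of any of them."""
    return [str(len(names))] if counted else list(names)


def t_length(values: list[str]) -> list[str]:
    """t:length replaces each value with its length as a decimal string.
    In this model it is applied to the count value like any other value;
    even if it were not, a count of 2 could never exceed the limit."""
    return [str(len(v)) for v in values]


def rule_960209_matches(body: str, limit: int, counted: bool) -> list[str]:
    """Evaluate the chained part of 960209 against a body and return each
    transformed value for which "@gt limit" held (empty list: no alert)."""
    values = t_length(expand_target(args_names(body), counted))
    return [v for v in values if int(v) > limit]


if __name__ == "__main__":
    # tx.arg_name_length=100 as in Usman's config; Ken used 90
    for counted in (True, False):
        target = "&ARGS_NAMES" if counted else "ARGS_NAMES"
        print(f"{target:<12} -> matches {rule_960209_matches(BODY, 100, counted)}")
```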
From: kwenu <uz...@ya...> - 2011-08-31 10:17:06
|
Since compiling apache and modsecurity to use external PCRE library version 1.3.12 I have suffered from PCRE limit detections on rule 950901

This I disabled by putting the following "SecRuleRemoveById 950901" in modsecurity_crs_60_customrules.conf

Now the following rules in file modsecurity_crs_15_customrules.conf

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
  "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
  "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981172;!REQUEST_COOKIES:s_sess"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
  "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981172;!REQUEST_COOKIES:s_pers"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
  "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_sess"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
  "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_pers"

are appending targets as below, taken from modsec_debug.log:

Rule a93fb08: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|

Rather than append once and once only it's behaving recursively - what am I doing wrong ????

On 30/08/11 15:53, Ryan Barnett wrote:
> What are you trying to do here? Create some custom rules that restrict
> the size of the payload of the parameter named "name"?
>
> -Ryan
>
> On 8/30/11 10:33 AM, "Usman Waheed" <us...@op...> wrote:
>
>> Hi,
>>
>> I am testing out the default rules that come with mod_security in my test
>> setup and have the following below in my config files. For some reason
>> this rule does not trigger when I set the size of a text input field to
>> 100+ characters.
|
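As an added check (not ModSecurity or CRS code), the following parses a target list in the shape of the debug-log line above, counts repeated exclusions, and models the two update behaviours a practitioner would want to tell apart: one more copy per request versus append-once. Whether ModSecurity 2.6 really re-applied the ctl action on every request is not established by the thread; the sample line is constructed and much shorter than the real one.

```python
"""Added example (not ModSecurity or CRS code): parse a rule's target list
as printed in modsec_debug.log, count repeated exclusions, and model the
'append on every request' versus 'append once' update behaviours."""
from collections import Counter

# Constructed sample with the same shape as the thread's "Rule a93fb08" line;
# the real line carries some forty exclusions, this one six.
DEBUG_LINE = (
    'Rule a93fb08: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|'
    'REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|'
    '!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|'
    '!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|'
    '!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|"'
)

# Targets the rule had before any ctl action touched it (from the log line).
BASE_TARGETS = ["REQUEST_COOKIES", "REQUEST_COOKIES_NAMES", "REQUEST_FILENAME",
                "ARGS_NAMES", "ARGS", "XML:/*"]
# What the two custom rules for one rule id (e.g. 981172) add per request.
CTL_EXCLUSIONS = ["!REQUEST_COOKIES:s_sess", "!REQUEST_COOKIES:s_pers"]


def parse_targets(debug_line: str) -> list[str]:
    """Return the '|'-separated target list quoted after 'SecRule'."""
    start = debug_line.index('SecRule "') + len('SecRule "')
    end = debug_line.index('"', start)
    return [t for t in debug_line[start:end].split("|") if t]


def duplicate_exclusions(targets: list[str]) -> dict[str, int]:
    """Exclusions ('!'-prefixed targets) listed more than once, with counts.
    A healthy rule should give an empty dict here."""
    counts = Counter(t for t in targets if t.startswith("!"))
    return {t: n for t, n in counts.items() if n > 1}


def update_targets(targets: list[str], new: list[str], idempotent: bool) -> list[str]:
    """Model of ruleUpdateTargetById appending to a rule's target list.
    idempotent=False: every call appends (what the log line looks like);
    idempotent=True: a target already present is skipped (append once)."""
    out = list(targets)
    for t in new:
        if idempotent and t in out:
            continue
        out.append(t)
    return out


def simulate(requests: int, idempotent: bool) -> list[str]:
    """Fire the ctl rules once per request and return the final target list."""
    targets = list(BASE_TARGETS)
    for _ in range(requests):
        targets = update_targets(targets, CTL_EXCLUSIONS, idempotent)
    return targets


if __name__ == "__main__":
    print("duplicates in log line:", duplicate_exclusions(parse_targets(DEBUG_LINE)))
    print("after 3 requests, append-always:", len(simulate(3, False)), "targets")
    print("after 3 requests, append-once:  ", len(simulate(3, True)), "targets")
```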
From: Breno S. <bre...@gm...> - 2011-08-31 12:55:28
|
Kwenu,

Try this

ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers;!REQUEST_COOKIES:s_pers

Breno

On Wed, Aug 31, 2011 at 5:16 AM, kwenu <uz...@ya...> wrote:
> Since compiling apache and modsecurity to use external PCRE library version
> 1.3.12
>
> I have suffered from PCRE limit detections on rule 950901
>
> This I disabled by putting the following "SecRuleRemoveById 950901" in
> modsecurity_crs_60_customrules.conf
>
> Now the following rules are in file modsecurity_crs_15_customrules.conf
>
> SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
> "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers"
>
> Rather than append once and once only it's behaving recursively - what am I
> doing wrong ????
|
From: kwenu <uz...@ya...> - 2011-08-31 14:29:57
|
Still the same - I'm using crs_2.2.2 as directed by Ryan

Ever since I recompiled against apache 2.2.19 I've had major problems with segmentation faults and now rules are behaving differently after compiling against apr v 1.3.12 and pcre v 8.x

I can't see what the issue is - I'm using the same files from crs_2.2.1 but I'm getting PCRE exceptions on rule 950901

I'm on holiday tomo and friday and have a meeting today to update on the status of this

Is there anything you can suggest here - does secruleupdatetarget etc work when using anomaly mode ??

On 31/08/11 13:55, Breno Silva wrote:
> Kwenu,
>
> Try this
> ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers;!REQUEST_COOKIES:s_pers
>
> Breno
|
From: Reindl H. <h.r...@th...> - 2011-08-31 14:43:58
Attachments:
signature.asc
|
On 31.08.2011 16:29, kwenu wrote:
> Still the same - I'm using crs_2.2.2 as directed by Ryan
>
> Ever since I recompiled against apache 2.2.19 I've had major problems with segmentation faults and now rules are
> behaving differently after compiling against apr v 1.3.12 and pcre v 8.x

do you not think your APR is a little bit old?

ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
|
From: kwenu <uz...@ya...> - 2011-08-31 15:01:01
|
I agree hence why we are rebuilding 2.2.20 using non-bundled apr 1.4.5

Hopefully this will resume its predictable behaviour though - however the main reason for using 1.3.12 was to solve the segmentation faults I was getting

Using an external APR might greatly help

On 31/08/11 15:43, Reindl Harald wrote:
> On 31.08.2011 16:29, kwenu wrote:
>> Still the same - I'm using crs_2.2.2 as directed by Ryan
>>
>> Ever since I recompiled against apache 2.2.19 I've had major problems with segmentation faults and now rules are
>> behaving differently after compiling against apr v 1.3.12 and pcre v 8.x
> do you not think your APR is a little bit old?
> ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
|