ModSecurity

Hello,

Is there anyway to tell what rule comes from which file easily or do you have 
to manually search for the rule in all the files?

Cheers.

From,

noob Jack

One thing that you can do is to use the "id" action to create unique
ID's for each and every rule that you create.  This way, when you see
the mod_security-message in your audit/error logs, you then just grep
for the id # in your rules file to identify the exact rule that
trigger the alert.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 7/24/06, Jack Farley <jackf@...> wrote:
> Hello,
>
> Is there anyway to tell what rule comes from which file easily or do you have
> to manually search for the rule in all the files?
>
> Cheers.
>
> From,
>
> noob Jack
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

Everyone,

I have sticked at this problem. 
Help is greatly appreciated.

The part of modsecurity debug log
########
[20/Nov/2007:15:24:19 +0900] [localhost/sid#3dc320][rid#2aa6d08][/securitytest.html][2] Checking signature "(\"|').*[<>]|<[\\s]*input" at ARGS_SELECTIVE
[20/Nov/2007:15:24:19 +0900] [localhost/sid#3dc320][rid#2aa6d08][/securitytest.html][4] Checking against "hid_RouteValue='1;;?miiqj;Ht;2007/11/16;09:01;2007/11/16;09:03;;JR;iqe?;130;;9;on;on'&PCodeNameGetKind=&PCodeNameGetIndex=&PCodeNameGetType=&PCodeNameGetCode=&PCodePattern1=*[0-9,A-Z]&PCodePattern2=@[A-Z]&PCodePattern3=$[0-9]&FormerBusiness=&hidCalledform=&hidinterYear=&hidinterMonth=&hidinterDays=&DivAdjust=&DaysTrip=ON&chkDivAdjust=&chkDaysTrip=ON&cboBusinTripDiv=001;?oinj;1;1;0;&dtxtBusinTripPerStart=20071116&dtxtBusinTripPerEnd=20071116&dtxtAdjustPeriodStart=20071116&dtxtAdjustPeriodEnd=20071116&DefAdjustPeriodStart=20071116&DefAdjustPeriodEnd=20071116&isHrDispControl=true&TehainaiyouDispFlag=OFF&TehaiInfoCounter=0&KYU_TRAVEL_BIGIN_DATE=&NumberOfDaysFlg1=0&chkDaysTrip1=on&DivisionRouteCheck1=&NumberOfDaysFlg2=1&SeisanInfoCounter1=2&TrafficSyohyoKubun1=0&TrafficSyohyoKubun2=0&
TrafficSyohyoKubun3=1&TrafficSyohyoKubun4=1&TrafficSyohyoKubun5=1&TrafficSyohyoKubun6=1&TrafficSyohyoKubun7=0&OutboxAccountStartDate=&LastAdmitDate=&SlipNo=2293&SameArrangeNo=1&AccountSplitCorrectNo=1&AccountSplitCo
[20/Nov/2007:15:24:19 +0900] [localhost/sid#3dc320][rid#2aa6d08][/securitytest.html][9] Check took 0 usec
[20/Nov/2007:15:24:19 +0900] [localhost/sid#3dc320][rid#2aa6d08][/securitytest.html][1] Warning. Pattern match "(\"|').*[<>]|<[\\s]*input" at ARGS_SELECTIVE [msg "XSS attack"] [severity "EMERGENCY"]
[20/Nov/2007:15:24:19 +0900] [localhost/sid#3dc320][rid#2aa6d08][/securitytest.html][9] Signature check returned 0
########

My request HTTP postbody is like below. Full length is 1632.
########
hid_RouteValue='1;;?miiqj;Ht;2007/11/16;09:01;2007/11/16;09:03;;JR;iqe?;130;;9;on;on'&PCodeNameGetKind=&PCodeNameGetIndex=&PCodeNameGetType=&PCodeNameGetCode=&PCodePattern1=*[0-9,A-Z]&PCodePattern2=@[A-Z]&PCodePattern3=$[0-9]&FormerBusiness=&hidCalledform=&hidinterYear=&hidinterMonth=&hidinterDays=&DivAdjust=&DaysTrip=ON&chkDivAdjust=&chkDaysTrip=ON&cboBusinTripDiv=001;?oinj;1;1;0;&dtxtBusinTripPerStart=20071116&dtxtBusinTripPerEnd=20071116&dtxtAdjustPeriodStart=20071116&dtxtAdjustPeriodEnd=20071116&DefAdjustPeriodStart=20071116&DefAdjustPeriodEnd=20071116&isHrDispControl=true&TehainaiyouDispFlag=OFF&TehaiInfoCounter=0&KYU_TRAVEL_BIGIN_DATE=&NumberOfDaysFlg1=0&chkDaysTrip1=on&DivisionRouteCheck1=&NumberOfDaysFlg2=1&SeisanInfoCounter1=2&TrafficSyohyoKubun1=0&TrafficSyohyoKubun2=0&TrafficSyohyoKubun3=1&TrafficSyohyoKubun4=1&TrafficSyohyoKubun5=1&TrafficSyohyoKubun6=1&TrafficSyohyoKubun
7=0&OutboxAccountStartDate=&LastAdmitDate=&SlipNo=2293&SameArrangeNo=1&AccountSplitCorrectNo=1&AccountSplitCorrectNoOld=&AccountSplitCorrectFmNo=&SlipNoNewCreationFlag=ON&LastAdmitDateStr=&CorrectNoFlag=ON&ArrangeSplitNo=1&AdjustStatus=&SaishuDispFlag=ON&DivisionRouteCheck=&toa_status=&toa_action=&SLIP_NO=&SAME_ARRANGE_NO=&PARTY_ARRANGE_NO=&companyCode=023060&T13_TRAVEL_BIGIN_DATE=20071116&T13_TRAVEL_END_DATE=20071116&inputFlg=ON&toa_scheduleBeginYear=&toa_scheduleBeginMonth=&toa_scheduleBeginDay=&toa_scheduleEndYear=&toa_scheduleEndMonth=&toa_scheduleEndDay=&toa_prefectures=&toa_city=&toa_distination=&toa_purpose=&toa_interview=&optSubject1=&AdmitRoute=A&AdmitRouteBefore=&AdmitRouteAfter=&nbsp;->&nbsp;x?(F)&nbsp;->&nbsp;v?(F)
########

My rule
########
SecFilterSelective ARGS_VALUES|!ARG_hidSeisanInputData "(\"|\').*[<>]|<[\s]*input"
########

My question:
1, Regarding the second line in modsecurity debug log, the postbody string was cutoff in "Checking against" part.
   Why modsecurity did not check full postbody string by this rule?
2, I want to check parameters other than "hidSeisanInputData" in my rule, but the debug log says I have a RE pattern "(\"|').*[<>]|<[\\s]*input".
   I can not find any value in my postbody included this type of string. What am I missing?

I use ModSecurity v1.9.4 and Apache 2.2.4.0. for test. 
Above log information is recorded in Windows XP Pro. Also, the same problem occured in Linux AS 4.0.

Best Regards,
-------
He

Thanks for helping keep SourceForge clean.

ModSecurity

Brought to you by: victorhora, zimmerletw

mod-security-users