Thread: [mod-security-users] Whitelisting nightmare...
From: rewt r. <re...@li...> - 2014-01-27 15:48:32
Dear All,

I have to urgently secure a web application. Unfortunately it is not working as expected :(

My problems are:
- ARGS variable names change; the only remaining part is "property", so I wanted to write something like .*property.* ...
- When I write a chained rule it works, but it whitelists the full URL instead of the ARGS only.

(For information, this ARG variable contains an SSL certificate which is considered as SQLi.)

I have tried tons of possibilities:

This one fully whitelists the URL and does not consider the ARGS value (I have tried it in different orders: ARGS_NAME before, then REQUEST_URI -> not whitelisting at all):

SecRule REQUEST_URI "^/dir/mycgi.cgi.*" "phase:1,t:none,nolog,id:25,chain,pass,ctl:ruleEngine=off"
SecRule ARGS_NAMES .*property.* "t:none"

This one does the same:

SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off"

# I tried to match BEGIN and END of certificate
SecRule ARGS:property_value_.* !BEGIN.*END.*$ "id:26,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"
SecRule ARGS:old_property_value_.* !BEGIN.*END.*$ "id:27,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"

# I also tried:
SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off;ARGS:.*property.*

Syntax error on line 95 of /etc/httpd/conf.d/reverse-mycgi.conf:
Error parsing actions: Invalid setting for ctl name ruleEngine: off;ARGS:.*property.*

(ARGS_NAMES does the same)

Some help would be very much appreciated as I don't know what to do now :(

I don't even find a way to fully whitelist this ARGS (with regular expression) inside my virtualhost.

Kind regards,
From: Jose P. V. L. <pab...@gm...> - 2014-01-27 16:56:45
Hi.

In the mod_security directives there is an example where you can whitelist args: whitelists args <https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-ARGS_NAMES>

SecRule ARGS_NAMES "!^(p|a)$" "id:13"

Have you tried with !^ and args??

Kind regards,

> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Jose P. V. L. <pab...@gm...> - 2014-01-27 16:59:31
http://www.webhostingtalk.com/showthread.php?t=1024178

A rule like this?

SecRule ARGS:variablename "Union" phase:1,nolog,allow,ctl:ruleEngine=off

Kind regards
From: Ryan B. <RBa...@tr...> - 2014-01-27 17:28:56
You don't want to do this. This is not the correct approach for whitelisting. What you showed below turns off ModSecurity as a whole if that data appears.

You want to use the SecRuleRemoveByXX directives or the SecRuleUpdateTargetByXX directives instead.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
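As an added illustration of the point Ryan makes (example configuration written for this page, not taken from the thread, from ModSecurity or from the OWASP CRS): the chained `ctl:ruleEngine=off` rule from the first message beside a per-target exception. It assumes ModSecurity 2.x with the CRS 2.2.x rule ids and tags that appear in this thread (960024, 981173, WEB_ATTACK/SQL_INJECTION, WEB_ATTACK/RESTRICTED_SQLI_CHARS) and a certificate-carrying parameter whose name contains "property". The file name of the local exceptions file is a placeholder.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x, the CRS 2.2.x
# rule ids/tags mentioned in this thread and parameter names containing
# "property". Load this file *after* the CRS rule files (see note 2).

# --- What the first message does (weak): the whole engine is switched off
# for the request as soon as the URI matches, so nothing else in that
# request (other parameters, headers, cookies, body) is inspected.
#SecRule REQUEST_URI "^/dir/mycgi.cgi" \
#    "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off"

# --- Per-target exception instead: every rule stays active, only the
# certificate parameters are removed from the target list of the rules
# that misfire on PEM data.
#
# Two details matter:
#  1. A bare name after "ARGS:" is a literal parameter name, so
#     "!ARGS:.*property.*" excludes only a parameter literally called
#     ".*property.*". A regular-expression selector is written between
#     slashes, "!ARGS:/property/", and is matched against the parameter name.
#  2. SecRuleUpdateTargetBy* only changes rules that were already defined
#     when the directive is parsed, so it has to come after the CRS
#     Includes, e.g. in a local file such as
#     modsecurity_crs_99_local_exceptions.conf (placeholder name).

# By rule id (the two ids that fire on the PEM values in this thread):
SecRuleUpdateTargetById 960024 "!ARGS:/property/"
SecRuleUpdateTargetById 981173 "!ARGS:/property/"

# By tag, reaching every rule that carries the tag. The tag strings are the
# ones used in this thread; assumption: the tag argument is matched as a
# pattern against the rules' full tags, as in the reference-manual example
# SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:foo".
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION"         "!ARGS:/property/"
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" "!ARGS:/property/"

# Excluding ARGS_NAMES instead would only stop the rules from inspecting the
# *name* of the parameter. The alerts in this thread are reported
# "at ARGS:property_value_...", i.e. on the value, so ARGS is the
# collection that needs the exception.
```

To verify, reload Apache and resend the request that was blocked: the error log should no longer carry `[id "960024"]` or `[id "981173"]` entries "at ARGS:...property..." and the 981176 "Inbound Anomaly Score Exceeded" line should disappear, while a test value in any other parameter is still inspected as before.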
From: David R. <re...@li...> - 2014-01-27 20:23:51
Ryan Barnett <RBarnett <at> trustwave.com> writes:
> You don't want to do this. This is not the correct approach for whitelisting. What you showed below turns off ModSecurity as a whole if that data appears.
> You want to use the SecRuleRemoveByXX directives or the SecRuleUpdateTargetByXX directives instead.

Dear Ryan,

Unfortunately the SecRuleUpdateTargetByXX did not work at all. Worse, when I tried to use them inside LocationMatch I got a segmentation fault from Apache on service restart :(

I tried these approaches:

SecRuleUpdateTargetById 960024 "!ARGS:/.*property.*/" --> no effect
SecRuleUpdateTargetByTag etc...

None of them were able to whitelist using a .*property.* even with ARGS_NAMES specified.

Any idea?
From: David R <re...@li...> - 2014-01-27 20:55:46
Just for proof that the SecRuleUpdateTargetById didn't work in my case (even with the correct ARGS name, not the regexp).

My config:

SecRuleUpdateTargetById 960024 !ARGS:old_property_value_74_inst0_882538
SecRuleUpdateTargetById 960024 !ARGS:property_value_74_inst0_882538
SecRuleUpdateTargetById 981173 !ARGS:old_property_value_74_inst0_882538
SecRuleUpdateTargetById 981173 !ARGS:property_value_74_inst0_882538

SecRuleUpdateTargetById 960024 !ARGS:property_value_73_inst0_882537
SecRuleUpdateTargetById 981173 !ARGS:property_value_73_inst0_882537
SecRuleUpdateTargetById 960024 !ARGS:old_property_value_73_inst0_882537
SecRuleUpdateTargetById 981173 !ARGS:old_property_value_73_inst0_882537

Below is the output of the log... and as you can see all the ARGS with the rule number are still caught...

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "154"] [id "960024"] [rev "2"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ----- found within ARGS:property_value_74_inst0_882538: -----BEGIN CERTIFICATE-----\\x0dpY2F0..."] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "\\\\W{4,}" at ARGS:property_value_74_inst0_882538. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:old_property_value_73_inst0_882537: -----BEGIN RSA PRIVATE KEY-----\\8C ItK 8Bkw nzjpz 8v4XbvLwID..."] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:old_property_value_73_inst0_882537. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:property_value_73_inst0_882537: -----BEGIN RSA PRIVATE KEY----- \\x0d\\x0aMIIEpAIBAAKCAQEA3JX3s918B4PDtrRKG6R3gxSNpNHqZ9tKX z3EB 837 Hu9WE4hXQmdA/IMnQUaaNLE\\x0d\\x0aoVVyMcDpnu3d8C ItK 8Bkw nzjpz 8v4XbvLwIDAQAB..."] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:property_value_73_inst0_882537. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:old_property_value_74_inst0_882538: -----BEGIN CERTIFICATE----- \\x0d\\x0aMIIE5jCCA86gAwIBAgIQXnfyOUt/DZXmEkIdbVXJnjANBgkqhkiG9w0BAQUFADBe\\x2F0..."] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:old_property_value_74_inst0_882538. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:property_value_74_inst0_882538: -----BEGIN CERTIFICATE-----TEZ..."] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:property_value_74_inst0_882538. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 44, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: ---"] Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981231-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:old_property_value_73_inst0_882537. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]

[Mon Jan 27 21:50:47 2014] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 44, SQLi=12, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator GE matched 15 at TX:inbound_anomaly_score. [hostname "myapp.com"] [uri "/cgi/myapp.cgi"] [unique_id "UubGpn8AAAEAAEeEFbMAAAAA"]
From: Ryan B. <RBa...@tr...> - 2014-01-27 21:15:16
On 1/27/14 3:55 PM, "David R" <re...@li...> wrote:
> Just for proof that the SecRuleUpdateTargetById didn't work in my case (even with the correct ARGS name, not the regexp).
> Below is the output of the log... and as you can see all the ARGS with the rule number are still caught...

Where did you put these new exception directives? Did you place them within a local custom rules file that is Included *after* the normal OWASP CRS rules?

-Ryan
From: David R <re...@li...> - 2014-01-28 08:50:02
Hi Ryan,

I pushed them in the virtualhost config at first (just to be sure that the rules will be pushed only for the domain).

Then I tried the following in crs_999_exclude.conf:

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS:.*property.*
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" !ARGS:.*property.*

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS_NAMES:.*property.*
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" !ARGS_NAMES:.*property.*

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS_NAMES:/.*property.*/
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" !ARGS_NAMES:/.*property.*/

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS_NAMES:/property/
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" !ARGS_NAMES:/property/

All these combinations gave me the same result -> Score 44 on the ARGS ARGS:property_value_74_inst0_882538.

Any idea?
From: Jose P. V. L. <pab...@gm...> - 2014-01-28 09:07:26
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleUpdateTargetByTag

*Example Usage:*

SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:foo"

So I understand with that sample you should use double quotation marks?

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS_NAMES:/property/"
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" "!ARGS_NAMES:/property/"

Kind regards

2014-01-28 David R <re...@li...>

> Hi Ryan,
> I pushed them in the virtualhost config at first (just to be sure that the
> rules will be pushed only for the domain)
>
> Then i tried the following in crs_999_exclude.conf:
> [...]
> All these combinatgions gave me the same result -> Score 44 on the ARGS
> ARGS:property_value_74_inst0_882538.
> property_value_74_inst0_882538
>
> Any idea ?
From: David R <re...@li...> - 2014-01-28 14:04:41
rewt rewt <rewt <at> linux-elite.org> writes:

> [original post quoted in full above]

Same problem with double quotes ""

Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:property_value_74_inst0_882538: ...
From: Ryan B. <RBa...@tr...> - 2014-01-28 14:31:44
On 1/28/14 9:03 AM, "David R" <re...@li...> wrote:

> rewt rewt <rewt <at> linux-elite.org> writes:
>
>> [original post quoted in full above]
>
> Same problem with double quotes ""
>
> Restricted SQL Character Anomaly Detection Alert - Total # of special
> characters exceeded"] [data "Matched Data: - found within
> ARGS:property_value_74_inst0_882538:
> ...

Have you reviewed the debug log?

-Ryan
From: Jose P. V. L. <pab...@gm...> - 2014-01-28 14:27:09
Sorry, I read a directive example. I think your policies were right. I have seen how it uses tags on that directive at the same link:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
    "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS:email

If you take a look at SecRuleUpdateTargetByTag, it is using the tag tag:'WASCTC/WASC-31' instead of tag:'WEB_ATTACK/COMMAND_INJECTION', and it uses simple quotation and keeps the rule format as you wrote at the beginning:

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS_NAMES:/property/

Try it with

SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS_NAMES:\/property\/

The backslash character is to escape the / character.

Kind regards

2014-01-28 David R <re...@li...>

> rewt rewt <rewt <at> linux-elite.org> writes:
>
>> [original post quoted in full above]
>
> Same problem with double quotes ""
>
> Restricted SQL Character Anomaly Detection Alert - Total # of special
> characters exceeded"] [data "Matched Data: - found within
> ARGS:property_value_74_inst0_882538:
> ...
From: Ryan B. <RBa...@tr...> - 2014-01-28 14:35:26
Those directives can work on any TAG within a rule. Also, when using a regular expression to specify an ARGS name, you do not escape the /.

!ARGS:/property/ means do NOT inspect any parameter value whose name contains "property" in it.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jose Pablo Valcárcel Lázaro <pab...@gm...>
Date: Tuesday, January 28, 2014 9:26 AM
To: "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] Whitelisting nightmare...

> Sorry, I read a directive example. I think your policies were right. I have seen how it uses tags on that directive at the same link:
> [CRS rule 958895 and SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS:email, quoted in full above]
>
> Try it with
>
> SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS_NAMES:\/property\/
>
> The backslash character is to escape the / character.
>
> Kind regards
From: David R <re...@li...> - 2014-01-28 15:40:13
Ryan Barnett <RBarnett <at> trustwave.com> writes:

Hi All,

Many many thanks for your help on that issue. I had a look at the debug log but I didn't get easily readable information; I just saw that /property/ doesn't seem to be matched as a regexp.

I finally GOT IT! Using the following:

SecRule REQUEST_URI "^/cgi/myap.cgi.*" "chain,phase:1,t:none,nolog,id:25,pass,ctl:ruleRemoveById=960024;ARGS_NAMES: property"
SecRule REQUEST_HEADERS:Host ^(host1|host2|host3) "t:none"

SecRule REQUEST_URI "^/cgi/myap.cgi.*" "chain,phase:1,t:none,nolog,id:26,pass,ctl:ruleRemoveById=981173;ARGS_NAMES: property"
SecRule REQUEST_HEADERS:Host ^(host1|host2|host3) "t:none"

SecRule REQUEST_URI "^/cgi/myap.cgi.*" "chain,phase:1,t:none,nolog,id:27,pass,ctl:ruleRemoveById=981231;ARGS_NAMES: property"
SecRule REQUEST_HEADERS:Host ^(host1|host2|host3) "t:none"

Ryan, what do you think of these rules?

Thanks again to all!
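The thread turns on two ModSecurity target-selection rules that Ryan states and that David's exclusion attempts ran into: a `/.../` selector after a collection name is a regex matched against the parameter name, while anything else (such as `.*property.*` without slashes) is taken as a literal parameter name; and `ARGS_NAMES` and `ARGS` are separate collections, so `!ARGS_NAMES:/property/` removes only the name variables and leaves the `ARGS:` values (where the certificate text lives) inspected. The following Python model is an added example, not ModSecurity's or the CRS project's code; it emulates just those selection semantics and a toy special-character check. The parameter names are taken from the thread; the certificate values, `SPECIAL_CHARS` and `THRESHOLD` are constructed and are not the real logic of rules 960024 or 981173.

```python
import re

# Constructed sample request parameters, modelled on the names in the thread.
# The certificate bodies are made up; the dashes and quote are what a
# "restricted SQL character" style rule would count.
SAMPLE_ARGS = {
    "property_value_74_inst0_882538": "-----BEGIN CERTIFICATE-----\nMIIB'--\n-----END CERTIFICATE-----",
    "old_property_value_74_inst0_882538": "-----BEGIN CERTIFICATE-----\nMIIA'--\n-----END CERTIFICATE-----",
    "user": "alice",
}

# Toy stand-in for a special-character counting rule (assumption: the real
# CRS rule uses its own character list and threshold).
SPECIAL_CHARS = set("'\"();=|-")
THRESHOLD = 3


def expand(target: str, args: dict) -> list:
    """Expand one target such as ARGS, ARGS:name or ARGS_NAMES:/regex/ into
    (variable_name, value) pairs. A /.../ selector is a regex applied to the
    parameter name; any other selector is a literal parameter name."""
    collection, _, selector = target.partition(":")
    if collection == "ARGS":
        items = [(f"ARGS:{k}", v) for k, v in args.items()]
    elif collection == "ARGS_NAMES":
        # ARGS_NAMES holds the parameter *names* as values
        items = [(f"ARGS_NAMES:{k}", k) for k in args]
    else:
        raise ValueError(f"unsupported collection {collection!r}")
    if not selector:
        return items
    if len(selector) >= 2 and selector[0] == selector[-1] == "/":
        rx = re.compile(selector[1:-1])
        return [(n, v) for n, v in items if rx.search(n.split(":", 1)[1])]
    return [(n, v) for n, v in items if n.split(":", 1)[1] == selector]


def resolve_targets(target_list: str, args: dict) -> list:
    """Build the variable list for a target string such as
    'ARGS_NAMES|ARGS|!ARGS:/property/': positive entries add variables,
    negated entries remove the variables they select."""
    selected = []
    for raw in target_list.split("|"):
        raw = raw.strip()
        if raw.startswith("!"):
            drop = {n for n, _ in expand(raw[1:], args)}
            selected = [(n, v) for n, v in selected if n not in drop]
        else:
            for item in expand(raw, args):
                if item not in selected:
                    selected.append(item)
    return selected


def flagged_variables(rule_targets: str, exclusion: str, args: dict) -> list:
    """Variables the toy rule still flags after an exclusion is appended to
    its target list (SecRuleUpdateTargetById/ByTag append the negated target
    to the end of the rule's existing targets)."""
    targets = f"{rule_targets}|{exclusion}" if exclusion else rule_targets
    return [
        name for name, value in resolve_targets(targets, args)
        if sum(ch in SPECIAL_CHARS for ch in value) > THRESHOLD
    ]


# The CRS SQLi rules in the thread inspect both parameter names and values.
RULE_TARGETS = "ARGS_NAMES|ARGS"

if __name__ == "__main__":
    for exclusion in ("", "!ARGS:.*property.*", "!ARGS_NAMES:/property/", "!ARGS:/property/"):
        label = exclusion or "(no exclusion)"
        print(f"{label:26} -> {flagged_variables(RULE_TARGETS, exclusion, SAMPLE_ARGS)}")
```

Running it shows that neither the literal `!ARGS:.*property.*` (no parameter is literally named that) nor `!ARGS_NAMES:/property/` (wrong collection) stops the two certificate values from being flagged, while `!ARGS:/property/` removes exactly those values and leaves `user` inspected. The model is simplified: it ignores phases, transformations and chaining, and it only covers the per-parameter exclusion form. Note that `ctl:ruleRemoveById` disables the whole rule for the matching request, whereas `ctl:ruleRemoveTargetById=ID;TARGET` (available since ModSecurity 2.7) is the runtime equivalent of the per-parameter exclusion modelled here.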