<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user">
    <title>gmane.comp.apache.mod-security.user</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10307"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10306"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10305"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10304"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10303"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10302"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10301"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10300"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10299"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10298"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10297"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10296"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10295"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10294"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10293"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10292"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10291"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10290"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10289"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10288"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10307">
    <title>Re: Basic question regarding usage</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10307</link>
    <description>&lt;pre&gt;On Tue, May 21, 2013 at 5:52 PM, Thomas Eckert
&amp;lt;thomas.r.w.eckert&amp;lt; at &amp;gt;gmail.com&amp;gt;wrote:


Hi Thomas,

I suggest increasing your debug log level to 9 for you to better understand
what is happening. It sounds to me like rule 981176 isn't being executed,
perhaps because you enabled anomaly_score_blocking too late in the
processing.


When you set the default action to deny then the moment the first rule
matches the rule inherits the default action and denies with a 403 response
code. If you use anomaly mode then after a match the anomaly score is
increased and ModSecurity continues processing the rest of the rules. Using
the "classic" configuration, ModSecurity then makes a decision to block
with a 403 response code or not based on the 49 config file (for inbound
requests), assuming that that file is enabled and that the
anomaly_score_blocking variable is set before rule 981176 is executed. Does
that make sense?



Section K is what you want to look at. Feel free to send me a sanitized
version of the audit log priva&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-21T18:17:23</dc:date>
  </item>
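Added example, not part of the thread: the two blocking models Josh contrasts above, written out as ModSecurity 2.x configuration. The rule IDs in the 1000000 range, the onclick= pattern and the threshold values are illustrative choices of this example, not CRS rules. Section A and section B are alternatives; load one or the other, not both.

```apacheconf
# Added example (not from the thread). Two ways to wire the same detection
# rule, illustrating the difference Josh describes. Use ONE of the sections.
#
# --- A. Traditional / self-contained mode ---------------------------------
# Every rule inherits "deny" from SecDefaultAction, so the FIRST match in a
# phase stops processing and returns 403. Only one match ever shows in the
# error log before the 403.
SecDefaultAction "phase:1,deny,log,status:403"
SecDefaultAction "phase:2,deny,log,status:403"

SecRule ARGS "@rx onclick=" \
    "phase:2,id:1000001,t:none,t:lowercase,msg:'XSS attribute in parameter'"

# --- B. Anomaly-scoring mode (what CRS 2.2.x does) ------------------------
# Rules inherit "pass": a match only logs and raises tx.anomaly_score, then
# evaluation continues. A separate rule at the END of phase 2 compares the
# accumulated score with the threshold and blocks, but only while
# tx.anomaly_score_blocking is "on". If that variable is set AFTER the
# evaluation rule has run, or the evaluation rule is never loaded, every
# attack is logged as a Warning and the request is served.
SecDefaultAction "phase:1,pass,log"
SecDefaultAction "phase:2,pass,log"

# Set BEFORE any detection rule and before the evaluation rule.
SecAction "phase:1,id:1000010,t:none,nolog,pass,\
    setvar:tx.anomaly_score_blocking=on,\
    setvar:tx.critical_anomaly_score=5,\
    setvar:tx.inbound_anomaly_score_level=5"

# Detection rule: only raises the score (illustrative pattern and ID).
SecRule ARGS "@rx onclick=" \
    "phase:2,id:1000011,t:none,t:lowercase,\
    msg:'XSS attribute in parameter',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Evaluation rule: must come after all phase-2 detection rules. @ge supports
# macro expansion, so the threshold is read from the tx variable above.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
    "chain,phase:2,id:1000012,t:none,deny,status:403,log,\
    msg:'Inbound anomaly score %{tx.anomaly_score} exceeded threshold'"
    SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" "t:none"
```

In model B the order of the three pieces is what matters: the SecAction that turns blocking on has to be evaluated before the evaluation rule, and the evaluation rule has to come after every rule that raises the score in that phase. With pass as the default action and the evaluation rule missing or loaded too early, every match shows up as "ModSecurity: Warning." in the error log and the request is served, which is the symptom at the start of this thread.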
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10306">
    <title>Re: Basic question regarding usage</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10306</link>
    <description>&lt;pre&gt;Hi Josh,

My setup is kind of hard to explain because there are so many external
components involved. Safe to say it's a non-standard setup but I am using
the OWASP CRS, though only parts of it. Due to this setup I have no
"modsecurity_crs_10_setup.conf" file but my equivalent (general
mod_security config file) contains
    SecDefaultAction "phase:2,pass"

I checked the rule with id=900004 and interestingly I found no equivalent
in my configuration, at least nothing with "anomaly_score_blocking=on" in
it. So I added the rule in my general config, exactly as shipped with the
v2.2.7 owasp-crs. No change in behaviour though.

Looking at owasp-crs/modsecurity_crs_10_setup.conf I saw
    SecDefaultAction "phase:1,deny,log"
so I changed my default action from pass to deny. It started blocking and
the log only contains one message by mod_security about the matched rule
before apache logs a 403. I *think* this matches the behaviour described by
the documentation in modsecurity_crs_10_setup.conf.example under "[[
Self-C&lt;/pre&gt;</description>
    <dc:creator>Thomas Eckert</dc:creator>
    <dc:date>2013-05-21T14:52:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10305">
    <title>Re: Basic question regarding usage</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10305</link>
    <description>&lt;pre&gt;On Tue, May 21, 2013 at 4:36 PM, Thomas Eckert
&amp;lt;thomas.r.w.eckert&amp;lt; at &amp;gt;gmail.com&amp;gt;wrote:

Hi Thomas,

Take a look at your modsecurity_crs_10_setup.conf config file, what is your
SecDefaultAction directive set to? If you're using anomaly scoring, is
rule 900004 enabled? If you provide us with an audit log (specifically
section H and K) that would probably shed some light as to what the
configuration error is exactly.

--
 - Josh


------------------------------------------------------------------------------
Try New Relic Now &amp;amp; We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, &amp;amp; servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may_______________________________________________
mod-security-users mailing list
mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-securit&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-21T13:48:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10304">
    <title>Re: Issue with TX macro expansion in SecRule regexes</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10304</link>
    <description>&lt;pre&gt;Yes. We need to update the documentation. There are some old comments from
2.5.x series.

Thanks

Breno


On Tue, May 21, 2013 at 10:17 AM, Christian Folini &amp;lt;
christian.folini&amp;lt; at &amp;gt;time-machine.ch&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Breno Silva</dc:creator>
    <dc:date>2013-05-21T13:40:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10303">
    <title>Basic question regarding usage</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10303</link>
    <description>&lt;pre&gt;Hi folks,

I'm pretty new to this so please excuse my question about basics. Some time
ago I finished upgrading my test system from 2.5.12 to 2.7.3 along with a
CRS upgrade from 2.0.6 to 2.2.7. Aside from the unnerving "rule has no ID
issue" it went smoothly but now I'm facing unexpected behaviour. Instead of
blocking simple XSS and SQL injection attacks, mod_security will only
complain about them in the logs but let the attacks themselves pass.

For example, I can see the following in the logs (this is only the last
reported match, there's plenty more):

[Tue May 21 15:22:18.235587 2013] [:error] [pid 16304:tid 1194236784]
[client 10.10.10.10] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][
]*(([^a-z0-9~_:\\\\'\\" ])|(in)).+?\\\\(.*?\\\\))" at ARGS:field1. [file
"/apache/conf/My.rules"] [line "187"] [id "973335"] [rev "2"] [msg "IE XSS
Filters - Attack Detected."] [data "Matched Data: \\x22/\\x22
onclick=\\x22alert('sample XSS attack') found within ARGS:field1: &amp;lt;a
href=\\x22/\\x22 onclick=\\x22alert('sam&lt;/pre&gt;</description>
    <dc:creator>Thomas Eckert</dc:creator>
    <dc:date>2013-05-21T13:36:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10302">
    <title>Re: Issue with TX macro expansion in SecRule regexes</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10302</link>
    <description>&lt;pre&gt;Hello,

There has not been any feedback on this subject. I have looked into the
documentation again and thought I would provide some additional
information so the next person stumbling over this issue might at least
find something on google.

The Changelog lists "Added support to macro expansion for rx
operator." for 2.6.2-rc1.

The Reference Guide says
"You cannot use macro expansion for operators that are "compiled" such
as @pm, @rx, etc. as these operators have their values fixed at
configure time for efficiency."

That looks like a contradiction to me.

In my previous message, I noted that the core rules use macro expansion in
the operator part of the SecRule statement. Actually modsecurity_crs_30_http_policy.conf
only uses the TX macro expansion together with &amp;lt; at &amp;gt;within, which is
advertised in the Reference Guide under Macro Expansion.

The initial issue persists though. This works:
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookie&lt;/pre&gt;</description>
    <dc:creator>Christian Folini</dc:creator>
    <dc:date>2013-05-21T13:17:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10301">
    <title>Nginx Configuration (confusion, observations)</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10301</link>
    <description>&lt;pre&gt;Greetings,

I have very little (none) experience with ModSecurity but I decided I 
want to use it to protect my ownCloud instance. I have successfully 
installed 2.7.3 on CentOS 6 with Nginx 1.0.15 (old!) - and I've made an 
RPM package which I plan to get into EPEL once I have successfully 
gotten ModSecurity working for the task at hand. It looks like I have 
gotten ModSecurity *running* in DetectionOnly mode with the OWASP rule 
set.

Observations:
  * It was not clear that you must "Include" the rules from *within* 
modsecurity.conf for Nginx.
  * ModSecurity's "Include" != Nginx's "include". The ModSecurity 
directives are not parsed by Nginx (and so don't need ";" termination).
  * The documentation seems to assume that you are using ModSecurity on 
all of your virtual-hosts and thus refers to putting the 
ModSecurityConfig directive in nginx.conf rather than in a specific 
virtual host ("server" block). For use in a virtual hosting setup I 
assume you should create a separate modsecurity.conf for each&lt;/pre&gt;</description>
    <dc:creator>Daniel Devine</dc:creator>
    <dc:date>2013-05-20T03:45:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10300">
    <title>Re: log analysis tools</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10300</link>
    <description>&lt;pre&gt;

Hi Avi,

Have you looked at AuditConsole?

--
 - Josh


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d_______________________________________________
mod-security-users mailing list
mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-19T18:38:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10299">
    <title>log analysis tools</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10299</link>
    <description>&lt;pre&gt;Hi,
I'm looking for a good tool to analyze modsecurity concurrent audit logs. Any recommendations? It would be nice if it had a GUI and/or graphing abilities.

Thanx
Avi
&lt;/pre&gt;</description>
    <dc:creator>Avi Rosenblatt</dc:creator>
    <dc:date>2013-05-19T09:08:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10298">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10298</link>
    <description>&lt;pre&gt;On Thu, May 16, 2013 at 11:35 PM, Sushant Vengurlekar &amp;lt;
svengurlekar&amp;lt; at &amp;gt;jnrcorp.com&amp;gt; wrote:


One way would be to have something like this in your config:

SecRule REMOTE_ADDR "^64\.58\.154\.194$" \
    "phase:1,log,allow,ctl:ruleEngine=Off,id:999945"

Include /etc/httpd/modsecurity.d/activated_rules/*conf

This way your whitelist rule is executed before any of the CRS rules are.

--
 - Josh


&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-16T20:48:06</dc:date>
  </item>
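Added example, not from the thread: the whitelist-before-include arrangement Josh suggests, using @ipMatch so several addresses or CIDR ranges can be listed in one rule. The file paths, the 10.0.0.0/8 range and the rule ID are assumptions of this example.

```apacheconf
# Added example (not from the thread). In httpd.conf (or the file that
# loads ModSecurity): the whitelist must be read BEFORE the CRS files,
# because rules within a phase run in configuration order. If this Include
# came after the CRS, CRS phase-1 rules such as 960032 would already have
# fired (and, with a deny default action, returned 403) before the whitelist
# rule is reached.
Include /etc/httpd/modsecurity.d/00_whitelist.conf
Include /etc/httpd/modsecurity.d/activated_rules/*.conf

# Contents of /etc/httpd/modsecurity.d/00_whitelist.conf (assumed path).
# @ipMatch takes a comma-separated list of addresses and CIDR ranges, so one
# rule covers all trusted sources. Exactly one disruptive action: "allow"
# without an argument stops rule processing for the rest of the transaction
# (all remaining phases except logging). ctl:ruleEngine=Off additionally
# switches the engine off for this transaction, ctl:auditEngine=Off keeps
# the audit log free of whitelisted traffic, and "log" still records the
# bypass in the error log.
SecRule REMOTE_ADDR "@ipMatch 64.58.154.194,107.9.211.160,10.0.0.0/8" \
    "phase:1,id:999945,t:none,log,allow,\
    ctl:ruleEngine=Off,\
    ctl:auditEngine=Off"
```

Verify it the way asked for earlier in the thread, with the debug log at level 9: a bypassed request shows the whitelist rule matching in phase REQUEST_HEADERS and no further rule evaluation. One caveat when the server sits behind a load balancer or reverse proxy: REMOTE_ADDR is then the proxy's address, so such a rule would whitelist everything; matching on a forwarded-for header instead is only safe if the proxy is the sole way in and overwrites that header, because clients can set it themselves.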
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10297">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10297</link>
    <description>&lt;pre&gt;Hi Josh

Can you suggest an option as to how I can prioritize the order of the rules?

Thanks
Sushant

On 5/16/13 1:31 PM, Josh Amishav-Zlatin wrote:

&lt;/pre&gt;</description>
    <dc:creator>Sushant Vengurlekar</dc:creator>
    <dc:date>2013-05-16T20:35:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10296">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10296</link>
    <description>&lt;pre&gt;On Thu, May 16, 2013 at 11:14 PM, Sushant Vengurlekar &amp;lt;
svengurlekar&amp;lt; at &amp;gt;jnrcorp.com&amp;gt; wrote:

Hi Sushant,

The CRS rule 960032 is firing before your whitelist rule is executed, thus
when you send a request using the PROPFIND method you receive a 403
response. Can you include your whitelist rule before including the CRS?

--
 - Josh
&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-16T20:31:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10295">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10295</link>
    <description>&lt;pre&gt;

Am 16.05.2013 22:14, schrieb Sushant Vengurlekar:

What I am missing in your first post and here too is a *simple* log entry
from the apache error log instead of a debug output, to see *what phase* is
triggered, because as said you *can not* bypass phase 1 rules

/development][5] Rule 7f90a7f711c8: SecAction
"phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"


&lt;/pre&gt;</description>
    <dc:creator>Reindl Harald</dc:creator>
    <dc:date>2013-05-16T20:27:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10294">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10294</link>
    <description>&lt;pre&gt;Hi Josh

The IP bypass rule that I used is
SecRule REMOTE_ADDR "^64\.58\.154\.194$" \
    "phase:1,log,allow,ctl:ruleEngine=Off,id:999945"

Below is the log output that you requested.

[16/May/2013:13:07:41 --0700] 
[svn.jnrdev.com/sid#7f90a7864fa8][rid#7f90a9115c48][/repos/connect2success/branches/development][4] 
Initialising transaction (txid UZU8jdjveO4AAEUSUtgAAAAE).
[16/May/2013:13:07:41 --0700] 
[svn.jnrdev.com/sid#7f90a7864fa8][rid#7f90a9115c48][/repos/connect2success/branches/development][4] 
Transaction context created (dcfg 7f90a85fbd70).
[16/May/2013:13:07:41 --0700] 
[svn.jnrdev.com/sid#7f90a7864fa8][rid#7f90a9115c48][/repos/connect2success/branches/development][4] 
Starting phase REQUEST_HEADERS.
[16/May/2013:13:07:41 --0700] 
[svn.jnrdev.com/sid#7f90a7864fa8][rid#7f90a9115c48][/repos/connect2success/branches/development][9] 
This phase consists of 51 rule(s).
[16/May/2013:13:07:41 --0700] 
[svn.jnrdev.com/sid#7f90a7864fa8][rid#7f90a9115c48][/repos/connect2success/branches/development][4] 
Recipe: Inv&lt;/pre&gt;</description>
    <dc:creator>Sushant Vengurlekar</dc:creator>
    <dc:date>2013-05-16T20:14:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10293">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10293</link>
    <description>&lt;pre&gt;On Thu, May 16, 2013 at 9:18 PM, Sushant Vengurlekar &amp;lt;
svengurlekar&amp;lt; at &amp;gt;jnrcorp.com&amp;gt; wrote:

Hi Sushant,

Besides the fact that the above rule contains two actions (pass and
allow) the rule should disable the rules and audit engine if your IP
matches. Can you increase your debug log to 9 and retest using the rule
above and show me the output?

Thanks,

--
 - Josh


&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-16T19:18:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10292">
    <title>Re: use MODSEC_ENABLE with mod_rewrite?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10292</link>
    <description>&lt;pre&gt;
Hi Todd,

Is there a reason you're not implementing this rule using ModSecurity
directives instead, e.g.:

SecRule QUERY_STRING "payment_method=os_paypal" "phase:2,id:1,chain,pass"
  SecRule REQUEST_URI "index.php" ctl:ruleEngine=Off,ctl:auditEngine=Off

--
 - Josh

Here's the apache rewrite rules (in a vhost section):
&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2013-05-16T19:11:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10291">
    <title>Re: IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10291</link>
    <description>&lt;pre&gt;

Am 16.05.2013 20:18, schrieb Sushant Vengurlekar:

SecRule REMOTE_ADDR "^64\.58\.154\.194" "id:'214',phase:1,pass,nolog,ctl:ruleRemoveById=80"

works to disable ID 80 (the 214 is the ID of this rule itself)
*but* you can *never* bypass phase:1 rules by design



&lt;/pre&gt;</description>
    <dc:creator>Reindl Harald</dc:creator>
    <dc:date>2013-05-16T18:57:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10290">
    <title>IP Bypas for Mod security 2.7.3</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10290</link>
    <description>&lt;pre&gt;I am trying to bypass one IP for a website from the modsecurity ruleset.

I used this syntax for bypassing the IP
SecRule REMOTE_ADDR "@ipMatch 64.58.154.194,107.9.211.160" \
    "phase:1,pass,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:123412345653451"

But I still get forbidden error.

I tried a couple of the alternatives below but am still getting forbidden.
SecRule REMOTE_ADDR "^64\.58\.154\.194$" \
    "allow,ctl:ruleEngine=off,id:123412345653451"

SecRule REMOTE_ADDR "^64.58.154.194$" \
    "phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"

SecRule REMOTE_ADDR "^64\.58\.154\.194$" \
    "phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"


&lt;/pre&gt;</description>
    <dc:creator>Sushant Vengurlekar</dc:creator>
    <dc:date>2013-05-16T18:18:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10289">
    <title>use MODSEC_ENABLE with mod_rewrite?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10289</link>
    <description>&lt;pre&gt;Hi,

I'm trying to use the environment variable MODSEC_ENABLE to 
turn off mod_security with certain query parameters.

Here's the apache rewrite rules (in a vhost section):

RewriteCond %{QUERY_STRING} payment_method\=os_paypal [NC]
RewriteRule ^/index.php$ - [env=MODSEC_ENABLE:off]

But I get 406 Error and see mod_security is blocking when I 
send this: DOMAIN.TLD/index.php?payment_method=os_paypal%%%

With rewrite log on apache shows the rule matching and it 
shows turning on the environment variable.

Any ideas why mod_security is ignoring the environment 
variable? Is it an order of processing thing?

Is there a way to test a query string in httpd.conf and 
disable a rule using SecRuleRemoveById?

thanks!

---------------------------------------------------------------

Using: ModSecurity for Apache/2.7.3; OWASP_CRS/2.2.7.

rewrite log:

192.168.1.2 - - [16/May/2013:11:32:05 --0600] 
[www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (3) 
applying pattern '^/index.php$' to uri '/index.php'

192.168.1&lt;/pre&gt;</description>
    <dc:creator>Todd Roseman</dc:creator>
    <dc:date>2013-05-16T18:34:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10288">
    <title>Re: Automated Updates for Windows</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10288</link>
    <description>&lt;pre&gt;
From: Ben Turner &amp;lt;benjamesturner&amp;lt; at &amp;gt;gmail.com&amp;gt;
Date: Tuesday, May 14, 2013 4:42 PM
To: mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: [mod-security-users] Automated Updates for Windows

Hi there,

Can anyone help me with the steps to enable automated updates to ModSec Rules from Trustwave Spiderlabs?

Ben – have you purchased license(s) for the commercial rules?  The FAQ is here - https://www.trustwave.com/modsecurity-rules-support.php and Shopping Cart here - https://ssl.trustwave.com/web-application-firewall.  After you purchase the rules, you will be given your license key data and information on how to access our rules repository site.



Also is anyone successfully running modsec on Windows server 2012?

Yes, see info here - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Installation_for_Microsoft_IIS

Tha&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2013-05-14T20:50:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10287">
    <title>Automated Updates for Windows</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/10287</link>
    <description>&lt;pre&gt;Hi there,

Can anyone help me with the steps to enable automated updates to ModSec
Rules from Trustwave Spiderlabs?

Also is anyone successfully running modsec on Windows server 2012?

Thanks,

Ben
&lt;/pre&gt;</description>
    <dc:creator>Ben Turner</dc:creator>
    <dc:date>2013-05-14T20:42:37</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user</link>
  </textinput>
</rdf:RDF>
