<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user">
    <title>gmane.comp.apache.mod-security.user</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9385"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9384"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9383"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9382"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9381"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9380"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9379"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9378"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9376"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9375"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9374"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9373"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9372"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9371"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9370"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9369"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9368"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9367"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9366"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9365"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9385">
    <title>Own POST Rate Limit Rule not Working</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9385</link>
    <description>&lt;pre&gt;Hi all, 

We have tried to write a ModSecurity rule to limit POST requests, but the limit does not work as expected.


Here is the rule:

 SecRule REQUEST_METHOD "^POST$" "phase:1,nolog,initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=60"
 SecRule IP:PAGECOUNT "@gt 250" "phase:1,deny,status:403,msg:'Too many requests'"

The "pagecount" counter does not work correctly, as we have a few IPs with only 10 requests, all of them "GET", with a pagecount of 250.
Where is our error?

We are using ModSecurity on Debian 6, in Version 2.5.12


Regards,
------------------------------------------------------------------------ 
 Thomas Berger 
 - Certified Linux/Cisco Networking Engineer - 
 BOREUS Rechenzentrum GmbH 
 Zur Schwedenschanze 2 
 D - 18435 Stralsund 
 Germany 
 Phone:+49 (0) 38 31 - 36 76 415 
 Fax: +49 (0) 38 31 - 36 76 615 
 eMail: tbe&amp;lt; at &amp;gt;boreus.de 
 Internet: http://www.boreus.de/ 
 -------------------------------------------------------------------------- 
 Geschäftsführer&lt;/pre&gt;</description>
    <dc:creator>Thomas Berger</dc:creator>
    <dc:date>2012-05-11T12:45:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9384">
    <title>Re: 2.6.5 Compile Question</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9384</link>
    <description>&lt;pre&gt;Hello Dan,

Version 2.6.5 still has some issues with the current Apache 2.4 code. The
2.7 version must fix it and will be released soon. If you want, I can send
you a tarball for testing.

Thanks

Breno

On Thu, May 10, 2012 at 5:07 PM, Dan Denton &amp;lt;ddenton&amp;lt; at &amp;gt;remitpro.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Breno Silva</dc:creator>
    <dc:date>2012-05-10T22:37:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9383">
    <title>2.6.5 Compile Question</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9383</link>
    <description>&lt;pre&gt;I'm compiling modsec 2.6.5 against Apache 2.4.2, and during a "make CFLAGS=-DMSC_TEST test" I get the following:

msc_test-modsecurity.o: In function `modsecurity_init':
modsecurity.c:(.text+0x240): undefined reference to `ap_unixd_set_global_mutex_perms'
modsecurity.c:(.text+0x291): undefined reference to `ap_unixd_set_global_mutex_perms'
collect2: ld returned 1 exit status
make[2]: *** [msc_test] Error 1
make[2]: Leaving directory `/opt/modsecurity-apache_2.6.5/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/opt/modsecurity-apache_2.6.5/tests'
make: *** [check-recursive] Error 1

I'm having trouble finding a work-around or solution for this. Can anyone point me in the right direction?

Thanks,

Dan

&lt;/pre&gt;</description>
    <dc:creator>Dan Denton</dc:creator>
    <dc:date>2012-05-10T22:07:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9382">
    <title>Re: ModSecurity starting, but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9382</link>
    <description>&lt;pre&gt;
Hi Steve,

Perhaps there's a configuration issue. Can you send me your config
files privately?

--
 - Josh




&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2012-05-10T17:03:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9381">
    <title>SecRule 981317</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9381</link>
    <description>&lt;pre&gt;In modsecurity_crs_41_sql_injection_attacks.conf, rule ID 981317 looks for
the following:

SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3"
"phase:2,t:none,block,id:'981317'...


Which, if the *_COUNT is equal to or greater than 3 of the list of SQL key
words, issues a 403 error.

I have two variable fields that consist of pure text fields where the SQL
key words will most likely be hit, i.e.: the count will equal 3 or greater
very easily.  These fields are not SQL in nature.

How can I perform the equivalent  of an if-else-then where if variables
coverLetterTxt or resumeTXT is scanned, to not perform the 981317 process...
I do not care if the word count reaches 20000 for these two variables
where SQL injection is concerned, but for the many other fields, I do want
these tests to be performed and permission denied in the event of an SQL
attack.

For these two fields, I do have a white list on the ASCII characters from
X01-X7F, allow.  Do I need another allow statement with the inclusion of
the SQL key words su&lt;/pre&gt;</description>
    <dc:creator>Canell, Stephen E (2240</dc:creator>
    <dc:date>2012-05-10T16:40:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9380">
    <title>Re: ModSecurity starting, but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9380</link>
    <description>&lt;pre&gt;Another data point.  I have tried standard logging and logging with mlogc
(neither of which produce logs).   When I set it to use mlogc, mlogc is not
showing up in the ps output so apache is not trying to run it (or is
failing to).  I have verified that the mlogc executable is in the location
pointed to by the config.

Steve




&lt;/pre&gt;</description>
    <dc:creator>mjs&lt; at &gt;terabox.org</dc:creator>
    <dc:date>2012-05-10T15:45:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9379">
    <title>Re: ModSecurity starting, but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9379</link>
    <description>&lt;pre&gt;Yes.  Verified with lsof that it is being loaded.

Thanks,
Steve




&lt;/pre&gt;</description>
    <dc:creator>mjs&lt; at &gt;terabox.org</dc:creator>
    <dc:date>2012-05-10T14:30:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9378">
    <title>Re: REQUEST_BODY has some XML</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9378</link>
    <description>&lt;pre&gt;Just wanted to share with the rest, Ryan's pointer worked for me.

In my modsecurity_crs_10_config.conf I set:

SecRule REQUEST_FILENAME "@streq /cgi-bin/form.pl" \
"chain,phase:1,id:'981053',t:none,t:lowercase,pass,nolog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"

In my modsecurity_crs_15_customrules.conf I set:

SecRule XML "@validateSchema /etc/apache2/xsd/test.xsd" \
"phase:2,log,auditlog,deny,status:403,msg:'XSD check failed',tag:'MOD SECURITY TEST',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},id:'500001',severity:2"

With the above settings, I was able to test a request (to:
/cgi/bin/form.pl) with REQUEST_HEADER = Content-type:
application/x-www-form-urlencoded and changed the XML values in my POST to
make the XSD check fail.

Thanks much,
-Usman



&lt;/pre&gt;</description>
    <dc:creator>Usman Waheed</dc:creator>
    <dc:date>2012-05-10T11:59:47</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9376">
    <title>Re: ModSecurity starting,but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9376</link>
    <description>&lt;pre&gt;Hi Steve,

do you have the mod_unique_id module loaded? This is required by ModSecurity
to work properly. I stumbled over this a few times... :-)

Chris


On 09.05.2012 at 20:54, mjs&amp;lt; at &amp;gt;terabox.org wrote:



&lt;/pre&gt;</description>
    <dc:creator>Christian Bockermann</dc:creator>
    <dc:date>2012-05-10T06:52:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9375">
    <title>ModSecurity starting,but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9375</link>
    <description>&lt;pre&gt;I have installed ModSecurity 2.6.5 on Apache httpd 2.0.52 and I see it  
load in the error_log, but I get nothing from the ModSecurity logs.  I  
have set SecDebugLogLevel to 9.  I have turned debug logs on in apache  
as well, but am seeing nothing in the logs about ModSecurity failing.   
Apache is writing to its own logs as it should and the ModSecurity  
logs are set to be in the same directory as the Apache logs.  I have  
rules linked in to the activated_rules directory.  I copied the  
error_log from apache below.

I have ModSecurity running great with the same configuration on a  
newer httpd 2.2.3, but am unable to upgrade this older server at the  
moment.

Thanks in advance for your time and help,
Steve


... caught SIGTERM, shutting down
... suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
... ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/) configured.
... ModSecurity: APR compiled version="0.9.4"; loaded version="0.9.4"
... ModSecurity: PCRE compiled version="4.5"; loaded version&lt;/pre&gt;</description>
    <dc:creator>mjs&lt; at &gt;terabox.org</dc:creator>
    <dc:date>2012-05-09T18:54:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9374">
    <title>Re: REQUEST_BODY has some XML</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9374</link>
    <description>&lt;pre&gt;Thanks for the pointer, will check it out.



&lt;/pre&gt;</description>
    <dc:creator>Usman Waheed</dc:creator>
    <dc:date>2012-05-09T15:16:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9373">
    <title>Re: REQUEST_BODY has some XML</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9373</link>
    <description>&lt;pre&gt;
On 5/9/12 9:14 AM, "Usman Waheed" &amp;lt;usmanw&amp;lt; at &amp;gt;opera.com&amp;gt; wrote:


Hey Usman,
Yes, you can create a different custom rule that will force the XML
request body processor.  If you know which URL (REQUEST_FILENAME) accepts
XML, you could do this -

SecRule REQUEST_FILENAME "@streq /path/to/file.php" \
        "chain,phase:1,id:'1',t:none,t:lowercase,pass,nolog"
        SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"

Hope this helps.


Ryan




&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-09T13:49:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9372">
    <title>REQUEST_BODY has some XML</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9372</link>
    <description>&lt;pre&gt;Hi,

I am new to mod security and have an application that POSTS XML data in  
the REQUEST_BODY.

The REQUEST_HEADER Content-type is set to  
application/x-www-form-urlencoded and NOT to text/xml.

A sample of my XML POST data in the REQUEST_BODY looks like:

&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;&amp;lt;oau:versioncheck  
schema-version="1.0" update-level="3" main="1" xmlns:oau="urn:myupdate"&amp;gt;
&amp;lt;legend&amp;gt;&amp;lt;product&amp;gt;test777&amp;lt;/product&amp;gt;&amp;lt;version&amp;gt;1.0&amp;lt;/version&amp;gt;&amp;lt;build-number&amp;gt;1347&amp;lt;/build-number&amp;gt;&amp;lt;/legend&amp;gt;

What I am trying to do is sanitize the inputs within this XML I receive
using mod security rules.

I could write a regular expression that checks the validity of the inputs
in the REQUEST_BODY but then I saw this example where
one can use validateSchema and the XML processor. My problem is that the
REQUEST_HEADER Content-type: is set to application/x-www-form-urlencoded
which does not allow me to fire the XML processor.

Is there an alternate way to go about running the XML processor on the  
REQUEST_BODY where the REQUE&lt;/pre&gt;</description>
    <dc:creator>Usman Waheed</dc:creator>
    <dc:date>2012-05-09T13:14:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9371">
    <title>Re: SecFilter rules</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9371</link>
    <description>&lt;pre&gt;Yes. Refer to the documentation -
http://www.modsecurity.org/documentation/

Migration Matrix from v1 to v2 -
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Migration_Matrix

Ryan

On May 6, 2012, at 3:05 PM, "solarflow99" &amp;lt;solarflow99&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-06T19:22:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9370">
    <title>SecFilter rules</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9370</link>
    <description>&lt;pre&gt;Have the SecFilter directives become obsolete?    The RHEL5 NSA
security guide mentions them but they don't seem to exist anymore.


Thanks,

&lt;/pre&gt;</description>
    <dc:creator>solarflow99</dc:creator>
    <dc:date>2012-05-06T19:01:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9369">
    <title>Re: Modsecurity super slow when SecRequestBodyAccess On</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9369</link>
    <description>&lt;pre&gt;hello everyone
Need latest set of rules for mod security. Current rule sets are too strict
and at times block genuine users as well. Any help is appreciated.
Regards


On Thu, May 3, 2012 at 7:46 PM, Ryan Barnett &amp;lt;RBarnett&amp;lt; at &amp;gt;trustwave.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Shashank Kumar</dc:creator>
    <dc:date>2012-05-05T12:31:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9368">
    <title>Re: how to turn off rule checking for specificfield</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9368</link>
    <description>&lt;pre&gt;cc'ing to mailing list

On Fri, May 4, 2012 at 9:50 AM, chris derham &amp;lt;chris&amp;lt; at &amp;gt;derham.me.uk&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>chris derham</dc:creator>
    <dc:date>2012-05-04T12:51:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9367">
    <title>Re: how to turn off rule checking forspecificfield</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9367</link>
    <description>&lt;pre&gt;Try -

SecRule REQUEST_FILENAME "@streq /loginURL" \
"phase:1,id:'1',t:none,nolog,pass,ctl:ruleUpdateTargetById=950109;!ARGS:password"

See this for reference -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleUpdateTargetById

Ryan

On May 4, 2012, at 4:27 AM, "chris derham" &amp;lt;chris&amp;lt; at &amp;gt;derham.me.uk&amp;lt;mailto:chris&amp;lt; at &amp;gt;derham.me.uk&amp;gt;&amp;gt; wrote:

All,

So we have a user that has put a % symbol in their password. This is tripping up mod_security when the user tries to login. The relevant entry is


Message: Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:j_password. [file "D:/apps/Apache2.2/conf/modsecurity2/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "185"] [id "950109"] [rev "2.1.1"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]

So what I want to do is convince this rule to not check this parameter for the specific url. I am guessing something along the lines of

    &amp;lt;Locati&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-04T11:38:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9366">
    <title>how to turn off rule checking for specificfield</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9366</link>
    <description>&lt;pre&gt;All,

So we have a user that has put a % symbol in their password. This is
tripping up mod_security when the user tries to login. The relevant entry
is


Message: Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
at ARGS:j_password. [file
"D:/apps/Apache2.2/conf/modsecurity2/base_rules/modsecurity_crs_20_protocol_violations.conf"]
[line "185"] [id "950109"] [rev "2.1.1"] [msg "Multiple URL Encoding
Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]

So what I want to do is convince this rule to not check this parameter for
the specific url. I am guessing something along the lines of

    &amp;lt;LocationMatch "/loginUrl"&amp;gt;
        update 950109 such that it doesn't check j_password ARG
    &amp;lt;/LocationMatch&amp;gt;

Unfortunately my google skills only work when I know what key term to look
for. Any hints appreciated

Thanks

Chris
&lt;/pre&gt;</description>
    <dc:creator>chris derham</dc:creator>
    <dc:date>2012-05-04T11:21:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9365">
    <title>Re: Modsecurity super slow when SecRequestBodyAccess On</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9365</link>
    <description>&lt;pre&gt;
From: Breno Silva &amp;lt;breno.silva&amp;lt; at &amp;gt;gmail.com&amp;lt;mailto:breno.silva&amp;lt; at &amp;gt;gmail.com&amp;gt;&amp;gt;
Date: Thu, 3 May 2012 07:23:16 -0500
To: Gil Vidals &amp;lt;gvidals&amp;lt; at &amp;gt;gmail.com&amp;lt;mailto:gvidals&amp;lt; at &amp;gt;gmail.com&amp;gt;&amp;gt;
Cc: "mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;lt;mailto:mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;gt;" &amp;lt;mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;lt;mailto:mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;gt;&amp;gt;
Subject: Re: [mod-security-users] Modsecurity super slow when SecRequestBodyAccess On

Cool... sounds better now. Can you send this rule id and problem to Ryan Barnett in CRS mail-list ? He can take a look and fix the issue.

I see them.  I will be updating all of these SQLi rules soon to fix the RegEx greediness issues which should alleviate these errors.

-Ryan


Thanks

Breno

On Wed, May 2, 2012 at 10:36 PM, Gil Vidals &amp;lt;gvidals&amp;lt; at &amp;gt;gmail.com&amp;lt;mailto:gvidals&amp;lt; at &amp;gt;gmail.com&amp;gt;&amp;gt; wrote:
I upgraded to modsecurity-apache_2.6.5 just now. And I found out more precisely what the problem is.

With these settings, the sign up HTML form never seems to finish processing. The S&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-03T14:16:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9364">
    <title>Re: Modsecurity super slow when SecRequestBodyAccess On</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9364</link>
    <description>&lt;pre&gt;Cool... sounds better now. Can you send this rule id and problem to Ryan
Barnett in CRS mail-list ? He can take a look and fix the issue.

Thanks

Breno

On Wed, May 2, 2012 at 10:36 PM, Gil Vidals &amp;lt;gvidals&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Breno Silva</dc:creator>
    <dc:date>2012-05-03T12:23:16</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user</link>
  </textinput>
</rdf:RDF>

