<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.apache.mod-security.user">
    <title>gmane.comp.apache.mod-security.user</title>
    <link>http://blog.gmane.org/gmane.comp.apache.mod-security.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9397"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9396"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9395"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9394"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9393"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9392"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9391"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9390"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9389"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9388"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9387"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9386"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9385"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9384"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9383"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9382"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9381"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9380"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9379"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9378"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9397">
    <title>Re: Forum reply being blocked by mod_security</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9397</link>
    <description>&lt;pre&gt;
From: "retired1af&amp;lt; at &amp;gt;gmail.com&amp;lt;mailto:retired1af&amp;lt; at &amp;gt;gmail.com&amp;gt;" &amp;lt;retired1af&amp;lt; at &amp;gt;gmail.com&amp;lt;mailto:retired1af&amp;lt; at &amp;gt;gmail.com&amp;gt;&amp;gt;
Date: Tue, 22 May 2012 07:17:57 -0500
To: "mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;lt;mailto:mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;gt;" &amp;lt;mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;lt;mailto:mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net&amp;gt;&amp;gt;
Subject: [mod-security-users] Forum reply being blocked by mod_security

I'm not getting very far with the software developers so I'm now appealing to the experts here to find a solution to my problem.

It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread. Link is here: http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]

This is the first time I've run across this, but it seems to be a common occurrence with the Xen Foro software package. If a post contains a key word as defined in the mod_security rules, replying to the thread is prevented.

Personally, I feel this is a software issue with Xen Foro. But I'm covering all my bases in my search for a fix.

What CRS rules version are you using?  You might want to upgrade - https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

The false positive is matching data in the REQUEST_HEADERS:X-Ajax-Referer data.  The rule you are using is probably already excluding the normal Referer field like this -

REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES …

What version of ModSecurity are you using?  If it is v2.6 you can use SecRuleUpdateTargetsById to prevent that variable from being inspected by that rule like this -

SecRuleUpdateTargetsById 959006 "!REQUEST_HEADERS:X-Ajax-Referer"

Hope this helps,
Ryan


________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
mod-security-users mailing list
mod-security-users&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-22T12:37:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9396">
    <title>Re: Forum reply being blocked by mod_security</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9396</link>
    <description>&lt;pre&gt;
Hi,

It might be better to post this on the CRS mailing list, as the problem
you're having is due to a false positive in the core rule set. In any case,
there are a few ways you can whitelist this rule from firing, depending on
which version of ModSecurity you're running. For details take a look at:
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
 - Josh


&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2012-05-22T12:34:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9395">
    <title>Forum reply being blocked by mod_security</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9395</link>
    <description>&lt;pre&gt;I'm not getting very far with the software developers so I'm now appealing  
to the experts here to find a solution to my problem.

It appears mod_security is triggering on the word nmap within a forum post,  
preventing replies to the thread. Link is here:  
http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern  
match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)| 
t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd| 
ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)| 
d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at  
REQUEST_HEADERS:X-Ajax-Referer.  
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"]  
[id "959006"] [msg "System Command Injection"] [data "/nmap-"]  
[severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]

This is the first time I've run across this, but it seems to be a common  
occurrence with the Xen Foro software package. If a post contains a key  
word as defined in the mod_security rules, replying to the thread is  
prevented.

Personally, I feel this is a software issue with Xen Foro. But I'm covering  
all my bases in my search for a fix.
&lt;/pre&gt;</description>
    <dc:creator>retired1af&lt; at &gt;gmail.com</dc:creator>
    <dc:date>2012-05-22T12:17:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9394">
    <title>AuditConsole 0.4.6 released!</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9394</link>
    <description>&lt;pre&gt;Dear ModSecurity users,

I am happy to announce the release of the next version of AuditConsole, the
free log-management tool for ModSecurity.

This version comes with a clean-up of the web-interface, lots of bug-fixes,
support for OpenID authentication and an internal pipe-lining model that will
allow further customization of audit-event processing in the future.

The AuditConsole is available in multiple editions (debian package, RPM package,
standalone, WAR archive) at

http://download.jwall.org/AuditConsole/0.4.6/


For details see my blog-post at

       https://secure.jwall.org/blog/2012/05/22/1337638334497.html


Best regards,

    Chris
&lt;/pre&gt;</description>
    <dc:creator>Christian Bockermann</dc:creator>
    <dc:date>2012-05-22T06:28:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9393">
    <title>error when creating rule for op "rx"</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9393</link>
    <description>&lt;pre&gt;Hi,

I am encountering some problem when trying to compile the latest version
mod_security-apache_2.6.5 onto my Ubuntu Server 12.04 LTS. When I run "make
CFLAGS=-DMSC_TEST test", I received the following error message:

ERROR: Failed to create rule for op "rx": Error creating rule: Error
compiling pattern (offset 2): unrecognized character after (? or (?-
make[2]: *** [check-TESTS] Error 1
make[1]: *** [check-am] Error 2

Below is a more detailed message contributing to the above error

Loaded 8 tests from ./op/rx.t
     1) op "rx": passed (Pattern match "" at UNIT_TEST.)
     2) op "rx": passed
     3) op "rx": passed (Pattern match "" at UNIT_TEST.)
     4) op "rx": passed (Pattern match "abc" at UNIT_TEST.)
     5) op "rx": passed (Pattern match "def" at UNIT_TEST.)
     6) op "rx": passed (Pattern match "ghi" at UNIT_TEST.)
     7) op "rx": passed
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "rx" "-p"
"(?^i:^([^=])\s*=\s*((?:abc)+(?:def|ghi){2})$)" "-D" "0" "-r" "1"
     8) op "rx": failed
Passed:  7; Failed:  1

I run apache 2.2.22.

Any help would be greatly appreciated.

Thank you
&lt;/pre&gt;</description>
    <dc:creator>daminto lee</dc:creator>
    <dc:date>2012-05-22T01:26:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9392">
    <title>Re: Persistent collections and errors inApache error_log</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9392</link>
    <description>&lt;pre&gt;Hi Luca,

Looks like an old bug https://www.modsecurity.org/tracker/browse/MODSEC-97.
Marked as closed.
I will be traveling during next week. But I will contact you and try to
debug it.

Thanks

Breno

On Mon, May 21, 2012 at 10:12 AM, Luca &amp;lt;superpizza&amp;lt; at &amp;gt;bigfoot.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Breno Silva</dc:creator>
    <dc:date>2012-05-21T15:25:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9391">
    <title>Persistent collections and errors in Apache error_log</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9391</link>
    <description>&lt;pre&gt;Hello everyone.
I'm getting a lot of error entries related to access to DBM file used to store 
collections data.
DBM file is huge, around 1GB, I think it never shrinks.
Here a couple of examples:
ModSecurity: Failed deleting collection (name "ip", key
 "93.57.22.65_c40a1a4c63dc22a36a4dacec0e35e80139000959"): Internal error
 [hostname  "XYZ"] [uri "XYZ"] [unique_id "T7pTQApRQSoAAH3H7OIAAABF"]

ModSecurity: Failed to access DBM file 
"/usr/local/apache/rproxyworker/logs/data/ip": Resource deadlock avoided
 [hostname  "XYZ"] [uri "XYZ"] [unique_id "T7nbtgpRQSoAACUgnxIAAAEH"]

Current installation is:
RHEL6, 64bit
Apache: 2.2.22
ModSec: 2.6.5
CRS: 2.2.4 

Configuration:
SecCollectionTimeout 180

I'm using the standard collections created in 2.2.4
Thank you for your help.
Luca



&lt;/pre&gt;</description>
    <dc:creator>Luca</dc:creator>
    <dc:date>2012-05-21T15:12:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9390">
    <title>Re: New to Modsecurity: I Need to allow directory traversal to a single virtual host</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9390</link>
    <description>&lt;pre&gt;

On 5/19/12 4:58 PM, "mrnicholsb" &amp;lt;mrnicholsb&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:


The subject line says "Directory Traversal" but you are talking about
"Directory Indexing" which are two separate issues.  I am assuming, based
on the email body, that you are hitting the following rule in the
modsecurity_crs_50_outbound.conf file -

# Directory Listing
SecRule RESPONSE_BODY "(?:&amp;lt;(?:TITLE&amp;gt;Index of.*?&amp;lt;H|title&amp;gt;Index of.*?&amp;lt;h)1&amp;gt;Index of|&amp;gt;[To Parent Directory]&amp;lt;\/[Aa]&amp;gt;&amp;lt;br&amp;gt;)" \
"phase:4,rev:'2.2.5',t:none,capture,ctl:auditLogParts=+E,block,msg:'Directory Listing',id:'970013',tag:'LEAKAGE/INFO_DIRECTORY_LISTING',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"


If so, and you want to allow this for a specific vhost, then you could do
an exception like this in a local modsecurity_crs_15_custom.conf file -

SecRule REQUEST_HEADERS:HOST "@streq wwww.yourhost.com" \
"id:'1',phase:1,t:none,nolog,pass,ctl:ruleRemoveById=970013"

Essentially, you are checking the Host header in the request (obviously
set to the appropriate vhost/hostname alias) and then dynamically
disabling rule ID 970013 if it matches.

Let me know if that works for you.

Ryan






&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-19T21:26:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9389">
    <title>New to Modsecurity: I Need to allow directory traversal to a single virtual host</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9389</link>
    <description>&lt;pre&gt;Hello all, Im new to modsecurity and forgive me if this is a noobish 
question.

But I have a virtual host that I have a lot of iso files on that I would 
like to have directory indexing allowed on just that host.

I have my .htaccess file as follows

Options +Indexes

But ever since I got mod_security running it's being ignored, is there a 
way to tell
modsecurity to respect .htaccess files?

Should I just forget about .htaccess altogether while running 
mod_security?

And how would I go about adding an exception to modsecurity to allow 
indexing on this virtual host?

&lt;/pre&gt;</description>
    <dc:creator>mrnicholsb</dc:creator>
    <dc:date>2012-05-19T20:58:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9388">
    <title>Re: Capturing Internal Server Errors</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9388</link>
    <description>&lt;pre&gt;Thanks Ryan, switched to use phase:3 and now it works :).
Cheers !!!

I have:

SecRule RESPONSE_STATUS "^[5]" \
"phase:3,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"




&lt;/pre&gt;</description>
    <dc:creator>Usman</dc:creator>
    <dc:date>2012-05-17T11:54:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9387">
    <title>Re: Capturing Internal Server Errors</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9387</link>
    <description>&lt;pre&gt;Gotta use phase 3 4 or 5 to access the RESPONSE_STATUS var. It is not available yet in phases 1 and 2.

Ryan

On May 17, 2012, at 7:37 AM, "Usman" &amp;lt;usmanw&amp;lt; at &amp;gt;opera.com&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Ryan Barnett</dc:creator>
    <dc:date>2012-05-17T11:45:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9386">
    <title>Capturing Internal Server Errors</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9386</link>
    <description>&lt;pre&gt;Hi,

I have the following directive in my crs_10 file:

SecAuditLogRelevantStatus "^(?:5|0(?!04))"

This logs 500 internal server errors when they happen.

I would like to set some attributes like tag, msg, severity etc for the  
above when viewing the alert in the AuditConsole.

I tried using the following rule but no luck:

SecRule RESPONSE_STATUS "@eq 500" \
"phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 500',msg:'Internal Server Error 500.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

Based on the docs I found the below, which does not give me the desired
result:

SecRule RESPONSE_STATUS "^[5]" \
"phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

but then there was a note in the docs saying:

"This directive may not work as expected in embedded-mode as Apache
handles many of the stock response codes (404, 401, etc...) earlier in
Phase 2. This variable should work as expected in a proxy-mode deployment."

Can I not use the above?

Thanks,
Usman



&lt;/pre&gt;</description>
    <dc:creator>Usman</dc:creator>
    <dc:date>2012-05-17T11:33:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9385">
    <title>Own POST Rate Limit Rule not Working</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9385</link>
    <description>&lt;pre&gt;Hi all, 

We have tried to write a ModSecurity rule to limit POST requests. But the limit does not work as expected.


Here is the rule:

 SecRule REQUEST_METHOD "^POST$" "phase:1,nolog,initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=60"
 SecRule IP:PAGECOUNT "@gt 250" "phase:1,deny,status:403,msg:'Too many requests'"

The "pagecount" counter does not work correctly, as we have a few IPs with only 10 requests, all of them "GET", with a pagecount of 250.
Where is our error?

We are using ModSecurity on Debian 6, in Version 2.5.12


Regards,
------------------------------------------------------------------------ 
 Thomas Berger 
 - Certified Linux/Cisco Networking Engineer - 
 BOREUS Rechenzentrum GmbH 
 Zur Schwedenschanze 2 
 D - 18435 Stralsund 
 Germany 
 Phone:+49 (0) 38 31 - 36 76 415 
 Fax: +49 (0) 38 31 - 36 76 615 
 eMail: tbe&amp;lt; at &amp;gt;boreus.de 
 Internet: http://www.boreus.de/ 
 -------------------------------------------------------------------------- 
 Geschäftsführer: André Jahns, Holger Lebrecht 
 Handelsregister: Amtsgericht Stralsund HRB 5750 
 Sitz der Gesellschaft: Stralsund

&lt;/pre&gt;</description>
    <dc:creator>Thomas Berger</dc:creator>
    <dc:date>2012-05-11T12:45:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9384">
    <title>Re: 2.6.5 Compile Question</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9384</link>
    <description>&lt;pre&gt;Hello Dan,

The version 2.6.5 still has some issues with current Apache 2.4 code. The
2.7 version must fix it and will be released soon. If you want I can send
you a tarball for testing.

Thanks

Breno

On Thu, May 10, 2012 at 5:07 PM, Dan Denton &amp;lt;ddenton&amp;lt; at &amp;gt;remitpro.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Breno Silva</dc:creator>
    <dc:date>2012-05-10T22:37:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9383">
    <title>2.6.5 Compile Question</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9383</link>
    <description>&lt;pre&gt;I'm compiling modsec 2.6.5 against Apache 2.4.2, and during a "make CFLAGS=-DMSC_TEST test" I get the following:

msc_test-modsecurity.o: In function `modsecurity_init':
modsecurity.c:(.text+0x240): undefined reference to `ap_unixd_set_global_mutex_perms'
modsecurity.c:(.text+0x291): undefined reference to `ap_unixd_set_global_mutex_perms'
collect2: ld returned 1 exit status
make[2]: *** [msc_test] Error 1
make[2]: Leaving directory `/opt/modsecurity-apache_2.6.5/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/opt/modsecurity-apache_2.6.5/tests'
make: *** [check-recursive] Error 1

I'm having trouble finding a work-around or solution for this. Can anyone point me in the right direction?

Thanks,

Dan

&lt;/pre&gt;</description>
    <dc:creator>Dan Denton</dc:creator>
    <dc:date>2012-05-10T22:07:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9382">
    <title>Re: ModSecurity starting, but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9382</link>
    <description>&lt;pre&gt;
Hi Steve,

Perhaps there's a configuration issue. Can you send me your config
files privately?

--
 - Josh




&lt;/pre&gt;</description>
    <dc:creator>Josh Amishav-Zlatin</dc:creator>
    <dc:date>2012-05-10T17:03:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9381">
    <title>SecRule 981317</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9381</link>
    <description>&lt;pre&gt;In modsecurity_crs_41_sql_injection_attacks.conf, rule ID 981317 looks for
the following:

SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3"
"phase:2,t:none,block,id:'981317'...


Which, if the *_COUNT is equal to or greater than 3 of the list of SQL key
words, issues a 403 error.

I have two variable fields that consist of pure text fields where the SQL
key words will most likely be hit, i.e.: the count will equal 3 or greater
very easily.  These fields are not SQL in nature.

How can I perform the equivalent of an if-else-then where if variables
coverLetterTxt or resumeTXT is scanned, to not perform the 981317 process...
I do not care if the word count reaches 20000 for these two variables
where SQL injection is concerned, but for the many other fields, I do want
these tests to be performed and permission denied in the event of an SQL
attack.

For these two fields, I do have a white list on the ASCII characters from
X01-X7F, allow.  Do I need another allow statement with the inclusion of
the SQL key words such as select|...

Thank you
-Steve

&lt;/pre&gt;</description>
    <dc:creator>Canell, Stephen E (2240</dc:creator>
    <dc:date>2012-05-10T16:40:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9380">
    <title>Re: ModSecurity starting, but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9380</link>
    <description>&lt;pre&gt;Another data point.  I have tried standard logging and logging with mlogc
(neither of which produce logs). When I set it to use mlogc, mlogc is not
showing up in the ps output so apache is not trying to run it (or is
failing to).  I have verified that the mlogc executable is in the location
pointed to by the config.

Steve




&lt;/pre&gt;</description>
    <dc:creator>mjs&lt; at &gt;terabox.org</dc:creator>
    <dc:date>2012-05-10T15:45:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9379">
    <title>Re: ModSecurity starting, but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9379</link>
    <description>&lt;pre&gt;Yes.  Verified with lsof that it is being loaded.

Thanks,
Steve




&lt;/pre&gt;</description>
    <dc:creator>mjs&lt; at &gt;terabox.org</dc:creator>
    <dc:date>2012-05-10T14:30:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9378">
    <title>Re: REQUEST_BODY has some XML</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9378</link>
    <description>&lt;pre&gt;Just wanted to share with the rest, Ryan's pointer worked for me.

In my modsecurity_crs_10_config.conf I set:

SecRule REQUEST_FILENAME "@streq /cgi-bin/form.pl" \
"chain,phase:1,id:'981053',t:none,t:lowercase,pass,nolog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"

In my modsecurity_crs_15_customrules.conf I set:

SecRule XML "@validateSchema /etc/apache2/xsd/test.xsd" \
"phase:2,log,auditlog,deny,status:403,msg:'XSD check failed',tag:'MOD SECURITY TEST',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},id:'500001',severity:2"

With the above settings, I was able to test a request (to:
/cgi/bin/form.pl) with REQUEST_HEADER = Content-type:
application/x-www-form-urlencoded and changed the xml values in my post to
make the xsd check fail.

Thanks much,
-Usman



&lt;/pre&gt;</description>
    <dc:creator>Usman Waheed</dc:creator>
    <dc:date>2012-05-10T11:59:47</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9376">
    <title>Re: ModSecurity starting,but not logging even with debug</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-security.user/9376</link>
    <description>&lt;pre&gt;Hi Steve,

do you have the mod_unique_id module loaded? This is required by ModSecurity
to work properly. I stumbled over this a few times... :-)

Chris


On 09.05.2012 at 20:54, mjs&amp;lt; at &amp;gt;terabox.org wrote:



&lt;/pre&gt;</description>
    <dc:creator>Christian Bockermann</dc:creator>
    <dc:date>2012-05-10T06:52:06</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user</link>
  </textinput>
</rdf:RDF>

