gmane.comp.apache.mod-security.user

Basic question regarding usage

Thomas Eckert — 2013-05-21T13:36:18

Hi folks,

I'm pretty new to this so please excuse my question about basics. Some time
ago I finished upgrading my test system from 2.5.12 to 2.7.3 along with a
CRS upgrade from 2.0.6 to 2.2.7. Aside from the unnerving "rule has no ID
issue" it went smoothly but now I'm facing unexpected behaviour. Instead of
blocking simple XSS and SQL injection attacks mod_security will only
complain about them in the logs but let the attack themselves pass.

For example, i can see the following in the logs (this is only the last
reported match, there's plenty more):

[Tue May 21 15:22:18.235587 2013] [:error] [pid 16304:tid 1194236784]
[client 10.10.10.10] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][
]*(([^a-z0-9~_:\\\\'\\" ])|(in)).+?\\\\(.*?\\\\))" at ARGS:field1. [file
"/apache/conf/My.rules"] [line "187"] [id "973335"] [rev "2"] [msg "IE XSS
Filters - Attack Detected."] [data "Matched Data: \\x22/\\x22
onclick=\\x22alert('sample XSS attack') found within ARGS:field1: <a
href=\\x22/\\x22 onclick=\\x22alert('sample XSS attack')\\x22>click
me</a>"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag
"OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"]
[tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
[hostname "mytest.local"] [uri "/php/echo_form.php"] [unique_id
"UZt1CgoIEYIAAD< at >w0Y8AAAAx"]

This "worked" before (meaning it got blocked correctly), so I guess I
forgot to adapt some configuration to match the upgrade to 2.7.3. Likely
some variables/config data are not initialized propperly - maybe some
threshold concerning the anomaly score ?

Would someone please point me at the right place to read about this stuff ?
As stated, I'm new to this and don't know where to start.

Thanks in advance!

Cheers,
  Thomas
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Nginx Configuration (confusion, observations)

Daniel Devine — 2013-05-20T03:45:57

Greetings,

I have very little (none) experience with ModSecurity but I decided I 
want to use it to protect my ownCloud instance. I have successfully 
installed 2.7.3 on CentOS 6 with Nginx 1.0.15 (old!) - and I've made an 
RPM package which I plan to get into EPEL once I have successfully 
gotten ModSecurity working for the task at hand. It looks like I have 
gotten ModSecurity *running* in DetectionOnly mode with the OWASP rule 
set.

Observations:
  * It was not clear that you must "Include" the rules from *within* 
modsecurity.conf for Nginx.
  * ModSecurity's "Include" != Nginx's "include". The ModSecurity 
directives are not parsed by Nginx (and so don't need ";" termination).
  * The documentation seems to assume that you are using ModSecurity on 
all of your virtual-hosts and thus refers to putting the 
ModSecurityConfig directive in nginx.conf rather than in a specific 
virtual host ("server" block). For use in a virtual hosting setup I 
assume you should create a separate modsecurity.conf for each virtual 
host - as you will have different rule sets for different applications 
right?

Also, as a note, if you are creating a package for ModSecurity with 
Nginx you probably can't run "make install" - but rather you need to run 
"make install-exec-hook" to activate the target that puts extra 
configuration into nginx/modsecurity/config so that compilation doesn't 
fail on some lua related errors. This took me all day to work out so I 
thought I'd mention it publicly.

Are any of these assumptions/observations incorrect? Does anybody have 
something to add?

I understand the Nginx port is quite new, so it's not surprising that 
the documentation is near non-existent.

log analysis tools

Avi Rosenblatt — 2013-05-19T09:08:06

Hi,
I'm looking for a good tool to analyze modsecurity concurrent audit logs. Any recommendations? It would be nice if it had a GUI and/or graphing abilities.

Thanx
Avi
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

IP Bypas for Mod security 2.7.3

Sushant Vengurlekar — 2013-05-16T18:18:24

I am trying to bypass one IP for a website from modsecurity ruleset.

I used this syntax for bypassing the IP
SecRule  REMOTE_ADDR "< at >ipMatch 64.58.154.194,107.9.211.160" 
"phase:1,pass,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:123412345653451"

But I still get forbidden error.

I tried couple of below alternatives but still getting forbidden.
SecRule  REMOTE_ADDR  "^64\.58\.154\.194$" 
"allow,ctl:ruleEngine=off,id:123412345653451"

SecRule  REMOTE_ADDR "^64.58.154.194$" 
"phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"

SecRule  REMOTE_ADDR "^64\.58\.154\.194$" 
"phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

use MODSEC_ENABLE with mod_rewrite?

Todd Roseman — 2013-05-16T18:34:24

Hi,

I'm trying to use the environment variable MODSEC_ENABLE to 
turn off mod_security with certain query parameters.

Here's the apache rewrite rules (in a vhost section):

|RewriteCond %{QUERY_STRING} payment_method\=os_paypal [NC]
RewriteRule ^/index.php$ - [env=MODSEC_ENABLE:off]
|

But I get 406 Error and see mod_security is blocking when I 
send this: DOMAIN.TLD/index.php?payment_method=os_paypal%%%

With rewrite log on apache shows the rule matching and it 
shows turning on the environment variable.

Any ideas why mod_security is ignoring the environment 
variable? Is it an order of processing thing?

Is there a way to test a query string in httpd.conf and 
disable a rule using SecRuleRemoveById?

thanks!

---------------------------------------------------------------

Using: ModSecurity for Apache/2.7.3; OWASP_CRS/2.2.7.

rewrite log:

192.168.1.2 - - [16/May/2013:11:32:05 --0600] 
[www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (3) 
applying pattern '^/index.php$' to uri '/index.php'

192.168.1.2 - - [16/May/2013:11:32:05 --0600] 
[www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (4) 
RewriteCond: input='payment_method=os_paypal%%%' 
pattern='payment_method\=os_paypal' [NC] => matched

192.168.1.2 - - [16/May/2013:11:32:05 --0600] 
[www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (5) 
setting env variable 'MODSEC_ENABLE' to 'off'

192.168.1.2 - - [16/May/2013:11:32:05 --0600] 
[www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (1) pass 
through /index.php


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Automated Updates for Windows

Ben Turner — 2013-05-14T20:42:37

Hi there,

Can anyone help me with the steps to enable automated updates to ModSec
Rules from Trustwave Spiderlabs?

Also is anyone successfully running modsec on Windows server 2012?

Thanks,

Ben
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

benjamesturner< at >gmail.com

Ben Turner — 2013-05-14T20:38:25

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

ruleRemoveTargetById question

Aaron Bedra — 2013-05-10T15:29:49

I have tried a few different ways to tune out something recently with no
success. I have the following rule in place:

SecRule ARGS "< at >contains partner_source"
"phase:1,id:320,t:none,pass,nolog,ctl:ruleRemoveTargetById=950001"

But I am still getting the match in the logs

--669ad847-H--
Message: Warning. Pattern match
"(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)"
at ARGS:partner_source. [file
"/etc/apache2/mod_security_rules.d/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."]
[data "Matched Data: --- found within ARGS:partner_source:
US_DT_SEA_GGL_TXT_RES_DEV_CPC_GW_NBR_m*_c*30323884667_k*authorize net
alternative_d*Competitors_g*Authorize.net---Compare-(p)_f*m_p*none"]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file
"/etc/apache2/mod_security_rules.d/modsecurity_crs_60_correlation.conf"]
[line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score:
5, SQLi=1, XSS=): SQL Comment Sequence Detected."]
Apache-Handler: proxy-server
Stopwatch: 1368199587900038 16136 (- - -)
Stopwatch2: 1368199587900038 16136; combined=3210, p1=234, p2=2795, p3=2,
p4=55, p5=123, sr=57, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
OWASP_CRS/2.2.7.
Server: Apache
Sanitised-Request-Headers: "Authorization".
Engine-Mode: "DETECTION_ONLY"

I have tried several variations of the rule (using < at >pm instead of contains,
etc) but nothing has worked for me. Any ideas on how to properly tune this
out?

-Aaron
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Issue with TX macro expansion in SecRuleregexes

2013-05-10T10:47:31

Hi there,

ModSec 2.6.2 introduced macro expansion for SecRule regex matches. This is not really documented
in the handbook, but it works and the core rules make good use of the feature. However, I hit a dead end, when trying to extend the regex containing
the macro. First it works, but as soon as I introduce brackets, the regex is being escaped in an
undesired way.

My whole plan may sound crazy, but actually, it's not that queer. Let's build it up step
by step:

Step 1 :
The problem only occurs if we use macro expansion. The following works just fine, of course:
SecRule RESPONSE_HEADERS:/Set-Cookie/ "(cookie1|cookie2)" "phase:3,id:2,t:none,pass,log,msg:'HIT'"

Debug log:
... Executing operator "rx" with param "(cookie1|cookie2)" against RESPONSE_HEADERS:Set-Cookie.

Step 2 :
Now let's introduce a simple macro expansion with a pipe character. Still works.
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookielist}" "phase:3,id:2,t:none,pass,log,msg:'HIT'"

The debug log documents the macro expansion and escaping as follows:
... Executing operator "rx" with param "%{tx.cookielist}" against RESPONSE_HEADERS:Set-Cookie.
...
... Resolved macro %{tx.cookielist} to: cookie1|cookie2
... Escaping pattern [cookie1|cookie2]

Step 3 :
However, if we introduce brackets in the regex, they get escaped and the whole fun is thus spoiled
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "(%{tx.cookielist})" "phase:3,id:2,t:none,pass,log,msg:'HIT'"

Debug log:
... Executing operator "rx" with param "(%{tx.cookielist})" against RESPONSE_HEADERS:Set-Cookie.
...
... Resolved macro %{tx.cookielist} to: cookie1|cookie2
... Escaping pattern [\(cookie1|cookie2\)]

Maybe my brain is playing tricks on me or the problem is not within ModSec but
in pcre. But when looking through the O'Reilly book I did not find an answer
and playing around with more obscure things like regex modifiers only meant that the
modifier would be escaped too. So I am at loss here. If one would be able to
suppress that escaping function, it might work out.

Has anybody tried this before are can somebody think of a trick to make it work?

Regs,

Christian

Christian Folini
Unix Engineer, Apache Security Specialist

Die Schweizerische Post
Services
Informationstechnologie
Betrieb, IT 222 extern
Webergutstrasse 12
3030 Bern (Zollikofen)
Mobile +41 79 300 32 03
E-Mail: christian.folini< at >post.ch<http://folini.tikon.ch>
Internet: http://www.post.ch / http://folini.tikon.ch

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Logging POST data

azurIt — 2013-05-09T09:13:55

Hi,

i'm having problems with logging POST data with mod_security version 2.5.12 (Debian Squeeze). This is my configuration:
SecRequestBodyAccess On
SecAuditEngine On
SecAuditLog /var/log/apache2/audit.log
SecAuditLogParts ABCZ

Logging is working but no POST data are logged (the whole 'C' part is missing). Any hints? Thanks.

azur

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

OUTBOUND_DATA_ERROR in reference guide

Christian Folini — 2013-05-07T09:57:30

Hello,

The Reference Guide recommends the use of OUTBOUND_DATA_ERROR:
"Your policies should always contain a rule to check this variable."

However, neither the recommended rules distributed with the code
nor the core-rules follow this recommendation.

I do not understand the general character of the recommendation, 
as ModSec will automatically add a note to the error log if the
limit is reached and the request is blocked.  It might make sense if 
you set "SecResponseBodyLimitAction ProcessPartial", or run in DetectionOnly
though.

The Reference Guide then continues with an example, which does not work:

SecRule OUTBOUND_DATA_ERROR "< at >eq 1" "phase:1,id:32,t:none,log,pass,msg:'Response Body Larger than SecResponseBodyLimit Setting'"

Obviously, this should be phase:5.

What would be the best policy to handle these contradictions / errors?

Best,

Christian

Logging in Apache's mod_log_config

Christian Folini — 2013-05-07T07:19:35

Hi there,

Looking through the reference guide, I noted that it lacked a
description of the use of Apache's mod_log_config. 

I have thus added a brief description with a straight example 
and an example using macro expansion.

Maybe somebody wants to check it. I have added it under
Miscellaneous Topics:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Logging_in_Apache_via_mod_log_config

Cheers,

Christian

ignore specific cookie

Avi Rosenblatt — 2013-05-06T10:17:15

Hi,
We are using a thirdparty service which gives our users a cookie under our domain. The cookie keeps triggering modsecurity rules. I have so far had to exclude it from 10 different rules. Since our app does not process this cookie anyways, is there a way to have mod security ignore it completely?

Thanx
Avi
------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

mlogc v2.5.7 push cpu 100%

Naim Shahidan — 2013-05-05T08:22:30

Hi all,

we have problem with mlogc v2.5.7 intalled with modsecurity v2.6.8. We are
using apache version 2.2.14 ubuntu.  After a few days, top result shows
100% cpu spike on mlogc.
Apache is used as waf server and redirect request to website hosted under
co-lo server. The waf server runs modsecurity and mlogc. mlogc push the log
to a management server which runs waf-fle application. Whenever mlogc push
cpu 100%, apache crashed and we have to reboot the server.  Can you help us
on this issue?


Environment information:

a.) uname -a

Linux  2.6.32-46-server #108-Ubuntu SMP Thu Apr 11 16:11:15 UTC 2013 x86_64
GNU/Linux

b.) cat /etc/issue.net

Ubuntu 10.04.4 LTS


c.) apache2 -V

Server version: Apache/2.2.14 (Ubuntu)
Server built:   Mar  8 2013 16:46:38
Server's Module Magic Number: 20051115:23
Server loaded:  APR 1.3.8, APR-Util 1.3.9
Compiled using: APR 1.3.8, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"




d.) apache -l


Compiled in modules:
  core.c
  mod_log_config.c
  mod_logio.c
  worker.c
  http_core.c
  mod_so.c


regards,
Shahidan
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Filenames with the hyphen (-) character resultin Access Denied

Arun Khan — 2013-05-03T13:56:11

CentOS 6.4 (amd64) LAMP setup.  PHP based CMS for web content.

I Installed mod_security from EPEL repo and activated it.  After
activating the module.  All filenames with the hyphen (-) character
result in Access Denied.

Log entry sample from the virtual host error log (site name + file
name modified, no. of hyphen occurrences preserved)

<log entry>
[Thu May 02 10:48:57 2013] [error] [client 1.2.3.4] ModSecurity:
Access denied with code 403 (phase 2). Pattern match
"([\\\\~\\\\!\\\\< at >\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}"
at ARGS:src. [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character
Anomaly Detection Alert - Total # of special characters exceeded"]
[data "Matched Data: - found within ARGS:src:
http://www.example.com/example-adm-access/product/abc-xyz.jpg"] [ver
"OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [hostname
"www.example.com"] [uri "/timthumb.php"] [unique_id
"UYH3QdziuhcAAKAIf7gAAAAD"]
</log entry>

I guess, the problem is with the hypen (-), going by what is in the
log entry "Total # of special characters exceeded"

I am new to mod_security. I looked through the files under
/etc/httpd/modsecurity.d/ but have no idea what to change.

I would appreciate suggestion on how to fix this issue.

Thanks

ModSecurity and IIS 6

Seth Dunn — 2013-05-01T22:06:14

Does ModSecurity work on IIS 6?
If so, how?

Can I include the ModSecuritIIS.dll I the ISAPI filters?

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Tagging Thoughts

2013-05-01T08:54:03

Dear all,

Last week, I've attended a workshop where the local security operations team, the server operators and the engineering team talked about ModSecurity tuning.

During the session, I had an idea: it would really help the security operations team to get the alerts enriched with meta-data about the service. This could be interesting for all setups, but I believe that especially hosting providers / ISPs would benefit from this feature.

Right now, our security operations team gets the errorlog entry and a link to the auditlog in their SIEM.

As you know, a typical errorlog entry looks as follows:
[Wed May 01 02:00:28 2013] [error] [client 98.154.171.101] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/.../modsecurity-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.3"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.example.com "] [uri "/.../application.do"] [unique_id "UYBk2x5RkRSAbHkhE9IAAXDQ"]

I would like every entry to be extended with the following tags:
[tag: "Safety Class: 3"] [tag "Service License Agreement: 24/7"] [tag "Service-ID: 38475"] [tag "Documentation https://ourwiki/.../ExampleComService"]
or
[tag: "Metadata: Safety Class 3; Service License Agreement 24/7; service-id: 38475"; documentation https://ourwiki/.../ExampleComService"]
with a strong preference for the former.

It would be possible to configure the SIEM to add this data itself. But the SIEM is operated by the Security Operations and they would have to look up all this information. Besides, I think it should be part of the error-log of the server generally.

If I get the ModSec tagging system correctly, the tags are always bound to a rule. Tags are a property of the rule. Additionally, I would like to see tags as a request property or even a service-property.
Obviously, I could update all the rules (right now, most of them are shared between different services) or I could write UpdateRules, that add the tag to every rule at request time. Both variants seem quite inefficient to me.

What would be efficient is a directive resembling the following ones:
SecAction "id:'10001',pass,nolog,addtag:'Safety Class: 3',addtag:'Service License Agreement: 24/7',addtag:'Service-ID: 38475',addtag:'Documentation https://ourwiki/.../ExampleComService'"
or
SecTag "Safety Class: 3"
SecTag "Service License Agreement: 24/7"
SecTag "Service-ID: 38475"
SecTag "Documentation https://ourwiki/.../ExampleComService"

Now I do not know if this is feasible or even possible from a development viewpoint. But it sure looks desirable to me as a person configuring ModSec in corporate environments.

Sorry for crossposting this to developers and users. I think both groups might have something to say. Feedback / support from other users would be especially welcome.

Best regards,

Christian

Christian Folini
Unix Engineer, Apache Security Specialist

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Starting to work with mod_security

Thomas Eckert — 2013-04-29T13:37:14

Hi folks,

basically I'm trying to pick up working with mod_security and I'm wondering
if
  http://sourceforge.net/projects/mod-security/files/modsecurity-crs/
is no longer in use / updated. I ask since I found
  https://github.com/SpiderLabs/owasp-modsecurity-crs
where there are committed changes as recent as 13 days ago.

Regards
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Problem with mlogc - Transaction log growingfastly

Daniel Almendra — 2013-04-29T12:22:15

Hi all,

We have Apache v2.2.22 + Modsecurity v2.6.7 running on some servers. We use
mlogc to send the logs to our web console (Waf-fle). We've scheduled
push-mlogc.sh to run every 5 minutes (in crontab). It calls /usr/local/sbin/
mlogc-batch-load.pl and /usr/local/sbin/mlogc, killing their processes if
they were previously running.

One of this servers is presenting the following problem:

The mlogc-transaction.log file is growing untill the /var partition is
full. Every 5 minutes, mlogc is dumping lots of entries on this log file,
and it seems the entries are logged repeatedly (let's say we have about 1
million lines that, each 5 minutes, are inserted again in the transaction
log).

We tried restarting Apache, and even rebooting the server, but the behavior
didn't change. A strange thing is that our mlogc-queue.log file currently
is 852MB large, but its last modified time is Apr 2nd. Is this normal
behaviour? On another server (without the problem), mlogc-queue.log is also
800+MB large, but its modified date is today.

When the server's disk becomes almost full, we have to gzip the transaction
log file, and minutes later the file is created again.

Anyone can help us fix this problem?

Thanks a lot in advance.
Daniel
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

block SEOkicks-Robot

Leonardo Bacha Abrantes — 2013-04-26T14:09:43

Hi guys!

I tried to block the SEOkicks-Robot, so I added "SEOkicks-Robot" into
modsecurity_35_bad_robots.data and reloaded apache, however it didn't work.


192.168.11.19 - - [26/Apr/2013:11:04:39 -0300] "GET /11-de-julho-de-1973
HTTP/1.1" 200 46191 "http://www.mysite.com/data/decretos?page=4"
"Mozilla/5.0 (compatible; SEOkicks-Robot +http://www.seokicks.de/robot.html
)"

I also tried to add the lines below into robots.txt, but also didn't work.

User-agent: SEOkicks-Robot
Disallow: /


Can you help me please ?
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Version 0.6.0 (final) is available

Klaubert Herr da Silveira — 2013-04-25T20:48:01

ModSecurity users,

Is released today the WAF-FLE version 0.6.0 (final), with many bugs
fixed and some documentation improvement.
I'd like to thanks to all that report bugs, and some corrections,
making this version better.

WAF-FLE is a OpenSource console for events of ModSecurity.

Check in README and ChangeLog files for a complete list of features
and corrections.

Some new features (compared to 0.5.x):

. Filter enabled Dashboard: Now you can use the filter in dashboard,
all charts and tables are clickable, enabling the drill-down data on
dashboard, updating the charts and tables to reflect the filter.

. Delete events by filter: now you can use the filter to delete events
at once, turning much more easier, for example exclude false positive
events.

. Compression of full events: You can choice if you want to compress
full events (used to download raw events), make a huge difference in
disk space used by database (saving around 60% of space).

. Usage of X-Forwarded-For or X-Real-IP header as source ip address in
events. Very useful when you have a reverse proxy in front of
ModSecurity. You can customize which header should be used.

. Support to ModSecurity 2.7 Engine-Mode variable, to let you know if
an event has allowed (but logged) or if the sensor are in
detection-only mode.

. GeoIP support in dashboard, event and filter.

. Setup script: to help in dependencies check, database
creation/migration, making much more quick a setup in platforms where
installation dependencies are not easily known.

. mlog2waffle: a daemon to work as a replacement to mlogc. It is
written in perl, and can work as service feeding events to WAF-FLE in
real time or scheduled in crontab. It must to be considered in beta
stage, but seen to be reliable and fast.

. Sensors and users management interface much improved, with more
information and options.

. Improved ModSecurity events parsing, supporting some new fields like
stopwatch2.


All users should considering upgrade to this version once it corrected
many bugs (from version 0.5.x and 0.6.0-rcX).

To download http://www.waf-fle.org/wp-content/uploads/2013/04/waf-fle_0.6.0.tar.gz


Best regards,

Klaubert Herr
WAF-FLE Project

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
mod-security-users mailing list
mod-security-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/