<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.apache.mod-security.user">
    <title>gmane.comp.apache.mod-security.user</title>
    <link>http://blog.gmane.org/gmane.comp.apache.mod-security.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10324"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10321"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10319"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10317"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10314"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10312"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10311"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10303"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10301"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10299"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10290"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10289"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10287"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10286"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10270"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10269"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10268"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10260"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10259"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10247"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10324">
    <title>nginx on modsecurity and images</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10324</link>
    <description>&lt;pre&gt;I have installed modsecurity 2.7.3 on Nginx 1.4.1 and just about everything
appears to work correctly with the exception of images over around 50K in
size.  I added some of the OWASP rules and started testing my site and found
that images larger than 50k wouldn't display.

I checked the nginx and modsecurity rules and found no alerts when accessing
the pages that serve images larger than 50, so I started removing the rules.
I ended up removing all rules and still have the same problem.  All other
content works, blocking works, etc other than images &amp;gt; 50k in size.

I then tried just setting modsecurity to detection only mode with and
without any rules enabled with the same results.

What am I missing?

Thanks,

Josh Berry
&lt;/pre&gt;</description>
    <dc:creator>Josh Berry</dc:creator>
    <dc:date>2013-05-24T15:47:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10321">
    <title>Rule exception for specific hosts</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10321</link>
    <description>&lt;pre&gt;Hi there,

I'm relatively new to mod_security, so sorry for maybe dumb questions.
I've built and installed mod_security2 2.7.3 on my webserver, included 
it with the OWASP CRS 2.2.7. So far no problems, it is running with the 
recommended configuration on "DETECTION_ONLY".

Now I try to correct false positives, such as the following one:

My nagios-server (Service observation) is checking if my robots.txt is 
readable. This gives an audit-warning because of missing Accept Header. 
(Audit-Log on the bottom)

I tried to create a rule especially for this host, which deactivates the 
problem-rule:

SecRule REMOTE_ADDR "@ipMatch 10.0.0.2" 
"chain,phase:2,id:'1001',t:none,pass,nolog"
SecRule REQUEST_HEADERS:User-Agent "^check_http.*\(nagios-plugins.*\)$" 
"t:none,ctl:ruleRemoveById=960015"


Unfortunately it doesn't work. :(
Maybe some experienced user could help me with this, thanks!

Best regards,
Jan Phillip Greimann


-----------------------------------------------------------


--1e454857-A--
[24/May/2013:13:38&lt;/pre&gt;</description>
    <dc:creator>Jan Phillip Greimann</dc:creator>
    <dc:date>2013-05-24T12:21:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10319">
    <title>Bypass a form element from modsecurity</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10319</link>
    <description>&lt;pre&gt;Is there a way where a particular form element can be bypassed from 
modsecurity ruleset?



&lt;/pre&gt;</description>
    <dc:creator>Sushant Vengurlekar</dc:creator>
    <dc:date>2013-05-23T23:01:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10317">
    <title>2.7.3 ruleset loop</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10317</link>
    <description>&lt;pre&gt;Hi list,

  After updating my mod_security from 2.6.7 to 2.7.3, I'm now facing a
very weird behavior.

 Using the same ruleset (owasp-crs 2.2.5) and configuration, the request
time to process the same POST goes from
 0m1.575s (using ver 2.6.7) to 1m36.455s (using ver 2.7.3) !

 Looking at audit log I have the impression that rules are being evaluated
in loop when running version 2.7.3, the audit file is 140k lines long
against 99 lines when using 2.6.7.

 I've read the changelog and release notes from 2.6.7 to 2.7.3 and can't
find anything that could explain this behavior.

 Has anyone faced something like that?

Regards,
Alexandre
&lt;/pre&gt;</description>
    <dc:creator>Alexandre Biancalana</dc:creator>
    <dc:date>2013-05-23T22:37:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10314">
    <title>anomaly scoring logging</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10314</link>
    <description>&lt;pre&gt;Hi,
I'm currently using anomaly scoring with owasp 2.2.6 (modsec 2.7.3) and I want the detailed audit log to contain all rules that the request hit. Right now the log only shows the rule that caused the 403 and none of the others that contributed to the score. Can anyone help with the config?

Thanx
Avi
&lt;/pre&gt;</description>
    <dc:creator>Avi Rosenblatt</dc:creator>
    <dc:date>2013-05-23T14:47:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10312">
    <title>Modsecurity 2.7.2 Hangs at Phase 2</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10312</link>
    <description>&lt;pre&gt;ModSecurity is hanging whenever it tries to Read a Posted Body on RHEL6 and
Apache 2.2.24.  I have a simple pg1.html and pg2.html example where pg1
submits to pg2 and when method=post modsecurity hangs at starting phase 2.

I am using the recommended rules set as indicated by other request.

Debug Log shows:

[23/May/2013:07:36:27 --0400]
[micasetest/sid#1917150][rid#1aad7c8][/dmtwww/pg2.html][4] Starting phase
REQUEST_HEADERS.
[23/May/2013:07:36:27 --0400]
[micasetest/sid#1917150][rid#1aad7c8][/dmtwww/pg2.html][4] Recipe: Invoking
rule 1938340; [file "/mw01/jboss/mt/httpd/conf.d/mod_sec_v02.conf"] [line
"30"] [id "200000"].
[23/May/2013:07:36:27 --0400]
[micasetest/sid#1917150][rid#1aad7c8][/dmtwww/pg2.html][5] Rule 1938340:
SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml"
"phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
[23/May/2013:07:36:27 --0400]
[micasetest/sid#1917150][rid#1aad7c8][/dmtwww/pg2.html][4] Transformation
completed in 12 usec.
[23/May/2013:07:36:&lt;/pre&gt;</description>
    <dc:creator>David Taulbee</dc:creator>
    <dc:date>2013-05-23T12:27:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10311">
    <title>Modsec Install Help and Automation for IIS</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10311</link>
    <description>&lt;pre&gt;Hi Folks,

I'm pretty new to this so please excuse these basic questions

I've installed version 2.7.3 on a Windows 2012 Server running IIS. I'm
using wget to download the files as such:$ wget -U "account and
licencedetails)&amp;lt;accounts&amp;lt; at &amp;gt;canningvale.com%20(91bbe19285689adcf4b9ef091c2cde2c9f4ea9a7)&amp;gt;"
--no-check-certificate
https://www.modsecurity.org/autoupdate/repository/modsecurity-slr/slr_vuln_latest/slr_vuln_latest_1.0.0.zip
slr_vuln_latest_1.0.0.zip

Could anyone advise or point me to the right direction/doco for these:

1.       Where I should actually put the rules when I have done downloading
them

2.       I see in the readme it says that once installed it will be active
for all websites unless you remove it. How do I verify the installation has
succeeded and is actually working?
Cheers,

Ben
&lt;/pre&gt;</description>
    <dc:creator>Ben Turner</dc:creator>
    <dc:date>2013-05-22T11:56:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10303">
    <title>Basic question regarding usage</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10303</link>
    <description>&lt;pre&gt;Hi folks,

I'm pretty new to this so please excuse my question about basics. Some time
ago I finished upgrading my test system from 2.5.12 to 2.7.3 along with a
CRS upgrade from 2.0.6 to 2.2.7. Aside from the unnerving "rule has no ID
issue" it went smoothly but now I'm facing unexpected behaviour. Instead of
blocking simple XSS and SQL injection attacks mod_security will only
complain about them in the logs but let the attacks themselves pass.

For example, I can see the following in the logs (this is only the last
reported match, there's plenty more):

[Tue May 21 15:22:18.235587 2013] [:error] [pid 16304:tid 1194236784]
[client 10.10.10.10] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][
]*(([^a-z0-9~_:\\\\'\\" ])|(in)).+?\\\\(.*?\\\\))" at ARGS:field1. [file
"/apache/conf/My.rules"] [line "187"] [id "973335"] [rev "2"] [msg "IE XSS
Filters - Attack Detected."] [data "Matched Data: \\x22/\\x22
onclick=\\x22alert('sample XSS attack') found within ARGS:field1: &amp;lt;a
href=\\x22/\\x22 onclick=\\x22alert('sam&lt;/pre&gt;</description>
    <dc:creator>Thomas Eckert</dc:creator>
    <dc:date>2013-05-21T13:36:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10301">
    <title>Nginx Configuration (confusion, observations)</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10301</link>
    <description>&lt;pre&gt;Greetings,

I have very little (none) experience with ModSecurity but I decided I 
want to use it to protect my ownCloud instance. I have successfully 
installed 2.7.3 on CentOS 6 with Nginx 1.0.15 (old!) - and I've made an 
RPM package which I plan to get into EPEL once I have successfully 
gotten ModSecurity working for the task at hand. It looks like I have 
gotten ModSecurity *running* in DetectionOnly mode with the OWASP rule 
set.

Observations:
  * It was not clear that you must "Include" the rules from *within* 
modsecurity.conf for Nginx.
  * ModSecurity's "Include" != Nginx's "include". The ModSecurity 
directives are not parsed by Nginx (and so don't need ";" termination).
  * The documentation seems to assume that you are using ModSecurity on 
all of your virtual-hosts and thus refers to putting the 
ModSecurityConfig directive in nginx.conf rather than in a specific 
virtual host ("server" block). For use in a virtual hosting setup I 
assume you should create a separate modsecurity.conf for each&lt;/pre&gt;</description>
    <dc:creator>Daniel Devine</dc:creator>
    <dc:date>2013-05-20T03:45:57</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10299">
    <title>log analysis tools</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10299</link>
    <description>&lt;pre&gt;Hi,
I'm looking for a good tool to analyze modsecurity concurrent audit logs. Any recommendations? It would be nice if it had a GUI and/or graphing abilities.

Thanx
Avi
&lt;/pre&gt;</description>
    <dc:creator>Avi Rosenblatt</dc:creator>
    <dc:date>2013-05-19T09:08:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10290">
    <title>IP Bypass for Mod security 2.7.3</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10290</link>
    <description>&lt;pre&gt;I am trying to bypass one IP for a website from modsecurity ruleset.

I used this syntax for bypassing the IP
SecRule  REMOTE_ADDR "@ipMatch 64.58.154.194,107.9.211.160" 
"phase:1,pass,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:123412345653451"

But I still get forbidden error.

I tried a couple of the alternatives below but am still getting forbidden.
SecRule  REMOTE_ADDR  "^64\.58\.154\.194$" 
"allow,ctl:ruleEngine=off,id:123412345653451"

SecRule  REMOTE_ADDR "^64.58.154.194$" 
"phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"

SecRule  REMOTE_ADDR "^64\.58\.154\.194$" 
"phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"


&lt;/pre&gt;</description>
    <dc:creator>Sushant Vengurlekar</dc:creator>
    <dc:date>2013-05-16T18:18:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10289">
    <title>use MODSEC_ENABLE with mod_rewrite?</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10289</link>
    <description>&lt;pre&gt;Hi,

I'm trying to use the environment variable MODSEC_ENABLE to 
turn off mod_security with certain query parameters.

Here's the apache rewrite rules (in a vhost section):

RewriteCond %{QUERY_STRING} payment_method\=os_paypal [NC]
RewriteRule ^/index.php$ - [env=MODSEC_ENABLE:off]

But I get 406 Error and see mod_security is blocking when I 
send this: DOMAIN.TLD/index.php?payment_method=os_paypal%%%

With rewrite log on apache shows the rule matching and it 
shows turning on the environment variable.

Any ideas why mod_security is ignoring the environment 
variable? Is it an order of processing thing?

Is there a way to test a query string in httpd.conf and 
disable a rule using SecRuleRemoveById?

thanks!

---------------------------------------------------------------

Using: ModSecurity for Apache/2.7.3; OWASP_CRS/2.2.7.

rewrite log:

192.168.1.2 - - [16/May/2013:11:32:05 --0600] 
[www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (3) 
applying pattern '^/index.php$' to uri '/index.php'

192.168.1&lt;/pre&gt;</description>
    <dc:creator>Todd Roseman</dc:creator>
    <dc:date>2013-05-16T18:34:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10287">
    <title>Automated Updates for Windows</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10287</link>
    <description>&lt;pre&gt;Hi there,

Can anyone help me with the steps to enable automated updates to ModSec
Rules from Trustwave Spiderlabs?

Also is anyone successfully running modsec on Windows server 2012?

Thanks,

Ben
&lt;/pre&gt;</description>
    <dc:creator>Ben Turner</dc:creator>
    <dc:date>2013-05-14T20:42:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10286">
    <title>benjamesturner&lt; at &gt;gmail.com</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10286</link>
    <description>&lt;pre&gt;
&lt;/pre&gt;</description>
    <dc:creator>Ben Turner</dc:creator>
    <dc:date>2013-05-14T20:38:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10270">
    <title>ruleRemoveTargetById question</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10270</link>
    <description>&lt;pre&gt;I have tried a few different ways to tune out something recently with no
success. I have the following rule in place:

SecRule ARGS "@contains partner_source"
"phase:1,id:320,t:none,pass,nolog,ctl:ruleRemoveTargetById=950001"

But I am still getting the match in the logs

--669ad847-H--
Message: Warning. Pattern match
"(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&amp;amp;])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)"
at ARGS:partner_source. [file
"/etc/apache2/mod_security_rules.d/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."]
[data "Matched Data: --- found within ARGS:partner_source:
US_DT_SEA_GGL_TXT_RES_DEV_CPC_GW_NBR_m*_c*30323884667_k*authorize net
alternative_d*Competitors_g*Authorize.net---Compare-(p)_f*m_p*none"]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message:&lt;/pre&gt;</description>
    <dc:creator>Aaron Bedra</dc:creator>
    <dc:date>2013-05-10T15:29:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10269">
    <title>Issue with TX macro expansion in SecRule regexes</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10269</link>
    <description>&lt;pre&gt;Hi there,

ModSec 2.6.2 introduced macro expansion for SecRule regex matches. This is not really documented
in the handbook, but it works and the core rules make good use of the feature. However, I hit a dead end, when trying to extend the regex containing
the macro. First it works, but as soon as I introduce brackets, the regex is being escaped in an
undesired way.

My whole plan may sound crazy, but actually, it's not that queer. Let's build it up step
by step:

Step 1 :
The problem only occurs if we use macro expansion. The following works just fine, of course:
SecRule RESPONSE_HEADERS:/Set-Cookie/ "(cookie1|cookie2)"   "phase:3,id:2,t:none,pass,log,msg:'HIT'"

Debug log:
... Executing operator "rx" with param "(cookie1|cookie2)" against RESPONSE_HEADERS:Set-Cookie.

Step 2 :
Now let's introduce a simple macro expansion with a pipe character. Still works.
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookielist}"   "phase:3,id:2,t:no&lt;/pre&gt;</description>
    <dc:creator>christian.folini&lt; at &gt;post.ch</dc:creator>
    <dc:date>2013-05-10T10:47:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10268">
    <title>Logging POST data</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10268</link>
    <description>&lt;pre&gt;Hi,

I'm having problems with logging POST data with mod_security version 2.5.12 (Debian Squeeze). This is my configuration:
SecRequestBodyAccess On
SecAuditEngine On
SecAuditLog /var/log/apache2/audit.log
SecAuditLogParts ABCZ

Logging is working but no POST data are logged (the whole 'C' part is missing). Any hints? Thanks.

azur

&lt;/pre&gt;</description>
    <dc:creator>azurIt</dc:creator>
    <dc:date>2013-05-09T09:13:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10260">
    <title>OUTBOUND_DATA_ERROR in reference guide</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10260</link>
    <description>&lt;pre&gt;Hello,

The Reference Guide recommends the use of OUTBOUND_DATA_ERROR:
"Your policies should always contain a rule to check this variable."

However, neither the recommended rules distributed with the code
nor the core-rules follow this recommendation.

I do not understand the general character of the recommendation, 
as ModSec will automatically add a note to the error log if the
limit is reached and the request is blocked.  It might make sense if 
you set "SecResponseBodyLimitAction ProcessPartial", or run in DetectionOnly
though.

The Reference Guide then continues with an example, which does not work:

SecRule OUTBOUND_DATA_ERROR "@eq 1" "phase:1,id:32,t:none,log,pass,msg:'Response Body Larger than SecResponseBodyLimit Setting'"

Obviously, this should be phase:5.

What would be the best policy to handle these contradictions / errors?

Best,

Christian


&lt;/pre&gt;</description>
    <dc:creator>Christian Folini</dc:creator>
    <dc:date>2013-05-07T09:57:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10259">
    <title>Logging in Apache's mod_log_config</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10259</link>
    <description>&lt;pre&gt;Hi there,

Looking through the reference guide, I noted that it lacked a
description of the use of Apache's mod_log_config. 

I have thus added a brief description with a straight example 
and an example using macro expansion.

Maybe somebody wants to check it. I have added it under
Miscellaneous Topics:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Logging_in_Apache_via_mod_log_config

Cheers,

Christian


&lt;/pre&gt;</description>
    <dc:creator>Christian Folini</dc:creator>
    <dc:date>2013-05-07T07:19:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10247">
    <title>ignore specific cookie</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10247</link>
    <description>&lt;pre&gt;Hi,
We are using a third-party service which gives our users a cookie under our domain. The cookie keeps triggering modsecurity rules. I have so far had to exclude it from 10 different rules. Since our app does not process this cookie anyways, is there a way to have mod security ignore it completely?

Thanx
Avi
&lt;/pre&gt;</description>
    <dc:creator>Avi Rosenblatt</dc:creator>
    <dc:date>2013-05-06T10:17:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/10232">
    <title>mlogc v2.5.7 push cpu 100%</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/10232</link>
    <description>&lt;pre&gt;Hi all,

We have a problem with mlogc v2.5.7 installed with modsecurity v2.6.8. We are
using apache version 2.2.14 ubuntu.  After a few days, top result shows
100% cpu spike on mlogc.
Apache is used as waf server and redirect request to website hosted under
co-lo server. The waf server runs modsecurity and mlogc. mlogc push the log
to a management server which runs waf-fle application. Whenever mlogc push
cpu 100%, apache crashed and we have to reboot the server.  Can you help us
on this issue?


Environment information:

a.) uname -a

Linux  2.6.32-46-server #108-Ubuntu SMP Thu Apr 11 16:11:15 UTC 2013 x86_64
GNU/Linux

b.) cat /etc/issue.net

Ubuntu 10.04.4 LTS


c.) apache2 -V

Server version: Apache/2.2.14 (Ubuntu)
Server built:   Mar  8 2013 16:46:38
Server's Module Magic Number: 20051115:23
Server loaded:  APR 1.3.8, APR-Util 1.3.9
Compiled using: APR 1.3.8, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Se&lt;/pre&gt;</description>
    <dc:creator>Naim Shahidan</dc:creator>
    <dc:date>2013-05-05T08:22:30</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user</link>
  </textinput>
</rdf:RDF>
