Reindl Harald | 29 Sep 14:21 2014

"Generic" ShellShock Rules

well, no whitespaces in var names was a good decision long ago

# phase 1: cookie names and query-string argument names
SecRule REQUEST_COOKIES_NAMES|ARGS_NAMES " " \
  "id:'76',phase:1,capture,logdata:'%{TX.0}',multiMatch,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:replaceNulls,block,msg:'variable name contains disallowed whitespace'"
# phase 2 (the default when no phase is given): argument names from the request body
SecRule ARGS_NAMES " " \
  "id:'85',phase:2,capture,logdata:'%{TX.0}',multiMatch,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:replaceNulls,block,msg:'variable name contains disallowed whitespace'"
____________________________________

[Mon Sep 29 13:29:54.645534 2014] [:error] [pid 11876] [client 62.210.75.170] ModSecurity: Access denied with code 400 (phase 1). Pattern match " " at REQUEST_COOKIES_NAMES:() { :. [file "/etc/httpd/modsecurity.d/99_protected_vars.conf"] [line "15"] [id "76"] [msg "variable name contains disallowed whitespace"] [data " "] [hostname "kundendomain"] [uri "/cgi-bin-sdb/printenv"] [unique_id "VClCsgoAAAYAAC5knyQAAAAP"]
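The rules above do not look for the Bash payload itself; they flag any variable name that still contains whitespace after the transformation chain, which is what catches the "() { :" function prefix as a cookie or argument name (the audit log entry shows exactly that cookie name). As an added example, not code from the post, the following Python reproduces that check over the names of a raw request: the same transformation order (t:htmlEntityDecode, t:urlDecodeUni, t:compressWhitespace, t:replaceNulls), a lenient cookie parser that yields "() { :" for the logged attack, and a query-string parser that decodes names once as ARGS_NAMES does. The sample requests are constructed; the %u handling is an approximation of urlDecodeUni written by hand because Python's unquote() does not know that form.

```python
import html
import re
from typing import List, Tuple
from urllib.parse import unquote, unquote_plus

# Constructed sample requests (not from the post): (query string, Cookie header).
# The cookie attack mirrors the "() { :" cookie name in the audit log above.
SAMPLE_REQUESTS = {
    "benign": ("id=42&page=2", "session=abc; theme=dark"),
    "cookie_attack": ("", "() { :;}; echo vulnerable"),
    "query_attack": ("()%20{%20:;};%20/bin/id=1", ""),
}


def _url_decode_uni(value: str) -> str:
    """Approximate t:urlDecodeUni: Microsoft-style %uXXXX first, then %XX and '+'."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote_plus(value)


def normalize_name(name: str) -> str:
    """Apply the rule's transformations in the order they are listed:
    t:htmlEntityDecode, t:urlDecodeUni, t:compressWhitespace, t:replaceNulls."""
    name = html.unescape(name)                          # htmlEntityDecode
    name = _url_decode_uni(name)                        # urlDecodeUni
    name = re.sub(r"[ \t\n\r\f\v\xa0]+", " ", name)     # compressWhitespace
    name = name.replace("\x00", " ")                    # replaceNulls
    return name


def cookie_names(cookie_header: str) -> List[str]:
    """Cookie names as a lenient (v0) parser sees them: split on ';', the name is
    everything before the first '='. '() { :;}; echo x' therefore yields the name
    '() { :', exactly what REQUEST_COOKIES_NAMES showed in the log."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0])
    return names


def arg_names(query_string: str) -> List[str]:
    """Query-string parameter names, URL-decoded once as ARGS_NAMES already are;
    the rule's own t:urlDecodeUni then decodes a second time."""
    names = []
    for part in query_string.split("&"):
        if part:
            names.append(unquote_plus(part.split("=", 1)[0]))
    return names


def find_whitespace_names(query_string: str, cookie_header: str) -> List[Tuple[str, str]]:
    """Return (collection, normalized name) for every name containing whitespace,
    i.e. everything the two rules above would block."""
    hits = []
    for name in cookie_names(cookie_header):
        norm = normalize_name(name)
        if re.search(r"\s", norm):
            hits.append(("REQUEST_COOKIES_NAMES", norm))
    for name in arg_names(query_string):
        norm = normalize_name(name)
        if re.search(r"\s", norm):
            hits.append(("ARGS_NAMES", norm))
    return hits


if __name__ == "__main__":
    for label, (qs, cookies) in SAMPLE_REQUESTS.items():
        print(label, find_whitespace_names(qs, cookies))
```

Double encoding is the reason the transformation chain matters: a name sent as `a%26%2332%3Bb` arrives in ARGS_NAMES as `a&#32;b` and only becomes `a b` after t:htmlEntityDecode, so a rule without the transformations would miss it.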

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Vladimir | 29 Sep 07:32 2014

XML XSD schema validation


Hello,

I set up Modsecurity with Apache as a reverse proxy. I check only POST requests with XML payload.

In my situation a request consists of 2 XML documents. One XML is included in another one.

The XML markup in the inner XML is encoded ("<" substituted with "&lt;", ">" with "&gt;" and so on), but the outer XML is not (see example below).

My question is: Can Modsecurity validate such payload against XSD schema using @validateSchema rule?

I have tried different ways, spent many days but without success.

MANY thanks for any help.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<OUTERMESSAGE>
<DATA>
&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;InnerMessage&gt;
&lt;Contact&gt;
&lt;Name&gt;Test&lt;/Name&gt;
&lt;/Contact&gt;
&lt;/InnerMessage&gt;
</DATA>
</OUTERMESSAGE>
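To the parser that reads OUTERMESSAGE, everything inside DATA is character data: the entities are decoded into a string, and that string is never parsed as markup. A schema pass over the outer document therefore only sees that DATA holds text; the inner message has to be extracted and parsed a second time before anything can be said about its structure. The following Python, an added example and not code from the post, shows that two-step parse on the payload above. It uses the standard-library parser and a hand-written structural check in place of the XSD pass (the stdlib has no XSD validator; with lxml the same two trees would each go through XMLSchema.validate).

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# The payload from the post, reproduced here as the constructed sample input.
SAMPLE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<OUTERMESSAGE>
<DATA>
&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;InnerMessage&gt;
&lt;Contact&gt;
&lt;Name&gt;Test&lt;/Name&gt;
&lt;/Contact&gt;
&lt;/InnerMessage&gt;
</DATA>
</OUTERMESSAGE>"""


def split_layers(payload: bytes) -> Tuple[ET.Element, ET.Element]:
    """Parse the outer document, then parse the text of <DATA> as a second
    document. The outer parser has already turned &lt; back into '<', so from its
    point of view DATA is a string, not markup. (For untrusted input in production
    use defusedxml or an equivalently hardened parser for both layers.)"""
    outer = ET.fromstring(payload)
    data = outer.find("DATA")
    if data is None or not (data.text or "").strip():
        raise ValueError("no DATA element with content")
    # strip(): the inner XML declaration must be the very first bytes of the inner document,
    # and the sample carries a newline in front of it
    inner = ET.fromstring(data.text.strip().encode("utf-8"))
    return outer, inner


def outer_sees_inner_elements(payload: bytes) -> bool:
    """True only if the outer tree itself contains a Contact element. For an
    entity-encoded inner document this is always False: validating the outer
    layer alone says nothing about the inner message."""
    outer, _ = split_layers(payload)
    return outer.find(".//Contact") is not None


def check_inner_message(payload: bytes) -> List[str]:
    """Structural checks standing in for an XSD pass over the inner document:
    root InnerMessage, exactly one Contact, which holds a non-empty Name and
    nothing else. Returns the list of violations, empty when acceptable."""
    _, inner = split_layers(payload)
    errors = []
    if inner.tag != "InnerMessage":
        errors.append(f"unexpected inner root {inner.tag!r}")
    contacts = inner.findall("Contact")
    if len(contacts) != 1:
        errors.append(f"expected exactly one Contact, found {len(contacts)}")
    for contact in contacts:
        name = contact.find("Name")
        if name is None or not (name.text or "").strip():
            errors.append("Contact without a Name")
        for child in contact:
            if child.tag != "Name":
                errors.append(f"unexpected element {child.tag!r} in Contact")
    return errors


def contact_names(payload: bytes) -> List[str]:
    """The Name values of the inner message, reachable only through the second parse."""
    _, inner = split_layers(payload)
    return [n.text or "" for n in inner.findall("Contact/Name")]


if __name__ == "__main__":
    data = SAMPLE_PAYLOAD.encode("utf-8")
    print("outer sees Contact:", outer_sees_inner_elements(data))
    print("inner violations:", check_inner_message(data))
    print("names:", contact_names(data))
```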

CatchesA Star | 28 Sep 07:05 2014

Passing IP to script via exec


Hi, I am interested in using mod_security to detect some HTTP floods. Currently, Cloudflare is in front of mod_security, and I have no desire to remove it.

Instead, I have constructed a script to add an IP to Cloudflare's IP Blacklist to block IPs when
mod_security detects floods.

I know I can fetch the IP of the client connecting to Cloudflare with SecRule REQUEST_HEADERS_NAMES, but
how can I pass on the IP to the script with exec?

Thanks,
CatchesAStar
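ModSecurity's exec action starts the script with no arguments; what it does get is the transaction's CGI-style environment (REMOTE_ADDR, the request headers as HTTP_* variables), and a rule can add variables of its own with setenv. Behind Cloudflare, REMOTE_ADDR is a Cloudflare edge address, so the client has to be taken from the CF-Connecting-IP header. Because that header is request data, it is validated strictly before it is used anywhere. The script below is an added example, not code from the post or from ModSecurity: the rule fragment in the comment (setenv of a CLIENT_IP variable from the header, then exec) is my assumed wiring, CLIENT_IP is an arbitrary name, and the request it assembles follows Cloudflare's v4 IP access rules endpoint as I know it, so check the current API documentation before relying on the body shape. Nothing is sent; main() only prints the prepared call.

```python
#!/usr/bin/env python3
"""Handler intended to be started by a ModSecurity 'exec' action (added example)."""
import ipaddress
import json
import os
from typing import Dict, Optional

# Assumed rule side (not from the post); CLIENT_IP is an arbitrary variable name:
#   SecRule ... "id:...,phase:1,pass,nolog,
#       setenv:CLIENT_IP=%{REQUEST_HEADERS.CF-Connecting-IP},exec:/usr/local/bin/cf_block.py"
# Order of preference: the rule's own variable, the raw header, then the socket peer.
CANDIDATE_VARS = ("CLIENT_IP", "HTTP_CF_CONNECTING_IP", "REMOTE_ADDR")


def pick_client_ip(env: Dict[str, str]) -> Optional[str]:
    """Take the first candidate that is present, parse it strictly, and accept it
    only if it is a public address. Anything else yields None, so no blacklist
    entry is created from a malformed or internal value."""
    for var in CANDIDATE_VARS:
        raw = env.get(var)
        if raw is None or not raw.strip():
            continue
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            return None          # "1.2.3.4; rm -rf /" and friends stop here
        if not ip.is_global:     # private, loopback, link-local, documentation ranges
            return None
        return str(ip)
    return None


def build_block_request(ip: str, zone_id: str, note: str) -> Dict[str, object]:
    """Assemble the Cloudflare v4 IP access rule call
    (POST /zones/{zone}/firewall/access_rules/rules); the caller sends it with its token."""
    addr = ipaddress.ip_address(ip)
    return {
        "method": "POST",
        "url": f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules",
        "body": {
            "mode": "block",
            "configuration": {"target": "ip6" if addr.version == 6 else "ip", "value": str(addr)},
            "notes": note,
        },
    }


def main() -> int:
    ip = pick_client_ip(dict(os.environ))
    if ip is None:
        return 1
    zone = os.environ.get("CF_ZONE_ID", "<zone-id>")   # assumed deployment setting
    print(json.dumps(build_block_request(ip, zone, "mod_security flood detection")))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Keep the exec'd script short and non-blocking: exec forks the Apache worker for every match, so a slow API call inside it holds a worker for the duration. Writing the prepared request to a queue that a separate process drains is the usual way around that.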


Jeremiah Brock | 25 Sep 22:01 2014

modsecurity 2.8 mlogc using 100% cpu bug

Hi Everyone,

    Experiencing some interesting lock ups on one of our Ubuntu 12.04 servers.

    Twice this week mlogc has blocked all traffic to Apache while using 100% of a single processor.

    Logs haven't been very helpful...

    gdb provided the following, but the entry shows 6:50am; however, the lockup occurred at 9am.

(gdb) bt
#0  0x00007f849ce06e1b in ?? () from /usr/lib/libapr-1.so.0
#1  0x00007f849ce05be2 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#2  0x00007f849ce05c00 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#3  0x0000000000404aa9 in create_new_worker (lock=0) at mlogc.c:1796
#4  0x0000000000404c27 in add_entry (
    data=0x7f849d210028 "www.everettcc.edu 192.168.1.10 - - [25/Sep/2014:06:50:50 --0700] \"GET /enrollment/current-students/ HTTP/1.0\" 200 34129 \"-\" \"-\" VCQdun8AAAEAABmPtTIAAAAL \"-\" /20140925/20140925-0650/20140925-065050-VC"..., start_worker=1) at mlogc.c:409
#5  0x00000000004052e6 in receive_loop () at mlogc.c:2065
#6  0x0000000000402535 in main (argc=<optimized out>, argv=0x7fff3bf055a8) at mlogc.c:2306
(gdb)

Here are my specs if they can shed light on any incompatibilities :

Linux production1 3.2.0-68-generic #102-Ubuntu SMP Tue Aug 12 22:02:15 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 22 2014 14:35:25

apache2                          2.2.22-1ubuntu1.7                  Apache HTTP Server metapackage
apache2-mpm-prefork              2.2.22-1ubuntu1.7                  Apache HTTP Server - traditional non-threaded model
apache2-threaded-dev             2.2.22-1ubuntu1.7                  Apache development headers - threaded MPM
apache2-utils                    2.2.22-1ubuntu1.7                  utility programs for webservers
apache2.2-bin                    2.2.22-1ubuntu1.7                  Apache HTTP Server common binary files
apache2.2-common                 2.2.22-1ubuntu1.7                  Apache HTTP Server common files

ModSecurity Log Collector (mlogc) v2.8.0
   APR: compiled="1.4.6"; loaded="1.4.6"
  PCRE: compiled="8.12"; loaded="8.12 2011-01-15"
  cURL: compiled="7.22.0"; loaded="libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"


Thanks in advance for any pointers,

~Jeremy
Ryan Barnett | 24 Sep 22:14 2014

Bash ENV Vuln - CVE-2014-6271

You may have heard of the Bash ENV vuln - http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521.  We validated that the attack works against an example older "test-cgi" script in the Apache /cgi-bin/ by passing the attack payload in Header data.

The RedHat team has put some example ModSecurity rules to identify attacks - https://access.redhat.com/articles/1200223

FYI – we have also added some similar signatures to our commercial rules feed - http://www.modsecurity.org/commercial-rules.html

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Jesús Alfredo Cambera | 24 Sep 00:06 2014

DOS rule blocking IP and User Agent not IP

Hi everybody,

I loaded the required rules to make the DOS rule 900015 work:

modsecurity.conf
modsecurity_crs_10_setup.conf -> /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
modsecurity_crs_11_dos_protection.conf -> /usr/share/modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf


The problem now is that modsecurity blocks recurring requests from a certain IP using the same agent. If I try to make a request while "blacklisted" but using a different user agent, modsecurity allows the request.

I'm reading debug logs (9) and audit logs (K included) but I can't see any reference to User Agent.

Here is my testing 900015 rule:
---------------------------------------------------------------
SecAction \
  "id:'900015', \
  phase:1, \
  t:none, \
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=10', \
  setvar:'tx.dos_block_timeout=60', \
  nolog,auditlog, \
  pass"
---------------------------------------------------------------

Any ideas?

Thanks in advance,





Alfredo
Jesús Alfredo Cambera | 17 Sep 00:15 2014

DOS rule

Hi everybody,

I'm trying to enable the "DoS Protection" rule available in "/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf". I'm using debian testing with libapache2-mod-security2 ver 2.8.0-1 and modsecurity-crs ver 2.8.0-1.

To enable the rule I enable the following files on "/etc/apache2/mods-enabled/security2.conf":

IncludeOptional /etc/modsecurity/*.conf                                                   
IncludeOptional /usr/share/modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
IncludeOptional /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf

The first include contains "/etc/modsecurity/modsecurity.conf" with modsecurity recommended basics.

Here is the rule:

346
347 SecAction \
348   "id:'900015', \
349   phase:1, \
350   t:none, \
351   setvar:'tx.dos_burst_time_slice=60', \
352   setvar:'tx.dos_counter_threshold=100', \
353   setvar:'tx.dos_block_timeout=60', \
354   nolog,auditlog, \
355   pass"
356


And this is the message that I'm getting on the audit log:
--e447956f-H--
Message: Unconditional match in SecAction. [file "/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf"] [line "355"] [id "900015"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1410905466683584 6921 (- - -)
Stopwatch2: 1410905466683584 6921; combined=673, p1=235, p2=15, p3=1, p4=1, p5=228, sr=83, sw=193, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "ENABLED"

--e447956f-Z--


modsecurity is blocking every single request even when the "block_timeout" has elapsed. I'm really new to mod security and probably I'm missing something obvious.

Thanks in advance for your help,


Alfredo
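Rule 900015 in both DoS posts above only sets three thresholds; the counting and the block itself live in modsecurity_crs_11_dos_protection.conf. My reading of that CRS 2.2.x flow: every counted request increments ip.dos_counter and refreshes its expiry to dos_burst_time_slice; once the counter exceeds dos_counter_threshold it is cleared and ip.dos_burst_counter is incremented; at two bursts ip.dos_block is set for dos_block_timeout, and a phase 1 rule drops requests from that IP while the variable exists. The Python below is an added stand-alone model of that flow (not CRS code and not from either post), useful for checking what a threshold/time-slice pair does to a given traffic pattern before enabling it. Its expirevar emulation (the timer restarts on every write) is my reading of the rules; the traffic in main() is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class _Var:
    value: int
    expires_at: float


class Collection:
    """Minimal stand-in for one ModSecurity persistent collection (here: IP) with
    expirevar semantics: a variable is gone once its timer has run out, and every
    setvar/expirevar pair restarts the timer."""

    def __init__(self) -> None:
        self._vars: Dict[str, _Var] = {}

    def get(self, name: str, now: float) -> int:
        var = self._vars.get(name)
        if var is None or var.expires_at <= now:
            self._vars.pop(name, None)
            return 0
        return var.value

    def set(self, name: str, value: int, ttl: float, now: float) -> None:
        self._vars[name] = _Var(value, now + ttl)

    def incr(self, name: str, ttl: float, now: float) -> None:
        self.set(name, self.get(name, now) + 1, ttl, now)

    def unset(self, name: str) -> None:
        self._vars.pop(name, None)


class DosGuard:
    """Model of the CRS 2.2.x DoS protection flow driven by the three 900015 values."""

    def __init__(self, burst_time_slice: float = 60, counter_threshold: int = 100,
                 block_timeout: float = 60) -> None:
        self.burst_time_slice = burst_time_slice
        self.counter_threshold = counter_threshold
        self.block_timeout = block_timeout
        self._ips: Dict[str, Collection] = {}

    def request(self, ip: str, now: float) -> str:
        """Process one request at time `now` (seconds); returns 'block' or 'pass'."""
        col = self._ips.setdefault(ip, Collection())
        # phase 1: a client whose ip.dos_block is still set is dropped outright
        if col.get("dos_block", now) == 1:
            return "block"
        # phase 5: count this request; the counter lives dos_burst_time_slice seconds
        col.incr("dos_counter", self.burst_time_slice, now)
        if col.get("dos_counter", now) > self.counter_threshold:
            # one burst: remember it and start counting from zero again
            col.incr("dos_burst_counter", self.burst_time_slice, now)
            col.unset("dos_counter")
        if col.get("dos_burst_counter", now) >= 2:
            # second burst within the time slice: block for dos_block_timeout
            col.set("dos_block", 1, self.block_timeout, now)
        return "pass"   # the request that trips the block is itself still served


def simulate(guard: DosGuard, ip: str, times: List[float]) -> List[Tuple[float, str]]:
    """Replay constructed request timestamps for one client."""
    return [(t, guard.request(ip, t)) for t in times]


if __name__ == "__main__":
    # constructed traffic: 23 requests in 23 seconds against a threshold of 10,
    # then one more after the block has expired
    guard = DosGuard(burst_time_slice=60, counter_threshold=10, block_timeout=60)
    for t, verdict in simulate(guard, "10.0.0.1", list(range(23)) + [82]):
        print(f"t={t:>3}s {verdict}")
```

With threshold 10 and a 60 s slice, a client needs 22 requests inside the window before the 23rd is dropped, and a client that spaces requests more than 60 s apart never accumulates anything, because each counter expires before the next increment.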
Reindl Harald | 16 Sep 17:46 2014

RBL-Checks

Hi

since we have honeypots and an internal rbldnsd I consider using that
data not only for the mailserver but also to secure webservers against
recently known zombies

startpoint was this:
http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-updated-real-time-blacklist-lookups.html

somehow I don't understand that ruleset well enough, and my intention finally would be:
* block any request from a listed IP unconditionally
* log any blocked request, but only blocked ones, unconditionally
* in both cases (found and block, not found and pass) the RBL
  request should happen only every 10 minutes per client IP, to
  not make a DNS request for every HTTP request

* in case of a listed IP it doesn't look like 981139 prevents
  making the RBL request multiple times
* in case of a not listed IP 981139 is warned as unconditional,
  maybe that is correct
__________________________________________________________

# DNS-Blacklist (Honeypot)
SecRule IP:PREVIOUS_RBL_CHECK " <at> eq 1" "phase:1,id:'981137',t:none,pass,skipAfter:END_RBL_LOOKUP"
 SecRule REMOTE_ADDR " <at> rbl dnsbl-modsecurity.thelounge.net"
"phase:1,id:'981138',t:none,pass,msg:'Honeypot-RBL-Match',setvar:ip.spammer=1,expirevar:ip.spammer=600,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=600,skipAfter:END_RBL_CHECK"
 SecAction "phase:1,id:'981139',t:none,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=600"
SecMarker END_RBL_LOOKUP
SecRule IP:SPAMMER " <at> eq 1" "phase:1,id:'981140',t:none,pass,msg:'Request from known RBL-Match(Honeypot-RBL-Match)'"
SecMarker END_RBL_CHECK
__________________________________________________________

not listed IP:

[Tue Sep 16 17:34:27.143328 2014] [:error] [pid 21776] [client 10.0.0.107] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "19"] [id "981139"] [hostname "www.test.rh"] [uri "/"] [unique_id "VBhYgwoAAGMAAFUQbz8AAAAk"]
[Tue Sep 16 17:34:27.147081 2014] [:error] [pid 21752] [client 10.0.0.107] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "19"] [id "981139"] [hostname "www.test.rh"] [uri "/"] [unique_id "VBhYgwoAAGMAAFT4dwQAAAAi"]
[Tue Sep 16 17:34:27.150032 2014] [:error] [pid 21770] [client 10.0.0.107] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "19"] [id "981139"] [hostname "www.test.rh"] [uri "/"] [unique_id "VBhYgwoAAGMAAFUKIDIAAAA2"]
__________________________________________________________

listed IP:

[Tue Sep 16 17:35:11.930747 2014] [:error] [pid 21749] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/show_content.php"] [unique_id "VBhYrwoAAGMAAFT16aIAAAAW"]
[Tue Sep 16 17:35:11.971688 2014] [:error] [pid 21767] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/formate/rhsw.css.php"] [unique_id "VBhYrwoAAGMAAFUHubYAAAAy"]
[Tue Sep 16 17:35:11.974033 2014] [:error] [pid 21773] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/scripts/functions.js"] [unique_id "VBhYrwoAAGMAAFUN5wMAAAAY"]
[Tue Sep 16 17:35:11.985910 2014] [:error] [pid 21729] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/captcha.php"] [unique_id "VBhYrwoAAGMAAFThfaAAAAAJ"]

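The three goals stated in the post (block listed IPs unconditionally, log only blocked requests, and query the DNSBL at most once per 10 minutes per client IP whatever the result) amount to a per-IP cache of the lookup result with a 600 s lifetime sitting in front of the block decision. The Python below is an added example, not code from the post or from ModSecurity, that implements exactly that logic stand-alone: the query name is built the way @rbl does it (reversed octets under the zone, matching the 99.0.0.10.dnsbl-modsecurity.thelounge.net seen in the log), the DNS query is replaced by a constructed in-memory resolver so it runs offline, and the cache plays the role of the ip.previous_rbl_check / ip.spammer variables. The zone and the two client addresses are taken from the post.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

ZONE = "dnsbl-modsecurity.thelounge.net"     # the zone used in the post's rules
# constructed stand-in for the honeypot rbldnsd: the one listed name is the
# "listed IP" from the log above (10.0.0.99 -> 99.0.0.10.<zone>)
LISTED_NAMES = {"99.0.0.10." + ZONE}


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name the way @rbl does: reversed octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # ValueError on anything but IPv4
    return ".".join(reversed(octets)) + "." + zone


class RblGate:
    """Decide per request whether to block, doing at most one DNSBL lookup per
    client IP per `ttl` seconds. The cached result stands in for the
    ip.previous_rbl_check / ip.spammer variables with expirevar=600."""

    def __init__(self, is_listed: Callable[[str], bool], zone: str, ttl: float = 600.0) -> None:
        self._is_listed = is_listed
        self._zone = zone
        self._ttl = ttl
        self._cache: Dict[str, Tuple[bool, float]] = {}   # ip -> (listed, expires_at)
        self.log: List[str] = []                            # only blocked requests are logged

    def check(self, ip: str, now: float) -> Tuple[str, bool]:
        """Returns (verdict, did_lookup). Both listed and not-listed results are
        cached, so a clean client costs one DNS query per ttl, not one per request."""
        cached = self._cache.get(ip)
        if cached is not None and cached[1] > now:
            listed, did_lookup = cached[0], False
        else:
            listed = self._is_listed(rbl_query_name(ip, self._zone))
            self._cache[ip] = (listed, now + self._ttl)
            did_lookup = True
        if listed:
            self.log.append(f"t={now:.0f} blocked {ip} Honeypot-RBL-Match")
            return "block", did_lookup
        return "pass", did_lookup


def fake_resolver(qname: str) -> bool:
    """Offline replacement for the DNS query; a real one would resolve `qname`
    and treat any A record as 'listed'."""
    return qname in LISTED_NAMES


if __name__ == "__main__":
    gate = RblGate(fake_resolver, ZONE)
    # constructed request sequence: listed client twice, clean client across the ttl boundary
    for ip, t in [("10.0.0.99", 0), ("10.0.0.99", 1), ("10.0.0.107", 2),
                  ("10.0.0.107", 500), ("10.0.0.107", 700)]:
        print(ip, t, gate.check(ip, t))
    print("\n".join(gate.log))
```

The cache here lives in one process; in ModSecurity the equivalent state is the persistent IP collection, which is why the rules need the collection initialised (the CRS setup file does that) before ip.previous_rbl_check can survive from one request to the next.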
Ehsan Mahdavi | 12 Sep 14:17 2014

About SecDefaultAction

Hi,

I have a rule like this: SecRule "variable" "condition" "phase:1,block,...

Following the CRS10-example-file I have two consecutive default actions like this:

SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"

I need to know:
1. Are both SecDefaultActions working, or just the latter one?
2. If the answer to the above question is NO and the rule matches, will modsecurity deny the transaction? (I ask because the rule runs in phase:1 and the latter SecDefaultAction is defined for the 2nd phase.)

P.S. CRS 2.2.9

--
                    regards
                 Ehsan.Mahdavi


Paul Beckett | 12 Sep 09:51 2014

Disable logging of specific rules

There are some rules which for me generate large numbers of false positives (e.g. 960015: Request Missing an Accept Header). I'm aware I could disable these rules easily with SecRemoveById. But ideally I would like the rule to still be processed, so that it can be used in conjunction with other factors to contribute towards the anomaly score. Is it possible to disable only the logging of specific rules?

Thanks,
Paul
Matthew Raymer | 11 Sep 03:25 2014

Failed to write to DBM file

ModSecurity: collection_store: Failed to write to DBM file "/var/log/modsecurity/SecDataDir/global": Invalid argument

I've got mod_security (2.7.7) installed under Ubuntu 14.04 with Apache 2.4.7

I have been getting the above error and seen it explained on the net as due to a limitation in libapr.

0) Is this actually a problem? Or, is it something I ought to fix in apache or my application?
1) Does anyone know if that is actually the problem?
2) Other than recompiling apache and libapr, is there a way to resolve this problem?
3) If I do need to recompile, can I get away with recompiling libapr and replacing the existing one?

Thanks in advance!
