Jesús Alfredo Cambera | 17 Sep 00:15 2014

DOS rule

Hi everybody,

I'm trying to enable the "DoS Protection" rule available in "/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf". I'm using Debian testing with libapache2-mod-security2 ver 2.8.0-1 and modsecurity-crs ver 2.8.0-1.

To enable the rule I include the following files in "/etc/apache2/mods-enabled/security2.conf":

IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /usr/share/modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
IncludeOptional /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf

The first include contains "/etc/modsecurity/modsecurity.conf" with modsecurity recommended basics.

Here is the rule:

346
347 SecAction \
348   "id:'900015', \
349   phase:1, \
350   t:none, \
351   setvar:'tx.dos_burst_time_slice=60', \
352   setvar:'tx.dos_counter_threshold=100', \
353   setvar:'tx.dos_block_timeout=60', \
354   nolog,auditlog, \
355   pass"
356


And this is the message that I'm getting on the audit log:
--e447956f-H--
Message: Unconditional match in SecAction. [file "/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf"] [line "355"] [id "900015"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1410905466683584 6921 (- - -)
Stopwatch2: 1410905466683584 6921; combined=673, p1=235, p2=15, p3=1, p4=1, p5=228, sr=83, sw=193, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "ENABLED"

--e447956f-Z--


ModSecurity is blocking every single request even when the "block_timeout" has elapsed. I'm really new to mod_security and probably I'm missing something obvious.

Thanks in advance for your help,


Alfredo
------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce.
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
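An added example (not from the post above and not the Debian package's shipped configuration): the same three includes with the CRS setup file loaded before the DoS rule file, and rule 900015 without the "auditlog" action. The paths are the ones from the post. Rules of one phase are evaluated in load order, so with the setup file included last, any phase-1 rule in the DoS file runs before 900015 has set the tx.dos_* variables; the CRS file numbering (10 before 11) exists so that the setup is loaded first. The "Unconditional match in SecAction" line in the audit log is what "auditlog" on a SecAction that matches every request produces: it marks every transaction as relevant for the audit log. It is bookkeeping, not a block; whether a request is blocked is decided by the DoS rules themselves, which this fragment does not change.

```apache
# /etc/apache2/mods-enabled/security2.conf (added example, paths from the post)
IncludeOptional /etc/modsecurity/*.conf
# Setup first: 900015 (phase 1) sets tx.dos_burst_time_slice,
# tx.dos_counter_threshold and tx.dos_block_timeout, which the DoS rules read.
IncludeOptional /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
IncludeOptional /usr/share/modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf

# In modsecurity_crs_10_setup.conf: same variables, but "nolog,pass" instead of
# "nolog,auditlog,pass", so the unconditional match no longer forces every
# transaction into the audit log.
SecAction \
  "id:'900015', \
  phase:1, \
  t:none, \
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=100', \
  setvar:'tx.dos_block_timeout=60', \
  nolog, \
  pass"
```

After the change, a request that is blocked by the DoS rules still shows up in the audit log with the DoS rule's own message; what disappears is the per-request 900015 entry.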
Reindl Harald | 16 Sep 17:46 2014

RBL-Checks

Hi

since we have honeypots and an internal rbldnsd I am considering using that
data not only for the mail server but also to secure web servers against
recently known zombies

starting point was this:
http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-updated-real-time-blacklist-lookups.html

somehow I don't understand that ruleset enough and my intention finally would be:
* block any request from a listed IP unconditionally
* log any blocked request, but only blocked ones, unconditionally
* in both cases - found and block, not found and pass - the RBL
  request should happen only every 10 minutes per client IP to
  not make a DNS request for every http request

* in case of a listed IP it doesn't look like 981139 prevents
  making the RBL request multiple times
* in case of a not listed IP 981139 is warned about as unconditional,
  maybe that is correct
__________________________________________________________

# DNS-Blacklist (Honeypot)
# DNS-Blacklist (Honeypot)
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,skipAfter:END_RBL_LOOKUP"
SecRule REMOTE_ADDR "@rbl dnsbl-modsecurity.thelounge.net" "phase:1,id:'981138',t:none,pass,msg:'Honeypot-RBL-Match',setvar:ip.spammer=1,expirevar:ip.spammer=600,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=600,skipAfter:END_RBL_CHECK"
SecAction "phase:1,id:'981139',t:none,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=600"
SecMarker END_RBL_LOOKUP
SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,msg:'Request from known RBL-Match(Honeypot-RBL-Match)'"
SecMarker END_RBL_CHECK
__________________________________________________________

not listed IP:

[Tue Sep 16 17:34:27.143328 2014] [:error] [pid 21776] [client 10.0.0.107] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "19"] [id "981139"] [hostname "www.test.rh"] [uri "/"] [unique_id "VBhYgwoAAGMAAFUQbz8AAAAk"]
[Tue Sep 16 17:34:27.147081 2014] [:error] [pid 21752] [client 10.0.0.107] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "19"] [id "981139"] [hostname "www.test.rh"] [uri "/"] [unique_id "VBhYgwoAAGMAAFT4dwQAAAAi"]
[Tue Sep 16 17:34:27.150032 2014] [:error] [pid 21770] [client 10.0.0.107] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "19"] [id "981139"] [hostname "www.test.rh"] [uri "/"] [unique_id "VBhYgwoAAGMAAFUKIDIAAAA2"]
__________________________________________________________

listed IP:

[Tue Sep 16 17:35:11.930747 2014] [:error] [pid 21749] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/show_content.php"] [unique_id "VBhYrwoAAGMAAFT16aIAAAAW"]
[Tue Sep 16 17:35:11.971688 2014] [:error] [pid 21767] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/formate/rhsw.css.php"] [unique_id "VBhYrwoAAGMAAFUHubYAAAAy"]
[Tue Sep 16 17:35:11.974033 2014] [:error] [pid 21773] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/scripts/functions.js"] [unique_id "VBhYrwoAAGMAAFUN5wMAAAAY"]
[Tue Sep 16 17:35:11.985910 2014] [:error] [pid 21729] [client 10.0.0.99] ModSecurity: Warning. RBL lookup of 99.0.0.10.dnsbl-modsecurity.thelounge.net succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/99_devmachine_rules.conf"] [line "18"] [id "981138"] [msg "Honeypot-RBL-Match"] [hostname "www.test.rh"] [uri "/captcha.php"] [unique_id "VBhYrwoAAGMAAFThfaAAAAAJ"]
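An added example, not the rules from the post above, that does the three things the post lists: one DNSBL query per client IP per 10 minutes, an unconditional deny for listed IPs, and a log line only for the deny. It reuses the poster's rule ids, markers and DNSBL zone; the 403 status is a choice. It assumes the ip collection has already been initialised earlier in phase 1 (the CRS setup file does initcol:ip) and that SecDataDir is set, otherwise nothing persists between requests. Two differences from the posted rules: the lookup rule no longer skips past 981140 and no longer logs, so the first request from a listed IP is denied and logged by 981140 like every later one (a setvar is visible to later rules in the same transaction); and 981139 carries nolog, which removes the "Unconditional match in SecAction" warning for not-listed IPs.

```apache
# DNS-Blacklist (Honeypot), added example
# Assumes: ip collection initialised earlier (initcol:ip=%{REMOTE_ADDR} in the
# CRS setup) and SecDataDir configured so ip.* survives across requests.

# Cached verdict from the last 600 s still valid: skip the lookup block.
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
    "id:981137,phase:1,t:none,nolog,pass,skipAfter:END_RBL_LOOKUP"

# No cached verdict: query the DNSBL once. Silent on purpose; the decision and
# the log line belong to 981140. A listing is remembered for 600 s.
SecRule REMOTE_ADDR "@rbl dnsbl-modsecurity.thelounge.net" \
    "id:981138,phase:1,t:none,nolog,pass,\
    setvar:ip.spammer=1,expirevar:ip.spammer=600"

# Listed or not, mark this IP as checked for 600 s so 981137 short-circuits
# the following requests. nolog: an unconditional SecAction matches always.
SecAction "id:981139,phase:1,t:none,nolog,pass,\
    setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=600"

SecMarker END_RBL_LOOKUP

# Every request from a flagged IP, including the one that triggered the
# lookup, is denied, and only these are logged.
SecRule IP:SPAMMER "@eq 1" \
    "id:981140,phase:1,t:none,log,deny,status:403,\
    msg:'Request from IP listed in dnsbl-modsecurity.thelounge.net (Honeypot-RBL-Match)'"
```

One caveat that matches the listed-IP log above: the ip collection is written back to SecDataDir at the end of a transaction, so several requests from the same client that are in flight at the same time (the four hits within 60 ms of each other, on four different pids) each still see no cached verdict and each perform the lookup. The cache only takes effect for requests that start after the first one has finished.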

Ehsan Mahdavi | 12 Sep 14:17 2014

About SecDefaultAction

Hi,

I have a rule like this: SecRule "variable" "condition" "phase:1,block,...

Following the CRS 10 example file I have two consecutive default actions like this:

SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"

I need to know:
1. Are both SecDefaultActions working, or just the latter one?
2. If the answer to the above question is no, and the rule matches, will ModSecurity deny the transaction? (I ask because the rule runs in phase:1 and the latter SecDefaultAction is defined for the 2nd phase.)

P.S. CRS 2.2.9

--
                    regards
                 Ehsan.Mahdavi


Paul Beckett | 12 Sep 09:51 2014

Disable logging of specific rules

There are some rules which for me generate large numbers of false positives (e.g. 960015: Request Missing an Accept Header). I'm aware I could disable these rules easily with SecRuleRemoveById. But ideally I would like the rule to still be processed, so that it can be used in conjunction with other factors to contribute towards the anomaly score. Is it possible to disable only the logging of specific rules?

Thanks,
Paul
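An added example, not part of the post above: SecRuleUpdateActionById rewrites the action list of an existing rule without removing it, so 960015 keeps running and keeps adding to tx.anomaly_score while its own alert is silenced. The directive must come after the CRS rule files have been included, otherwise the id is not yet known. Only the once-only actions given here (the log flags) are overwritten; the rule's setvar actions, and its "block", stay as they are.

```apache
# Added example. Place after the Include lines for the CRS rule files.

# Option 1: no line in the Apache error_log and no entry in the audit log
# for this rule. It still runs and still raises the anomaly score.
SecRuleUpdateActionById 960015 "nolog"

# Option 2: keep the match in the audit log only (handy while tuning),
# nothing in the error_log.
# SecRuleUpdateActionById 960015 "nolog,auditlog"
```

The CRS inbound anomaly evaluation rule is untouched by this, so when the summed score crosses the configured threshold it logs and blocks exactly as before, with 960015's contribution included.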
Matthew Raymer | 11 Sep 03:25 2014

Failed to write to DBM file

ModSecurity: collection_store: Failed to write to DBM file "/var/log/modsecurity/SecDataDir/global": Invalid argument

I've got mod_security (2.7.7) installed under Ubuntu 14.04 with Apache 2.4.7.

I have been getting the above error and seen it explained on the net as due to a limitation in libapr.

0) Is this actually a problem? Or is it something I ought to fix in Apache or my application?
1) Does anyone know if that is actually the problem?
2) Other than recompiling Apache and libapr, is there a way to resolve this problem?
3) If I do need to recompile, can I get away with recompiling libapr and replacing the existing one?

Thanks in advance!

Abhijit Mitra | 9 Sep 19:48 2014

Event in audit log despite custom rule to address false positive

Hey all! ModSec newbie here so apologies in advance if this has been addressed already.

I am running ModSecurity version 2.7. I have the OWASP CRS 2.2 installed.

I have a false positive stemming from an OWASP CRS. I have (I believe) addressed it using the ctl:ruleRemoveTargetById directive in a custom rule.

It appears from the debug file that my custom rule is resulting in a match where it should and is getting invoked.

And yet, I continue to see 981173 violations in my audit log file.

Is this a feature or am I missing something?

Some more details, for background, follow:

OWASP rule id 981173 - "Restricted SQL Character Anomaly Detection Alert". It is in a file named modsecurity_crs_41_sql_injection_attacks.conf.

My custom rule is in a file in the same directory, named modsecurity_crs_61_customlast.conf.

My custom rule looks like this (sanitized):

SecRule REQUEST_LINE "@beginsWith GET /appcontextroot/directory/filename" \
"id:999005,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=981173;ARGS:nameofargument"

This is what shows up in my debug file, running at debug level 5.

[09/Sep/2014:12:35:04 --0400] [subsytem.hostname.com/sid#7f70fb7267c0][rid#7f70fbe922c8][/appcontextroot/directory/filename][4] Executing operator "beginsWith" with param "GET /appcontextroot/directory/filename" against REQUEST_LINE.
[09/Sep/2014:12:35:04 --0400] [subsytem.hostname.com/sid#7f70fb7267c0][rid#7f70fbe922c8][/appcontextroot/directory/filename][4] Ctl: ruleRemoveTargetById id=981173 targets=ARGS:nameofargument
[09/Sep/2014:12:35:04 --0400] [subsytem.hostname.com/sid#7f70fb7267c0][rid#7f70fbe922c8][/appcontextroot/directory/filename][4] Warning. String match "GET /appcontextroot/directory/filename" at REQUEST_LINE. [file "/rules/activated_rules/modsecurity_crs_61_customlast.conf"] [line "27"] [id "999005"]
[09/Sep/2014:12:35:04 --0400] [subsytem.hostname.com/sid#7f70fb7267c0][rid#7f70fbe922c8][/appcontextroot/directory/filename][4] Recipe: Invoking rule 7f70fb662978; [file "/rules/activated_rules/modsecurity_crs_61_customlast.conf"] [line "30"] [id "999006"].
[09/Sep/2014:12:35:04 --0400] [subsytem.hostname.com/sid#7f70fb7267c0][rid#7f70fbe922c8][/appcontextroot/directory/filename][4] Transformation completed in 0 usec.


And this is rule # 981173, for reference:

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


Thanks.

--
Abhi Mitra
GSEC, ITIL
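An added example, not the poster's file: the same exclusion moved to phase 1 and into a file that sorts before the CRS attack rules. A ctl action only affects rules that are evaluated after the rule carrying it. 981173 is a phase-2 rule in modsecurity_crs_41_sql_injection_attacks.conf; 999005 as posted is also phase 2 but lives in modsecurity_crs_61_customlast.conf, which is loaded later, so within phase 2 it runs after 981173 has already matched and been logged. That is consistent with the debug log, which shows the ctl being applied, and with the audit log still containing 981173. The path components are the poster's placeholders; the file name below is a choice that follows the CRS numbering convention (15 sorts before 41 in the activated_rules glob), and REQUEST_LINE is available in phase 1.

```apache
# Added example. File: /rules/activated_rules/modsecurity_crs_15_custom_exclusions.conf
# Runs in phase 1, before any phase-2 rule, so the target removal is in place
# when 981173 is evaluated for this request.
SecRule REQUEST_LINE "@beginsWith GET /appcontextroot/directory/filename" \
    "id:999005,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=981173;ARGS:nameofargument"
```

With the rule in phase 1 the debug log shows "Ctl: ruleRemoveTargetById id=981173 targets=ARGS:nameofargument" before the phase-2 rules start, and 981173 no longer inspects that argument for this URI; it still inspects every other argument.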
Kentaro Kan | 8 Sep 15:02 2014

AUTO: Kentaro Kan is out of the office. (returning 2014/09/24)


I am out of the office until 2014/09/24.

I will respond to your message when I return.

Note: This is an automated response to your message  "Re:
[mod-security-users] ModSecurity: JSON support was not enabled" sent on
2014/09/08 16:15:46.

This is the only notification you will receive while this person is away.


Ronald.Ploeger | 8 Sep 12:30 2014

SecPcreMatchLimit: Sensible Values

Hi,

The default PCRE match limit of ModSecurity is 1500, which can be changed by using "SecPcreMatchLimit".

I was wondering if you could share your experience of which values can be sensibly used for this.

Thanks and all the best,

Ronald Plöger

Bhanu Mohanty | 6 Sep 16:59 2014

ModSecurity: JSON support was not enabled

Hi,
modSecurity 2.8 - JSON parsing not working.

I get an error message:

ModSecurity: JSON support was not enabled

I installed YAJL 2.1.0. My config log does show that it found YAJL 2.1.0, but when I do ldd mod_security2.so I cannot find libyajl. What am I doing wrong? Is there a special configuration option?

Thanks and regards,
Bhanu
Guillermo Caminer | 5 Sep 16:44 2014

AMF filter

Hi! Is there an AMF filter for ModSec? Is it possible to write one? Would it work with the current
CRS? Or would we have to rewrite the rules, adapting them to AMF messages as well? I'm not sure if the
semantics of AMF would be that different from HTTP for the CRS to understand and analyze them.

Thanks in advance!


Ronald.Ploeger | 4 Sep 13:54 2014

SecPcreMatchLimit - Default value

Hi,

I am using ModSecurity 2.8 and the Core Rule Set 2.2.9.

I was getting "PCRE limits exceeded (-8)" errors:

[04/Sep/2014:13:34:55 +0200] [xxx/sid#1039020][rid#213b7c0][/xxx][3] Rule c26eb0 [id "973302"] [file "xxx /owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null).

I started setting the PCRE match limit using SecPcreMatchLimit. The documentation (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit) says that the default is 1500.

The funny thing is that when I explicitly set

SecPcreMatchLimit 1500

or even

SecPcreMatchLimit 1300

the error goes away. Does this mean the documentation is incorrect, or is something happening which I do not understand?

Thanks and best regards,

Ronald
