Christian Folini | 28 Oct 06:42 2014

IIS: Logformat similar to Apache's Error-Log?

Hi there,

The Apache Error-Log is the center of my work with ModSecurity. Now
I am working with my first customer who runs ModSec on IIS. So far, I
have not been able to go on site. We are in email/phone support
mode. And we have not been able to find anything resembling the
Apache Error-Log with a format as follows:

[Tue Oct 28 22:01:07 2014] [error] [client xx.xx.xx.xx] ModSecurity: Warning. Pattern match
"(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..."
at ARGS:viewform. [file "/etc/apache2/modsecurity-core-rules/modsecurity_crs_40_generic_attacks.conf"]
[line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/index.php"]
[unique_id "TKuEA8CosiYAAF28c7IAAAAF"]

The Audit-Log is there, and it can be grepped / transformed to give
the rule hits in a similar format, but the information in those events
is not complete. The hostname, uri, unique_id etc. are all missing, for
example, and need to be extracted out of the context.
Before I write a big auditlog->errorlog transformer, is there a
way to activate an Apache error-log style thing in IIS? And if so, how?

(And while we are at it also the access-log?)

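The auditlog->errorlog transformer described in the post above, as an added example that is not part of the post and not code from the ModSecurity project. It parses the native (serial) audit log format, takes every "Message:" line of part H, and re-attaches the hostname, uri and unique_id from parts A and B in the Apache error_log layout, so the result greps exactly like the Apache line quoted above. The audit log embedded in the script is constructed for the example (the Message line reuses the rule 950001 hit quoted in the post); concurrent-mode audit logs use the same part structure with one file per transaction, so the same parser applies per file. IPv6 Host literals are not handled.

```python
#!/usr/bin/env python3
"""Rewrite ModSecurity native audit log entries as Apache error_log style lines."""
import re
import sys
from datetime import datetime

BOUNDARY = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--$')
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A = re.compile(r'^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)')

# Constructed sample: one blocked transaction with a rule hit, one clean 404 without.
SAMPLE_AUDIT_LOG = r'''--c0ffee01-A--
[28/Oct/2014:22:01:07 +0100] TKuEA8CosiYAAF28c7IAAAAF 192.0.2.10 54321 198.51.100.5 80
--c0ffee01-B--
GET /index.php?viewform=1%20union%20select%201 HTTP/1.1
Host: www.example.com
User-Agent: constructed-sample/1.0

--c0ffee01-F--
HTTP/1.1 403 Forbidden
Content-Length: 0

--c0ffee01-H--
Message: Warning. Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere) ..." at ARGS:viewform. [file "/etc/apache2/modsecurity-core-rules/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
Stopwatch: 1414530067000000 1200 (- - -)
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

--c0ffee01-Z--
--c0ffee02-A--
[28/Oct/2014:22:01:09 +0100] TKuEA8CosiYAAF28c7IAAAAG 192.0.2.11 54322 198.51.100.5 80
--c0ffee02-B--
GET /robots.txt HTTP/1.1
Host: www.example.com

--c0ffee02-F--
HTTP/1.1 404 Not Found
Content-Length: 0

--c0ffee02-H--
Stopwatch: 1414530069000000 300 (- - -)
Engine-Mode: "ENABLED"

--c0ffee02-Z--
'''


def parse_serial_audit_log(text):
    """Yield one {part_letter: [lines]} dict per transaction of a native-format audit log."""
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if m.group(2) == 'Z':
                if parts:
                    yield parts
                parts, current = {}, None
            else:
                current = m.group(2)
                parts[current] = []
            continue
        if current is not None:
            parts[current].append(line)
    if parts:  # truncated file: still yield the last, unterminated transaction
        yield parts


def apache_error_timestamp(audit_ts):
    """'28/Oct/2014:22:01:07 +0100' -> 'Tue Oct 28 22:01:07 2014' (ctime style, day space-padded)."""
    dt = datetime.strptime(audit_ts, '%d/%b/%Y:%H:%M:%S %z')
    return f'{dt:%a %b} {dt.day:2d} {dt:%H:%M:%S %Y}'


def transaction_context(parts):
    """Pull timestamp, unique_id, client IP, hostname and URI (path without query) out of A and B."""
    m = PART_A.match(parts.get('A', [''])[0])
    if not m:
        raise ValueError('malformed part A: %r' % parts.get('A'))
    ts, unique_id, client = m.group(1), m.group(2), m.group(3)
    request = parts.get('B') or ['']
    tokens = request[0].split(' ')
    uri = tokens[1].split('?', 1)[0] if len(tokens) >= 2 else '-'
    hostname = '-'
    for header in request[1:]:
        name, _, value = header.partition(':')
        if name.strip().lower() == 'host':
            hostname = value.strip().partition(':')[0]  # drop an explicit port; not IPv6-safe
            break
    return ts, unique_id, client, hostname, uri


def audit_to_error_lines(text):
    """Every 'Message:' line of part H becomes one Apache error_log style ModSecurity line."""
    out = []
    for parts in parse_serial_audit_log(text):
        ts, unique_id, client, hostname, uri = transaction_context(parts)
        for line in parts.get('H', []):
            if not line.startswith('Message: '):
                continue
            out.append('[%s] [error] [client %s] ModSecurity: %s [hostname "%s"] [uri "%s"] [unique_id "%s"]'
                       % (apache_error_timestamp(ts), client, line[len('Message: '):],
                          hostname, uri, unique_id))
    return out


if __name__ == '__main__':
    source = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    print('\n'.join(audit_to_error_lines(source)))
```

Run it as `audit2error.py /path/to/modsec_audit.log`; with no argument it converts the embedded sample. Transactions without a Message line (the clean 404 above) produce no output, which matches the error_log, where only rule hits appear.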

Sean Ezell | 27 Oct 20:18 2014

CRS version

If my server administrator is running ModSecurity version 2.5.2, which version of the rule set should we be running?

 

Sean Ezell ‘05

sezell <at> linfield.edu x2720

Web Programmer

Linfield College

ITS WILL NEVER ASK YOU FOR YOUR PASSWORD.

PLEASE DON’T SHARE YOURS WITH ANYONE!

 

------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Abhishek Bajpai | 27 Oct 18:31 2014

http post not getting scanned by mod-security2 with apache httpd and clamav


Hi ,

I have configured the mod-security2 module with Apache httpd and have clamav
running.
I can see the ModSecurity module loaded when I start httpd.
However, when I upload any document using the file upload option in my
application, I do not see any log, nor do I see it getting scanned.
Below is my mod security configuration :

SecRuleEngine On
SecRequestBodyAccess On
SecUploadDir /var/cache/upload
SecRule FILES_TMPNAMES "@inspectFile /etc/apache2/modsecurity/util/runav.pl" \
    "id:159,phase:2,t:none,log,deny,msg:'Malicious Code Detected, access denied'"
SecDebugLog /usr/local/apache/modsec_debug.log
SecAuditLog /usr/local/apache/modsec_audit.log

My requirement is to be able to scan the file upload payload coming along
with http request.

Thanks ,
abhishek

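The contract behind the @inspectFile rule in the configuration above, shown as an added example (it is not the poster's setup and not the runav.pl shipped with ModSecurity): ModSecurity runs the script with the temporary upload path as its only argument and reads one line from stdout, where a leading "1" accepts the file, a leading "0" rejects it, and the rest of the line becomes the message. The script below implements that protocol with a few local checks plus clamdscan, and fails closed when no scanner verdict can be obtained; the "no native executables" policy and the install path /usr/local/bin/inspect_upload.py are assumptions of the example. Note that the posted configuration sets SecDebugLog but no SecDebugLogLevel; raising the level (SecDebugLogLevel 9) while testing shows whether phase 2 reaches rule 159 at all.

```python
#!/usr/bin/env python3
"""Upload inspector speaking ModSecurity's @inspectFile protocol (added example, not runav.pl).

Usage from a rule (path is an assumption of this example):
  SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/inspect_upload.py" \
      "id:159,phase:2,t:none,log,deny,msg:'Malicious Code Detected, access denied'"
The script must be executable and readable by the httpd user.
"""
import subprocess
import sys

# EICAR test string: harmless by design, flagged by every AV engine.
EICAR = b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Local policy (assumed for this example): native executables are never accepted as uploads.
BAD_MAGIC = ((b'MZ', 'Windows PE executable'), (b'\x7fELF', 'ELF executable'))


def local_checks(data):
    """Cheap checks that need no external scanner; return a reason to reject, or None."""
    for magic, what in BAD_MAGIC:
        if data.startswith(magic):
            return what
    if EICAR in data:
        return 'EICAR test signature'
    return None


def clamdscan(path):
    """Ask a running clamd about the file.

    Returns (True, detail) if infected, (False, detail) if clean, and (None, reason) when no
    verdict could be obtained (clamdscan missing, timeout, scanner error).
    """
    try:
        proc = subprocess.run(['clamdscan', '--no-summary', '--fdpass', path],
                              capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return None, type(exc).__name__
    if proc.returncode == 0:      # clamdscan exit codes: 0 clean, 1 infected, 2 error
        return False, 'clean'
    if proc.returncode == 1:
        return True, proc.stdout.strip().replace('\n', ' ')
    return None, proc.stderr.strip() or 'clamdscan exit %d' % proc.returncode


def verdict(data, path=None, use_clamav=True):
    """Build the single line ModSecurity expects. Fails closed: no verdict means no upload."""
    reason = local_checks(data)
    if reason:
        return '0 ' + reason
    if use_clamav and path is not None:
        infected, detail = clamdscan(path)
        if infected:
            return '0 clamav: ' + detail
        if infected is None:
            return '0 scanner unavailable: ' + detail
    return '1 clean'


def inspect(path, use_clamav=True):
    """Read the temporary upload ModSecurity points us at and return the verdict line."""
    try:
        with open(path, 'rb') as fh:
            data = fh.read()
    except OSError as exc:
        return '0 cannot read upload: ' + (exc.strerror or str(exc))
    return verdict(data, path, use_clamav)


if __name__ == '__main__':
    print(inspect(sys.argv[1]))
```

Test it outside the web server first (`./inspect_upload.py /tmp/eicar.com` must print a line starting with "0"); only then wire it into the rule, so a script that cannot execute is not mistaken for a rule that never fires.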

Yogesh patel | 27 Oct 13:04 2014

Modsecurity Error: xml parsing error

HI

When I have Content-Type text/xml and don't have proper XML, it throws an XML parsing error.
How can I bypass XML parsing for some kinds of requests?

Is this a proper solution?

SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "chain,id:'200000',phase:1,t:none,t:lowercase,pass,nolog"
    SecRule REQUEST_FILENAME "@contains /Test/" "ctl:requestBodyProcessor=XML"

Description: It will not parse xml for instance "/Test/"? Is this solution appropriate or any other good alternative?

--


Regards,

Yogesh Patel


René Bauer | 24 Oct 11:19 2014

Problem with SLR rule 2200001

Hello,

starting today we have a problem with the SLR rule 2200001 from modsecurity_slr_50_malware_detection.conf. At the beginning of the file malware_payloads.txt which is used by that rule there is a line "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">". This line matches with the standard Apache mod_rewrite RewriteRule response and blocks all redirect traffic.
Can anybody tell me why this line and lines like "<h1>Service Temporarily Unavailable</h1>", "<p>The server is temporarily unable to service your", and "<title>503 Service Temporarily Unavailable</title>" are considered malicious code? 

Ciao,
Rene
--

Kind regards
René Bauer

on-collect solutions AG
Offices:
Karlstraße 3 in 89073 Ulm
Marktplatz 20 in 89257 Illertissen

Phone: +49 (0) 73 03 – 95 28 94 - 550
Fax: +49 (0) 73 03 – 95 28 94 - 511
E-Mail: r.bauer <at> on-collect.de
Web: www.on-collect.de

Management Board: Dr. Joachim Schmid
Chairman of the Supervisory Board: Dr. Georg Nüßlein
Ulm District Court HRB 730793  -  Tax number: DE246631672


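The check a practitioner would want before trusting a phrase list like malware_payloads.txt, added here as an example that is not part of the post or of the SLR rules: run every phrase against a corpus of known-benign responses and list the ones that would fire. The post does not say how rule 2200001 consumes the file; the example assumes @pmFromFile semantics (case-insensitive substring match, blank lines and "#" comments ignored), which is an assumption. Both the phrase list and the benign corpus are constructed: the four HTML lines are the ones quoted above, and the benign pages are the stock Apache error documents for a 302 (what a RewriteRule redirect returns) and a 503.

```python
#!/usr/bin/env python3
"""Flag phrases in a @pmFromFile-style list that match known-benign responses (added example)."""

# Phrase list, CONSTRUCTED for this example. The first four lines are the ones quoted in
# the post; the last two stand in for phrases that only occur in injected content.
PAYLOAD_FILE = '''# malware_payloads.txt (constructed sample)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily unable to service your
<title>503 Service Temporarily Unavailable</title>

eval(base64_decode(
<iframe src="http://
'''

# Known-benign response bodies to test against: Apache's default 302 and 503 documents
# and an ordinary application page. All constructed for the example.
BENIGN_RESPONSES = {
    'apache 302 (mod_rewrite redirect)': (
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
        '<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n'
        '<p>The document has moved <a href="https://www.example.com/">here</a>.</p>\n'
        '</body></html>\n'),
    'apache 503 (default ErrorDocument)': (
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
        '<title>503 Service Temporarily Unavailable</title>\n</head><body>\n'
        '<h1>Service Temporarily Unavailable</h1>\n'
        '<p>The server is temporarily unable to service your\nrequest due to maintenance '
        'downtime or capacity\nproblems. Please try again later.</p>\n</body></html>\n'),
    'application page': (
        '<html><head><title>Account</title></head><body>'
        '<p>Welcome back.</p></body></html>\n'),
}


def load_phrases(text):
    """Parse a @pmFromFile-style list: one phrase per line; blank lines and # comments ignored."""
    phrases = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        phrases.append(line)
    return phrases


def phrase_hits(phrase, responses):
    """Names of the responses this phrase matches (case-insensitive substring, as @pm does)."""
    needle = phrase.lower()
    return [name for name, body in responses.items() if needle in body.lower()]


def audit_phrase_list(text, responses=BENIGN_RESPONSES):
    """Every phrase that fires on at least one benign response, mapped to the responses it hits."""
    noisy = {}
    for phrase in load_phrases(text):
        hits = phrase_hits(phrase, responses)
        if hits:
            noisy[phrase] = hits
    return noisy


if __name__ == '__main__':
    for phrase, hits in audit_phrase_list(PAYLOAD_FILE).items():
        print('FALSE POSITIVE %-58r hits: %s' % (phrase, ', '.join(hits)))
```

Feed it the real list and a few hundred response bodies captured from the site (Apache error documents, framework default pages, the login page) before enabling a response-body phrase rule in blocking mode; any phrase the script reports will block legitimate traffic exactly the way the redirect traffic above was blocked.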
Tom Chiverton | 23 Oct 14:05 2014

Can't seem to prevent matches being listed in Apache error_log

Hi,

I have a production machine where we're using mod_security in front of largely static applications.

We don't need matched rules to be logged to the Apache error_log, but I can't seem to turn this off.

This is a standard install on Ubuntu, with /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf set to
SecDefaultAction deny,nolog,auditlog

I've tried both
SecDebugLogLevel 0
and
LogLevel security2_module:crit
but I'm still getting output in the error_log.

Am I going about this in the wrong way?

--
Tom Chiverton | Lead Developer | Extravision
T: 0161 817 2922 | W: www.extravision.com | T: twitter.com/extravision | E: tchiverton <at> extravision.com
Registered in the UK at : 107 Timber Wharf, 33 Worsley Street, Manchester, M15 4LD. Registration number: 05017214 VAT: GB 824 5386 19

Ryan Barnett | 22 Oct 23:57 2014

Welcoming Chaim Sanders to the SpiderLabs Research Team

I wanted to send a note out to the ModSecurity community to introduce Chaim Sanders - https://www.linkedin.com/pub/chaim-sanders/13/237/a7a.  He is joining the SpiderLabs Research team where he will be focusing on supporting the ModSecurity project and community.  This means he will help out answering emails from the community on these mailing lists, help Felipe Costa with development on our GitHub repos, create new signatures for OWASP CRS/Commercial Rules and also help to deliver professional services from Trustwave for our commercial customers.  Needless to say, we have a lot of work for Chaim and we are thrilled to have him on the team.  His background in web application penetration testing gives him a great "Know Your Enemy" perspective to bring to web application defenses like ModSecurity.

Please join me in welcoming Chaim.

Thanks.

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com



Brian Clark | 21 Oct 04:34 2014

Troubleshooting ModSecurity IIS Module Conflicts

I found the source of my ModSecurity/AJAX/CORS issue: it is some kind of
conflict between IIS and a custom IIS module I have running in my web app.

Any advice on troubleshooting issues between ModSecurity and custom IIS
Modules?

Thanks,
Brian



Brian Clark | 18 Oct 20:59 2014

Blocking AJAX CORS requests?

Hello,

We use AJAX and CORS as part of a login form on our website. For some
reason, ModSecurity 2.8.0 for Windows seems to be preventing this from
working properly. However, nothing shows up in the debug logs (level = 9)
showing that anything had been blocked. I can see in the logs that
ModSecurity is receiving the HTTP POST with the email/password login
values. The debug.log does not show any positive rule hits. Also, I'm
in detect-only mode so it shouldn't be dropping anything.

My thought was that something in the outbound rule set is modifying the
response in some way, but I disabled it and still had the issue. When I
disable ModSecurity entirely, login works just fine.

I am using the base CRS rules that are installed by default by the
ModSecurity installer.

Any thoughts on how to troubleshoot this? Without anything showing up in
the debug.log I am lost.

Brian Clark



Abhijit Mitra | 17 Oct 02:01 2014

Same audit log directory for multiple ModSec installations?

Can I have the same audit log directory for multiple ModSec installations? Assume concurrent logging, in which case I am assuming no conflicts writing files unless 2 installs pick the same transaction ID. Is that right?

Thanks.

--
Abhi Mitra
GSEC, ITIL
Dan Goldberg | 16 Oct 19:53 2014

inconsistent 413 status codes

Hi,
I have an interesting (to me) issue with some basic modsecurity
settings on Ubuntu servers.

I have SecRequestBodyAccess On and SecRequestBodyLimit set to
something small (for testing).
When a file upload exceeds that size
Apache logs the expected:
"ModSecurity: Request body (Content-Length) is larger than the
configured limit (16384000). Deny with status (413)"

The application in this case is a Ruby web app, and it never indicates
to the user that anything has happened; watching the traffic shows the
client received "net::ERR_CONNECTION_RESET", which is not a status
413. We have trapped the code and never see anything back from the
server.

So ModSecurity claims to send a specific status, and the client never sees it.
Does anyone have any ideas what is going on or how to troubleshoot
this on the ModSecurity side?

thanks Dan

--
Dan <at> madjic.net

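One way to observe the 413 the server says it sends, added here as an example that is not from the post and makes no claim about the poster's setup: send only the request head with Expect: 100-continue and read the status before committing any body bytes. When the length check rejects the request from the Content-Length alone, the server can answer 413 before a single body byte has arrived and there is nothing in flight for it to reset; a client that has already pushed the whole body into the socket when the server closes sees a reset instead, which is consistent with the symptom described above. The mock server below is constructed to behave that way and is not Apache or ModSecurity; whether the real stack emits its 413 before honouring the 100-continue is an assumption to verify against the real server (curl -v -H 'Expect: 100-continue' --data-binary @bigfile is the quickest probe).

```python
#!/usr/bin/env python3
"""Probe a request-body size limit without streaming the body (added example)."""
import socket
import threading

LIMIT = 16384000  # the SecRequestBodyLimit value quoted in the post


def _read_head(sock):
    """Read one HTTP response head (up to the blank line) and return its status code."""
    buf = b''
    while b'\r\n\r\n' not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError('peer closed before sending a status line')
        buf += chunk
    return int(buf.split(b' ', 2)[1])


def probe(host, port, body_len, timeout=5.0):
    """Send only the request head with Expect: 100-continue; return the first final status.

    If the server rejects up front (413) the body is never sent, so nothing gets reset.
    If it answers 100 Continue we stream the body and return the real final status.
    """
    req = ('POST /upload HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n'
           'Content-Type: application/octet-stream\r\nExpect: 100-continue\r\n\r\n'
           % (host, body_len)).encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        status = _read_head(s)
        if status == 100:
            s.sendall(b'A' * body_len)
            status = _read_head(s)
        return status


def mock_limited_server(limit):
    """CONSTRUCTED stand-in for a front end with a body limit; not Apache, not ModSecurity.

    It rejects oversized requests from the Content-Length alone and closes at once without
    draining the body, which is what turns into a reset for a client already streaming.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(5)

    def handle(conn):
        conn.settimeout(5.0)
        with conn:
            buf = b''
            while b'\r\n\r\n' not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            head, _, body = buf.partition(b'\r\n\r\n')
            fields = {}
            for line in head.split(b'\r\n')[1:]:
                name, _, value = line.partition(b':')
                fields[name.strip().lower()] = value.strip()
            length = int(fields.get(b'content-length', b'0'))
            if length > limit:
                conn.sendall(b'HTTP/1.1 413 Request Entity Too Large\r\n'
                             b'Content-Length: 0\r\nConnection: close\r\n\r\n')
                return  # closed without reading the body
            if fields.get(b'expect', b'').lower() == b'100-continue':
                conn.sendall(b'HTTP/1.1 100 Continue\r\n\r\n')
            while len(body) < length:
                chunk = conn.recv(65536)
                if not chunk:
                    return
                body += chunk
            conn.sendall(b'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n')

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed
            try:
                handle(conn)
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(limit=LIMIT):
    """Probe the mock with a small and an oversized body; returns (small_status, big_status)."""
    srv = mock_limited_server(limit)
    port = srv.getsockname()[1]
    try:
        return probe('127.0.0.1', port, 1000), probe('127.0.0.1', port, limit + 1)
    finally:
        srv.close()


if __name__ == '__main__':
    print(demo())
```

Against the real server, point probe() at the Apache host and port and compare the two outcomes: a 413 from the head-only probe confirms the status is emitted and that the reset seen by the browser comes from the connection being closed while the browser is still writing, not from the status being lost.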

