Winfried Neessen | 16 Apr 10:41 2014

Locking issue with enabled persistent collection

Hi,

I've been struggling with a problem with mod_security for a while now, and I have no idea what the issue is and how to solve it.

Here's a brief description of the problem…

I've built my own ruleset for mod_security, which is working fine. The basic ruleset doesn't use any persistent collections. As we were in need of blocking IPs which are hitting us too hard, I introduced an IP collection, so I can count the hits (and deprecate them as well) and block if a specific count is reached. This is where the problem starts.

Once the IP collection is enabled in the ruleset (in addition to the blocking rules), the server still runs fine… at least for a couple of hours. But after approx. 5-12 hours the logs begin to throw messages like this:

[Tue Apr 15 17:28:43 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "xxx.xxx.xxx.xxx"): Internal error [hostname "some.domain.com"] [uri "/some/path"] [unique_id "U01sSwoABzUAAH@Bf2wAAAD-"]
[Tue Apr 15 17:28:43 2014] [error] [client yyy.yyy.yyy.yyy] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "yyy.yyy.yyy.yyy"): Internal error [hostname "other.domain.com"] [uri "/some/other/path"] [unique_id "U01sSwoABzUAAJb6E1kAAAAU"]
[Tue Apr 15 17:28:43 2014] [error] [client zzz.zzz.zzz.zzz] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "yyy.yyy.yyy.yyy"): Internal error [hostname "even.other.domain.com"] [uri "/some/more/paths"] [unique_id "U01sSwoABzUAAKYLmMAAAAGQ"]
[Tue Apr 15 17:28:44 2014] [error] [client aaa.aaa.aaa.aaa] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "zzz.zzz.zzz.zzz"): Internal error [hostname "another.domain.com"] [uri "/another/path"] [unique_id "U01sSwoABzUAAH-BxoEAAABf"]
[Tue Apr 15 17:28:44 2014] [error] [client bbb.bbb.bbb.bbb] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "zzz.zzz.zzz.zzz"): Internal error [hostname "yep.another.domain.com"] [uri "/yep/another/path"] [unique_id "U01sSwoABzUAAH-n8Q8AAAF3"]
[Tue Apr 15 17:28:44 2014] [error] [client ccc.ccc.ccc.ccc] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "zzz.zzz.zzz.zzz"): Internal error [hostname "and.another.one.com"] [uri "/a/specific/file.pdf"] [unique_id "U01sSwoABzUAAIJMZ5kAAADw"]
sAAACZ"]
[…]

(Please note that the client IPs don't match the key values for the IP collection.)

At the same time, a couple of Apache processes start to use a lot of system time. The load of the processes goes up to 100% each; the CPU usage shows almost no interrupts, no user or nice usage, but lots of system usage. Apache starts to become unresponsive, and in the server-status page you can see lots of "L" processes. The state of the processes that eat all the CPU shows some locking state. I was once able to run a "truss" on one of the processes before the server died… it seemed to read the IP collection file. Lots of null bytes and, every once in a while, one of the collected IPs was read.

First I used a combination of REMOTE_ADDR and MD5(User-Agent) as identifier for the IP collection. I noticed that the IP collection file grew very fast, given that we have a lot of traffic. But as this is a sparse file, "ls" and "du" showed different sizes; so the actual file didn't really grow to the shown size.

Still I thought this might be the issue. So I moved the file to be stored on a ramdisk. This didn't fix the issue. Again the server ran fine for a couple of hours and then started to act as described above.

As next step I changed the IP collection to only collect the REMOTE_ADDR, no User-Agent hash. This kept the IP collection file pretty decent in size. But again after a couple of hours, the same issue occurred.

I've tried several versions of mod_security: 2.7.2 thru 2.7.5 and currently 2.7.7, all with the same result. I have no idea what to do next. So any hint is highly appreciated.

Thanks

Winfried
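The counting-and-blocking pattern the post describes, written out as an added example in ModSecurity 2.x rule syntax (it is not the poster's ruleset, which the post does not show): an IP collection keyed on the client address, a per-request counter that deprecatevar decays over time, and a block once a threshold is crossed. The data directory, rule ids 900001-900003, the threshold of 200, and the decay and expiry values are placeholders chosen for illustration.

```apache
# Added example, not the poster's rules. Directory and rule ids are placeholders.
# Persistent collections are stored as SDBM files in this directory.
SecDataDir /var/cache/modsecurity

# Phase 1: open (or create) the IP collection keyed on the client address and
# count the request. deprecatevar lowers the counter by 10 every 60 seconds,
# so only a client that keeps up its rate keeps a high score.
SecAction "phase:1,id:900001,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.requests=+1,deprecatevar:ip.requests=10/60"

# A client that was already marked is refused without recounting.
SecRule IP:BLOCKED "@eq 1" "phase:1,id:900002,log,deny,status:429,msg:'Client temporarily blocked'"

# Cross the threshold: deny, and set a flag that expirevar removes after 300
# seconds so the block lifts on its own.
SecRule IP:REQUESTS "@gt 200" "phase:1,id:900003,log,deny,status:429,setvar:ip.blocked=1,expirevar:ip.blocked=300,msg:'Rate limit exceeded for %{REMOTE_ADDR}'"
```

Every distinct collection key becomes a record in the file under SecDataDir, so keying on REMOTE_ADDR alone keeps the key space, and the file, far smaller than REMOTE_ADDR combined with a User-Agent hash, which is the size effect the post observed. The counter values and intervals have to be tuned against real traffic before the rules are switched from logging to blocking.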

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Felipe Costa | 16 Apr 03:39 2014

Announcing ModSecurity v2.8.0

Hi, 

It is a pleasure to announce ModSecurity v2.8.0. Besides the bug fixes and improvements, it comes with five important new features:
  • JSON request body parser.
  • SecConnReadStateLimit and SecConnWriteStateLimit directives.
  • FULL_REQUEST and FULL_REQUEST_LENGTH variables.
  • @detectXSS operator.
  • ModSecurity status reporting.
  • Append and prepend are now supported on nginx (Ref: #635).
  • SecServerSignature is now available on nginx (Ref: #637).
Complete list of modifications: https://github.com/SpiderLabs/ModSecurity/releases


Note: we are also modifying the name of our release tarball. We were labeling our release by: "modsecurity-apache_X.Y.Z.tar.gz", since we started to support Nginx, this name became outdated. Now we are labeling it as  "modsecurity-X.Y.Z.tar.gz". For those who are automagically generating packages, it won't be a problem, the old naming policy will be preserved on the modsecurity.org server.

As in the last release, this release will be stored in two different servers: modsecurity.org and GitHub. Hashes are provided for the tarball integrity verification. The release tags are also GPG-Signed.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
m: +55 81 8706.5547

Trustwave | SMART SECURITY ON DEMAND



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Security Effect | 15 Apr 23:22 2014

How to whitelist a subnet?

I have found how to whitelist a single IP, but how could I whitelist the 
whole subnet?
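Whitelisting a whole network rather than one address, as an added example that is not part of the post: @ipMatch accepts CIDR ranges and comma-separated lists, and @ipMatchFromFile reads the same notation from a file. The networks, the file path and rule ids 900010/900011 are placeholders.

```apache
# Added example, not from the post. Networks, path and rule ids are placeholders.
# Inline list of trusted networks (CIDR and single addresses may be mixed).
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,198.51.100.0/24" \
    "phase:1,id:900010,nolog,allow,ctl:ruleEngine=Off"

# The same check with the ranges kept in a file, one entry per line,
# which is easier to maintain for longer lists.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/trusted-nets.txt" \
    "phase:1,id:900011,nolog,allow,ctl:ruleEngine=Off"
```

The rule must be loaded before the rules it is meant to bypass: allow stops processing of the remaining phases, and ctl:ruleEngine=Off switches the engine off for the rest of the transaction. Behind a load balancer or reverse proxy REMOTE_ADDR holds the proxy's address, so this match would whitelist the proxy and everyone behind it; the real client address has to be restored first (mod_remoteip, or the equivalent for the deployment) or the check has to be made against a trusted forwarded-for header.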


Robert Paprocki | 13 Apr 01:49 2014

nginx segfaulting with mod_security


Hello,

I have compiled nginx-1.5.13 with modsecurity-2.7.7 and am seeing
occasional segfaults when sending requests to the server. mod_security
was compiled as a standalone module per the instructions made available
at
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX.
The segfaults appear sporadic and do not seem to match up with any given
request. Below is my nginx configuration:

[root <at> poseidon src]# nginx -V
nginx version: nginx/1.5.13
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-debug --with-http_ssl_module
--with-http_realip_module --with-http_addition_module
--with-http_sub_module --with-http_dav_module --with-http_flv_module
--with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module
--with-mail --with-mail_ssl_module --with-file-aio --with-ipv6
--with-cc-opt='-g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386
-mtune=generic -fasynchronous-unwind-tables -g -O0'
--add-module=../modsecurity-apache_2.7.7/nginx/modsecurity/

Also, a backtrace of the core dump:
(gdb) bt
#0  0x080a1827 in ngx_http_write_filter (r=0x83bb078, in=0x8baaa6c) at
src/http/ngx_http_write_filter_module.c:121
#1  0x080bc0d4 in ngx_http_chunked_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_chunked_filter_module.c:111
#2  0x080c462b in ngx_http_gzip_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_gzip_filter_module.c:325
#3  0x080c5fb3 in ngx_http_postpone_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/ngx_http_postpone_filter_module.c:82
#4  0x080c6581 in ngx_http_ssi_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_ssi_filter_module.c:408
#5  0x080cc021 in ngx_http_charset_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_charset_filter_module.c:553
#6  0x080ce31f in ngx_http_sub_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_sub_filter_module.c:201
#7  0x080cf730 in ngx_http_addition_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_addition_filter_module.c:147
#8  0x080cfc78 in ngx_http_gunzip_body_filter (r=0x83bb078, in=0x8baaa6c)
    at src/http/modules/ngx_http_gunzip_filter_module.c:184
#9  0x081146bd in ngx_http_modsecurity_body_filter (r=0x83bb078,
in=0xbf7ff8b4)
    at
../modsecurity-apache_2.7.7/nginx/modsecurity//ngx_http_modsecurity.c:1252
#10 0x08055381 in ngx_output_chain (ctx=0x8baa9b8, in=0xbf7ff8b4) at
src/core/ngx_output_chain.c:66
#11 0x080a253c in ngx_http_copy_filter (r=0x83bb078, in=0xbf7ff8b4) at
src/http/ngx_http_copy_filter_module.c:143
#12 0x080bd477 in ngx_http_range_body_filter (r=0x83bb078, in=0xbf7ff8b4)
    at src/http/modules/ngx_http_range_filter_module.c:594
#13 0x0808e81e in ngx_http_output_filter (r=0x83bb078, in=0xbf7ff8b4) at
src/http/ngx_http_core_module.c:1964
#14 0x0809c72f in ngx_http_send_special (r=0x83bb078, flags=1) at
src/http/ngx_http_request.c:3332
#15 0x080b5737 in ngx_http_upstream_finalize_request (r=0x83bb078,
u=0x83bbab0, rc=0)
    at src/http/ngx_http_upstream.c:3551
#16 0x080b4a77 in ngx_http_upstream_process_request (r=0x83bb078) at
src/http/ngx_http_upstream.c:3159
#17 0x080b477e in ngx_http_upstream_process_upstream (r=0x83bb078,
u=0x83bbab0) at src/http/ngx_http_upstream.c:3090
#18 0x080b329a in ngx_http_upstream_send_response (r=0x83bb078,
u=0x83bbab0) at src/http/ngx_http_upstream.c:2493
#19 0x080b1937 in ngx_http_upstream_process_header (r=0x83bb078,
u=0x83bbab0) at src/http/ngx_http_upstream.c:1735
#20 0x080b02ef in ngx_http_upstream_handler (ev=0x8b31f5c) at
src/http/ngx_http_upstream.c:977
#21 0x080726fd in ngx_event_process_posted (cycle=0x83b45a8,
posted=0x81c495c) at src/event/ngx_event_posted.c:40
#22 0x080708c2 in ngx_process_events_and_timers (cycle=0x83b45a8) at
src/event/ngx_event.c:275
#23 0x0807c629 in ngx_worker_process_cycle (cycle=0x83b45a8, data=0x0)
at src/os/unix/ngx_process_cycle.c:816
#24 0x080795a4 in ngx_spawn_process (cycle=0x83b45a8, proc=0x807c48e
<ngx_worker_process_cycle>, data=0x0,
    name=0x815e33b "worker process", respawn=-3) at
src/os/unix/ngx_process.c:198
#25 0x0807b720 in ngx_start_worker_processes (cycle=0x83b45a8, n=2,
type=-3) at src/os/unix/ngx_process_cycle.c:364
#26 0x0807aecf in ngx_master_process_cycle (cycle=0x83b45a8) at
src/os/unix/ngx_process_cycle.c:136
#27 0x080500c5 in main (argc=3, argv=0xbf7ffe54) at src/core/nginx.c:407

Unfortunately I am not skilled at reading C backtraces. I was going to
attach the debug log but it's very large and I don't want to make this
message much larger :p Below is my nginx configuration:

user  nginx;
worker_processes  2;

error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;
worker_rlimit_core  500M;
working_directory   /tmp;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
    fastcgi_buffers 256 4k;
    client_max_body_size 64m;
    #client_body_buffer_size 16m;
    server_tokens off;
}

server {
    listen       23.226.226.175:80;
    server_name  cryptobells.com www.cryptobells.com;
    root /var/www/cryptobells;
    rewrite     ^   https://$server_name$request_uri? permanent;
    location / {
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~* \.php$ {
        fastcgi_index   index.php;
        fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
    }
}

server {
    listen       23.226.226.175:443 ssl;
    server_name  cryptobells.com www.cryptobells.com;

    ssl_certificate      /etc/ssl/certs/cryptobells.com.crt;
    ssl_certificate_key  /etc/ssl/certs/cryptobells.com.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
    ssl_prefer_server_ciphers   on;

    root /var/www/cryptobells;
    ModSecurityEnabled on;
    ModSecurityConfig /etc/modsecurity/modsecurity.conf;

    location / {
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~* \.php$ {
        fastcgi_index   index.php;
        fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
    }
}

My modsec configuration is identical as described in
http://blog.spiderlabs.com/2012/09/announcing-the-availability-of-modsecurity-extension-for-nginx.html,
with the exception that I am using concurrent instead of serial logging.
Please let me know if anyone is able to help identify what could be
causing segfaults, or if there is any more information I can provide.
Thank you!


Doug Strick | 11 Apr 01:28 2014

Inspecting body content and substitution

Hello,

I'm currently stuck in a situation where content creators aren't adhering to proper procedure and are using HTTP links in the source of pages that are served up over HTTPS.  This of course means the end user is getting HTTP links on an HTTPS connection.  The developers/publishers have already stated the content has grown too large to go through and fix all the bad pages.  It's now been delegated to my team to look at ways to change the content in the response on the fly.  We're using Apache and I'm looking into mod_substitute.  I've heard WAF apps can do this as well.  When going through the mod_security documentation I'm not sure I'm seeing that option or if it just doesn't exist.  Basically, I'm looking for a way for Apache to take the body content it receives from the backend and replace all HTTP links with HTTPS when it serves the response to the customer.  Is anyone using mod_security for a function like this currently?  Any experience with this type of functionality is appreciated.  Thanks.
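An added example, not from the post, of the on-the-fly rewrite the poster is after, done with the Apache module already under evaluation, mod_substitute: ModSecurity 2 can only prepend or append to a response body (the prepend/append actions with SecContentInjection On) and has no in-body substitution. The host names are placeholders.

```apache
# Added example, not from the post. Host names are placeholders.
<Location "/">
    # Ask the backend for uncompressed bodies: a gzip-compressed body cannot
    # be searched and would be corrupted by the filter (needs mod_headers).
    RequestHeader unset Accept-Encoding

    # Only HTML goes through the substitution filter; other content types
    # (images, PDFs, downloads) are left untouched.
    AddOutputFilterByType SUBSTITUTE text/html

    # Rewrite only the site's own absolute links. Third-party hosts that have
    # no HTTPS endpoint would break if they were rewritten too. The pattern
    # is a regex, hence the escaped dots; "i" makes the match case-insensitive.
    Substitute "s|http://www\.example\.com/|https://www.example.com/|i"
    Substitute "s|http://example\.com/|https://example.com/|i"
</Location>
```

The filter works line by line on every HTML response, so it costs CPU on large pages, and it drops the Content-Length header because it cannot know the rewritten size in advance, so responses go out chunked. Links already written scheme-relative ("//host/path") need no rewriting.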
Edson Pereira Jr | 10 Apr 04:46 2014

HeartBleed

Hi!
My name is Edson and I am an enthusiast for the area of security.

Would ModSecurity be able to mitigate an attack using the Heartbleed technique, CVE-2014-0160?

Sorry for my English. :/

Att.

Edson Pereira Jr.
https://www.linkedin.com/profile/view?id=28372785


Security Effect | 8 Apr 11:36 2014

Missing configuration files

Hello everybody,

I installed mod_security 2.6.7 on RedHat 5, but although neither the "configure" nor the "make" nor the "make install" reported an error, all the config files are missing.

Any idea why? First time setting up mod_security...
Christian Mehlmauer | 1 Apr 17:29 2014

Question regarding load order and vhosts

Hi,
I am currently setting up a mod_security installation and I have a few questions about the load order, VHOSTs and why the following exceptions are not working.

Currently we are running mod_security 2.7.7 with OWASP CRS in logging-only mode on apache 2.7.7 (Redhat). Apache is configured on a VHOST basis with 80+ VHOSTs.

Our load order currently looks like this:
httpd.conf
  --> Include mod_security.conf
      --> mod_security.conf: SecRuleEngine DetectionOnly and other basic options
  --> Include pre_vhost.inc
      --> Include modsecurity.d/modsecurity_crs_10_setup.conf
      --> Include modsecurity.d/modsecurity_crs_15_customrules.conf
      --> Include modsecurity.d/owasp-modsecurity-crs/base_rules/xxxxxxx.conf (some base rules)
  --> Include vhost/*.conf
      --> Vhost specific Apache configuration (VirtualHost *:port)
      --> Vhost A contains another "Include vhost/A_exceptions.conf" with mod_security rules only for this vhost (there are 80+ VHOSTs, each vhost has its own exception file)
          --> A_exceptions.conf Exceptions for false positives triggered on this VHOST
          --> B_exceptions.conf
              --> Include: inc/application.conf (exception for an application running on multiple vhosts, so you can include the only-once-defined exceptions file on separate VHOSTs)
          --> C_exceptions.conf
              --> Include: inc/application.conf (same application as on VHOST B)
  --> Include post_vhost.inc
      --> Include modsecurity.d/modsecurity_crs_48_local_exceptions.conf
      --> Include modsecurity.d/owasp-modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
      --> Include modsecurity.d/owasp-modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf

So as you can see we have the basic CRS applied to all VHOSTs and a per-VHOST false positive exception configuration. The file modsecurity_crs_48_local_exceptions.conf contains exceptions applied to all VHOSTs; modsecurity_crs_15_customrules.conf contains rules like disabling mod_security for specific IPs.

Currently a few rules seem to be ignored and I hope you can help me with it.

Question 1:
I included the following rule in the file inc/application.conf (which is included in a <VirtualHost> directive):

SecRule REQUEST_FILENAME "^/path$" "chain,phase:1,id:'99',rev:'1',t:none,t:normalizePath,nolog"
    SecRule REQUEST_METHOD "^POST$" \
        "ctl:ruleRemoveById=960010,\
        ctl:ruleRemoveById=960015,\
        ctl:ruleRemoveById=990012"

It seems like this rule is never triggered. The audit log still contains the entry:
[modsecurity] [client xx.xx.xx.xx] [domain xx.xx.xx] [200] [/20140401/xxxxx]  [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] Warning. Match of "rx ^%{tx.allowed_request_content_type}$ against "TX:0" required.


If I specify the rule in modsecurity_crs_15_customrules.conf before the VHOST and the base rules are loaded, the rule works correctly. The reference manual says:

ruleRemoveById - since this action is triggered at run time, it should be specified before the rule in which it is disabling.

So this would make sense. I tried to change the load order, so the CRS base rules are loaded AFTER the vhost rules and exceptions (in post_vhost.inc before crs_48). Then I put the exception back into the application.conf. This was also not working although the exclude was specified before the CRS rules. Is there a difference in the VHOST loading scheme? Also the file application.conf contains ctl:ruleRemoveById:xxx and ctl:UpdateTargetById:xxxx statements. Is it possible to keep this way of defining exceptions, so we can simply include it in other vhosts? An example for application.conf would be piwik, which can be enabled on multiple VHOSTs and all exceptions need to be the same.

Question 2:
As said before, piwik is an example for an application.conf. Currently the content of the piwik tracking cookie triggers some SQLI rules. The following rule is included in an application.inc which is included in a specific VHOST:

# ignore piwik tracking cookies _pk_ref.1.ea53
# 981172: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
# 981257: Detects MySQL comment-/space-obfuscated injections and backtick termination
# 981243: Detects classic SQL injection probings 2/2
SecRule &REQUEST_COOKIES_NAMES:/_pk_ref\./ "@gt 0" "phase:1, id:'48', rev:'1', t:none, t:normalizePath, nolog,\
    ctl:ruleRemoveTargetById=981172;REQUEST_COOKIES:/^_pk_ref\./,\
    ctl:ruleRemoveTargetById=981257;REQUEST_COOKIES:/^_pk_ref\./,\
    ctl:ruleRemoveTargetById=981243;REQUEST_COOKIES:/^_pk_ref\./"

The exceptions defined here are also not working correctly. If I change the rule from "nolog" to "log" I can see that the expression matched greater than 0, but the excluded rules are still firing and blocking the requests.

I hope I described my problem so anyone can understand and someone here on this list can help me.

Chris
Reindl Harald | 1 Apr 11:00 2014

problems with session-id protection

Hi

I have some issues with session-id protection

session.use_only_cookies = 1
session.hash_function = 1
session.hash_bits_per_character = 6

http://www.php.net/manual/de/session.configuration.php#ini.session.hash-bits-per-character
'6' (0-9, a-z, A-Z, "-", ",")

Well, the rules below in theory would restrict the session-id perfectly. In reality there is at least a % char, I guess some escaping for the comma and possibly a plus sign, that would lead to "[^-a-z0-9,%\+]" but at the same time exceed 27 chars.

Is there any option to decode the param before the regexp?
__________________________________________________

SecRule REQUEST_COOKIES:PHPSESSID|ARGS:PHPSESSID "[^-a-z0-9,]" \
"id:'138',phase:2,capture,logdata:'%{TX.0}',t:lowercase,block,msg:'Unexpected value for PHPSESSID'"

SecRule REQUEST_COOKIES:PHPSESSID|ARGS:PHPSESSID "@gt 27" \
"id:'139',phase:2,capture,logdata:'%{TX.0}',t:length,block,msg:'PHPSESSID exceeds 27 chars'"

SecRule REQUEST_COOKIES:PHPSESSID|ARGS:PHPSESSID "@lt 27" \
"id:'140',phase:2,capture,logdata:'%{TX.0}',t:length,block,msg:'PHPSESSID needs to be at least 27 chars'"
__________________________________________________

Finally, I would like to have the cookie value in the logs. That works for rule 138 but not 139 and 140:

ModSecurity: Access denied with code 400 (phase 2). Operator LT matched 27 at REQUEST_COOKIES:PHPSESSID. [file "/etc/httpd/modsecurity.d/99_local_rules.conf"] [line "233"] [id "140"] [msg "PHPSESSID needs to be at least 27 chars"] [data ""]
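An added example, not the poster's rules, that applies the decoding the post asks about, ModSecurity's t:urlDecode transformation. A session id generated with hash_function=1 (SHA-1, 160 bits) and hash_bits_per_character=6 is 27 characters from the alphabet quoted in the post, and PHP URL-encodes the session cookie it sets, so a comma arrives as %2C, which is the extra % the post sees. Decoding first lets one negated @rx enforce both the alphabet and the exact length; logdata with %{MATCHED_VAR} records the offending value for any operator, whereas %{TX.0} is only filled by @rx together with capture, which is why rules 139 and 140 above log an empty [data ""]. Rule id 900020 is a placeholder.

```apache
# Added example, not the poster's rules. Rule id is a placeholder.
# t:none drops inherited defaults, t:urlDecode turns %2C back into ",",
# t:lowercase folds A-Z so the class below only needs a-z. The negated
# @rx fires when the decoded value is not exactly 27 allowed characters.
SecRule REQUEST_COOKIES:PHPSESSID|ARGS:PHPSESSID "!@rx ^[-a-z0-9,]{27}$" \
    "id:900020,phase:2,t:none,t:urlDecode,t:lowercase,block,\
    logdata:'%{MATCHED_VAR}',msg:'Unexpected PHPSESSID value'"
```

ARGS values are already URL-decoded once by the engine, so for ARGS:PHPSESSID t:urlDecode is a second decode; with the strict pattern that only matters for a double-encoded value, which is rejected either way. The transformation order is the order written, so t:urlDecode must come before t:lowercase, or %2C would be folded to %2c and still decode, but a value with uppercase hex digits in a different position would not match the alphabet until decoded.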

Felipe Costa | 1 Apr 05:16 2014

ModSecurity v2.8.0-RC1

Hi,

It is a pleasure to announce that ModSecurity version 2.8.0-RC1 is now ready!

This release candidate contains new features, bug fixes and improvements. The new features are:
  • JSON Parser is no longer under tests. Now it is part of our mainline.
  • Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
  • New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
  • ModSecurity status is now part of our mainline.
  • New operator: <at> detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
  • Append and prepend are now supported on nginx (Ref: #635).
  • SecServerSignature is now available on nginx (Ref: #637).
Check out the full list of changes straight from GitHub:


Besides the listed changes we are also modifying the name of our release tarball. We were labeling our release by: "modsecurity-apache_X.Y.Z.tar.gz", since we started to support Nginx, this name became outdated. Now we are labeling it as  "modsecurity-X.Y.Z.tar.gz". For those who are automagically generating packages, it won't be a problem, the old naming policy will be preserved on the modsecurity.org server.

As in the last release, this will be stored in two different servers: modsecurity.org and GitHub. Hashes will be provided for the tarball integrity verification. The release tags are also GPG-Signed.


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND



Stephan Gomes Higuti | 31 Mar 20:22 2014

Writing rules.

Hi all.

I've been reading about getting rid of my false positives. I saw a lot of people recommending to use "SecRuleRemoveById", but I'm not sure if using SecRuleRemoveById is the best way to do it.
I'm trying to write whitelist rules, however I've got some doubts about it.

Allow vs. Pass Disruptive Action:
From what I understood, if I use allow as the disruptive action, modsecurity will match my whitelist rule and after that will just allow the request without passing through the other rules.
But if I use "pass", modsecurity should only ignore that rule, and forward the request to the next rule.
I guess the best way for doing it is using pass, right?
However, when I use it, modsec matches the rule, sends me a warning, but it still gets blocked by the original rule.
How am I supposed to create a whitelist rule and ignore the rule that is blocking the request?
For example:

My whitelist rule is:

SecRule REQUEST_URI "((?i)^/report/)" "chain,id:321321321,log,phase:1,t:lowercase,pass"
SecRule SERVER_NAME "test\.mydomain\.com"

and I got the following log message:

[Mon Mar 31 15:03:20.881149 2014] [:error] [pid 12176] [client 172.16.15.230] ModSecurity: Warning. Pattern match "test\\\\.mydomain\\\\.com" at SERVER_NAME. [file "/etc/apache2/owasp-crs/activated_rules/modsecurity_crs_01_mydomain_whitelist_rules.conf"] [line "19"] [id "321321321"] [hostname "test.mydomain.com"] [uri "/report/"] [unique_id "Uzmt6KwQD8oAAC@QFr0AAAAB"]

But it is still getting blocked by the other rule:

[Mon Mar 31 15:03:20.882708 2014] [:error] [pid 12176] [client 172.16.15.230] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 1 at SESSION:IS_NEW. [file "/etc/apache2/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "24"] [id "981054"] [msg "Invalid SessionID Submitted."] [hostname "test.mydomain.com"] [uri "/report/"] [unique_id "Uzmt6KwQD8oAAC@QFr0AAAAB"]

What should I do to make modsecurity ignore the old rule and only act according to my new whitelist rule?
Is it possible to set the new rule to allow a specific rule for a specific domain and a specific URI? Like, configuring the new whitelist rule to just ignore rule 981054 for my hostname "test.mydomain.com" for the URI "/report/"?

Regards,

Stephan Gomes Higuti
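An added example, not from either post, of the exception pattern that both the load-order question above (ctl:ruleRemoveById in a per-vhost include) and this post's whitelist rule are after: a chained rule that removes one CRS rule only for one host and path. Two things decide whether it takes effect. ctl:ruleRemoveById acts at run time on rules evaluated after it, so the rule must be loaded before the CRS rule files (in CRS terms, in a modsecurity_crs_15_*.conf that precedes the base rules), and rules defined inside a <VirtualHost> are appended after the rules inherited from the main server configuration, so an exception included from the vhost still runs after a phase-1 CRS rule even when the CRS files are included later in httpd.conf. A plain pass on a matching whitelist rule, as in this post, changes nothing for the rules that follow. The ctl action sits on the last rule of the chain because non-disruptive actions on the first rule fire as soon as that rule alone matches. Host and path are this post's, 981054 is the CRS rule it names, and rule id 900030 is a placeholder.

```apache
# Added example, not from either post. Rule id 900030 is a placeholder.
# Load this file before the CRS base rules, e.g. from modsecurity_crs_15_*.conf.
# First link: limit the exception to one host (folded to lowercase first).
SecRule SERVER_NAME "@streq test.mydomain.com" \
    "id:900030,phase:1,t:none,t:lowercase,nolog,pass,chain"
    # Second link: and to one path. ctl runs only when this link matches,
    # i.e. when both host and path match, and removes CRS rule 981054 for
    # this transaction only; every other host and path keeps the rule.
    SecRule REQUEST_URI "@beginsWith /report/" \
        "t:none,t:lowercase,ctl:ruleRemoveById=981054"
```

The same shape serves a shared application include: keep the host test on the first link and the application-specific ctl actions on the second, and the file can be included once, ahead of the CRS, instead of once per vhost. ctl:ruleRemoveTargetById for a single cookie or parameter follows the same placement rule.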