Dan Goldberg | 17 Dec 20:12 2014

Follow up - 413 problems continue

Hi there,
Back in October I wrote [mod-security-users] inconsistent 413 status
codes and did not receive many ideas. I have a new question in a
similar vein.

Modsecurity.conf has this:
SecRequestBodyLimit 62500
SecRequestBodyLimitAction Reject

When I upload a file greater than 62500 bytes, Modsecurity logs:
[Wed Dec 17 17:08:54 2014] [error] [client w.x.y.x] ModSecurity:
Request body (Content-Length) is larger than the configured limit
(62500). Deny with status (413) [hostname "foo.example.com"] [uri
"/documents/new"] [unique_id "foobar"]

What is the expected result at the client?
Should the client see a TCP segment with the reset bit set, or an HTTP
message with status 413? I am seeing the RESET in operation; I would
prefer to see the HTTP status message.
Any suggestions?
Thanks, Dan
-- 
Dan <at> madjic.net

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE

Morris Taylor | 16 Dec 15:48 2014

Fully whitelist an argument

Dear All,

I found this question was answered before, however the solution provided in that email thread doesn't work on my side. Therefore, I would like to post my question here and look forward to anyone's help. I will appreciate your help!

My question is that I have a WordPress site and I would like to whitelist the query made by a search action on the site. Currently, when the client tries to search for strings like "1 or 1 '--", it triggers an alert and the request is blocked. The request URI may look like the following:

"http://domain.tld/?s=1+or+1+%27--"

I tried to use SecRuleUpdateTargetByTag to whitelist the tag "WEB_ATTACK/SQL_INJECTION" but found the block still happened and was triggered by another rule:

[id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: '-- found within ARGS:s: 1 or 1 '--"]

Therefore, I would like to ask if it is possible to fully whitelist the argument by name and bypass all checking on it. Thanks for reading my question and I hope there's a solution to this problem.

--
BR, Morris
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
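Added example (not from the thread) of the two exclusion mechanisms ModSecurity 2.x offers for the case above: a per-tag and a per-id target exclusion of ARGS:s, and a runtime variant that limits the exclusion to the search URI so the parameter is still inspected everywhere else. Rule id 90001 is a placeholder; the tag and rule id are the ones quoted in the post.

```apache
# Added example, not from the original thread. ModSecurity 2.x has no single
# "ignore this argument everywhere" directive: exclusions are applied per rule
# id or per tag, so both the SQLi tag and rule 960024 (which carries a
# different tag) need an entry. SecRuleUpdateTarget* directives must come
# AFTER the CRS rules they modify have been included.

# Remove ARGS:s from every rule tagged as SQL injection (what the post tried).
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:s"

# 960024 is not tagged as SQL injection, so it kept firing after the tag
# update; give it its own exclusion.
SecRuleUpdateTargetById 960024 "!ARGS:s"

# Narrower alternative: only drop the target for requests to the site root
# whose query starts with the search parameter. REQUEST_URI includes the
# query string, so this matches "/?s=..." but not "/wp-admin/...?s=...".
# Id 90001 is a placeholder; pick one from your own range.
SecRule REQUEST_URI "@beginsWith /?s=" \
    "phase:1,id:90001,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:s,\
    ctl:ruleRemoveTargetById=960024;ARGS:s"
```

Either form leaves every other argument under full inspection; a fully whitelisted search parameter is a blind spot, so the URI-scoped variant is the one to prefer where it fits.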
Felipe Costa | 16 Dec 01:35 2014

ModSecurity version 2.9.0-RC2 announcement

Hi,

I am proud to announce our second release candidate for version 2.9.0.
The 2.9.0-RC2 contains fixes and improvements.

The source and binaries (and the respective hashes) are available at:

SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993
SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6
SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd

We would like to thank all of you who helped to test release candidate one;
you guys did a great job. Thanks!

The most important changes are listed below:

Bug fixes and improvements
==========================

* OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using
  Curl with WinSSL.
  [Gregg Smith, Steffen and ModSecurity team]
* ModSecurity now informs about external resources loaded/failed while
  reloading Apache.
  [ModSecurity team]
* Adds the missing 'ModSecurity:' prefix in some warning messages.
  [Walter Hop and ModSecurity team]
* External resource download is now more verbose, holding the message to be
  displayed until Apache is ready to write to the error_log.
  [ModSecurity team]
* The remote resource loading process now fails in case of an HTTP error.
  [Walter Hop and ModSecurity team]
* Fixed a start-up crash on Apache with mod_ssl configured. The crash was
  happening during the download of remote resources.
  [Christian Folini, Walter Hop and ModSecurity team]
* Curl is no longer a mandatory dependency of the ModSecurity core.
  [Rainer Jung and ModSecurity team]


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND



sabin ran | 8 Dec 12:06 2014

malicious file not getting blocked in upload

hi,
I'm using modsecurity_crs_46_av_scanning to scan a file with clamav when a user uploads a file. When I tested, I did get the log entry from ModSecurity telling me it's malicious, but it did not block the upload to the server. ModSecurity was running in active mode.
How can that be configured? I got the following log:

Message: Warning. File "/tmp//20141208-005725-VIVn9H8AAQEAADlz2AAAAAAG-file-pDG9cN" rejected by the approver script "/usr/share/modsecurity-crs/util/av-scanning/runav.pl": 0 clamscan: Suspect.PDF.EmbeddedExecutable-2 [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_46_av_scanning.conf"] [line "17"] [id "950115"] [msg "Virus found in uploaded file"] [severity "CRITICAL"] [tag "MALICIOUS_SOFTWARE/VIRUS"] [tag "PCI/5.1"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1418029044999223 91983157 (- - -)
Stopwatch2: 1418029044999223 91983157; combined=90317213, p1=68, p2=90317138, p3=3, p4=0, p5=4, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"

--87cb1800-J--
3,755390,"evil.pdf","<Unknown ContentType>"
Total,755390


thanks
Julius Tjaden | 5 Dec 21:58 2014

Logging but not Blocking

I have set up rules for the slowloris attack for my CentOS 6 server using mod_security. My log shows that the attack is being blocked, but when I try to reload my page while attacking the server it still hangs.

Here is the error_log:
[warn] ModSecurity: Access denied with code 400. Too many threads [255] of 100 allowed in READ state from *****  - Possible DoS Consumption Attack [Rejected]

It is clearly not blocking the attack.

here is rule:
SecConnReadStateLimit 100
SecConnWriteStateLimit 100

<IfModule reqtimeout_module>
RequestReadTimeout body=30
</IfModule>

SecRule RESPONSE_STATUS "@streq 408" "phase:5,id:'981051',t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,id:'981052',t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"

I do have reqtimeout installed too.

I am running the latest Apache 2.2 with ModSecurity 2.8.

Is there something else that needs to be fixed?
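Added example, not from the original mail: the reqtimeout block in the post bounds only the request body, while a slow-header client never finishes sending its headers, so the header phase needs its own limit. The timeout values are illustrative; the SecConn* lines are the post's own, repeated here unchanged.

```apache
# Added example, not from the original mail. Assumption: mod_reqtimeout is
# loaded (the post says it is installed).

<IfModule reqtimeout_module>
    # As posted: only the body phase is bounded. A client that dribbles in
    # request HEADERS one byte at a time is never timed out by this line.
    # RequestReadTimeout body=30

    # Corrected: 20s for the headers, extended by 1s per 500 bytes received
    # up to 40s, and the same shape for the body. Values are illustrative.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# From the post, unchanged. The limit is applied when a new connection from
# the client IP arrives; the 400 in the log goes to that new connection, and
# the connections already held open in READ state stay open until the
# per-phase read timeouts above close them.
SecConnReadStateLimit 100
SecConnWriteStateLimit 100
```

A quick sanity check is to watch the scoreboard (server-status) while testing: connections should leave the "R" state within the header timeout rather than accumulating up to the 100 limit.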
Reindl Harald | 5 Dec 16:21 2014

Autoreplies: christof.pieszkur <at> dsv-gruppe.de

*boah* - can somebody remove that address from the list before I explode
when I get a) autoreplies to list messages in general and b) multiple
replies within 24 hours

Paolo Luise | 3 Dec 15:24 2014

Modsecurity best practices

Dear All,
I'm wondering about the inheritance of ModSecurity rules between the main configuration and vhosts in an Apache multi-vhost installation.

Searching through the web, I found this old mail http://sourceforge.net/p/mod-security/mailman/message/9860367/ written some time ago by Ryan Barnett. Are these recommendations still valid, or is there something else to pay attention to?

Thank you all
Paolo


Looking For Instructions On How To Install on a Mac Mini Server

I have gone through the instructions for UNIX from the link below:


Apple has its own configuration for Apache.  I’m currently running version 2.2.26 on a Mac Mini Server running the latest version of Mavericks.  I tried to find files that contained httpd-2.2.26 and apxs and found none.

I’m really new when it comes to my knowledge of Apache other than making minor modifications in the main apache config file for Phusion Passenger located in /Library/Server/Web/Config/apache2/httpd_server_app.conf. I have also updated the virtual host configuration file to host my Ruby on Rails applications.

Has anyone on this list installed mod_security on a Mac computer?  If so I could use some help.  I have downloaded and unpacked the tar.gz file in ~/Downloads but cannot figure out how to (1) verify if I have satisfied all the prerequisites and (2) execute the following command since I cannot find this folder.

./configure --with-apxs=/path/to/httpd-2.x.y/bin/apxs

I also do not know how to get to my profile for this list.  Which link do I need to use to access my subscription profile?
Felipe Costa | 18 Nov 14:34 2014

ModSecurity version 2.9.0-RC1 released


Hi,

I am proud to announce our first release candidate for version 2.9.0.
The 2.9.0-RC1 contains fixes and new features.

The documentation is available in our wikipage:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1

SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7

We would like to thank all of you who helped out in making this release: comments,
bug reports, and pull requests.

The most important changes are listed below:

New features
============

* `pmFromFile' and `ipMatchFromFile' operators now accept HTTPS-served
  files as parameter.
* `SecRemoteRules' directive - allows you to specify an HTTPS-served file that
  may contain rules in the SecRule format to be loaded into your ModSecurity
  instance.
* `SecRemoteRulesFailAction' directive - allows you to control whether to
  Abort or just Warn when there is a problem while downloading
  rules specified with the `SecRemoteRules' directive.
* `fuzzyHash' operator - allows matching contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - makes the content of uploaded files
  available.
* InsecureNoCheckCert - option to validate or not validate a chain of SSL
  certificates on mlogc connections.

Bug fixes
=========

* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  [Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
  server signature.
  [Issues #702 - Linas and ModSecurity team]
* YAJL version is printed during ModSecurity initialization.
  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
  [Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
  [Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
  [Issue #720 - Paul Yang]
* Fixed automake scripts to not use features which will be deprecated in the
  upcoming releases of automake.
  [Issue #760 - ModSecurity team]
* apr-utils's LDFLAGS is now considered while building ModSecurity.
  [Issue #782 - Daniel J. Luke]
* IIS installer no longer considers IIS 6 as compatible.
  [Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
  [Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlogc is now forced to use TLS 1.x.
  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

Christian Folini | 18 Nov 11:29 2014

Getting my feet wet with ModSec on IIS

Hi there,

Recently I touched on a ModSec installation on IIS. This was an
interesting experience. There is very little documentation on practical
ModSec on IIS out there. So I thought I would post some insights here.
I also have two questions, which somebody might know an answer to.

There are four types of logs with ModSec in IIS.

ModSec controlled logfiles:
- debug.log
- audit.log 

IIS controlled logfile:
- Webserverlog - sort of an abbreviated access log

Windows controlled logfile:
- Eventlog - this matches the information ModSec presents in Apache's 
  error log

Now logging is the basis of tuning, and my method uses the anomaly scores
of every request as a starting point and guideline for the tuning
process (see a recent blog post on the topic:
http://www.netnea.com/cms/2014/11/18/summary-of-modsecurity-talk-owasp-ch/),
but I was not able to add the anomaly scores to IIS's version of
the access log. Is there a way to do that?

The Eventlog is helpful. Even more so as you can export it easily,
transform it a bit and you end up with a logfile, which can be handled
by standard unix scripts written to handle Apache's Error-Log.

(A sidenote: It's a good practice to push events into one of the
ModSec event consoles. But this is not how I work.)

Now the problem I encountered with the EventLog was abbreviated events
like the following:

[client 0.0.0.0:00000] ModSecurity: Warning. Pattern match
"(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor
..." at ARGS:formdata. [file "C:\/Program Files/ModSecurity
IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "245"] [id "981243"] [msg "Detects classic SQL injection
probings 2/2"] [data "Matched Data: '1.0' found within ARGS:formdata:
<xxxxPacket version='1.0'><header/><data><struct><var
name='group376'><string>0</string></var><var
name='group375'><string>0</string></var><var
name='group374'><string>0</string></var><var
name='group373'><string>0</string></var><var
name='group570'><string>0</string></var><var
name='group379'><string>0</string></var><var
name='group471'><string>0</string></var><var
name='group470'><string>0</string></var><var
name='group478'><string>0</string></var><var na..."] [severity "CR
[hostname "CHSPSR0350"] [uri
"/security/w_useredit.cfm?id=4145&tab=4"] [unique_id
"16068843472605438573"]

The funny abbreviation occurred in the severity field. CRITICAL is
abbreviated to CR. I do not know what else is missing, but the final
fields of the entry seem to be intact. Puzzled.

Is this a bug, an EventLog characteristic or something that can be 
fixed within the ModSec configuration?

My best bet on logging the anomaly scores is a phase:5 rule writing
them to the EventLog. Somehow this did not work out. The scores were
0 despite rules having triggered. This means they are initialized but
not available correctly in phase 5. Probably my mistake. But is there a
better way to achieve this?

So the two questions again:
 - Best way to log anomaly scores of every request in IIS
 - What to do about event log omissions

Ahoj,

Christian

-- 
The art of victory is learned in defeat.
-- Simón Bolívar

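Added example, not from the original mail, for the first of the two questions: a phase:5 rule that writes the final anomaly scores of every request as a warning, which ModSecurity on IIS sends to the Event Log. Assumption: CRS 2.2.x, whose inbound and outbound blocking rules copy the running scores into tx.inbound_anomaly_score and tx.outbound_anomaly_score; those are the variables the phase:5 correlation rules read, so they are the ones to log at that point. Rule ids 90010 and 90011 are placeholders.

```apache
# Added example, not from the original mail. Place AFTER the CRS includes so
# that the CRS blocking-evaluation rules have run before this fires.
# Assumption: CRS 2.2.x variable names tx.inbound_anomaly_score and
# tx.outbound_anomaly_score.

# One line per request, score 0 included, so the Event Log export can be
# fed to the same scripts used on Apache's error log.
SecAction "phase:5,id:90010,t:none,pass,log,auditlog,\
    msg:'Anomaly scores: inbound=%{TX.INBOUND_ANOMALY_SCORE} \
outbound=%{TX.OUTBOUND_ANOMALY_SCORE} uri=%{REQUEST_URI}'"

# Quieter variant for busy sites: only emit a line when something scored.
# Uncomment this and comment out 90010 if one line per request is too much.
# SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
#     "phase:5,id:90011,t:none,pass,log,auditlog,\
#     msg:'Inbound anomaly score %{TX.INBOUND_ANOMALY_SCORE} for %{REQUEST_URI}'"
```

If the logged inbound score is still 0 while CRS rules fired, check the include order first: a phase:5 rule defined before the CRS files is evaluated before the CRS phase:5 rules, but the score copy itself happens in the CRS phase:2/4 blocking rules, so 0 there points at a variable-name mismatch rather than at phase ordering.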
Ronald.Ploeger | 18 Nov 08:26 2014

Where is the raw data of an event stored in auditconsole

Hi,

On the events view of auditconsole one has the option to look at the raw ModSecurity data of an event.

I was wondering: where does auditconsole get this data from, and where does it store it?

Thanks,

Ronald

 

