Christian Folini | 18 Nov 11:29 2014

Getting my feet wet with ModSec on IIS

Hi there,

Recently I touched on a ModSec installation on IIS. This was an
interesting experience. There is very little documentation on practical
ModSec on IIS out there. So I thought I would post some insights here.
I also have two questions, which somebody might know an answer to.

There are four types of logs with ModSec in IIS.

ModSec controlled logfiles:
- debug.log
- audit.log 

IIS controlled logfile:
- Webserverlog - sort of an abbreviated access log

Windows controlled logfile:
- Eventlog - this matches the information ModSec presents in Apache's 
  error log

Now logging is the basis of tuning, and my method uses the anomaly scores
of every request as a starting point and guideline for the tuning
process (see a recent blogpost on the topic:
http://www.netnea.com/cms/2014/11/18/summary-of-modsecurity-talk-owasp-ch/),
but I was not able to add the anomaly scores to IIS's version of
the access log. Is there a way to do that?

The Eventlog is helpful. Even more so as you can export it easily,
transform it a bit and you end up with a logfile, which can be handled
by standard unix scripts written to handle Apache's Error-Log.

Ronald.Ploeger | 18 Nov 08:26 2014

Where is the raw data of an event stored in auditconsole

Hi,

on the events view of auditconsole one has the option to look at the raw ModSecurity data of an event.

I was wondering where auditconsole gets this data from / stores this data?

Thanks,

Ronald

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Abhijit Mitra | 15 Nov 21:12 2014

log entry getting truncated?

It looks like log entries get truncated? I assume there is a limit to how long they can be, which is fine, but I'd prefer it if ModSecurity wrote a message out somewhere when this happened.

Below is a (sanitized) message block from section H of my audit log, and below that is the corresponding entry in my Apache error log. At the bottom of the audit log entry is this: "[ta", which clearly was the beginning of another [tag] section.

SECTION H, AUDIT LOG:
Message: Warning. Pattern match "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" at ARGS:SAMLRequest. [file "/directoryname/mod_security2.d/rules/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: L0x6a0F found within ARGS:SAMLRequest: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovL2Nvbm5leC5jaHViYi5jb20vc2FtbC9zc28iIERlc3RpbmF0aW9uPSJodHRwczovL3BmZWQuY2h1YmIuY29tL2lkcC9TU08uc2FtbDIiIEZvcmNlQXV0aG49ImZhbHNlIiBJRD0iYTQ4ZWg3OTNnYjg1MmoxaTFiODJoNGZhYzRkN2YwMyIgSXNQYXNzaXZlPSJmYWxzZSIgSXNzdWVJbnN0YW50PSIyMDE0LTExLTEyVDE5OjQzOjI3LjcxMFoiIFBy..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [ta

APACHE ERROR LOG:
[Wed Nov 12 14:43:06 2014] [error] [client ww.xx.yy.zz] ModSecurity: Warning. Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" at ARGS:SAMLRequest. [file "/directoryname/mod_security2.d/rules/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: L0x6a0F found within ARGS:SAMLRequest: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovL2Nvbm5leC5jaHViYi5jb20vc2FtbC9zc28iIERlc3RpbmF0aW9uPSJodHRwczovL3BmZWQuY2h1YmIuY29tL2lkcC9TU08uc2FtbDIiIEZvcmNlQXV0aG49ImZhbHNlIiBJRD0iYTQ4ZWg3OTNnYjg1MmoxaTFiODJoNGZhYzRkN2YwMyIgSXNQYXNzaXZlPSJmYWxzZSIgSXNzdWVJbnN0YW50PSIyMDE0LTExLTEyVDE5OjQzOjI3LjcxMFoiIFBy..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [ta [hostname "host.company.com"] [uri "/contextroot/filename"] [unique_id "randomalphanumericstring"]

--
Abhi Mitra
GSEC, ITIL
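Christian Folini's post above (feeding exported event-log entries to scripts written for Apache's error log, and getting a per-request anomaly score out of them) and this one (spotting cut-off entries) both come down to the same job: parsing ModSecurity's alert line, which is a free-text verdict followed by a run of `[key "value"]` attributes. The script below is an added example, not code from this thread or from the ModSecurity project. Its sample lines are constructed: the first is the entry above shortened, with an example.com hostname and a made-up unique_id, the second is a CRS-style inbound anomaly summary for the same request, and the "Total Score: N" wording it looks for is an assumption modelled on the CRS 2.2.x inbound blocking rule. It collects the attributes per request, reads the inbound anomaly score when a summary line carries one, and flags an entry whose attribute list ends in a dangling opener such as `[ta`.

```python
"""Parse ModSecurity 2.x alert lines (Apache error log, or audit-log section H
without the "ModSecurity:" prefix) into per-request records.
Added example: not code from the mailing list or the ModSecurity project."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# One well-formed attribute: [key "value"]; the value may contain \" escapes.
ATTR_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')
# A dangling opener such as `[ta` with no value: the mark of a cut-off entry.
STUB_RE = re.compile(r'\[([A-Za-z_]*)(?=\s|$)')
VERDICT_RE = re.compile(r'(?:ModSecurity: |Message: )?(Warning|Access denied[^.]*)\.')
# Assumption: the CRS 2.2.x summary rule writes "Total Score: N" (or
# "Total Inbound Score: N") into its msg; adjust to the rule set in use.
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')


@dataclass
class Alert:
    verdict: str                         # "Warning" or "Access denied with code 403 (phase 1)"
    attrs: Dict[str, str]                # file, line, id, msg, data, uri, unique_id, ...
    tags: List[str] = field(default_factory=list)
    truncated_at: Optional[str] = None   # e.g. "[ta" when the entry was cut off
    inbound_score: Optional[int] = None  # from a CRS anomaly-summary msg, if present


def parse_alert(line: str) -> Alert:
    """Walk the attribute region left to right; a bracket that opens neither a
    complete attribute nor whitespace is recorded as the truncation point."""
    line = line.rstrip("\n")
    m = VERDICT_RE.search(line)
    alert = Alert(verdict=m.group(1) if m else "unknown", attrs={})
    first = ATTR_RE.search(line)   # the free-text prefix ends at the first [key "value"]
    if first is None:
        return alert
    pos = first.start()
    while pos < len(line):
        m = ATTR_RE.match(line, pos)
        if m:
            key, value = m.group(1), m.group(2).replace('\\"', '"')
            if key == "tag":
                alert.tags.append(value)
            else:
                alert.attrs[key] = value
            pos = m.end()
            continue
        m = STUB_RE.match(line, pos)
        if m:
            alert.truncated_at = m.group(0)
            pos = m.end()
            continue
        pos += 1                   # whitespace (or stray text) between attributes
    if "msg" in alert.attrs:
        s = SCORE_RE.search(alert.attrs["msg"])
        if s:
            alert.inbound_score = int(s.group(1))
    return alert


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per unique_id: the rule ids that fired, the inbound anomaly score if a
    summary line logged one, the URI, and whether any entry was cut off.
    This is the per-request view a tuning pass starts from."""
    out: Dict[str, dict] = {}
    for line in lines:
        a = parse_alert(line)
        uid = a.attrs.get("unique_id", "?")
        rec = out.setdefault(
            uid, {"ids": [], "score": None, "uri": a.attrs.get("uri"), "truncated": False})
        if "id" in a.attrs:
            rec["ids"].append(a.attrs["id"])
        if a.inbound_score is not None:
            rec["score"] = a.inbound_score
        if a.truncated_at is not None:
            rec["truncated"] = True
    return out


# Constructed sample: the entry above, shortened, with the tail Apache appends
# after the cut-off "[ta", plus a made-up CRS summary line for the same request.
SAMPLE_LINES = [
    '[Wed Nov 12 14:43:06 2014] [error] [client 192.0.2.10] ModSecurity: Warning. '
    'Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" at ARGS:SAMLRequest. '
    '[file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] '
    '[data "Matched Data: L0x6a0F found within ARGS:SAMLRequest: PD94bWwgdmVyc2lvbj0i..."] '
    '[severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [ta '
    '[hostname "host.example.com"] [uri "/contextroot/filename"] [unique_id "VGNtVgoAAQEAAFk4BOQAAAAA"]',
    '[Wed Nov 12 14:43:06 2014] [error] [client 192.0.2.10] ModSecurity: Warning. '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "/etc/modsecurity/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] '
    '[line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=0): '
    'Last Matched Message: SQL Hex Encoding Identified"] [data "Last Matched Data: L0x6a0F"] '
    '[severity "CRITICAL"] [tag "OWASP_CRS/ANOMALY/EXCEEDED"] '
    '[hostname "host.example.com"] [uri "/contextroot/filename"] [unique_id "VGNtVgoAAQEAAFk4BOQAAAAA"]',
]

if __name__ == "__main__":
    for uid, rec in summarize(SAMPLE_LINES).items():
        flag = " TRUNCATED" if rec["truncated"] else ""
        print(f'{uid} score={rec["score"]} uri={rec["uri"]} ids={",".join(rec["ids"])}{flag}')
```

Feed it the real error log (or the Windows event log export, once each event is flattened to one line) and the per-unique_id records give you the rule ids and anomaly score per request without needing the access log at all; a record with `truncated` set is one whose tag list was lost, and the rule ids and score survive because they sit before the cut.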
Robert Mark Morley | 15 Nov 18:00 2014

ipMatchFromFile vs RBL performance

Hi all,

I have an IP/CIDR blacklist of over 35,000 entries (over 500KB) and I'm currently using ipMatchFromFile.

At the moment I'm using ipMatchFromFile, but I'm wondering if it would be better to run a local (on the lan) RBL list.

Certainly it would reduce the memory footprint of Apache a bit, but how do the two options compare as far as lookup speed is concerned?

And on a related note...  when using ipMatchFromFile, will modsecurity notice a change in the data file and reload it automatically or is it necessary to restart apache?

Thanks,

Mark
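An added example, not from this thread or the ModSecurity project, showing the two options side by side for ModSecurity 2.x. It relies on two facts: `@ipMatchFromFile` reads its file when the configuration is parsed, so an edited file takes effect only after a reload or restart; and `@rbl` issues a DNS query for every request that reaches the rule, so the verdict is cached in the persistent IP collection (which needs `SecDataDir` configured). The file path, the RBL zone `rbl.internal.example`, the rule ids and the cache TTL are placeholders.

```apache
# Option 1: local file lookup. The list is loaded into memory once, when the
# rules are compiled at startup; after editing the file, run
# "apachectl graceful" (or restart) to pick up the change.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/ip-blacklist.txt" \
    "id:9001001,phase:1,t:none,log,deny,status:403,\
    msg:'Client IP in local blacklist'"

# Option 2: DNS blacklist. Each request that reaches the @rbl rule costs one
# DNS round trip, so cache the verdict per client IP and check the cache first.
# initcol needs SecDataDir for the persistent IP collection.
SecAction "id:9001002,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

SecRule IP:rbl_listed "@eq 1" \
    "id:9001003,phase:1,t:none,log,deny,status:403,\
    msg:'Client IP listed in RBL (cached verdict)'"

SecRule REMOTE_ADDR "@rbl rbl.internal.example" \
    "id:9001004,phase:1,t:none,log,deny,status:403,\
    msg:'Client IP listed in RBL',\
    setvar:ip.rbl_listed=1,expirevar:ip.rbl_listed=3600"
```

The in-memory lookup wins on latency, since nothing leaves the process; the RBL wins when the list must be shared across many servers and updated without touching their configuration. With the cache in place, only the first request from a listed address pays for the DNS round trip during the TTL.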

Winfried Neessen | 13 Nov 17:35 2014

Error parsing rule targets to append variable

Hi everyone,

I just ran into an issue with my mod_sec configuration. I've tried to exclude some
Google Analytics Cookies from being checked for XSS. I have a list of rules which
are all tagged with "Web_Attacks/XSS", so my try was to add this rule to my
exceptions config file:

## Google Analytics cookies shouldn't be blocked
SecRuleUpdateTargetByTag "Web_Attacks/XSS" !REQUEST_COOKIES_NAMES:/^(utm(?:c(?:[im]d|[st]r|c[nt])|gclid))$/

Once active, a "apachectl configtest" results in:
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable


(for each rule that is tagged with Web_Attacks/XSS)

Any idea why this is happening or what I am doing wrong?


Thanks
Winni
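An added example, not from this thread or the ModSecurity project, of the documented forms of such an exception: the target is quoted, the cookie names are matched with a regex that needs no alternation, one target per directive, and the directives sit in a file loaded after the rules they modify (in CRS 2.2.x that is `modsecurity_crs_48_local_exceptions.conf`). The tag string is the one CRS 2.2.x uses for its XSS rules, whose target lists already carry `!REQUEST_COOKIES:/__utm/`; the cookie-name pattern, the rule id in the per-rule form and the application path are assumptions for illustration.

```apache
## Google Analytics cookies shouldn't be checked by the XSS rules.
## Exception directives must be loaded after the rules they modify.
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES:/^__utm[a-z]$/"
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES_NAMES:/^__utm[a-z]$/"

## Same exclusion for a single rule (the rule id is a placeholder).
SecRuleUpdateTargetById 973300 "!REQUEST_COOKIES:/^__utm[a-z]$/"

## Same exclusion decided per request, for one application only
## (ctl:ruleRemoveTargetByTag, ModSecurity 2.7 and later; no "!" here,
## the ctl action names the target to remove).
SecRule REQUEST_URI "@beginsWith /app/" \
    "id:9001010,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=WEB_ATTACK/XSS;REQUEST_COOKIES:/^__utm[a-z]$/"
```

Run `apachectl configtest` after adding the file; a target that ModSecurity cannot parse is reported once per rule carrying the tag, exactly as in the output above, so a clean configtest is the check that the exception was accepted.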
Ronald.Ploeger | 10 Nov 12:37 2014

AuditConsole TX:ANOMALY_SCORE is always -1

Hi,

I have already tried this question on the AuditConsole Mailing List, but maybe the audience here is bigger:

I am using AuditConsole Version 0.4.6-13 and I am wondering why the TX:ANOMALY_SCORE is always -1.

Is there anything I have to configure? Any hint is appreciated.

Thanks and best regards,

Ronald

donnanian | 6 Nov 00:30 2014

Upgrading ModSecurity

Hello,

I installed mod security from source on my server and I would like to upgrade to the latest version. 

Do I have to uninstall (remove) the previous version first before upgrading to the latest? If so, what would be the best way to uninstall?

Thank you.
Christopher Stanley | 5 Nov 18:33 2014

PCRE Compiled Version less than Loaded Version

Hey,

I am getting a warning about:
[notice] ModSecurity: PCRE compiled version="4.5 "; loaded version="5.0 13-Sep-2004"

What is the best course of action? Should I install PCRE 8? Can PCRE 8 even be compatible with RHEL4?

I just don't see how the loaded version could be greater than the compiled version, unless the loaded version is what ModSecurity was compiled with, and the compiled version is the library that is installed on the system.

I just want to see what your suggestions would be on the matter.

Thanks again.
Ewald Dieterich | 4 Nov 15:36 2014

Rule 960016 leads to 413 instead of 403

I'm using modsecurity 2.8.0 with Apache httpd 2.4.10 and CRS 2.2.9 on 
Debian unstable.

When I send a POST request with an invalid Content-Length header, rule 
960016 triggers as expected. Here's the log entry (it's the only log 
entry created for that request):

[...] ModSecurity: Access denied with code 403 (phase 1). Match of "rx 
^\\\\d+$" against "REQUEST_HEADERS:Content-Length" required. [...] [id 
"960016"] [...]

But other than stated in the log entry, the request leads to a 413 
instead of the expected 403:

$ curl -i -d "param1=value1" -H "Content-Length: a" 
http://localhost/post/show.php
HTTP/1.1 413 Request Entity Too Large
[...]

For testing purposes I removed the regex negation from rule 960016 (note 
the missing ! in front of the regex):

SecRule REQUEST_HEADERS:Content-Length "^\d+$" \

Now every request with a valid Content-Length header is blocked, this 
time with the expected 403:

$ curl -i -d "param1=value1" http://localhost/post/show.php
HTTP/1.1 403 Forbidden

What's so special about the regex negation that the first request is not 
blocked correctly?


Ayhan Soner Koca | 4 Nov 04:50 2014

Activating individual rules after deactivating a group of rules with SecRuleRemoveByTag does not work

Hi list,

I try to activate some rules after deactivating a group of rules with
SecRuleRemoveByTag, but it seems not to work.

modsecurity_crs_48_local_exceptions.conf:

# Disable entire group of rules based on WEB_ATTACK/SQL_INJECTION tag data
SecRuleRemoveByTag "WEB_ATTACK/SQL_INJECTION"

#Activate some sqli rules
SecRuleUpdateActionByID 981272 "pass,ctl:RuleEngine=On"
SecRuleUpdateActionByID 981244 "pass,ctl:RuleEngine=On"

Is there another way to disable a group of rules and then activate
individual rules? Does anyone have a suggestion?

Regards

Ayhan


Reindl Harald | 3 Nov 21:48 2014

Re: UNSUBSCRIBE


On 03.11.2014 at 21:17, ➠Dave Roe ►Direct 202-369-1455 wrote:
> UNSUBSCRIBE
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

What about clicking on the link in the list footer?

