Søren Christian Aarup | 26 May 14:53 2015

Whitelisting

Hi guys.

Shouldn't I be able to whitelist this:

2015/05/22 14:28:19 [error] 22629#0: [client 192.168.11.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at XML. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "1605"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: : found within XML: SetReadState2015-05-22T12:00:54Ztrue"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "test.waf.ru"] [uri "/owa/ev.Owa"] [unique_id "AcAcncAcvcAcAcMcAcScAwAg"]

With this:

SecRuleUpdateTargetById 981173 !XML:/^SetReadState/

?

All I get is:
"XPath error : Invalid expression
/^SetReadState/"


Kind regards / Regards

Søren Christian Aarup
DBA/System Administrator

LinkedIn: www.linkedin.com/in/aarup
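Added example, not from the post: a Python replica of rule 981173's pattern run over the text content of a constructed request body that reproduces the logged matched data, showing that the four counted characters are the timestamp's two hyphens and two colons. (The XML target takes an XPath expression, which is why the XPath parser rejects the regex-style `/^SetReadState/`.)

```python
import re
import xml.etree.ElementTree as ET

# Pattern of CRS 2.2.9 rule 981173 as quoted in the log line, in Python re syntax
# (the escaped characters of the original collapsed into one character class).
RULE_981173 = re.compile(r"""([~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>].*?){4,}""")
SPECIAL = set("~!@#$%^&*()-+={}[]|:;\"'´’‘`<>")

# Constructed request body: ModSecurity's XML:/* target hands the rule the
# concatenated text nodes, which is the "Matched Data" shown in the log.
SAMPLE_XML = (
    "<Request><Action>SetReadState</Action>"
    "<Time>2015-05-22T12:00:54Z</Time><Read>true</Read></Request>"
)


def xml_text_content(document):
    """Concatenate all text nodes, the way the matched data appears in the log."""
    root = ET.fromstring(document)
    return "".join(root.itertext())


def special_chars(text):
    """The characters rule 981173 counts in this text, in order."""
    return [c for c in text if c in SPECIAL]


def rule_981173_matches(text):
    """True when four or more counted characters occur (the rule's {4,} quantifier)."""
    return RULE_981173.search(text) is not None
```

An ISO-8601 timestamp alone contributes four counted characters, so any XML body carrying one trips this rule regardless of the rest of its content.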
 

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Dg Sdfg | 25 May 12:06 2015

How to log the client IP on ModSecurity!

Hi everyone!
I have a lab: Client ---> HAProxy --> (ModSecurity & WebServer (Apache))
I configured HAProxy with "option http-server-close" and "option forwardfor".
On the web server, I've configured https.conf with "LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common"
The common log on Apache correctly shows the clients' IPs.
But the ModSecurity log shows HAProxy's IP. How can I change it so that ModSecurity logs the clients' IPs?
My modsecurity.conf:
##############
SecAuditLogType Concurrent
SecAuditLogParts ABIDEFGHZ
SecAuditLog /var/log/httpd/modsec_audit.log
##############
Thanks all.
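Added example, not from the post, assuming 10.0.0.5 is the HAProxy address: a Python parser that takes a constructed ModSecurity audit log entry and recovers the client address from X-Forwarded-For, trusting that header only when the connection came from the proxy and reading it right to left so a client-supplied value cannot spoof the result.

```python
import ipaddress
import re

# Constructed ModSecurity 2.x audit log entry (not from the original post).
# Part A: "[timestamp] unique_id source_ip source_port dest_ip dest_port";
# the source IP is the HAProxy box, as in the poster's setup.
SAMPLE_ENTRY = """--3f1c2a9b-A--
[25/May/2015:12:01:33 +0000] VWMNbX8AAQEAAFhKJQYAAAAA 10.0.0.5 51234 10.0.0.10 80
--3f1c2a9b-B--
GET /index.php?id=1 HTTP/1.1
Host: lab.example
X-Forwarded-For: 198.51.100.23, 203.0.113.7
User-Agent: curl/7.38.0

--3f1c2a9b-Z--
"""

# Addresses allowed to set X-Forwarded-For (assumed HAProxy address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$"
)


def split_sections(entry):
    """Return {part letter: body} for one audit log entry."""
    sections = {}
    marks = list(SECTION_RE.finditer(entry))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        sections[m.group(2)] = entry[m.end():end].strip("\n")
    return sections


def parse_headers(part_b):
    """Request headers from part B (its first line is the request line)."""
    headers = {}
    for line in part_b.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def client_ip(entry):
    """Client address: X-Forwarded-For is read right to left, skipping trusted proxies."""
    sections = split_sections(entry)
    src = ipaddress.ip_address(PART_A_RE.match(sections["A"]).group("src"))
    if src not in TRUSTED_PROXIES:
        return str(src)  # direct connection: the header is untrusted input, ignore it
    xff = parse_headers(sections.get("B", "")).get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):  # HAProxy appends the peer it saw at the end
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(src)  # malformed hop: fall back to the connecting address
        if ip not in TRUSTED_PROXIES:
            return str(ip)  # 198.51.100.23 in the sample is a client-supplied claim
    return str(src)
```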
Ehsan Mahdavi | 25 May 08:02 2015

Problem using nginx and mlogc

Hi all

Migrating from Apache to nginx, I am experiencing some problems. One of them is that I can't use mlogc as a piped command in the SecAuditLog directive like this:

SecAuditLog "|/path/to/mlogc     /path/to/mlogc.conf"
The error is like this: ModSecurity: Failed to open the audit log pipe: /path/to/mlogc     /path/to/mlogc.conf

I am aware of mlogc-batch-load.pl and I think I must somehow utilize it.
What is the exact way of using mlogc in nginx?

P.S.: I am using ModSecurity 2.9.0 and nginx/1.6.3.

--
                    regards
                 Ehsan.Mahdavi

Phil Daws | 24 May 11:56 2015

ModSecurity 2.9.0-refactor and NGINX 1.9.0

Hello all:

Have been experimenting with ModSec and NGINX, instead of using Mod and Apache, for hosting my WordPress
site but having real issues with performance.  Under Apache the site works fine, but as soon as I switch to
NGINX the dashboard becomes completely unusable and I end up with 500 errors and constant timeouts.
Have even tried to disable NGINX for that area using:

location /wp-admin/ {
        ModSecurityEnabled off;
}

but that makes very little difference at all.  Any thoughts as to why? This is what I have in modsecurity.conf:

SecRuleEngine On
SecStatusEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature NGINX
SecComponentSignature 200911012341
SecUploadDir /var/cache/modsecurity/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLog /var/log/nginx/audit_log
SecAuditLogParts ABIFHKZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/cache/modsecurity/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/cache/modsecurity/audit
SecResponseBodyLimitAction ProcessPartial
SecRequestBodyLimit 134217728
SecConnReadStateLimit 8096
SecConnWriteStateLimit 8096
SecRequestBodyNoFilesLimit 1048576
SecRequestBodyInMemoryLimit 131072
SecAuditLogDirMode 0770
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
SecInterceptOnError on
SecResponseBodyAccess on

Include modsecurity.d/modsecurity_rules.conf

Thanks, Phil


Williams, David A. | 22 May 19:06 2015

cleaning cookies

We're seeing many SQL Inject rules triggered by cookies, often cookies we don't set or need.  For the
cookies we do need, we're tuning the rules to allow those cookies through.  The deeper I look into this the
odder it seems.  We're seeing many cookies presented that we don't need or use and they often have "fishy"
content.  Rather than blocking those users, I'd like to mask that content from our servers.
Before I go too far down a dead-end path: can I use rsub on headers or only on body content?  And more importantly,
is there a better way to address this situation?  Any prefab rules to drop selected cookies or their payload
from the request?
Thanks for any help or pointers you can offer,
-David

--------------
David Williams
Chief, Website Management Branch
Information Management Services
U.S. Patent & Trademark Office
U.S. Department of Commerce
Madison West, 4D35
Alexandria, VA 22314
1-571-272-3877
david.williams <at> uspto.gov


Jason Haar | 17 May 22:49 2015

howto add geoip and rbl results to headers?

Hi there

I want to enable the geoip and rbl lookups on our modsecurity server and,
instead of blocking, make their results known to any backend servers by
putting their values into X-WAF-XXXX HTTP headers. I'm afraid I haven't
played with modsecurity for several years and I can't figure out how to
do this. I found Google references for blocking, but not for tagging.

Can anyone help me out please? :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Ehsan Mahdavi | 16 May 07:54 2015

Problem using mlogc with Nginx

Hi all

Migrating from Apache to nginx, I am experiencing some problems. One of them is that I can't use mlogc as a piped command in the SecAuditLog directive like this:

SecAuditLog "|/path/to/mlogc     /path/to/mlogc.conf"
The error is like this: ModSecurity: Failed to open the audit log pipe: /path/to/mlogc     /path/to/mlogc.conf

I am aware of mlogc-batch-load.pl and I think I must somehow utilize it.
What is the exact way of using mlogc in nginx?

P.S.: I am using ModSecurity 2.9.0 and nginx/1.6.3.


--
                    regards
                 Ehsan.Mahdavi

J son | 15 May 17:58 2015

Outbound rules not working


Hi all

I am running Ubuntu 14.04 and carried out a vanilla install of modsec through apt-get.  I have activated all the base-rules.  It is in detection only mode and I have chosen Anomaly scoring.

I have made minimal changes to the vanilla install which are:

in /etc/modsecurity/modsecurity.conf
- SecAuditLogType Concurrent
in /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
- SecDefaultAction "phase:2,pass,log"

The website is internal and vulnerable while we test out ModSec.  This setup works well on many counts.  I get modsec alerts in error.log such as SQL Injection and Remote File Access attempt.  These alerts are Inbound alerts followed by a Correlated alert.

However I never get any Outbound alerts (leaked data etc).  Do I have to do something special to enable outbound rules or data processing?

I have checked and "SecResponseBodyAccess On" is set in modsecurity.conf
modsecurity_crs_50_outbound.conf & modsecurity_crs_59_outbound_blocking.conf are activated rules.

I think ModSec is great - thanks to all the contributors.  Regards

Jay
Ehsan Mahdavi | 13 May 14:28 2015

Which content types are available?

Hi all

I need to know the exact and complete list of content types that might be used with tx.allowed_request_content_type in the CRS.

P.S. : SecAction id: 900012

--
                    regards
                 Ehsan.Mahdavi

Søren Christian Aarup | 11 May 14:46 2015

Sanitising

Hi all.

The following is returned from my upstreams upon a POST request, and it contains card data which I want to sanitise from the audit log.

<input type="hidden" name="cardno" value="XXXXXXXXXXXXXXXX" ...

How would you do that? I have looked at sanitiseMatchedBytes, but that is a regular expression on a variable (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseMatchedBytes) – which variable is that?


Kind regards / Regards

Søren Christian Aarup
DBA/System Administrator

LinkedIn: www.linkedin.com/in/aarup
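Added example, not the poster's setup: Python masking of the cardno value in a constructed response body, keeping the first six and last four digits (sanitiseMatchedBytes can likewise keep a number of leading and trailing bytes) and masking only values that pass a Luhn check so other digit runs are left intact.

```python
import re

# Constructed response fragment shaped like the one in the post (no real card data;
# 4111111111111111 is a well-known test number, 1234567890123456 fails Luhn).
SAMPLE_BODY = (
    '<form method="post"><input type="hidden" name="cardno" value="4111111111111111">'
    '<input type="hidden" name="order" value="1234567890123">'
    '<input type="hidden" name="cardno" value="1234567890123456"></form>'
)

# The hidden field from the post, with the digit run captured on its own.
CARD_FIELD_RE = re.compile(r'(name="cardno"\s+value=")(\d{12,19})(")')


def luhn_ok(digits):
    """Luhn checksum, so arbitrary digit runs (order ids, timestamps) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_number(number, keep_start=6, keep_end=4):
    """Replace the middle of the PAN with asterisks, keeping leading/trailing digits."""
    if len(number) <= keep_start + keep_end:
        return "*" * len(number)
    hidden = len(number) - keep_start - keep_end
    return number[:keep_start] + "*" * hidden + number[-keep_end:]


def sanitise_card_fields(body, keep_start=6, keep_end=4):
    """Audit-log copy of the response body with Luhn-valid cardno values masked."""
    def repl(m):
        if not luhn_ok(m.group(2)):
            return m.group(0)
        return m.group(1) + mask_number(m.group(2), keep_start, keep_end) + m.group(3)
    return CARD_FIELD_RE.sub(repl, body)
```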
 

Piyush Misra | 10 May 01:52 2015

New to mod security. Experiencing issues with ModSecurity and Nginx Config

Hello Team,

I have installed Modsecurity and Nginx in a box using the following method
1. git clone git://github.com/SpiderLabs/ModSecurity.git
2. cd mod_security
3. ./autogen.sh
4. ./configure --enable-standalone-module --disable-mlogc
5. make
-----------(No Errors)
wget http://www.nginx.org/download/nginx-1.8.0.tar.gz
tar -xvpzf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --add-module=../mod_security/nginx/modsecurity --with-http_ssl_module
make
make install
--------(No Errors)

My Nginx.conf file contents are as below:
server {
listen 80;
server_name xx.yy.com;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
ModSecurityEnabled on;
ModSecurityConfig /usr/local/nginx/conf/modsecurity.conf;
root html;
index index.html index.htm;
proxy_pass http://mysite.mydomain.com:8080;
}
}
When I start my nginx server and open xx.yy.com in a browser, it gives me the following response:
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

The error log just says:
2015/05/08 00:32:04 [alert] 27771#0: worker process 27772 exited on signal 11
2015/05/08 00:32:04 [alert] 27771#0: worker process 27773 exited on signal 11
2015/05/08 00:56:11 [alert] 27771#0: worker process 27774 exited on signal 11

Whereas if I write ModSecurityEnabled off;
everything works fine.

I have a simple setup for testing this.
In one box I have nginx+modsecurity > haproxy > webserver 1 and webserver 2
webserver 1 and 2 contains apache serving a simple html file which outputs to browser a text being "Server 1" or "Server 2"


Could you please help me out in this? As this is urgent to test this for my project work.

Thanks,

Piyush


