Ben Turner | 22 May 2013 13:56

Modsec Install Help and Automation for IIS

Hi Folks,

I'm pretty new to this, so please excuse these basic questions.

I've installed version 2.7.3 on a Windows 2012 Server running IIS. I'm using wget to download the files as such:

$ wget -U "account and licencedetails)" --no-check-certificate https://www.modsecurity.org/autoupdate/repository/modsecurity-slr/slr_vuln_latest/slr_vuln_latest_1.0.0.zip -O slr_vuln_latest_1.0.0.zip

Could anyone advise or point me in the right direction/docs for these:

1. Where I should actually put the rules when I have finished downloading them

2. I see in the readme it says that once installed it will be active for all websites unless you remove it. How do I verify the installation has succeeded and it is actually working?

Cheers,

Ben
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Thomas Eckert | 21 May 2013 15:36

Basic question regarding usage

Hi folks,

I'm pretty new to this, so please excuse my question about basics. Some time ago I finished upgrading my test system from 2.5.12 to 2.7.3 along with a CRS upgrade from 2.0.6 to 2.2.7. Aside from the unnerving "rule has no ID" issue it went smoothly, but now I'm facing unexpected behaviour. Instead of blocking simple XSS and SQL injection attacks, mod_security will only complain about them in the logs but let the attacks themselves pass.

For example, I can see the following in the logs (this is only the last reported match, there's plenty more):

[Tue May 21 15:22:18.235587 2013] [:error] [pid 16304:tid 1194236784] [client 10.10.10.10] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\'\\" ])|(in)).+?\\\\(.*?\\\\))" at ARGS:field1. [file "/apache/conf/My.rules"] [line "187"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22/\\x22 onclick=\\x22alert('sample XSS attack') found within ARGS:field1: <a href=\\x22/\\x22 onclick=\\x22alert('sample XSS attack')\\x22>click me</a>"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "mytest.local"] [uri "/php/echo_form.php"] [unique_id "UZt1CgoIEYIAAD <at> w0Y8AAAAx"]

This "worked" before (meaning it got blocked correctly), so I guess I forgot to adapt some configuration to match the upgrade to 2.7.3. Likely some variables/config data are not initialized properly - maybe some threshold concerning the anomaly score?

Would someone please point me at the right place to read about this stuff? As stated, I'm new to this and don't know where to start.

Thanks in advance!

Cheers,
  Thomas
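
The log line quoted in the post above begins with "ModSecurity: Warning." rather than "ModSecurity: Access denied ...", which is the difference between a rule that only logged its match and a rule that blocked. The following is an added example (my own Python, not code from the thread or from the ModSecurity project): it parses ModSecurity 2.x error-log lines into their [key "value"] fields, separates warnings from denials, and tallies hits and denials per rule id, so the error log itself shows whether any rule ever issued a deny. The two sample lines are constructed, modelled on the line in the post; the second line, its rule id 999001 and its message wording are assumptions, not real CRS output.

```python
import re

# One [key "value"] pair as ModSecurity 2.x writes it into the Apache error log.
# Values are double-quoted; a backslash-escaped quote inside the value is allowed.
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# The text right after "ModSecurity: " is the verdict of the rule that fired:
# "Warning." means the rule only logged (e.g. a CRS rule that merely raises
# TX:anomaly_score); "Access denied with code N (phase P)." means it blocked.
# Other deny forms (redirect, connection close) are not handled here.
_VERDICT = re.compile(
    r'ModSecurity: (Warning\.|Access denied with code (\d+) \(phase (\d)\)\.)')


def parse_modsec_line(line):
    """Parse one error-log line into a dict, or return None for non-ModSecurity lines.

    Keys: blocked (bool), status (int or None), phase (int or None), tags (list),
    plus every other [key "value"] field (id, msg, uri, file, line, ...) as strings.
    """
    m = _VERDICT.search(line)
    if m is None:
        return None
    rec = {
        "blocked": m.group(1) != "Warning.",
        "status": int(m.group(2)) if m.group(2) else None,
        "phase": int(m.group(3)) if m.group(3) else None,
        "tags": [],
    }
    # Only scan after the verdict, so [pid ...] and [client ...] are not taken for fields.
    for key, value in _FIELD.findall(line[m.end():]):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value
    return rec


def summarize(lines):
    """Count hits and actual denials per rule id; the result shows at a glance
    whether a ruleset is blocking or only reporting."""
    per_rule = {}
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None:
            continue
        entry = per_rule.setdefault(
            rec.get("id"), {"hits": 0, "blocked": 0, "msg": rec.get("msg")})
        entry["hits"] += 1
        entry["blocked"] += int(rec["blocked"])
    return per_rule


# Constructed sample lines (not real log output), modelled on the line in the post.
SAMPLE_LOG = [
    # A CRS rule that matched but only warned: it raised the anomaly score, nothing more.
    '[Tue May 21 15:22:18.235587 2013] [:error] [pid 16304:tid 1194236784] [client 10.10.10.10] '
    'ModSecurity: Warning. Pattern match "(?i:alert\\()" at ARGS:field1. '
    '[file "/apache/conf/My.rules"] [line "187"] [id "973335"] [rev "2"] '
    '[msg "IE XSS Filters - Attack Detected."] [data "Matched Data: alert(\'x\') found within ARGS:field1"] '
    '[ver "OWASP_CRS/2.2.7"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "OWASP_TOP_10/A2"] '
    '[hostname "mytest.local"] [uri "/php/echo_form.php"] [unique_id "constructed-1"]',
    # A hypothetical anomaly-score evaluation rule (assumed id 999001) actually denying the request.
    '[Tue May 21 15:22:18.236001 2013] [:error] [pid 16304:tid 1194236784] [client 10.10.10.10] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/apache/conf/My.rules"] [line "40"] [id "999001"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 20): Last Matched Message: IE XSS Filters - Attack Detected."] '
    '[hostname "mytest.local"] [uri "/php/echo_form.php"] [unique_id "constructed-2"]',
]

if __name__ == "__main__":
    for rule_id, entry in summarize(SAMPLE_LOG).items():
        print(f'rule {rule_id}: {entry["hits"]} hit(s), {entry["blocked"]} denial(s): {entry["msg"]}')
```

Run over a real error log (one line per list element), a summary in which every rule shows zero denials means no rule ever fired a disruptive action, which points at the engine mode or at the rule that is supposed to evaluate the score rather than at the individual detection rules.
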
Christian Folini | 21 May 2013 15:17

Re: Issue with TX macro expansion in SecRule regexes

Hello,

There has not been any feedback on this subject. I have looked into the
documentation again and thought I would provide some additional
information so the next person stumbling over this issue might at least
find something on google.

The Changelog lists "Added support to macro expansion for rx
operator." for 2.6.2-rc1.

The Reference Guide says
"You cannot use macro expansion for operators that are "compiled" such
as @pm, @rx, etc. as these operators have their values fixed at
configure time for efficiency."

That looks like a contradiction to me.

In my previous message, I noted that the core rules use macro expansion in
the operator part of the SecRule statement. Actually modsecurity_crs_30_http_policy.conf
only uses the TX macro expansion together with @within, which is
advertised in the Reference Guide under Macro Expansion.

The initial issue persists though. This works:
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookielist}"   "phase:3,id:2,t:none,pass,log,msg:'HIT'"

This does not work:
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "(%{tx.cookielist})"   "phase:3,id:2,t:none,pass,log,msg:'HIT'"

Now is the changelog wrong, the documentation or my reasoning?

Cheers,

Christian

On Fri, May 10, 2013 at 10:47:31AM +0000, christian.folini <at> post.ch wrote:
> Hi there,
> 
> ModSec 2.6.2 introduced macro expansion for SecRule regex matches. This is not really documented
> in the handbook, but it works and the core rules make good use of the feature. However, I hit a dead end, when
> trying to extend the regex containing
> the macro. First it works, but as soon as I introduce brackets, the regex is being escaped in an
> undesired way.
> 
> My whole plan may sound crazy, but actually, it's not that queer. Let's build it up step
> by step:
> 
> Step 1 :
> The problem only occurs if we use macro expansion. The following works just fine, of course:
> SecRule RESPONSE_HEADERS:/Set-Cookie/ "(cookie1|cookie2)"   "phase:3,id:2,t:none,pass,log,msg:'HIT'"
> 
> Debug log:
> ... Executing operator "rx" with param "(cookie1|cookie2)" against RESPONSE_HEADERS:Set-Cookie.
> 
> Step 2 :
> Now let's introduce a simple macro expansion with a pipe character. Still works.
> SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
> SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookielist}"   "phase:3,id:2,t:none,pass,log,msg:'HIT'"
> 
> The debug log documents the macro expansion and escaping as follows:
> ... Executing operator "rx" with param "%{tx.cookielist}" against RESPONSE_HEADERS:Set-Cookie.
> ...
> ... Resolved macro %{tx.cookielist} to: cookie1|cookie2
> ... Escaping pattern [cookie1|cookie2]
> 
> Step 3 :
> However, if we introduce brackets in the regex, they get escaped and the whole fun is thus spoiled
> SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
> SecRule RESPONSE_HEADERS:/Set-Cookie/ "(%{tx.cookielist})"   "phase:3,id:2,t:none,pass,log,msg:'HIT'"
> 
> Debug log:
> ... Executing operator "rx" with param "(%{tx.cookielist})" against RESPONSE_HEADERS:Set-Cookie.
> ...
> ... Resolved macro %{tx.cookielist} to: cookie1|cookie2
> ... Escaping pattern [\(cookie1|cookie2\)]
> 
> 
> Maybe my brain is playing tricks on me or the problem is not within ModSec but
> in pcre. But when looking through the O'Reilly book I did not find an answer
> and playing around with more obscure things like regex modifiers only meant that the
> modifier would be escaped too. So I am at a loss here. If one would be able to
> suppress that escaping function, it might work out.
> 
> Has anybody tried this before or can somebody think of a trick to make it work?
> 
> Regs,
> 
> Christian
> 
> 
> 
> Christian Folini
> Unix Engineer, Apache Security Specialist
> 
> Die Schweizerische Post
> Services
> Informationstechnologie
> Betrieb, IT 222 extern
> Webergutstrasse 12
> 3030 Bern (Zollikofen)
> Mobile +41 79 300 32 03
> E-Mail: christian.folini <at> post.ch<http://folini.tikon.ch>
> Internet: http://www.post.ch / http://folini.tikon.ch
> 

-- 
Christian Folini - <christian.folini <at> netnea.com>

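
As an added illustration of the thread above (my own Python, not code from the thread or from ModSecurity), the two operator parameters that the debug log reports for step 1 and step 3 are run against a few constructed Set-Cookie values with Python's re module, which agrees with PCRE for patterns this simple. Escaping the brackets turns the one alternation group into two literal alternatives, "\(cookie1" and "cookie2\)", so neither cookie name matches any more; alternatives() splits a pattern on its top-level "|" to make that regrouping visible. It assumes the debug-log text is exactly what ModSecurity compiled.

```python
import re

# Operator parameters exactly as the debug log in the thread reports them after
# macro resolution: the literal pattern from step 1 and the escaped result of step 3.
LITERAL_PATTERN = r"(cookie1|cookie2)"
ESCAPED_PATTERN = r"\(cookie1|cookie2\)"

# Constructed Set-Cookie header values (not taken from the thread).
SET_COOKIE_HEADERS = [
    "cookie1=abc; Path=/; HttpOnly",
    "cookie2=def; Path=/; Secure",
    "session=xyz; Path=/",
]


def matching_headers(pattern, headers):
    """Return the header values the pattern matches anywhere, as @rx would."""
    rx = re.compile(pattern)
    return [h for h in headers if rx.search(h)]


def alternatives(pattern):
    """Split a regex on its top-level '|' characters.

    Unescaped parentheses open and close groups; backslash-escaped ones are
    literals, so in the escaped pattern the '|' sits at top level and the
    pattern means "(cookie1" OR "cookie2)". Character classes are not handled;
    the patterns in the thread contain none.
    """
    out, buf, depth, i = [], "", 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):  # keep the escape with its character
            buf += pattern[i:i + 2]
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        if c == "|" and depth == 0:
            out.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    out.append(buf)
    return out


if __name__ == "__main__":
    for name, pattern in (("literal", LITERAL_PATTERN), ("escaped", ESCAPED_PATTERN)):
        print(f"{name:8} {pattern!r:24} alternatives={alternatives(pattern)} "
              f"matches={matching_headers(pattern, SET_COOKIE_HEADERS)}")
```

The escaped pattern is not a broken regex, it is a valid one that asks for a different string, which is why nothing in the debug log flags an error while the rule silently stops matching.
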

Daniel Devine | 20 May 2013 05:45

Nginx Configuration (confusion, observations)

Greetings,

I have very little (none) experience with ModSecurity but I decided I 
want to use it to protect my ownCloud instance. I have successfully 
installed 2.7.3 on CentOS 6 with Nginx 1.0.15 (old!) - and I've made an 
RPM package which I plan to get into EPEL once I have successfully 
gotten ModSecurity working for the task at hand. It looks like I have 
gotten ModSecurity *running* in DetectionOnly mode with the OWASP rule 
set.

Observations:
  * It was not clear that you must "Include" the rules from *within* 
modsecurity.conf for Nginx.
  * ModSecurity's "Include" != Nginx's "include". The ModSecurity 
directives are not parsed by Nginx (and so don't need ";" termination).
  * The documentation seems to assume that you are using ModSecurity on 
all of your virtual-hosts and thus refers to putting the 
ModSecurityConfig directive in nginx.conf rather than in a specific 
virtual host ("server" block). For use in a virtual hosting setup I 
assume you should create a separate modsecurity.conf for each virtual 
host - as you will have different rule sets for different applications 
right?

Also, as a note, if you are creating a package for ModSecurity with 
Nginx you probably can't run "make install" - but rather you need to run 
"make install-exec-hook" to activate the target that puts extra 
configuration into nginx/modsecurity/config so that compilation doesn't 
fail on some lua related errors. This took me all day to work out so I 
thought I'd mention it publicly.

Are any of these assumptions/observations incorrect? Does anybody have 
something to add?

I understand the Nginx port is quite new, so it's not surprising that 
the documentation is near non-existent.

-- 
Daniel Devine


Avi Rosenblatt | 19 May 2013 11:08

log analysis tools

Hi,
I'm looking for a good tool to analyze modsecurity concurrent audit logs. Any recommendations? It would be
nice if it had a GUI and/or graphing abilities.

Thanx
Avi

Sushant Vengurlekar | 16 May 2013 20:18

IP Bypass for Mod security 2.7.3

I am trying to bypass one IP for a website from modsecurity ruleset.

I used this syntax for bypassing the IP
SecRule REMOTE_ADDR "@ipMatch 64.58.154.194,107.9.211.160" "phase:1,pass,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:123412345653451"

But I still get forbidden error.

I tried a couple of the alternatives below but am still getting forbidden.
SecRule REMOTE_ADDR "^64\.58\.154\.194$" "allow,ctl:ruleEngine=off,id:123412345653451"

SecRule REMOTE_ADDR "^64.58.154.194$" "phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"

SecRule REMOTE_ADDR "^64\.58\.154\.194$" "phase:1,log,pass,ctl:ruleEngine=Off,id:'991045'"


Todd Roseman | 16 May 2013 20:34

use MODSEC_ENABLE with mod_rewrite?

Hi,

I'm trying to use the environment variable MODSEC_ENABLE to turn off mod_security with certain query parameters.

Here's the apache rewrite rules (in a vhost section):
RewriteCond %{QUERY_STRING} payment_method\=os_paypal [NC]
RewriteRule ^/index.php$ - [env=MODSEC_ENABLE:off]

But I get a 406 error and see that mod_security is blocking when I send this: DOMAIN.TLD/index.php?payment_method=os_paypal%%%

With the rewrite log on, Apache shows the rule matching and shows the environment variable being set.

Any ideas why mod_security is ignoring the environment variable? Is it an order of processing thing?

Is there a way to test a query string in httpd.conf and disable a rule using SecRuleRemoveById?

thanks!

---------------------------------------------------------------

Using: ModSecurity for Apache/2.7.3; OWASP_CRS/2.2.7.

rewrite log:

192.168.1.2 - - [16/May/2013:11:32:05 --0600] [www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (3) applying pattern '^/index.php$' to uri '/index.php'

192.168.1.2 - - [16/May/2013:11:32:05 --0600] [www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (4) RewriteCond: input='payment_method=os_paypal%%%' pattern='payment_method\=os_paypal' [NC] => matched

192.168.1.2 - - [16/May/2013:11:32:05 --0600] [www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (5) setting env variable 'MODSEC_ENABLE' to 'off'

192.168.1.2 - - [16/May/2013:11:32:05 --0600] [www.DOMAIN.TLD/sid#2497428][rid#b737b860/initial] (1) pass through /index.php


Ryan Barnett | 14 May 2013 22:50

Re: Automated Updates for Windows


From: Ben Turner <benjamesturner <at> gmail.com>
Date: Tuesday, May 14, 2013 4:42 PM
To: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Subject: [mod-security-users] Automated Updates for Windows

Hi there,

Can anyone help me with the steps to enable automated updates to ModSec Rules from Trustwave Spiderlabs? 

Ben – have you purchased license(s) for the commercial rules?  The FAQ is here - https://www.trustwave.com/modsecurity-rules-support.php and the Shopping Cart here - https://ssl.trustwave.com/web-application-firewall.  After you purchase the rules, you will be given your license key data and information on how to access our rules repository site.



Also is anyone successfully running modsec on Windows server 2012?


Thanks,
Ryan


Thanks,

Ben
Ben Turner | 14 May 2013 22:42

Automated Updates for Windows

Hi there,

Can anyone help me with the steps to enable automated updates to ModSec Rules from Trustwave Spiderlabs? 

Also is anyone successfully running modsec on Windows server 2012?

Thanks,

Ben
Ben Turner | 14 May 2013 22:38

benjamesturner <at> gmail.com


Reindl Harald | 10 May 2013 18:39

Re: New SecRemoteAddrDefine (httpd-dev CCed)

Hi

Will this be the release version of mod_security-2.7.4?

As confirmed, all works as expected, but I hesitate to update
the production servers while all my configs are well prepared
for the migration from Apache 2.2 to Apache 2.4 and the not
business-critical machines are already there.

Apache 2.4 brings a lot of improvements, and after rolling
out the first major update to the webservers after 7 years
I can die in peace and our company will still survive :-)

On 06.05.2013 16:34, Breno Silva wrote:
> Reindl,
> 
> Final implementation is here https://github.com/SpiderLabs/ModSecurity/tree/remotes/trunk
> Without SecDefineRemoteAddr. Could you run make CFLAGS=-DMSC_TEST test to check if it is all fine ?
> 
> On Mon, May 6, 2013 at 11:00 AM, Reindl Harald <h.reindl <at> thelounge.net
> <mailto:h.reindl <at> thelounge.net>> wrote:
> 
>     works fine
> 
>     both tested, proxy listed in "RemoteIPInternalProxy" and without
> 
>     * listed: SecRule REMOTE_ADDR "^10\.0\.0\.99" works
>     * not listed: access with nessus-useragent denied as expected
> 
>     thank you!

