Morris Taylor | 16 Apr 06:14 2015

Detecting MS15-034 attack

Dear All,

    Has anyone written a customized rule for detecting attacks
    targeting the MS15-034 vulnerability? It seems to be impossible to
    directly compare the first byte with the last byte and block the
    request when the last byte is less than the first byte, since the
    integer overflow may also occur inside mod_security. Looking for
    advice on writing a rule to block malicious requests targeting the
    MS15-034 vulnerability. Thanks!

-- 
BR, Morris

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
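As an added example (not code from the post or from ModSecurity), the comparison the post describes, done in Python with arbitrary-precision integers so the check itself cannot overflow: a Range header is parsed and flagged when the last byte is below the first byte or when an offset would wrap a 64-bit unsigned counter. The sample header values are constructed, and the 64-bit bound is an assumption of this heuristic, not a statement about any server's internals.

```python
import re

# Constructed sample header values (not from the original post).  The first two
# are ordinary partial-content requests; the others are shapes worth flagging.
SAMPLE_RANGES = [
    "bytes=0-1023",
    "bytes=500-999,1000-1499",
    "bytes=1000-10",                    # last byte smaller than first byte
    "bytes=0-18446744073709551615",     # 2**64 - 1: wraps to 0 once the server adds 1
    "bytes=0-99999999999999999999999",  # wider than any native integer
]

RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
ONE_RANGE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

# Assumed bound for this heuristic: an offset that cannot be represented in an
# unsigned 64-bit integer after adding one is treated as an overflow attempt.
UINT64_MAX = (1 << 64) - 1


def suspicious_range(header_value):
    """Return a reason string if the Range header looks malformed or overflowing, else None.

    Python ints are arbitrary precision, so the comparison itself cannot overflow,
    which is the difficulty the post raises about doing it inside the WAF.
    """
    m = RANGE_SPEC.match(header_value)
    if not m:
        return "not a bytes range"
    for part in m.group(1).split(","):
        r = ONE_RANGE.match(part)
        if not r:
            return f"unparseable range spec {part.strip()!r}"
        first_s, last_s = r.groups()
        if not first_s and not last_s:
            return "empty range"
        first = int(first_s) if first_s else None   # absent for suffix ranges like "-500"
        last = int(last_s) if last_s else None      # absent for open ranges like "500-"
        for offset in (first, last):
            if offset is not None and offset + 1 > UINT64_MAX:
                return f"offset {offset} overflows 64-bit arithmetic"
        if first is not None and last is not None and last < first:
            return f"last byte {last} < first byte {first}"
    return None


def classify(values=SAMPLE_RANGES):
    """Map each sample header value to its verdict (None means it looks benign)."""
    return {v: suspicious_range(v) for v in values}


if __name__ == "__main__":
    for value, verdict in classify().items():
        print(f"{value:40} -> {verdict or 'ok'}")
```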

Gaurav Agarwal | 15 Apr 09:30 2015

Testing ModSecurity ?

Dear fellow experts,

Is there any open-source testing framework available to test all the rules provided by ModSecurity?

Really don't want to write a script to test all the rules individually :(.

Thanks,
Gaurav
Latimer, Jeff | 15 Apr 03:06 2015

Modsecurity IIS - Slow HTTP Post

I am running ModSecurity 2.8.0 on a Windows 2008 R2 server with IIS 7.5.

An attacker ran a slow HTTP POST attack against a site and it hung the application pool, rendering the site unresponsive. I replicated the behavior using Switchblade 4.01 (http://www.proactiverisk.com/switchblade/). If I hit the site with ModSecurity installed it hangs; if I uninstall ModSecurity the site handles the slow HTTP POST with ease.

Has anyone else experienced this?

Possibly of note: I set the SecStreamInBodyInspection On directive as per https://github.com/SpiderLabs/ModSecurity/issues/562

Jean Renaud | 13 Apr 12:49 2015

White-listing specific Rule for Specific domain name on Shared hosting

Hi everybody,

Let's say I'm the owner of a shared hosting company (I'm not, but let's say I am).  I have several customers sharing the same IP, for example "123456foo.com" and "123456bar.com".

One of them, 123456foo.com, has an HTML editor on their web site, but is having issues because mod_security blocks some HTML tags.  So they would like this rule to be disabled.

Is there some way of disabling a specific rule for a specific domain name on a shared IP?  For sure, we cannot disable the rule for the IP itself because the other customer would not be protected anymore...

I've seen in the documentation that the SERVER_NAME variable will show the server name, so "123456foo.com", but this could be spoofed. But how can a spoofed request header reach the customer if the real server name is needed (since this is the only way because of the shared IP)?

Maybe we should white-list the PHP file the customer is using?  For example, white-listing "\home\123456foo\public_html\htmleditor.php" for one specific rule?

Thanks.
Phil Daws | 9 Apr 16:12 2015

Modsecurity & NGINX

Hello:

We are switching from Apache to NGINX and evaluating the use of ModSec; so far so good.  What we have found,
though, is that previously the Apache error logs would show the rule numbers that ModSecurity triggered
on.  With NGINX we are not seeing those at all.  We probably goofed something in the configuration, so any help
would be appreciated.

Thank you.


Jonathan Snowe | 9 Apr 08:52 2015

XML DTD

Hi guys,

I'm currently working on a Web Service gateway (dealing with SOAP requests) powered by ModSecurity and I need to filter some attack types (SQLi, XXE, XML bomb etc.).
I am working with ModSecurity 2.7.3 on CentOS 6.6.
I already implemented some personal rules and the CRS ruleset for SQLi, and it works nicely.

Now I want to deal with XXE and XML bombs. I think CRS does not handle these attacks, so I have to write the rules myself.
I noticed these 2 attacks use DTD references, so I tried different things:

- XSD schema validation. I can't get it working; it may be my XSD schemas. I tried different generators but none seems effective. I keep getting parsing errors, and this solution doesn't sound very handy to me.
- REQUEST_BODY parsing to match DTD references (<!DOCTYPE, ENTITY...). From what I read, the REQUEST_BODY variable is not filled when the XML processor has matched, so I tried to fill it by adding ctl:forceRequestBodyVariable, but it doesn't seem to be any better.

I don't know if you guys know how to solve these problems or have better ideas for filtering these attacks.

Thank you,

--
Jon.
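As an added example, not code from the post or from the CRS: gating a SOAP request body before any XML processing happens, using Python's expat bindings so that parsing stops at the first DOCTYPE or entity declaration (the DTD references the post mentions) without fetching or expanding anything. The SOAP bodies are constructed samples.

```python
import xml.parsers.expat


class DtdFound(Exception):
    """Raised from a parser callback as soon as a DOCTYPE or ENTITY declaration is seen."""


def reject_dtd(body):
    """Return (accepted, reason) for an XML request body.

    The body is refused if it declares a DTD or any entity.  Because the check runs
    from parser callbacks, parsing stops at the declaration, so an external entity
    is never fetched and an entity-expansion (XML bomb) payload is never expanded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound(f"DOCTYPE {name!r} (system id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Entities can only be declared inside a DOCTYPE, so this handler is a
        # belt-and-braces second trigger; the DOCTYPE handler normally fires first.
        raise DtdFound(f"entity declaration {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except DtdFound as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample bodies (not from the original post).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_OK = (f'<?xml version="1.0"?><soap:Envelope xmlns:soap="{SOAP_NS}">'
           '<soap:Body><GetPrice><Item>Apples</Item></GetPrice></soap:Body>'
           '</soap:Envelope>')
SOAP_DTD = ('<?xml version="1.0"?>'
            '<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "http://example.invalid/ext">]>'
            f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>&ext;</soap:Body>'
            '</soap:Envelope>')

if __name__ == "__main__":
    for label, body in (("plain", SOAP_OK), ("with DTD", SOAP_DTD)):
        print(label, reject_dtd(body))
```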
Swonk, Glenn | 9 Apr 01:45 2015

Problem enabling ModSecurity in IIS

I have installed the x64 version on a Win7 (x64) system and am not able to process the rules in IIS (7.5).

The event log indicates that the ModSecurity module has been loaded (several lines of status).

However, after I added the following rule (modsecurity.conf) and attempted to exercise the rule, nothing happens.

   SecRule REQUEST_URI|ARGS|REQUEST_BODY "zzz" "phase:1,log,deny,status:503,id:1"

The Web.Config file has the following entry:

   <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />

Any suggestions on how to troubleshoot the installation/configuration?

Thanks,

glenn

Morris Taylor | 8 Apr 05:43 2015

Unable to build mlogc from latest tarball

Hi there,

    I tried to follow the instructions in ModSecurity's reference manual
    to build mlogc. When I ran "make mlogc" in the root folder of the
    ModSecurity source, make printed the following message:

"make: Nothing to be done for `mlogc'."

This output is quite different from what the manual shows; can
anyone help me overcome the problem? Thanks!

-- 
BR, Morris


Pallavi | 7 Apr 15:33 2015

Many web pages getting blocked!

Hi,

Many of our web pages are getting blocked by the following rules, defined in the base_rules/modsecurity_crs_50_outbound.conf file:


#
# IFrame Injection
#
SecRule RESPONSE_BODY "!@pm iframe" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'6',id:'981177',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"

#SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
        "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981000',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
        "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981001',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)" \
        "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Malicious iframe+javascript tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981003',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',tag:'bugtraq,13544',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"

SecMarker END_IFRAME_CHECK

Following is the error log we get:


ModSecurity: Access denied with code 403 (phase 4). Pattern match "<\\\\W*iframe[^>]+?\\\\b(?:width|height)\\\\b\\\\W*?=\\\\W*?[\\"']?[^\\"'1-9]*?(?:(?:20|1?\\\\d(?:\\\\.\\\\d*)?)(?![\\\\d%.])|[0-3](?:\\\\.\\\\d*)?%)" at RESPONSE_BODY. [file "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_50_outbound.conf"] [line "71"] [id "981000"] [rev "2"] [msg "Possibly malicious iframe tag in output"] [data "Matched Data: <iframe src=\\x22//www.googletagmanager.com/ns.html?id=GTM-PXKNDQ\\x22 height=\\x220 found within RESPONSE_BODY: <!doctype html>\\x0d\\x0a<!--[if lt IE 7]><html class=\\x22lt-ie9 lt-ie8 lt-ie7\\x22 xmlns=http://www.w3.org/1999/xhtml xml:lang=en><![endif]-->\\x0d\\x0a<!--[if IE 7]><html class=\\x22lt-ie9 lt-ie8\\x22 xmlns=http://www.w3.org/1999/xhtml xml:lang=en><![endif]-->\\x0d\\x0a<!--[if IE 8]><html class=lt-ie9 xmlns=http://www.w3.org/1999/xhtml xml:lang=en><![endif]-->\\x0d\\x0a<!--[if gt IE 8]><!-->..."] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME"] [hostname "1atesting.in"] [uri "/index.html"] [unique_id "VSPU-cCoqoMAAGAEfNAAAADL"]

 

 

Is this a false positive, so that we should comment out this rule in mod_security, or does our script contain a pattern that is considered malicious?

Please help.

 

Thanks,

Pallavi



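As an added example (not code from the post or from the CRS), the rule 981000 pattern quoted in the post run in Python over constructed response bodies: it shows why a Google Tag Manager noscript iframe with height="0" satisfies the regex, and separates hits whose src host is on an allow-list (candidates for a targeted rule exclusion rather than disabling 981000) from tiny iframes that should still be blocked. The allow-list and the GTM container id are assumptions.

```python
import re
from urllib.parse import urlsplit

# Regex of CRS 2.2.9 rule 981000 as quoted in the post (without the log line's shell escaping).
IFRAME_TINY = re.compile(
    r"""<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?["']?[^"'1-9]*?"""
    r"""(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)"""
)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Constructed response bodies (not from the original page); GTM-XXXXXX is a placeholder id.
GTM_BODY = ('<!doctype html><html><body><noscript>'
            '<iframe src="//www.googletagmanager.com/ns.html?id=GTM-XXXXXX" '
            'height="0" width="0" style="display:none;visibility:hidden"></iframe>'
            '</noscript></body></html>')
VIDEO_BODY = ('<html><body><iframe src="https://video.example/embed/42" '
              'width="640" height="360"></iframe></body></html>')
HIDDEN_BODY = ('<html><body><iframe src="http://unknown.invalid/x" '
               'width="1" height="1"></iframe></body></html>')


def tiny_iframes(body):
    """Return the full text of each iframe tag that rule 981000 would match."""
    hits = []
    for m in IFRAME_TINY.finditer(body):
        # The regex stops at the width/height value; extend to the end of the tag
        # so the src attribute can be inspected.
        end = body.find(">", m.start())
        hits.append(body[m.start(): end + 1] if end != -1 else m.group(0))
    return hits


def unexpected_tiny_iframes(body, allowed_hosts):
    """Hits whose src host is NOT on the allow-list, as (host, tag) pairs.

    Allow-listed hosts are what a scoped exclusion for 981000 would cover;
    anything returned here still deserves the block.
    """
    flagged = []
    for tag in tiny_iframes(body):
        s = SRC_ATTR.search(tag)
        host = urlsplit(s.group(1), scheme="https").hostname if s else None
        if host not in allowed_hosts:
            flagged.append((host, tag))
    return flagged


if __name__ == "__main__":
    allow = {"www.googletagmanager.com"}
    for name, body in (("gtm", GTM_BODY), ("video", VIDEO_BODY), ("hidden", HIDDEN_BODY)):
        print(name, "matches:", len(tiny_iframes(body)),
              "still blocked:", unexpected_tiny_iframes(body, allow))
```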
support | 4 Apr 15:20 2015

FALSE POSITIVES


We suffer Mod Security false positives from time to time when website users legitimately upload plain, non-threatening text via CGI / Perl scripts (eg: Childrens-Stories.net).

The BIG ISSUE is that our hosting provider (Ace-Host.com reseller accounts) claims it's impossible to enable notifications when Mod Security rules are triggered, thus we never find out that new, unknown customers are locked out; the negative experience puts new customers off straight away, which is not good for business or our reputation.

Can anyone suggest a potential future solution for notifications on shared servers etc. so the nominated website account holder receives notifications?

Thanks, Simon

@ WWW Support Services
UK Tel: 0845 475 3625


nagasawamg | 3 Apr 08:49 2015

ECCN of mod_security

Hi,

I want an Export Control Classification Number (ECCN) for mod_security.

I couldn't find any information on the internet.

Can anyone help me?

Sorry if I'm posting to the wrong address.

--
Megumi Nagasawa

