Riemann . | 18 Jul 20:07 2016

RBL lookup/block not working

I'm working on setting up a RBL using Christian Bockermann's jwall-rbld. I've turned off the Windows DNS Client service, installed Unbound locally (Windows) and used it to forward requests to jwall-rbld (which is running on localhost for now). The jwall config file allows localhost to update (e.g. block/unblock) via dig request. Everything with jwall-rbld works as expected when used manually (e.g. via dig/telnet from terminal).


I don't know if this is the issue, but instead of IP addresses or hostnames, I'm trying to add hexEncoded sha1 hashes to the RBL. I'm basically trying to create a way to share data between nodes without setting up a memcached server. Again, this all works manually (using telnet or dig I can lookup, block and unblock based on a hash entry).


An example of the rules I'm using look something like this:

...
SecRule ARGS:Foobar ".*" "phase:2,log,pass,msg:'Hashing data',t:sha1,t:hexEncode,setvar:tx.hash=%{matched_var},id:'1000805'"
SecRule tx:hash "@rbl rbl.localnet" "phase:2,log,pass,logdata:'%{tx.hash}',skipAfter:GO_TO_NEXT,id:'1000806'"
SecRule tx:hash "@rbl block-600.rbl.localnet" "phase:2,log,pass,id:'1000807'"
SecMarker GO_TO_NEXT
...

From the debug, I can see both lookups (1000806 and 1000807) fail. Using Microsoft Message Analyzer, it appears the request is never being sent from ModSecurity.

------------------------ [[ debug log ]] --------------------------------------
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][9] Match -> mode NEXT_RULE.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Recipe: Invoking rule 2cad328; [file "C:/shared/Apache2x/conf/modsecurity/0-48/modsecurity_crs_15_customrules.conf"] [line "64"] [id "1000806"].
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][5] Rule 2cad328: SecRule "tx:hash" "@rbl rbl.localnet" "phase:2,log,logdata:%{tx.hash},skipAfter:GO_TO_NEXT,id:1000806"
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Transformation completed in 0 usec.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Executing operator "rbl" with param "rbl.localnet" against TX:hash.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][9] Target value: "febfe593c825cd16f1db113833eb02e0a4be4fe1"
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][5] RBL lookup of febfe593c825cd16f1db113833eb02e0a4be4fe1.rbl.localnet failed at TX:hash.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Operator completed in 117606 usec.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Rule returned 0.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][9] No match, not chained -> mode NEXT_RULE.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Recipe: Invoking rule 2cae818; [file "C:/shared/Apache2x/conf/modsecurity/0-48/modsecurity_crs_15_customrules.conf"] [line "65"] [id "1000807"].
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][5] Rule 2cae818: SecRule "tx:hash" "@rbl block-600.rbl.localnet" "phase:2,log,pass,id:1000807"
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Transformation completed in 0 usec.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Executing operator "rbl" with param "block-600.rbl.localnet" against TX:hash.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][9] Target value: "febfe593c825cd16f1db113833eb02e0a4be4fe1"
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][5] RBL lookup of febfe593c825cd16f1db113833eb02e0a4be4fe1.block-600.rbl.localnet failed at TX:hash.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Operator completed in 127804 usec.
[13/Jul/2016:17:07:22 --0500] [computer_name/sid#3caefa0][rid#41c5220][/C30008_tsa/tapp][4] Rule returned 0.
---------------------- [[ end debug log ]] ------------------------------------

I realize this is not a typical use case. From the debug it appears the lookup is formed correctly, so I'm hoping it's a misconfiguration/error on my part and not just that ModSec is limited to using predefined server variables like REMOTE_ADDR. Any input or suggestions would be more than welcome. I fought this for three days last week before figuring I'd ask for help.

Thanks!
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
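As an added example (not the poster's code and not jwall-rbld's), here is a small Python reproduction of the lookup outside ModSecurity: it builds the same query name the debug log shows and resolves it through the OS resolver (getaddrinfo), which is the path a server module takes, unlike dig, which sends its own queries. The IPv4 octet reversal, the zone names and the stub listing are assumptions.

```python
"""Reproduce a DNSBL (@rbl-style) lookup outside ModSecurity.

Assumptions, not taken from the thread: IPv4 values are octet-reversed the
way DNSBLs expect; any other value (here the hex SHA-1 from the debug log)
is appended to the zone verbatim, which matches the names the debug log
shows. The stub listing used for offline testing is constructed.
"""
import ipaddress
import socket
import sys

SAMPLE_HASH = "febfe593c825cd16f1db113833eb02e0a4be4fe1"   # value from the debug log


def rbl_query_name(value, zone):
    """Return '<reversed-ipv4>.<zone>' for an IPv4 address, else '<value>.<zone>'."""
    try:
        octets = ipaddress.IPv4Address(value).exploded.split(".")
    except ipaddress.AddressValueError:
        return f"{value}.{zone}"             # hostnames, hashes: used as-is
    return ".".join(reversed(octets)) + "." + zone


def os_resolve(name):
    """Resolve via getaddrinfo, i.e. the system resolver configuration,
    rather than a nameserver chosen by hand as with `dig @server`."""
    return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]


def make_stub_resolver(listing):
    """Resolver backed by a dict (constructed data) so the logic runs offline."""
    def resolve(name):
        if name in listing:
            return listing[name]
        raise socket.gaierror("NXDOMAIN (stub)")
    return resolve


def rbl_listed(value, zone, resolve=os_resolve):
    """Return the A record the list answers with, or None when unlisted."""
    try:
        return resolve(rbl_query_name(value, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # usage: python rblcheck.py <ip-or-hash> <zone>   (hits the real resolver)
    val, zone = sys.argv[1], sys.argv[2]
    print(rbl_query_name(val, zone), "->", rbl_listed(val, zone))
```

Run it with the hash and zone from the rules on the same host as Apache: if this script gets an answer while ModSecurity's lookup still fails, the RBL data is fine and the problem is in the module's lookup; if it fails too, it is the OS resolver path rather than the RBL.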
Cristiano Galdino | 18 Jul 17:45 2016

Create SecRule with Regex in ARGS - CRS 2.2.8

Hi there,

I created this rule, but it also matches events in ARGS name and name_[0-9].

SecRule REQUEST_FILENAME "@beginsWith /directory" \
    "id:1100,phase:2,nolog,noauditlog,t:none,t:lowercase,msg:'Rules disabled',pass,\
    ctl:ruleRemoveTargetById=973337;ARGS:/^name(_[0-9])?$/,\
    ctl:ruleRemoveTargetById=973338;ARGS:/^name(_[0-9])?$/,\
    ctl:ruleRemoveTargetById=981319;ARGS:/^name(_[0-9])?$/,\
    ctl:ruleRemoveTargetById=950006;ARGS:/^name(_[0-9])?$/,\
    ctl:ruleRemoveTargetById=981260;ARGS:/^name(_[0-9])?$/"

In the application I have only the arguments name and name_1 to name_9.

What is going on?

Cristiano Galdino | 15 Jul 17:35 2016

How ignore static content? - OWASP/CRS

Hi there,

I'm using CRS 2.2.8 and have activated all base_rules and optional_rules/modsecurity_crs_10_ignore_static.conf, but it also matches events in static content.


FILE
modsecurity_crs_10_ignore_static.conf:

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,skip:1,pass,nolog,id:'900040',severity:'6'"
 SecRule &ARGS "@eq 0" "t:none,setvar:tx.no_parameters=1"
SecAction "phase:2,id:'900041',t:none,nolog,pass,skipAfter:END_STATIC_CONTENT_CHECK"
SecRule REQUEST_FILENAME "\.(?:(?:jpe?|pn)g|gif|ico)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'900042',severity:'6'"
SecRule REQUEST_FILENAME "\.(?:doc|pdf|txt|xls)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'900043',severity:'6'"
SecRule REQUEST_FILENAME "\.(?:(?:cs|j)s|html?)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999005',severity:'6'"
SecRule REQUEST_FILENAME "\.(?:mp(?:e?g|3)|avi|flv|swf|wma)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999006',severity:'6'"
SecMarker END_STATIC_CONTENT_CHECK



Example of a request (matches rule 958291 [Range: field exists and begins with 0]):

GET /media/191.mp3? HTTP/1.1
Host: site.host.com.br
Connection: keep-alive
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept: */*
Referer: https://site.host.com.br/diope.jsf
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=session.undefined
Range: bytes=0-

Example of a request (matches rule 960015 [Request Missing an Accept Header]):

GET /img/icone/icon.ico? HTTP/1.1
Host: site.host.com.br
Connection: keep-alive
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/51.0.2704.104 Mobile/13F69 Safari/601.1.46
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: W/"2238-1467411300000"
If-Modified-Since: Fri, 01 Jul 2016 22:15:00 GMT


How do I definitively ignore static content?

Best regards,

Waqas Ali Khan (47247 | 12 Jul 13:34 2016

Re: RESPONSE_BODY in chain rule not working

Hi Chris

So after discussing the issue with the developer, I have come up with the following rule to track
application users:

SecRule REQUEST_BODY "username=(.+?)&" \
    "t:none,t:urlDecodeUni,chain,phase:4,capture,id:150000026,sanitiseArg:login:pass,\
    logdata:'Successful login with username %{TX.1} having %{tx.sessionid} from %{geo.city}, %{geo.country_name}'"
SecRule REQUEST_HEADERS:Cookie "JSESSIONID=(.+?)" "chain,setvar:tx.sessionid=%{matched_var}"
SecRule RESPONSE_HEADERS:Location "https://www.domain.com/terms-and-conditions.html" "chain"
SecRule REMOTE_ADDR "@geoLookup"

The JSESSIONID is unique (I assume) and hence can be used. We are forwarding the logs to SIEM and have
extracted and timelined the logs through the JSESSIONID. Now the plan is to log specific actions such as
login, action1, action2, action3 and log all three actions together with the JSESSIONID. This way,
when the logs are timelined through the JSESSIONID, it will give us a clear picture of what actions were
performed by a user.

Your thoughts are appreciated on the above solution.

Waqas Ali
------------------------------

Message: 4
Date: Tue, 12 Jul 2016 08:50:45 +0200
From: Christian Folini <christian.folini <at> netnea.com>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: mod-security-users <at> lists.sourceforge.net
Message-ID: <20160712065045.GA17102 <at> elias>
Content-Type: text/plain; charset=utf-8

Hey Waqas Ali,

No worries.

But I still do not understand how the server identifies the client
in order to:

> sessions are maintained at the server's end through session variable,

If the server can do it, then you can probably use the same mechanism.

Ahoj,

Christian

On Tue, Jul 12, 2016 at 06:36:47AM +0000, Waqas Ali Khan (47247) wrote:
> Hi Chris
>
> Apologies for delay in response as I was traveling. At that time my
> only requirement was logging the successful logins. However, due to
> the fact that no session cookies are passed to the client side and
> sessions are maintained at the server's end through session variable,
> we were unable to track each request to the corresponding username. I
> can take a look at the SSL session IDs as you suggested, however, I am
> not sure how I am going to match it with the corresponding usernames.
>
> Waqas Ali
> ----------------------------------------------------------------------
>
> Message: 1 Date: Wed, 29 Jun 2016 07:06:49 +0200 From: Christian
> Folini <christian.folini <at> netnea.com> Subject: Re: [mod-security-users]
> RESPONSE_BODY in chain rule not working To:
> mod-security-users <at> lists.sourceforge.net Message-ID:
> <20160629050649.GB25047 <at> elias> Content-Type: text/plain; charset=utf-8
>
> Hi Waqas Ali,
>
> On Tue, Jun 28, 2016 at 03:40:21PM +0000, Waqas Ali Khan (47247)
> wrote:
> > @Barry The application doesn't set any cookie that is why I can't
> > detect that in the response. Sessions are maintained server side in
> > the session variable. I could check for the terms and conditions
> > page separately (and I have done that for testing and it is working
> > fine) however at that time I lose the option of logging the
> > username.
>
> How do you link a request to a session then? It does not look as if
> you were using a query-string parameter. Are you hooking on the SSL
> session id?
>
> > Thanks a lot guys once again. I am going to test this tomorrow
> > morning and let you know.
>
> I would be interested to hear of any development on your side.
>
> Best,
>
> Christian
>
> -- ModSecurity Training in London: Sep 22/23, 2016
> https://www.feistyduck.com/training/modsecurity-training-course
> mailto:christian.folini <at> netnea.com twitter:  <at> ChrFolini

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini <at> netnea.com
twitter:  <at> ChrFolini

End of mod-security-users Digest, Vol 122, Issue 2
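As an added example (not from the thread), here is a Python parser that rebuilds the per-session timeline described above from ModSecurity's Apache error-log lines. The login logdata format and rule id 150000026 are from the message; the action rules (ids 150000027/150000028 with logdata 'Action <name> having <sessionid>'), the log lines and the addresses are constructed.

```python
"""Rebuild per-JSESSIONID timelines from ModSecurity error-log lines.

Rule 150000026 and its logdata format come from the thread. The action
rules (150000027/28), their 'Action <name> having <sid>' logdata and the
log lines below are constructed for this example.
"""
import re
from collections import defaultdict

CONSTRUCTED_LOG = """\
[Tue Jul 12 08:50:45.101234 2016] [:error] [pid 2201] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "username=(.+?)&" at REQUEST_BODY. [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "3"] [id "150000026"] [data "Successful login with username alice having 7F2A9C0B from Karachi, Pakistan"] [hostname "www.domain.com"] [uri "/login"] [unique_id "V4SvUX8AAQEAAAxRA1cAAAAA"]
[Tue Jul 12 08:51:02.400321 2016] [:error] [pid 2201] [client 203.0.113.5:51240] ModSecurity: Warning. Pattern match "^/action1" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "9"] [id "150000027"] [data "Action action1 having 7F2A9C0B"] [hostname "www.domain.com"] [uri "/action1"] [unique_id "V4SvVn8AAQEAAAxRA1gAAAAA"]
[Tue Jul 12 08:53:17.900010 2016] [:error] [pid 2202] [client 198.51.100.9:40022] ModSecurity: Warning. Pattern match "username=(.+?)&" at REQUEST_BODY. [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "3"] [id "150000026"] [data "Successful login with username bob having C4D11E77 from Lahore, Pakistan"] [hostname "www.domain.com"] [uri "/login"] [unique_id "V4Sv3X8AAQEAAAxSA1cAAAAA"]
[Tue Jul 12 08:54:03.000002 2016] [:error] [pid 2201] [client 203.0.113.5:51251] ModSecurity: Warning. Pattern match "^/action2" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "10"] [id "150000028"] [data "Action action2 having 7F2A9C0B"] [hostname "www.domain.com"] [uri "/action2"] [unique_id "V4SwA38AAQEAAAxRA1kAAAAA"]
"""

# Apache 2.4 error-log envelope around a ModSecurity message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] .*?\[client (?P<client>[^\]]+)\] ModSecurity: .*?'
    r'\[id "(?P<id>\d+)"\].*?\[data "(?P<data>[^"]*)"\]')
LOGIN_RE = re.compile(r'^Successful login with username (\S+) having (\S+) from (.+)$')
ACTION_RE = re.compile(r'^Action (\S+) having (\S+)$')   # hypothetical action logdata


def parse_events(log_text):
    """Return (timestamp, client_ip, rule_id, data) for every ModSecurity line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unrelated error-log line
        ip = m.group("client").rsplit(":", 1)[0]       # drop the client port (IPv4 only)
        events.append((m.group("ts"), ip, m.group("id"), m.group("data")))
    return events


def build_timelines(log_text):
    """Group events by JSESSIONID: who logged in, from where, then which actions."""
    sessions = {}
    for ts, ip, _rule_id, data in parse_events(log_text):
        login, action = LOGIN_RE.match(data), ACTION_RE.match(data)
        if login:
            user, sid, geo = login.groups()
            s = sessions.setdefault(sid, {"user": None, "ip": ip, "geo": None, "actions": []})
            s.update(user=user, geo=geo, ip=ip)
            s["actions"].append((ts, "login"))
        elif action:
            name, sid = action.groups()
            s = sessions.setdefault(sid, {"user": None, "ip": ip, "geo": None, "actions": []})
            s["actions"].append((ts, name))
    return sessions


def logins_per_ip(log_text):
    """Successful logins per client IP; many distinct users from one IP is a
    credential-stuffing indicator worth alerting on in the SIEM."""
    counts = defaultdict(int)
    for _ts, ip, rule_id, data in parse_events(log_text):
        if rule_id == "150000026" and LOGIN_RE.match(data):
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for sid, s in build_timelines(CONSTRUCTED_LOG).items():
        print(sid, s["user"], s["ip"], s["geo"], [a for _, a in s["actions"]])
    print(logins_per_ip(CONSTRUCTED_LOG))
```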

Waqas Ali Khan (47247 | 12 Jul 08:36 2016

Re: RESPONSE_BODY in chain rule not working

Hi Chris

Apologies for the delay in response as I was traveling. At that time my only requirement was logging the
successful logins. However, due to the fact that no session cookies are passed to the client side and
sessions are maintained at the server's end through a session variable, we were unable to track each
request to the corresponding username. I can take a look at the SSL session IDs as you suggested, however, I
am not sure how I am going to match it with the corresponding usernames.

Waqas Ali
----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Jun 2016 07:06:49 +0200
From: Christian Folini <christian.folini <at> netnea.com>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: mod-security-users <at> lists.sourceforge.net
Message-ID: <20160629050649.GB25047 <at> elias>
Content-Type: text/plain; charset=utf-8

Hi Waqas Ali,

On Tue, Jun 28, 2016 at 03:40:21PM +0000, Waqas Ali Khan (47247) wrote:
> @Barry
> The application doesn't set any cookie that is why I can't detect that
> in the response. Sessions are maintained server side in the session
> variable. I could check for the terms and conditions page separately
> (and I have done that for testing and it is working fine) however at
> that time I lose the option of logging the username.

How do you link a request to a session then? It does not look as if
you were using a query-string parameter. Are you hooking on the SSL
session id?

> Thanks a lot guys once again. I am going to test this tomorrow morning
> and let you know.

I would be interested to hear of any development on your side.

Best,

Christian

--
ModSecurity Training in London: Sep 22/23, 2016
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini <at> netnea.com
twitter:  <at> ChrFolini

Loudly Soft | 11 Jul 21:10 2016

Online Interactive Tool for Log Auditing

Hello,

To simplify the task of log auditing, I created an online interactive tool for inspecting ModSecurity audit log at www.reconity.com.  In a nutshell, the tool is written in JavaScript so no software installation is required, log data stays in your computer and processing is done in your browser.  In its current state without optimization, the tool can handle 100K events from a 200 MB log responsively.  You're welcome to give it a try.

Cheers,
LoudlySoft

Altgilbers, Ian M | 8 Jul 22:24 2016

initcol with value from XML parser?

I sent this to mod-security-developers by mistake earlier; sorry if you're seeing this again.



Is it possible to use values from the XML parser with initcol?

I have a WordPress server that is getting hit from distributed IPs, attempting to brute force a few accounts via xmlrpc.php. These are domain accounts, so the users end up with locked accounts, unable to do other work. There are some unsophisticated rules out there that would block brute-force attackers by IP, but I need to block by username as well.

I can use the XML parser to get variables to evaluate…  This rule properly blocks requests with username “admin”:
SecRule XML:/methodCall/params/param[1]/value "admin" "phase:2,id:19302,deny,log,msg:'XMLRPC - admin not allowed'"

But I'm not having any luck using initcol...
SecAction "initcol:user=%{XML:/methodCall/params/param[1]/value},phase:2,pass,nolog,id:000001"
gives me:
Failed to resolve macro %{xml:/methodcall/params/param[1]/value}: Unknown variable: xml:/methodcall/params/param[1]/value


If I leave off the Xpath query, I don’t get an error, but the user object ends up being the whole XML document, which doesn’t help.   Any ideas?






Ian Altgilbers
Senior Systems Administrator
Educational Technology Services
Tufts Technology Services
Tufts University

Phone: 617.627.0388
http://it.tufts.edu/ests

Christian Folini | 6 Jul 09:44 2016

Rule Writing Exercise: chaining

Hello,

This message is going to the ModSec users ML and the CRS ML. It's a
new rule idea I have for the CRS, but maybe the wider audience has a
solution.

It is fairly simple to do a rule which takes a parameter, runs a
transformation and checks if the transformation changed anything.
Here is a simple example with t:lowercase on parameter a.

SecRule ARGS:foo     "^."  "id:1001,phase:2,deny,\
   msg:'%{MATCHED_VAR_NAME} : Transformation revealed difference',chain"
   SecRule ARGS:foo  "!@streq %{MATCHED_VARS}"  "t:lowercase"

I have tried to get this working for _all_ ARGS. Thus a generic rule
working no matter what parameters are sent to the server. But to no
avail.

The problem is that chains are executed in the order of the rules,
not the order of the parameters. In other words: First all the
parameters are matched against the first SecRule. Then all the
parameters are matched against the 2nd SecRule. A match on the first
SecRule on parameter #1 will thus be overwritten by the match on
parameter #2 when ModSec reaches the 2nd rule for parameter #1.
This behaviour is a bit counterintuitive and it kills many interesting
rule ideas (it probably also allows many interesting rule ideas, but
who cares about things that work, if you can complain about things
that don't). It's also killing this idea. Or let's say I have been
grinding my teeth into this problem on and off for a few days and
I have not found a solution.

So the question is: Is there a way around this limitation?
Can we create a SecRule as above that works for all parameters?

Ahoj,

Christian

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini <at> netnea.com
twitter:  <at> ChrFolini

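To make the evaluation-order effect concrete, here is an added Python simulation (not Christian's code and not ModSecurity's engine) of the two-rule chain over ARGS in both orders; the constructed argument sets show one false positive and one miss. It models only what the post describes: in rule 2, %{MATCHED_VAR} is the last value rule 1 matched.

```python
"""Simulate a two-rule chain over ARGS in the order the post describes
(rule-major) versus the per-parameter order the rule author intended.

Rule 1: SecRule ARGS "^."                          -> any non-empty value
Rule 2: SecRule ARGS "!@streq %{MATCHED_VAR}" "t:lowercase"
Whether rule 2's own matches also update MATCHED_VAR is not modelled; with
two parameters per case below it does not change the outcome.
The argument sets are constructed.
"""


def chain_rule_major(args):
    """Order described in the post: rule 1 runs over every ARGS entry first,
    so %{MATCHED_VAR} keeps only the LAST value it matched; rule 2 then
    compares each lowercased value against that single leftover value."""
    matched_var = None
    for value in args.values():
        if value:                                   # "^." matches any non-empty value
            matched_var = value
    if matched_var is None:
        return []
    flagged = []
    for name, value in args.items():                # "!@streq %{MATCHED_VAR}", t:lowercase
        if value.lower() != matched_var:
            flagged.append(name)
    return flagged


def chain_parameter_major(args):
    """Intended semantics: the whole chain per parameter, so each value is
    compared with its own original."""
    return [name for name, value in args.items() if value and value.lower() != value]


def compare(args):
    return {"rule_major": chain_rule_major(args),
            "parameter_major": chain_parameter_major(args)}


CASES = {
    # one parameter: both orders agree, which is why the ARGS:foo rule works
    "single": {"foo": "Hello"},
    # 'a' is already lowercase but is compared with b's value -> false positive on a
    "false_positive": {"a": "foo", "b": "Bar"},
    # 'a' has upper case but its lowercase form equals b's value -> a is missed
    "false_negative": {"a": "Foo", "b": "foo"},
}

if __name__ == "__main__":
    for label, args in CASES.items():
        print(label, compare(args))
```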

Waqas Ali Khan (47247 | 29 Jun 07:33 2016

Re: RESPONSE_BODY in chain rule not working


Hi

The RESPONSE_HEADERS:Location did the trick!

This is the rule which is able to identify successful logins:

SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
    "t:none,t:urlDecodeUni,chain,phase:4,capture,id:xxxxxxx,sanitiseArg:login:pass,\
    logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country}'"
SecRule RESPONSE_HEADERS:Location "https://domain.com/terms-and-conditions.html" "chain"
SecRule REMOTE_ADDR "@geoLookup"

Now we have the option to identify the brute forcing IP addresses quite easily as well. Thanks a lot Chris for
your excellent support. Appreciate the help from Barry as well.

Waqas Ali
----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Jun 2016 15:40:21 +0000
From: "Waqas Ali Khan (47247)" <waqas.khan <at> nadra.gov.pk>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: "mod-security-users <at> lists.sourceforge.net"
        <mod-security-users <at> lists.sourceforge.net>
Message-ID: <1467128411102.20409 <at> nadra.gov.pk>
Content-Type: text/plain; charset="iso-8859-1"

Hello Barry and Chris

First of all I would really like to thank both of you for your excellent suggestions.

@Barry
The application doesn't set any cookie that is why I can't detect that in the response. Sessions are
maintained server side in the session variable. I could check for the terms and conditions page
separately (and I have done that for testing and it is working fine) however at that time I lose the option of
logging the username.

I think Chris' suggestion is very much valid here. I am going to check where the redirect leads to and then
check for that in the RESPONSE_HEADERS:Location.

Thanks a lot guys once again. I am going to test this tomorrow morning and let you know.

Waqas Ali
________________________________________

Message: 2
Date: Tue, 28 Jun 2016 06:36:41 +0000
From: Barry Pollard <barry_pollard <at> hotmail.com>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: "mod-security-users <at> lists.sourceforge.net"
        <mod-security-users <at> lists.sourceforge.net>
Message-ID:
        <VI1PR06MB1471D5C8DD0E233D1BAE2D1282220 <at> VI1PR06MB1471.eurprd06.prod.outlook.com>

Content-Type: text/plain; charset="us-ascii"

If the response for that request is a 302 and then the browser redirects in a separate request, then doing
this within one rule is impossible as each rule works on one request.

Theoretically it would be possible by setting a collection for the first response and then checking it for
the third. But that's quite complicated and collections in ModSecurity aren't that reliable in my
experience, so I would advise against it.

Are you over complicating this? Isn't there some other way to test this from the original response (e.g. the
302 URL sent back and/or a set-cookie header sent) to confirm successful login? Alternatively can't you
just check if the Terms and Conditions page has been loaded (potentially setting up a separate one only
available to logged in users if necessary)?

Thanks,
Barry

> On 28 Jun 2016, at 07:20, Waqas Ali Khan (47247) <waqas.khan <at> nadra.gov.pk> wrote:
>
> Hi Chris
>
> Thanks a lot for your response. So as per your suggestion to move the rule from phase 2 to phase 4, I changed
> the rules as follows:
>
> SecGeoLookupDb /etc/httpd/modsecurity.d/GeoCity.dat
> SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
>     "t:none,t:urlDecodeUni,chain,phase:4,capture,id:xxxxxxxx,sanitiseArg:login:pass,\
>     logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country}'"
> SecRule RESPONSE_BODY "@contains Terms and Conditions" "chain"
> SecRule REMOTE_ADDR "@geoLookup"
>
> However, it didn't work. The debug log shows:
>
> Recipe: Invoking rule 7f1796134348; [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "3"] [id "150000026"].
> Rule 7f1796134348: SecRule "REQUEST_BODY" "@rx login:usrnam=(.+?)&" "phase:4,log,auditlog,pass,t:none,t:urlDecodeUni,chain,capture,id:150000026,sanitiseArg:login:pass,logdata:'Login with username %{TX.1} from %{geo.city}, %{geo.country_name}'"
> [9] T (0) urlDecodeUni: "login=login&login:usrnam=test@test.com&login:pass=xxx
> [4] Transformation completed in 27 usec.
> Executing operator "rx" with param "login:usrnam=(.+?)&" against REQUEST_BODY.
> [9] Target value: "login=login&login:usrnam=test@test.com&login:pass=xxx
> [9] Added regex subexpression to TX.0: login:usrnam=test@test.com&
> [9] Added regex subexpression to TX.1: test@test.com
> [4] Operator completed in 33 usec.
> [4] Rule returned 1.
> [9] Match -> mode NEXT_RULE.
> [4] Recipe: Invoking rule 7f1796136098; [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "5"].
> [5] Rule 7f1796136098: SecRule "RESPONSE_BODY" "@contains Terms and Conditions" "chain"
> [4] Transformation completed in 0 usec.
> [4] Executing operator "contains" with param "Terms and Conditions" against RESPONSE_BODY.
> [9] Target value: ""
> [4] Operator completed in 1 usec.
> [4] Rule returned 0.
> [9] No match, chained -> mode NEXT_CHAIN.
>
> If you check the target value for RESPONSE_BODY, it is empty and that is expected because as I previously
> mentioned, upon a successful login, the application initially generates an HTTP 302 (twice) and then the
> response body is generated. However I don't know how to configure the rule so that it runs when the
> response body is available.
>
> A heads up will be really appreciated. I don't want to take too much of your time, however, in this
> particular case I have prior experience that a SecRule only works in its intended phase.
>
> Appreciate the help you have provided so far.
>
> __________________________________________________________________
> Message: 2
> Date: Mon, 27 Jun 2016 10:15:28 +0200
> From: Christian Folini <christian.folini <at> netnea.com>
> Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
>        working
> To: mod-security-users <at> lists.sourceforge.net
> Message-ID: <20160627081528.GA28329 <at> elias>
> Content-Type: text/plain; charset=utf-8
>
> Hi there,
>
>> On Mon, Jun 27, 2016 at 07:28:28AM +0000, Waqas Ali Khan (47247) wrote:
>> We have an application which upon successful logins generates two HTTP
>> 302 status messages and then transfer to the terms and conditions
>> page. I want to detect the terms and conditions page in order to
>> determine if the login is successful or not. I have configured the
>> following rule:
>>
>>
>> SecGeoLookupDb /etc/httpd/modsecurity.d/GeoCity.dat
>> SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
>>     "t:none,t:urlDecodeUni,chain,phase:2,capture,id:xxxxxxxx,sanitiseArg:login:pass,\
>>     logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country}'"
>> SecRule RESPONSE_BODY "@contains Terms and Conditions" "chain"
>> SecRule REMOTE_ADDR "@geoLookup"
>
> This rule runs in phase 2, but RESPONSE_BODY is only available from
> phase 4. Moving the rule to phase 4 should work.
>
> Good luck,
>
> Christian
>
>
> --
> It is well that there is no one without a fault; for he would not have
> a friend in the world.
> -- William Hazlitt
>
>
> ------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

------------------------------

Message: 3
Date: Tue, 28 Jun 2016 08:39:50 +0200
From: Christian Folini <christian.folini <at> netnea.com>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: mod-security-users <at> lists.sourceforge.net
Message-ID: <20160628063950.GB27375 <at> elias>
Content-Type: text/plain; charset=utf-8

Hello,

On Tue, Jun 28, 2016 at 06:15:20AM +0000, Waqas Ali Khan (47247) wrote:
> SecGeoLookupDb /etc/httpd/modsecurity.d/GeoCity.dat
> SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
>     "t:none,t:urlDecodeUni,chain,phase:4,capture,id:xxxxxxxx,sanitiseArg:login:pass,logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country_name}'"
> SecRule RESPONSE_BODY "@contains Terms and Conditions" "chain"
> SecRule REMOTE_ADDR "@geoLookup"
>
> ...
>
> If you check the target value for RESPONSE_BODY, it is empty and that
> is expected because as I previously mentioned, upon a successful
> login, the application initially generates an HTTP 302 (twice) and
> then the response body is generated. However I don't know how to
> configure the rule so that it rules when the response body is
> available.

I see, we are getting there.

Your redirects will have the browser issue a new request.
With the new request, ModSec runs anew and the request body
variables are all gone.

You could save them in a session and retrieve it later, etc. etc.
But that's a bit advanced.

Where does your 302 lead to? If the 302 redirects to a URL which
differs between successful and failed login attempts, then I think
it is best to check for that redirect upon the initial POST request.

Like in this adapted example.

> SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
>     "t:none,t:urlDecodeUni,chain,phase:4,capture,id:xxxxxxxx,sanitiseArg:login:pass,logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country_name}'"
> SecRule RESPONSE_HEADERS:Location "http://example.com/.../target.do" "chain"
> SecRule REMOTE_ADDR "@geoLookup"

> A heads up will be really appreciated. I don't want to take too much
> of your time, however, in this particular case I have prior experience
> that a SecRule only works in its intended phase.
>
> Appreciate the help you have provided so far.

You are welcome. Glad to be of assistance, but you are correct that time
is scarce. :)

I like your rule and the message it writes to the Apache error log.
I would probably try and have the information written to an additional
CustomLog named "login.log" or something. But let's leave that as
an exercise for the time after the one above works.

Cheers,

Christian


--
ModSecurity Training in London: Sep 22/23, 2016
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini <at> netnea.com
twitter:  <at> ChrFolini
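Christian's suggestion (judge the login by the 302 the POST itself returns, in the same transaction as the request body, rather than by a page that only arrives two redirects later) worked through as a complete rule set, with his follow-up idea of a separate login.log. This is an added example, not a rule from the thread or from the CRS; the field names login:usrnam and login:pass and the GeoCity.dat path come from the thread, while the paths /login.do and /home.do, the rule id 150000030 and the log format are placeholders.

```apache
# Added example, not from the thread or the CRS.
# From the thread: the username field is literally "login:usrnam", the
# password field "login:pass", and GeoCity.dat lives in /etc/httpd/modsecurity.d.
# Assumed (placeholders): the form posts to /login.do, a successful login
# answers 302 with a Location ending in /home.do (a failed one would redirect
# elsewhere, e.g. back to /login.do), and rule id 150000030 is free.

SecGeoLookupDb /etc/httpd/modsecurity.d/GeoCity.dat

# RESPONSE_HEADERS first exist in phase 3, and REQUEST_BODY / ARGS_POST are
# still available there, so one chain can inspect both sides of the same
# transaction. Every rule before the last one is a condition; the actions of
# the chain starter (log, logdata, sanitiseArg) fire only when the whole
# chain matches, by which time GEO has been populated by the final rule.
SecRule REQUEST_METHOD "@streq POST" \
    "id:150000030,phase:3,pass,log,auditlog,t:none,chain,\
    msg:'Successful login',\
    logdata:'Successful login with username %{TX.login_user} from %{GEO.CITY}, %{GEO.COUNTRY_NAME}',\
    sanitiseArg:login:pass"
    # Only the login form handler (assumed path).
    SecRule REQUEST_URI "@beginsWith /login.do" "t:none,chain"
    # Capture the username into TX so the chain starter can log it;
    # the regex form of the target copes with the colon in the field name.
    SecRule ARGS_POST:/^login:usrnam$/ "^(.+)$" \
        "t:none,capture,setvar:tx.login_user=%{TX.1},chain"
    # The success signal is the redirect target, not a later response body.
    SecRule RESPONSE_STATUS "@streq 302" "t:none,chain"
    SecRule RESPONSE_HEADERS:Location "@endsWith /home.do" "t:none,chain"
    # Last in the chain: fill GEO for the logdata macros and export the
    # username to Apache's environment for the CustomLog below.
    SecRule REMOTE_ADDR "@geoLookup" "setenv:login_user=%{TX.login_user}"

# Christian's follow-up idea: a dedicated login.log, written only for
# transactions in which the chain above set the environment variable.
CustomLog logs/login.log "%t %h user=%{login_user}e location=%{Location}o" env=login_user
```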

------------------------------

Waqas Ali Khan (47247) | 28 Jun 17:40 2016

Re: RESPONSE_BODY in chain rule not working

Hello Barry and Chris

First of all I would really like to thank both of you for your excellent suggestions. 

 <at> Barry
The application doesn't set any cookie, which is why I can't detect that in the response. Sessions are
maintained server side in the session variable. I could check for the terms and conditions page
separately (and I have done that for testing and it is working fine), however at that time I lose the option of
logging the username.

I think Chris' suggestion is very much valid here. I am going to check where the redirect leads to and then
check for that in RESPONSE_HEADERS:Location.

Thanks a lot guys once again. I am going to test this tomorrow morning and let you know.

Waqas Ali
________________________________________

Message: 2
Date: Tue, 28 Jun 2016 06:36:41 +0000
From: Barry Pollard <barry_pollard <at> hotmail.com>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: "mod-security-users <at> lists.sourceforge.net"
        <mod-security-users <at> lists.sourceforge.net>
Message-ID:
        <VI1PR06MB1471D5C8DD0E233D1BAE2D1282220 <at> VI1PR06MB1471.eurprd06.prod.outlook.com>

Content-Type: text/plain; charset="us-ascii"

If the response for that request is a 302 and then the browser redirects in a separate request, then doing
this within one rule is impossible as each rule works on one request.

Theoretically it would be possible by setting a collection for the first response and then checking it for
the third. But that's quite complicated and collections in ModSecurity aren't that reliable in my
experience, so I would advise against it.

Are you over complicating this? Isn't there some other way to test this from the original response (e.g. the
302 URL sent back and/or a set-cookie header sent) to confirm successful login? Alternatively can't you
just check if the Terms and Conditions page has been loaded (potentially setting up a separate one only
available to logged in users if necessary)?

Thanks,
Barry

Waqas Ali Khan (47247) | 28 Jun 08:15 2016

Re: RESPONSE_BODY in chain rule not working

Hi Chris

Thanks a lot for your response. So as per your suggestion to move the rule from phase 2 to phase 4, I changed the
rules as follows:

SecGeoLookupDb /etc/httpd/modsecurity.d/GeoCity.dat
SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
    "t:none,t:urlDecodeUni,chain,phase:4,capture,id:xxxxxxxx,sanitiseArg:login:pass,logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country_name}'"
SecRule RESPONSE_BODY "@contains Terms and Conditions" "chain"
SecRule REMOTE_ADDR "@geoLookup"

However, it didn't work. The debug log shows:

Recipe: Invoking rule 7f1796134348; [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "3"] [id "150000026"].
Rule 7f1796134348: SecRule "REQUEST_BODY" "@rx login:usrnam=(.+?)&" "phase:4,log,auditlog,pass,t:none,t:urlDecodeUni,chain,capture,id:150000026,sanitiseArg:login:pass,logdata:'Login with username %{TX.1} from %{geo.city}, %{geo.country_name}'"
[9] T (0) urlDecodeUni: "login=login&login:usrnam=test@test.com&login:pass=xxx
[4] Transformation completed in 27 usec.
Executing operator "rx" with param "login:usrnam=(.+?)&" against REQUEST_BODY.
[9] Target value: "login=login&login:usrnam=test@test.com&login:pass=xxx
[9] Added regex subexpression to TX.0: login:usrnam=test@test.com&
[9] Added regex subexpression to TX.1: test@test.com
[4] Operator completed in 33 usec.
[4] Rule returned 1.
[9] Match -> mode NEXT_RULE.
[4] Recipe: Invoking rule 7f1796136098; [file "/etc/httpd/modsecurity.d/activated_rules/test.conf"] [line "5"].
[5] Rule 7f1796136098: SecRule "RESPONSE_BODY" "@contains Terms and Conditions" "chain"
[4] Transformation completed in 0 usec.
[4] Executing operator "contains" with param "Terms and Conditions" against RESPONSE_BODY.
[9] Target value: ""
[4] Operator completed in 1 usec.
[4] Rule returned 0.
[9] No match, chained -> mode NEXT_CHAIN.

If you check the target value for RESPONSE_BODY, it is empty and that is expected because as I previously
mentioned, upon a successful login, the application initially generates an HTTP 302 (twice) and then the
response body is generated. However I don't know how to configure the rule so that it runs when the
response body is available.

A heads up will be really appreciated. I don't want to take too much of your time, however, in this particular
case I have prior experience that a SecRule only works in its intended phase.  

Appreciate the help you have provided so far. 

__________________________________________________________________
Message: 2
Date: Mon, 27 Jun 2016 10:15:28 +0200
From: Christian Folini <christian.folini <at> netnea.com>
Subject: Re: [mod-security-users] RESPONSE_BODY in chain rule not
        working
To: mod-security-users <at> lists.sourceforge.net
Message-ID: <20160627081528.GA28329 <at> elias>
Content-Type: text/plain; charset=utf-8

Hi there,

On Mon, Jun 27, 2016 at 07:28:28AM +0000, Waqas Ali Khan (47247) wrote:
> We have an application which upon successful login generates two HTTP
> 302 status messages and then transfers to the terms and conditions
> page. I want to detect the terms and conditions page in order to
> determine if the login is successful or not. I have configured the
> following rule:
>
>
> SecGeoLookupDb /etc/httpd/modsecurity.d/GeoCity.dat
> SecRule REQUEST_BODY "login:usrnam=(.+?)&" \
>     "t:none,t:urlDecodeUni,chain,phase:2,capture,id:xxxxxxxx,sanitiseArg:login:pass,logdata:'Successful login with username %{TX.1} from %{geo.city}, %{geo.country_name}'"
> SecRule RESPONSE_BODY "@contains Terms and Conditions" "chain"
> SecRule REMOTE_ADDR "@geoLookup"

This rule runs in phase 2, but RESPONSE_BODY is only available from
phase 4. Moving the rule to phase 4 should work.

Good luck,

Christian

--
It is well that there is no one without a fault; for he would not have
a friend in the world.
-- William Hazlitt
