Apache mod-security

Ofer Shezaf | 1 May 2007 12:41

Re: Rule is not working.

This rule is worth further discussion:

The rule uses typical user agent strings to detect automation programs. Being cautious, I set this rule to detection only as many sites use themselves such an automated program, for example to monitor/ping the site on a regular basis. However, if the event does not alert on a regular basis on your system, or after you created an exception for your own automated program, it is worthwhile to switch it to blocking as it catches a lot of bad guys, as the case below shows.

~ Ofer Shezaf

Core Rules project leader

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ryan Barnett
Sent: Monday, April 30, 2007 8:34 PM
To: Vince Tingey; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Rule is not working.

My guess is that Core Rule ID # 990011 is matching. If you want your rule to trigger first, you will need to specify it in a file prior to the modsecurity_crs_35_bad_robots.conf file. Follow the steps outlined here - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------

Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)

Learn More About the Breach Webinar Series:

http://www.breach.com/webinars.asp

--------------

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Vince Tingey
Sent: Monday, April 30, 2007 1:31 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Rule is not working.

Hi Everyone,

I have created the following rule to block a known web application vulnerability scan (getting TONS of these lately from what looks like bot nets) :

# This rule stops scans for a known web calendar vulnerability
# http://www.securityfocus.com/bid/14651
SecRule REQUEST_URI "tools/send_reminders\.php" "phase:1,deny,nolog"

It does not seem to be working though as I still get this showing up in my console:

990011

NOTICE (5)

Request Indicates an automated program explored the site Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required.

What am I doing wrong?

Vince

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

headers

Jim Hermann - UUN Hostmaster | 1 May 2007 19:31

Mod_Security and Content-Encoding: gzip


Does anyone know if Mod_Security can be configured to handle
Content-Encoding: gzip?

The default rules evaulate for RESPONSE_BODY for code leakage. However, when
the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit characters and
the mod_security rule does not work correctly.

Here is the modsec_audit.log entry:

--5a7c556c-A--
[01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146 43002
69.94.104.180 80
--5a7c556c-B--
GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
Host: www.xxx.xxx
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
+http://www.google.com/bot.html)
Accept-Encoding: gzip
If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT

--5a7c556c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.0.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
Content-Length: 15062
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-2
Content-Language: hu

--5a7c556c-E--
[snip - bunch of 8-bit characters]

--5a7c556c-H--
Message: Warning. Match of "rx
(?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g if)|B(?:%pdf|\\.ra)\\b)"
against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code
leakage"] [severity "WARNING"]
Apache-Handler: cgi-script
Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
Response-Body-Transformed: Dechunked
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.0.54 (Fedora)

--5a7c556c-Z--
__________________
Jim Hermann
Ministering to the Web
UUism Networks
www.uuism.net

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Ryan Barnett | 1 May 2007 19:42

Re: Mod_Security and Content-Encoding: gzip

Very timely...  The short answer however is - No, Mod can not handle
compressed/gzipped data.  Ofer will be releasing an update to the Core
Rules shortly and there are some updates to address compressed content
(from an alerting perspective).  

This is from the CHANGES file -
ModSecurity does not support compressed content at the moment. Thus, the
following rules have been added:
- 960013 - Content-Encoding in request not supported
    Any incoming compressed request will be denied
- 960051 - Content-Encoding in response not suppoted
    An outgoing compressed response will be logged to alert, but ONLY
ONCE.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Jim Hermann
-
> UUN Hostmaster
> Sent: Tuesday, May 01, 2007 1:32 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] Mod_Security and Content-Encoding: gzip
> 
> 
> Does anyone know if Mod_Security can be configured to handle
> Content-Encoding: gzip?
> 
> The default rules evaulate for RESPONSE_BODY for code leakage.
However,
> when
> the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit
characters
> and
> the mod_security rule does not work correctly.
> 
> Here is the modsec_audit.log entry:
> 
> --5a7c556c-A--
> [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146
43002
> 69.94.104.180 80
> --5a7c556c-B--
> GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> Host: www.xxx.xxx
> Connection: Keep-alive
> Accept: */*
> From: googlebot(at)googlebot.com
> User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> +http://www.google.com/bot.html)
> Accept-Encoding: gzip
> If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> 
> --5a7c556c-F--
> HTTP/1.1 200 OK
> X-Powered-By: PHP/5.0.4
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Content-Encoding: gzip
> Vary: Accept-Encoding
> Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> Content-Length: 15062
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=ISO-8859-2
> Content-Language: hu
> 
> --5a7c556c-E--
> [snip - bunch of 8-bit characters]
> 
> --5a7c556c-H--
> Message: Warning. Match of "rx
> (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> if)|B(?:%pdf|\\.ra)\\b)"
> against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code
> leakage"] [severity "WARNING"]
> Apache-Handler: cgi-script
> Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity v2.1.1 (Apache 2.x)
> Server: Apache/2.0.54 (Fedora)
> 
> --5a7c556c-Z--
> __________________
> Jim Hermann
> Ministering to the Web
> UUism Networks
> www.uuism.net
> 
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Jim Hermann - UUN Hostmaster | 2 May 2007 00:50

Re: Mod_Security and Content-Encoding: gzip

How can I filter the RESPONSE_BODY so that mod_security does not receive it
when the Content-Encoding is gzip?

I like the idea of checking for code leakage when the Content-Encoding is
not gzip.

Thanks.

Jim

> -----Original Message-----
> From: Ryan Barnett [mailto:Ryan.Barnett <at> Breach.com] 
> Sent: Tuesday, May 01, 2007 12:42 PM
> To: Jim Hermann - UUN Hostmaster; 
> mod-security-users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Mod_Security and 
> Content-Encoding: gzip
> 
> Very timely...  The short answer however is - No, Mod can not handle
> compressed/gzipped data.  Ofer will be releasing an update to the Core
> Rules shortly and there are some updates to address compressed content
> (from an alerting perspective).  
> 
> This is from the CHANGES file -
> ModSecurity does not support compressed content at the 
> moment. Thus, the
> following rules have been added:
> - 960013 - Content-Encoding in request not supported
>     Any incoming compressed request will be denied
> - 960051 - Content-Encoding in response not suppoted
>     An outgoing compressed response will be logged to alert, but ONLY
> ONCE.
> 
> -- 
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
>  
> --------------
> Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
> Learn More About the Breach Webinar Series:
> http://www.breach.com/webinars.asp
> --------------
>  
> 
> > -----Original Message-----
> > From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> > security-users-bounces <at> lists.sourceforge.net] On Behalf Of 
> Jim Hermann
> -
> > UUN Hostmaster
> > Sent: Tuesday, May 01, 2007 1:32 PM
> > To: mod-security-users <at> lists.sourceforge.net
> > Subject: [mod-security-users] Mod_Security and 
> Content-Encoding: gzip
> > 
> > 
> > Does anyone know if Mod_Security can be configured to handle
> > Content-Encoding: gzip?
> > 
> > The default rules evaulate for RESPONSE_BODY for code leakage.
> However,
> > when
> > the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit
> characters
> > and
> > the mod_security rule does not work correctly.
> > 
> > Here is the modsec_audit.log entry:
> > 
> > --5a7c556c-A--
> > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146
> 43002
> > 69.94.104.180 80
> > --5a7c556c-B--
> > GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> > Host: www.xxx.xxx
> > Connection: Keep-alive
> > Accept: */*
> > From: googlebot(at)googlebot.com
> > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> > +http://www.google.com/bot.html)
> > Accept-Encoding: gzip
> > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > 
> > --5a7c556c-F--
> > HTTP/1.1 200 OK
> > X-Powered-By: PHP/5.0.4
> > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> > pre-check=0
> > Pragma: no-cache
> > Content-Encoding: gzip
> > Vary: Accept-Encoding
> > Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> > Content-Length: 15062
> > Keep-Alive: timeout=15, max=100
> > Connection: Keep-Alive
> > Content-Type: text/html; charset=ISO-8859-2
> > Content-Language: hu
> > 
> > --5a7c556c-E--
> > [snip - bunch of 8-bit characters]
> > 
> > --5a7c556c-H--
> > Message: Warning. Match of "rx
> > (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> > x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> > if)|B(?:%pdf|\\.ra)\\b)"
> > against "RESPONSE_BODY" required. [id "970902"] [msg "PHP 
> source code
> > leakage"] [severity "WARNING"]
> > Apache-Handler: cgi-script
> > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > Server: Apache/2.0.54 (Fedora)
> > 
> > --5a7c556c-Z--
> > __________________
> > Jim Hermann
> > Ministering to the Web
> > UUism Networks
> > www.uuism.net
> > 
> > 
> >
> --------------------------------------------------------------
> ----------
> -
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users <at> lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 
> No virus found in this incoming message.
> Checked by AVG Free Edition. 
> Version: 7.5.467 / Virus Database: 269.6.2/782 - Release 
> Date: 05/01/07 02:10 AM
>  
> 

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Ryan Barnett | 2 May 2007 00:58

Re: Mod_Security and Content-Encoding: gzip

You should be able to use a rule similar to this identify any
Content-Encoding (for compression) and then disable Mod
inspection/logging for it -

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:3,t:none,nolog,pass,ctl:auditEngine=Off,ruleEngine=Off"

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: Jim Hermann - UUN Hostmaster [mailto:hostmaster <at> uuism.net]
> Sent: Tuesday, May 01, 2007 6:50 PM
> To: Ryan Barnett; mod-security-users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Mod_Security and Content-Encoding:
gzip
> 
> How can I filter the RESPONSE_BODY so that mod_security does not
receive
> it
> when the Content-Encoding is gzip?
> 
> I like the idea of checking for code leakage when the Content-Encoding
is
> not gzip.
> 
> Thanks.
> 
> Jim
> 
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett <at> Breach.com]
> > Sent: Tuesday, May 01, 2007 12:42 PM
> > To: Jim Hermann - UUN Hostmaster;
> > mod-security-users <at> lists.sourceforge.net
> > Subject: RE: [mod-security-users] Mod_Security and
> > Content-Encoding: gzip
> >
> > Very timely...  The short answer however is - No, Mod can not handle
> > compressed/gzipped data.  Ofer will be releasing an update to the
Core
> > Rules shortly and there are some updates to address compressed
content
> > (from an alerting perspective).
> >
> > This is from the CHANGES file -
> > ModSecurity does not support compressed content at the
> > moment. Thus, the
> > following rules have been added:
> > - 960013 - Content-Encoding in request not supported
> >     Any incoming compressed request will be denied
> > - 960051 - Content-Encoding in response not suppoted
> >     An outgoing compressed response will be logged to alert, but
ONLY
> > ONCE.
> >
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Application Security Training
> > Web Application Security Consortium (WASC) Member
> > Author: Preventing Web Attacks with Apache
> >
> > --------------
> > Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
> > Learn More About the Breach Webinar Series:
> > http://www.breach.com/webinars.asp
> > --------------
> >
> >
> > > -----Original Message-----
> > > From: mod-security-users-bounces <at> lists.sourceforge.net
[mailto:mod-
> > > security-users-bounces <at> lists.sourceforge.net] On Behalf Of
> > Jim Hermann
> > -
> > > UUN Hostmaster
> > > Sent: Tuesday, May 01, 2007 1:32 PM
> > > To: mod-security-users <at> lists.sourceforge.net
> > > Subject: [mod-security-users] Mod_Security and
> > Content-Encoding: gzip
> > >
> > >
> > > Does anyone know if Mod_Security can be configured to handle
> > > Content-Encoding: gzip?
> > >
> > > The default rules evaulate for RESPONSE_BODY for code leakage.
> > However,
> > > when
> > > the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit
> > characters
> > > and
> > > the mod_security rule does not work correctly.
> > >
> > > Here is the modsec_audit.log entry:
> > >
> > > --5a7c556c-A--
> > > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU
66.249.65.146
> > 43002
> > > 69.94.104.180 80
> > > --5a7c556c-B--
> > > GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> > > Host: www.xxx.xxx
> > > Connection: Keep-alive
> > > Accept: */*
> > > From: googlebot(at)googlebot.com
> > > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> > > +http://www.google.com/bot.html)
> > > Accept-Encoding: gzip
> > > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > >
> > > --5a7c556c-F--
> > > HTTP/1.1 200 OK
> > > X-Powered-By: PHP/5.0.4
> > > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> > > pre-check=0
> > > Pragma: no-cache
> > > Content-Encoding: gzip
> > > Vary: Accept-Encoding
> > > Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> > > Content-Length: 15062
> > > Keep-Alive: timeout=15, max=100
> > > Connection: Keep-Alive
> > > Content-Type: text/html; charset=ISO-8859-2
> > > Content-Language: hu
> > >
> > > --5a7c556c-E--
> > > [snip - bunch of 8-bit characters]
> > >
> > > --5a7c556c-H--
> > > Message: Warning. Match of "rx
> > > (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> > > x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> > > if)|B(?:%pdf|\\.ra)\\b)"
> > > against "RESPONSE_BODY" required. [id "970902"] [msg "PHP
> > source code
> > > leakage"] [severity "WARNING"]
> > > Apache-Handler: cgi-script
> > > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > > Response-Body-Transformed: Dechunked
> > > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > > Server: Apache/2.0.54 (Fedora)
> > >
> > > --5a7c556c-Z--
> > > __________________
> > > Jim Hermann
> > > Ministering to the Web
> > > UUism Networks
> > > www.uuism.net
> > >
> > >
> > >
> > --------------------------------------------------------------
> > ----------
> > -
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod-security-users <at> lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.5.467 / Virus Database: 269.6.2/782 - Release
> > Date: 05/01/07 02:10 AM
> >
> >

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Avi Aminov | 2 May 2007 08:24

Re: Mod_Security and Content-Encoding: gzip

Ryan, this rule will not work, because Apache generates the response
headers just before it sends the response, only in phase 5 - logging.
The only headers available at this point are the ones generated by the
web application. In the new core rule set (should be available very
soon), the rule for logging outgoing compressed response is applied only
in phase:5, and this is the reason. 

When your rule is applied, the variable
<RESPONSE_HEADERS:Content-Encoding> doesn't exist, and the rule will
never satisfy (that is in modSec2. In modSec 1.9, however, it will
ALWAYS satisfy).

This means, unfortunately, that we cannot make an interruptive action
based on response-headers. I'm sure we will find a way to overcome this
in the future.

Apache stores this information in the variable r->content_encoding, but
I have no idea how to reach it from modSecurity.

Avi.

-----Original Message-----
From: mod-security-users-bounces <at> lists.sourceforge.net
[mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of
Ryan Barnett
Sent: Wednesday, May 02, 2007 1:58 AM
To: Jim Hermann - UUN Hostmaster;
mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Mod_Security and Content-Encoding:
gzip

You should be able to use a rule similar to this identify any
Content-Encoding (for compression) and then disable Mod
inspection/logging for it -

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:3,t:none,nolog,pass,ctl:auditEngine=Off,ruleEngine=Off"

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: Jim Hermann - UUN Hostmaster [mailto:hostmaster <at> uuism.net]
> Sent: Tuesday, May 01, 2007 6:50 PM
> To: Ryan Barnett; mod-security-users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Mod_Security and Content-Encoding:
gzip
> 
> How can I filter the RESPONSE_BODY so that mod_security does not
receive
> it
> when the Content-Encoding is gzip?
> 
> I like the idea of checking for code leakage when the Content-Encoding
is
> not gzip.
> 
> Thanks.
> 
> Jim
> 
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett <at> Breach.com]
> > Sent: Tuesday, May 01, 2007 12:42 PM
> > To: Jim Hermann - UUN Hostmaster;
> > mod-security-users <at> lists.sourceforge.net
> > Subject: RE: [mod-security-users] Mod_Security and
> > Content-Encoding: gzip
> >
> > Very timely...  The short answer however is - No, Mod can not handle
> > compressed/gzipped data.  Ofer will be releasing an update to the
Core
> > Rules shortly and there are some updates to address compressed
content
> > (from an alerting perspective).
> >
> > This is from the CHANGES file -
> > ModSecurity does not support compressed content at the
> > moment. Thus, the
> > following rules have been added:
> > - 960013 - Content-Encoding in request not supported
> >     Any incoming compressed request will be denied
> > - 960051 - Content-Encoding in response not suppoted
> >     An outgoing compressed response will be logged to alert, but
ONLY
> > ONCE.
> >
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Application Security Training
> > Web Application Security Consortium (WASC) Member
> > Author: Preventing Web Attacks with Apache
> >
> > --------------
> > Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
> > Learn More About the Breach Webinar Series:
> > http://www.breach.com/webinars.asp
> > --------------
> >
> >
> > > -----Original Message-----
> > > From: mod-security-users-bounces <at> lists.sourceforge.net
[mailto:mod-
> > > security-users-bounces <at> lists.sourceforge.net] On Behalf Of
> > Jim Hermann
> > -
> > > UUN Hostmaster
> > > Sent: Tuesday, May 01, 2007 1:32 PM
> > > To: mod-security-users <at> lists.sourceforge.net
> > > Subject: [mod-security-users] Mod_Security and
> > Content-Encoding: gzip
> > >
> > >
> > > Does anyone know if Mod_Security can be configured to handle
> > > Content-Encoding: gzip?
> > >
> > > The default rules evaulate for RESPONSE_BODY for code leakage.
> > However,
> > > when
> > > the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit
> > characters
> > > and
> > > the mod_security rule does not work correctly.
> > >
> > > Here is the modsec_audit.log entry:
> > >
> > > --5a7c556c-A--
> > > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU
66.249.65.146
> > 43002
> > > 69.94.104.180 80
> > > --5a7c556c-B--
> > > GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> > > Host: www.xxx.xxx
> > > Connection: Keep-alive
> > > Accept: */*
> > > From: googlebot(at)googlebot.com
> > > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> > > +http://www.google.com/bot.html)
> > > Accept-Encoding: gzip
> > > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > >
> > > --5a7c556c-F--
> > > HTTP/1.1 200 OK
> > > X-Powered-By: PHP/5.0.4
> > > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> > > pre-check=0
> > > Pragma: no-cache
> > > Content-Encoding: gzip
> > > Vary: Accept-Encoding
> > > Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> > > Content-Length: 15062
> > > Keep-Alive: timeout=15, max=100
> > > Connection: Keep-Alive
> > > Content-Type: text/html; charset=ISO-8859-2
> > > Content-Language: hu
> > >
> > > --5a7c556c-E--
> > > [snip - bunch of 8-bit characters]
> > >
> > > --5a7c556c-H--
> > > Message: Warning. Match of "rx
> > > (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> > > x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> > > if)|B(?:%pdf|\\.ra)\\b)"
> > > against "RESPONSE_BODY" required. [id "970902"] [msg "PHP
> > source code
> > > leakage"] [severity "WARNING"]
> > > Apache-Handler: cgi-script
> > > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > > Response-Body-Transformed: Dechunked
> > > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > > Server: Apache/2.0.54 (Fedora)
> > >
> > > --5a7c556c-Z--
> > > __________________
> > > Jim Hermann
> > > Ministering to the Web
> > > UUism Networks
> > > www.uuism.net
> > >
> > >
> > >
> > --------------------------------------------------------------
> > ----------
> > -
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod-security-users <at> lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.5.467 / Virus Database: 269.6.2/782 - Release
> > Date: 05/01/07 02:10 AM
> >
> >

------------------------------------------------------------------------
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Markus | 2 May 2007 09:01

must-have features in mod_security 2.x vs. 1.9.2

Hi,

I'm using the Oracle Application / Http Server which includes mod_security 1.9.2

I'm not sure if I should use this module or use Apache 2 and mod_security 2.x
as a proxy.

Are there any must-have features in mod_security 2.x?

If 1.9.2 is sufficient to prevent basic attacks like XSS and SQL injection,
I'd rather avoid installing an extra proxy layer just for mod_security.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Ryan Barnett | 2 May 2007 14:25

Re: Mod_Security and Content-Encoding: gzip

Good points, this is correct for embedded mode installations.  I guess I
am used to assuming that people are running Mod in a Reverse Proxy mode
and that is not always the case.  In the Reverse Proxy mode, these
headers should be present.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: Avi Aminov
> Sent: Wednesday, May 02, 2007 2:24 AM
> To: Ryan Barnett; Jim Hermann - UUN Hostmaster; mod-security-
> users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Mod_Security and Content-Encoding:
gzip
> 
> Ryan, this rule will not work, because Apache generates the response
> headers just before it sends the response, only in phase 5 - logging.
The
> only headers available at this point are the ones generated by the web
> application. In the new core rule set (should be available very soon),
the
> rule for logging outgoing compressed response is applied only in
phase:5,
> and this is the reason.
> 
> When your rule is applied, the variable <RESPONSE_HEADERS:Content-
> Encoding> doesn't exist, and the rule will never satisfy (that is in
> modSec2. In modSec 1.9, however, it will ALWAYS satisfy).
> 
> This means, unfortunately, that we cannot make an interruptive action
> based on response-headers. I'm sure we will find a way to overcome
this in
> the future.
> 
> Apache stores this information in the variable r->content_encoding,
but I
> have no idea how to reach it from modSecurity.
> 
> Avi.
> 
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ryan
Barnett
> Sent: Wednesday, May 02, 2007 1:58 AM
> To: Jim Hermann - UUN Hostmaster;
mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Mod_Security and Content-Encoding:
gzip
> 
> You should be able to use a rule similar to this identify any
> Content-Encoding (for compression) and then disable Mod
> inspection/logging for it -
> 
> SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
>     "phase:3,t:none,nolog,pass,ctl:auditEngine=Off,ruleEngine=Off"
> 
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
> 
> --------------
> Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
> Learn More About the Breach Webinar Series:
> http://www.breach.com/webinars.asp
> --------------
> 
> 
> > -----Original Message-----
> > From: Jim Hermann - UUN Hostmaster [mailto:hostmaster <at> uuism.net]
> > Sent: Tuesday, May 01, 2007 6:50 PM
> > To: Ryan Barnett; mod-security-users <at> lists.sourceforge.net
> > Subject: RE: [mod-security-users] Mod_Security and Content-Encoding:
> gzip
> >
> > How can I filter the RESPONSE_BODY so that mod_security does not
> receive
> > it
> > when the Content-Encoding is gzip?
> >
> > I like the idea of checking for code leakage when the
Content-Encoding
> is
> > not gzip.
> >
> > Thanks.
> >
> > Jim
> >
> > > -----Original Message-----
> > > From: Ryan Barnett [mailto:Ryan.Barnett <at> Breach.com]
> > > Sent: Tuesday, May 01, 2007 12:42 PM
> > > To: Jim Hermann - UUN Hostmaster;
> > > mod-security-users <at> lists.sourceforge.net
> > > Subject: RE: [mod-security-users] Mod_Security and
> > > Content-Encoding: gzip
> > >
> > > Very timely...  The short answer however is - No, Mod can not
handle
> > > compressed/gzipped data.  Ofer will be releasing an update to the
> Core
> > > Rules shortly and there are some updates to address compressed
> content
> > > (from an alerting perspective).
> > >
> > > This is from the CHANGES file -
> > > ModSecurity does not support compressed content at the
> > > moment. Thus, the
> > > following rules have been added:
> > > - 960013 - Content-Encoding in request not supported
> > >     Any incoming compressed request will be denied
> > > - 960051 - Content-Encoding in response not suppoted
> > >     An outgoing compressed response will be logged to alert, but
> ONLY
> > > ONCE.
> > >
> > > --
> > > Ryan C. Barnett
> > > ModSecurity Community Manager
> > > Breach Security: Director of Application Security Training
> > > Web Application Security Consortium (WASC) Member
> > > Author: Preventing Web Attacks with Apache
> > >
> > > --------------
> > > Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
> > > Learn More About the Breach Webinar Series:
> > > http://www.breach.com/webinars.asp
> > > --------------
> > >
> > >
> > > > -----Original Message-----
> > > > From: mod-security-users-bounces <at> lists.sourceforge.net
> [mailto:mod-
> > > > security-users-bounces <at> lists.sourceforge.net] On Behalf Of
> > > Jim Hermann
> > > -
> > > > UUN Hostmaster
> > > > Sent: Tuesday, May 01, 2007 1:32 PM
> > > > To: mod-security-users <at> lists.sourceforge.net
> > > > Subject: [mod-security-users] Mod_Security and
> > > Content-Encoding: gzip
> > > >
> > > >
> > > > Does anyone know if Mod_Security can be configured to handle
> > > > Content-Encoding: gzip?
> > > >
> > > > The default rules evaulate for RESPONSE_BODY for code leakage.
> > > However,
> > > > when
> > > > the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit
> > > characters
> > > > and
> > > > the mod_security rule does not work correctly.
> > > >
> > > > Here is the modsec_audit.log entry:
> > > >
> > > > --5a7c556c-A--
> > > > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU
> 66.249.65.146
> > > 43002
> > > > 69.94.104.180 80
> > > > --5a7c556c-B--
> > > > GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> > > > Host: www.xxx.xxx
> > > > Connection: Keep-alive
> > > > Accept: */*
> > > > From: googlebot(at)googlebot.com
> > > > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> > > > +http://www.google.com/bot.html)
> > > > Accept-Encoding: gzip
> > > > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > > >
> > > > --5a7c556c-F--
> > > > HTTP/1.1 200 OK
> > > > X-Powered-By: PHP/5.0.4
> > > > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > > > Cache-Control: no-store, no-cache, must-revalidate,
post-check=0,
> > > > pre-check=0
> > > > Pragma: no-cache
> > > > Content-Encoding: gzip
> > > > Vary: Accept-Encoding
> > > > Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> > > > Content-Length: 15062
> > > > Keep-Alive: timeout=15, max=100
> > > > Connection: Keep-Alive
> > > > Content-Type: text/html; charset=ISO-8859-2
> > > > Content-Language: hu
> > > >
> > > > --5a7c556c-E--
> > > > [snip - bunch of 8-bit characters]
> > > >
> > > > --5a7c556c-H--
> > > > Message: Warning. Match of "rx
> > > > (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> > > > x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> > > > if)|B(?:%pdf|\\.ra)\\b)"
> > > > against "RESPONSE_BODY" required. [id "970902"] [msg "PHP
> > > source code
> > > > leakage"] [severity "WARNING"]
> > > > Apache-Handler: cgi-script
> > > > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > > > Response-Body-Transformed: Dechunked
> > > > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > > > Server: Apache/2.0.54 (Fedora)
> > > >
> > > > --5a7c556c-Z--
> > > > __________________
> > > > Jim Hermann
> > > > Ministering to the Web
> > > > UUism Networks
> > > > www.uuism.net
> > > >
> > > >
> > > >
> > > --------------------------------------------------------------
> > > ----------
> > > -
> > > > This SF.net email is sponsored by DB2 Express
> > > > Download DB2 Express C - the FREE version of DB2 express and
take
> > > > control of your XML. No limits. Just data. Click to get it now.
> > > > http://sourceforge.net/powerbar/db2/
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod-security-users <at> lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition.
> > > Version: 7.5.467 / Virus Database: 269.6.2/782 - Release
> > > Date: 05/01/07 02:10 AM
> > >
> > >
> 
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Russ Lavoie | 2 May 2007 14:47

Throttling

Is there a way inside modsecurity that can throttle IP addresses.
Meaning, IPs are only allowed 2,000 hits per day and then denied...

I went through the reference manual and saw nothing there regarding
this.

Thanks

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

headers

Christian Bockermann | 2 May 2007 15:06

Re: Throttling

You can do this using ModSecurity's collection-capabilities.
First you initalize a collection wrt the ip-address

	SecAction initcol:ip=%{REMOTE_ADDR},nolog

Now you have a collection called "IP" that you can use to save  
variables.
The following rule will check if there exists a variable "count"  
within the
ip-collection. If not, it will initialize such a variable to 0 and tell
ModSecurity to expire it after 1 hour (3600 seconds).

	SecRule &IP:COUNT " <at> eq 0" "setvar:ip.count=0,expirevar:ip.count=3600"

Then you can "count" the accesses using this collection

	SecAction setvar:ip.count=+1

For example within a certain location (then you need to add a "phase: 
2" to
the actions). This will increment the variable "count" within the  
collection
IP (which is assiciated with the REMOTE_ADDR) by one.

You can then use this variable to block an IP:

	SecRule IP:COUNT " <at> gt 2000" "deny,status:500"

Not the different cases when setting and querying collection-variables.

For a more bandwidth-oriented throttling you should probably have a look
at mod_throttle, which also supports IP-based throttling, IIRC.

Regards,
    Chris

Am 02.05.2007 um 14:47 schrieb Russ Lavoie:

> Is there a way inside modsecurity that can throttle IP addresses.
> Meaning, IPs are only allowed 2,000 hits per day and then denied...
>
> I went through the reference manual and saw nothing there regarding
> this.
>
> Thanks
>
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

70	June 2013
114	May 2013
69	April 2013
107	March 2013
96	February 2013
96	January 2013
60	December 2012
42	November 2012
52	October 2012
62	September 2012
64	August 2012
95	July 2012
60	June 2012
39	May 2012
11	April 2012
46	March 2012
123	February 2012
80	January 2012
44	December 2011
51	November 2011
78	October 2011
108	September 2011
104	August 2011
111	July 2011
66	June 2011
185	May 2011
54	April 2011
72	March 2011
69	February 2011
76	January 2011
26	December 2010
51	November 2010
69	October 2010
79	September 2010
67	August 2010
67	July 2010
59	June 2010
88	May 2010
59	April 2010
130	March 2010
117	February 2010
99	January 2010
80	December 2009
156	November 2009
112	October 2009
73	September 2009
134	August 2009
92	July 2009
78	June 2009
132	May 2009
104	April 2009
127	March 2009
131	February 2009
137	January 2009
85	December 2008
82	November 2008
84	October 2008
154	September 2008
167	August 2008
187	July 2008
95	June 2008
115	May 2008
89	April 2008
97	March 2008
134	February 2008
159	January 2008
56	December 2007
205	November 2007
135	October 2007
97	September 2007
162	August 2007
130	July 2007
250	June 2007
191	May 2007
150	April 2007
181	March 2007
161	February 2007
166	January 2007
104	December 2006
172	November 2006
103	October 2006
83	September 2006
101	August 2006
92	July 2006
116	June 2006
65	May 2006
139	April 2006
82	March 2006
148	February 2006
61	January 2006
74	December 2005
104	November 2005
49	October 2005
28	September 2005
51	August 2005
27	July 2005
71	June 2005
26	May 2005
53	April 2005
82	March 2005
61	February 2005
67	January 2005
12	December 2004
22	November 2004
28	October 2004
31	September 2004
24	August 2004
36	July 2004
20	June 2004
15	May 2004
47	April 2004
21	March 2004
13	February 2004
44	January 2004
18	December 2003
13	November 2003
11	October 2003
9	September 2003
7	August 2003
16	July 2003
1	June 2003

Mon	Tue	Wed	Thu	Fri	Sat	Sun

	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31