Ofer Shezaf | 1 May 12:41 2007

Re: Rule is not working.


This rule is worth further discussion:

The rule uses typical user agent strings to detect automation programs. Being cautious, I set this rule to detection only, as many sites themselves use such an automated program, for example to monitor/ping the site on a regular basis. However, if the event does not alert on a regular basis on your system, or after you have created an exception for your own automated program, it is worthwhile to switch it to blocking, as it catches a lot of bad guys, as the case below shows.

~ Ofer Shezaf

Core Rules project leader


From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ryan Barnett
Sent: Monday, April 30, 2007 8:34 PM
To: Vince Tingey; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Rule is not working.

My guess is that Core Rule ID # 990011 is matching.  If you want your rule to trigger first, you will need to specify it in a file prior to the modsecurity_crs_35_bad_robots.conf file.   Follow the steps outlined here - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Vince Tingey
Sent: Monday, April 30, 2007 1:31 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Rule is not working.


Hi Everyone,

I have created the following rule to block a known web application vulnerability scan (getting TONS of these lately from what looks like bot nets) :

# This rule stops scans for a known web calendar vulnerability
# http://www.securityfocus.com/bid/14651
SecRule REQUEST_URI "tools/send_reminders\.php" "phase:1,deny,nolog"

It does not seem to be working though as I still get this showing up in my console:

1
990011
NOTICE (5)
Request Indicates an automated program explored the site    Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required.

What am I doing wrong?

--
Vince

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Jim Hermann | 1 May 2007

Mod_Security and Content-Encoding: gzip


Does anyone know if Mod_Security can be configured to handle
Content-Encoding: gzip?

The default rules evaluate RESPONSE_BODY for code leakage. However, when
the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit characters and
the mod_security rule does not work correctly.

Here is the modsec_audit.log entry:

--5a7c556c-A--
[01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146 43002
69.94.104.180 80
--5a7c556c-B--
GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
Host: www.xxx.xxx
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
+http://www.google.com/bot.html)
Accept-Encoding: gzip
If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT

--5a7c556c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.0.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
Content-Length: 15062
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-2
Content-Language: hu

--5a7c556c-E--
[snip - bunch of 8-bit characters]

--5a7c556c-H--
Message: Warning. Match of "rx
(?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g if)|B(?:%pdf|\\.ra)\\b)"
against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code
leakage"] [severity "WARNING"]
Apache-Handler: cgi-script
Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
Response-Body-Transformed: Dechunked
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.0.54 (Fedora)

--5a7c556c-Z--
__________________
Jim Hermann
Ministering to the Web
UUism Networks
www.uuism.net

Ryan Barnett | 1 May 19:42 2007

Re: Mod_Security and Content-Encoding: gzip

Very timely...  The short answer however is - No, Mod can not handle
compressed/gzipped data.  Ofer will be releasing an update to the Core
Rules shortly and there are some updates to address compressed content
(from an alerting perspective).  

This is from the CHANGES file -
ModSecurity does not support compressed content at the moment. Thus, the
following rules have been added:
- 960013 - Content-Encoding in request not supported
    Any incoming compressed request will be denied
- 960051 - Content-Encoding in response not supported
    An outgoing compressed response will be logged to alert, but ONLY
ONCE.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache


Jim Hermann | 1 May 2007

Re: Mod_Security and Content-Encoding: gzip

How can I filter the RESPONSE_BODY so that mod_security does not receive it
when the Content-Encoding is gzip?

I like the idea of checking for code leakage when the Content-Encoding is
not gzip.

Thanks.

Jim

Ryan Barnett | 2 May 00:58 2007

Re: Mod_Security and Content-Encoding: gzip

You should be able to use a rule similar to this to identify any
Content-Encoding (for compression) and then disable Mod
inspection/logging for it -

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:3,t:none,nolog,pass,ctl:auditEngine=Off,ruleEngine=Off"

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache


Avi Aminov | 2 May 08:24 2007

Re: Mod_Security and Content-Encoding: gzip

Ryan, this rule will not work, because Apache generates the response
headers just before it sends the response, only in phase 5 - logging.
The only headers available at this point are the ones generated by the
web application. In the new core rule set (should be available very
soon), the rule for logging outgoing compressed response is applied only
in phase:5, and this is the reason. 

When your rule is applied, the variable
<RESPONSE_HEADERS:Content-Encoding> doesn't exist, and the rule will
never satisfy (that is in modSec2. In modSec 1.9, however, it will
ALWAYS satisfy).

This means, unfortunately, that we cannot make an interruptive action
based on response-headers. I'm sure we will find a way to overcome this
in the future.

Apache stores this information in the variable r->content_encoding, but
I have no idea how to reach it from modSecurity.

Avi.

Markus | 2 May 09:01 2007

must-have features in mod_security 2.x vs. 1.9.2

Hi,

I'm using the Oracle Application / Http Server which includes mod_security 1.9.2

I'm not sure if I should use this module or use Apache 2 and mod_security 2.x
as a proxy.

Are there any must-have features in mod_security 2.x?

If 1.9.2 is sufficient to prevent basic attacks like XSS and SQL injection,
I'd rather avoid installing an extra proxy layer just for mod_security.

Ryan Barnett | 2 May 14:25 2007

Re: Mod_Security and Content-Encoding: gzip

Good points, this is correct for embedded mode installations.  I guess I
am used to assuming that people are running Mod in a Reverse Proxy mode
and that is not always the case.  In the Reverse Proxy mode, these
headers should be present.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

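Given the thread's conclusion (in embedded mode a phase 3 rule cannot see the response Content-Encoding, so compressed bodies keep reaching the RESPONSE_BODY rules and 970902 keeps firing on raw gzip bytes), what is left is triaging those alerts after the fact. The helper below is an added example, not code from the thread or from the ModSecurity project: it parses the serial audit-log format quoted above, flags RESPONSE_BODY alerts that fired on a compressed response, and gunzips part E so an analyst can see what was actually served; the sample entry, hostnames and addresses are constructed placeholders.

```python
"""Triage ModSecurity 2.x serial audit-log entries (the --<id>-A-- ... --<id>-Z--
format quoted in this thread) whose RESPONSE_BODY alerts fired on a compressed
body.  ModSecurity 2.1 matches rule 970902 against the raw gzip bytes, so such
alerts need a second look.  Constructed example, not Core Rules code."""
import gzip
import re
from typing import Dict

# A part marker looks like "--5a7c556c-A--": boundary id, dash, part letter.
FIRST_MARKER_RE = re.compile(rb"^--([0-9a-f]+)-([A-Z])--\r?\n", re.MULTILINE)


def split_sections(entry: bytes) -> Dict[str, bytes]:
    """Split one serial audit entry into its parts, keyed by letter (A, B, F, E, H, Z).

    The boundary id is taken from the first marker, so a stray "--...--" inside a
    binary body cannot be mistaken for a new part.  Each part is followed by one
    newline before the next marker; only that newline is removed."""
    first = FIRST_MARKER_RE.search(entry)
    if first is None:
        return {}
    marker_re = re.compile(rb"^--" + first.group(1) + rb"-([A-Z])--\r?\n", re.MULTILINE)
    marks = list(marker_re.finditer(entry))
    parts: Dict[str, bytes] = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        chunk = entry[mark.end():end]
        if chunk.endswith(b"\n"):
            chunk = chunk[:-1]
        parts[mark.group(1).decode("ascii")] = chunk
    return parts


def parse_headers(block: bytes) -> Dict[str, str]:
    """Parse a B (request) or F (response) part: the first line is the request or
    status line, the remaining lines are "Name: value" headers (names lower-cased)."""
    headers: Dict[str, str] = {}
    for raw in block.split(b"\n")[1:]:
        name, sep, value = raw.strip().decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def triage(entry: bytes) -> dict:
    """Verdict for one entry: which RESPONSE_BODY rules fired, the response
    Content-Encoding, whether those alerts matched a compressed body (and are
    therefore not trustworthy), and the start of the gunzipped body if recoverable."""
    parts = split_sections(entry)
    encoding = parse_headers(parts.get("F", b"")).get("content-encoding", "identity").lower()
    messages = [ln.decode("latin-1") for ln in parts.get("H", b"").split(b"\n")
                if ln.startswith(b"Message:")]
    body_alerts = [m for m in messages if 'against "RESPONSE_BODY"' in m]
    rule_ids = re.findall(r'\[id "(\d+)"\]', "\n".join(body_alerts))
    verdict: dict = {
        "content_encoding": encoding,
        "response_body_rule_ids": rule_ids,
        "alert_on_compressed_body": encoding != "identity" and bool(body_alerts),
        "decompressed_preview": None,
    }
    if encoding == "gzip" and "E" in parts:
        try:
            verdict["decompressed_preview"] = gzip.decompress(parts["E"])[:64]
        except (OSError, EOFError):
            pass  # truncated or not really gzip: leave the preview empty
    return verdict


def _part(bid: bytes, letter: bytes, payload: bytes) -> bytes:
    """Serialise one audit-log part exactly as the serial format lays it out."""
    return b"--" + bid + b"-" + letter + b"--\n" + payload + b"\n"


def build_sample_entry(compress: bool) -> bytes:
    """Constructed entry mimicking the one quoted in the thread (placeholder
    addresses, not real traffic).  Part H carries the 970902 alert in both cases,
    so the only difference between them is the response Content-Encoding."""
    html = b"<html><body><h1>Hello</h1><p>nothing leaked here</p></body></html>"
    body = gzip.compress(html) if compress else html
    enc_hdr = b"Content-Encoding: gzip\n" if compress else b""
    bid = b"5a7c556c"
    return b"".join([
        _part(bid, b"A", b"[01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU "
                         b"192.0.2.10 43002 198.51.100.7 80"),
        _part(bid, b"B", b"GET /modules.php?name=Content HTTP/1.1\n"
                         b"Host: www.example.invalid\nAccept-Encoding: gzip\n"),
        _part(bid, b"F", b"HTTP/1.1 200 OK\nX-Powered-By: PHP/5.0.4\n" + enc_hdr
                         + b"Content-Type: text/html; charset=ISO-8859-2\n"),
        _part(bid, b"E", body),
        _part(bid, b"H", b'Message: Warning. Match of "rx ..." against "RESPONSE_BODY" '
                         b'required. [id "970902"] [msg "PHP source code leakage"] '
                         b'[severity "WARNING"]\nProducer: ModSecurity v2.1.1 (Apache 2.x)\n'),
        _part(bid, b"Z", b""),
    ])


if __name__ == "__main__":
    for compressed in (True, False):
        print(triage(build_sample_entry(compressed)))
```

On a real modsec_audit.log, feed each entry between its A and Z markers to `triage`; an alert with `alert_on_compressed_body` set needs the decompressed preview, not the raw match, before anyone treats it as a leak.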

> -----Original Message-----
> From: Avi Aminov
> Sent: Wednesday, May 02, 2007 2:24 AM
> To: Ryan Barnett; Jim Hermann - UUN Hostmaster; mod-security-
> users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Mod_Security and Content-Encoding:
gzip
> 
> Ryan, this rule will not work, because Apache generates the response
> headers just before it sends the response, only in phase 5 - logging.
The
> only headers available at this point are the ones generated by the web
> application. In the new core rule set (should be available very soon),
the
> rule for logging outgoing compressed response is applied only in
phase:5,
> and this is the reason.
> 
> When your rule is applied, the variable <RESPONSE_HEADERS:Content-
> Encoding> doesn't exist, and the rule will never satisfy (that is in
> modSec2. In modSec 1.9, however, it will ALWAYS satisfy).
> 
> This means, unfortunately, that we cannot make an interruptive action
> based on response-headers. I'm sure we will find a way to overcome
this in
> the future.
> 
> Apache stores this information in the variable r->content_encoding,
but I
> have no idea how to reach it from modSecurity.
> 
> Avi.
> 
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ryan
Barnett
> Sent: Wednesday, May 02, 2007 1:58 AM
> To: Jim Hermann - UUN Hostmaster;
mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Mod_Security and Content-Encoding:
gzip
> 
> You should be able to use a rule similar to this identify any
> Content-Encoding (for compression) and then disable Mod
> inspection/logging for it -
> 
> SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
>     "phase:3,t:none,nolog,pass,ctl:auditEngine=Off,ruleEngine=Off"
> 
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
> 
> 
> 
> > -----Original Message-----
> > From: Jim Hermann - UUN Hostmaster [mailto:hostmaster <at> uuism.net]
> > Sent: Tuesday, May 01, 2007 6:50 PM
> > To: Ryan Barnett; mod-security-users <at> lists.sourceforge.net
> > Subject: RE: [mod-security-users] Mod_Security and Content-Encoding: gzip
> >
> > How can I filter the RESPONSE_BODY so that mod_security does not receive it
> > when the Content-Encoding is gzip?
> >
> > I like the idea of checking for code leakage when the Content-Encoding is
> > not gzip.
> >
> > Thanks.
> >
> > Jim
> >
> > > -----Original Message-----
> > > From: Ryan Barnett [mailto:Ryan.Barnett <at> Breach.com]
> > > Sent: Tuesday, May 01, 2007 12:42 PM
> > > To: Jim Hermann - UUN Hostmaster;
> > > mod-security-users <at> lists.sourceforge.net
> > > Subject: RE: [mod-security-users] Mod_Security and Content-Encoding: gzip
> > >
> > > Very timely...  The short answer however is - No, Mod can not handle
> > > compressed/gzipped data.  Ofer will be releasing an update to the Core
> > > Rules shortly and there are some updates to address compressed content
> > > (from an alerting perspective).
> > >
> > > This is from the CHANGES file -
> > > ModSecurity does not support compressed content at the moment. Thus, the
> > > following rules have been added:
> > > - 960013 - Content-Encoding in request not supported
> > >     Any incoming compressed request will be denied
> > > - 960051 - Content-Encoding in response not supported
> > >     An outgoing compressed response will be logged to alert, but ONLY ONCE.
> > >
> > > --
> > > Ryan C. Barnett
> > > ModSecurity Community Manager
> > > Breach Security: Director of Application Security Training
> > > Web Application Security Consortium (WASC) Member
> > > Author: Preventing Web Attacks with Apache
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: mod-security-users-bounces <at> lists.sourceforge.net
> > > > [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Jim Hermann - UUN Hostmaster
> > > > Sent: Tuesday, May 01, 2007 1:32 PM
> > > > To: mod-security-users <at> lists.sourceforge.net
> > > > Subject: [mod-security-users] Mod_Security and Content-Encoding: gzip
> > > >
> > > >
> > > > Does anyone know if Mod_Security can be configured to handle
> > > > Content-Encoding: gzip?
> > > >
> > > > The default rules evaluate RESPONSE_BODY for code leakage. However,
> > > > when the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit characters
> > > > and the mod_security rule does not work correctly.
> > > >
> > > > Here is the modsec_audit.log entry:
> > > >
> > > > --5a7c556c-A--
> > > > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146 43002 69.94.104.180 80
> > > > --5a7c556c-B--
> > > > GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> > > > Host: www.xxx.xxx
> > > > Connection: Keep-alive
> > > > Accept: */*
> > > > From: googlebot(at)googlebot.com
> > > > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> > > > +http://www.google.com/bot.html)
> > > > Accept-Encoding: gzip
> > > > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > > >
> > > > --5a7c556c-F--
> > > > HTTP/1.1 200 OK
> > > > X-Powered-By: PHP/5.0.4
> > > > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> > > > Pragma: no-cache
> > > > Content-Encoding: gzip
> > > > Vary: Accept-Encoding
> > > > Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> > > > Content-Length: 15062
> > > > Keep-Alive: timeout=15, max=100
> > > > Connection: Keep-Alive
> > > > Content-Type: text/html; charset=ISO-8859-2
> > > > Content-Language: hu
> > > >
> > > > --5a7c556c-E--
> > > > [snip - bunch of 8-bit characters]
> > > >
> > > > --5a7c556c-H--
> > > > Message: Warning. Match of "rx
> > > > (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|gif)|B(?:%pdf|\\.ra)\\b)"
> > > > against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code
> > > > leakage"] [severity "WARNING"]
> > > > Apache-Handler: cgi-script
> > > > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > > > Response-Body-Transformed: Dechunked
> > > > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > > > Server: Apache/2.0.54 (Fedora)
> > > >
> > > > --5a7c556c-Z--
> > > > __________________
> > > > Jim Hermann
> > > > Ministering to the Web
> > > > UUism Networks
> > > > www.uuism.net
> > > >
> > > >
> > > >
> > > > -------------------------------------------------------------------------
> > > > This SF.net email is sponsored by DB2 Express
> > > > Download DB2 Express C - the FREE version of DB2 express and take
> > > > control of your XML. No limits. Just data. Click to get it now.
> > > > http://sourceforge.net/powerbar/db2/
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod-security-users <at> lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >
> > >
> > >
> 
> 
>

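The thread above ends with the conclusion that a response-header test cannot be made to fire reliably, because ModSecurity may not see Content-Encoding at the point where it could act on it. The rule below is an added example, not code from the thread or from the Core Rules: instead of the header it keys on the compressed body itself. It assumes ModSecurity 2.1 with SecResponseBodyAccess On and text/html in SecResponseBodyMimeType (as in Jim's setup, where the body was buffered), that it is loaded from a file which sorts before modsecurity_crs_50_outbound.conf so it runs ahead of the leakage rules inside phase 4, and that ctl:ruleEngine=Off takes effect for the rest of the transaction, which is the same property the phase-3 rule earlier in the thread relies on.

```apache
# Added example (not from the thread or the Core Rules).
# Assumed environment: ModSecurity 2.1, SecResponseBodyAccess On, this file
# loaded before modsecurity_crs_50_outbound.conf.
#
# A gzip stream always begins with the two magic bytes 0x1f 0x8b, and those
# bytes are present in the RESPONSE_BODY that ModSecurity buffers in phase 4
# whether the application set Content-Encoding itself (the PHP case logged
# above) or not. Matching on them does not depend on when Apache makes the
# response header visible to the engine.
#
# When the body is compressed, stop rule processing and audit logging for the
# remainder of this transaction: the outbound rules cannot read compressed
# bytes, and running them only produces noise like the 970902 warning above.
SecRule RESPONSE_BODY "^\x1f\x8b" \
    "phase:4,t:none,nolog,pass,ctl:ruleEngine=Off,ctl:auditEngine=Off"
```

The trade-off is that every compressed response escapes all outbound checks, so on a site that compresses most pages the outbound rule set is effectively off. Keep the 960051 alert from the updated Core Rules so that compressed responses are at least noticed once, and keep 960013 on the request side, which denies compressed request bodies. The real remedy is inflating the body before inspection, which this version of ModSecurity does not do.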
Russ Lavoie | 2 May 14:47 2007

Throttling

Is there a way inside modsecurity that can throttle IP addresses.
Meaning, IPs are only allowed 2,000 hits per day and then denied...

I went through the reference manual and saw nothing there regarding
this.

Thanks

Christian Bockermann | 2 May 15:06 2007

Re: Throttling

You can do this using ModSecurity's collection capabilities.
First you initialize a collection wrt the IP address:

	SecAction initcol:ip=%{REMOTE_ADDR},nolog

Now you have a collection called "IP" that you can use to save variables.
The following rule will check if there exists a variable "count" within the
ip-collection. If not, it will initialize such a variable to 0 and tell
ModSecurity to expire it after 1 hour (3600 seconds).

	SecRule &IP:COUNT "@eq 0" "setvar:ip.count=0,expirevar:ip.count=3600"

Then you can "count" the accesses using this collection:

	SecAction setvar:ip.count=+1

For example within a certain location (then you need to add a "phase:2" to
the actions). This will increment the variable "count" within the collection
IP (which is associated with the REMOTE_ADDR) by one.

You can then use this variable to block an IP:

	SecRule IP:COUNT "@gt 2000" "deny,status:500"

Note the different cases when setting and querying collection variables.

For a more bandwidth-oriented throttling you should probably have a look
at mod_throttle, which also supports IP-based throttling, IIRC.

Regards,
    Chris

Am 02.05.2007 um 14:47 schrieb Russ Lavoie:

> Is there a way inside modsecurity that can throttle IP addresses.
> Meaning, IPs are only allowed 2,000 hits per day and then denied...
>
> I went through the reference manual and saw nothing there regarding
> this.
>
> Thanks
>

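As an added example, not part of Christian's post, here is the same counter written out as a complete fragment for the per-day limit Russ asked about. It assumes ModSecurity 2.x with a SecDefaultAction that denies (the Core Rules default), which is why every rule that must not block says "pass" explicitly, and a writable SecDataDir, since the IP collection is persisted to disk between requests; the directory path is a placeholder.

```apache
# Added example (not from the thread). Assumed: ModSecurity 2.x, Core Rules
# style SecDefaultAction "phase:2,deny,log,status:403", and a directory the
# Apache user can write to for persistent collections (path is a placeholder).
SecDataDir /var/cache/modsecurity

# Phase 1: bind the IP collection to the client address so the counter is
# available to every later rule in this transaction.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# First request from this address in the current window: create the counter
# and give it a 24-hour lifetime. expirevar is only applied here, on creation,
# so the window is fixed from the first hit rather than sliding with each one.
# "pass" is required; without it the deny from SecDefaultAction applies to
# every new client's first request.
SecRule &IP:COUNT "@eq 0" \
    "phase:1,nolog,pass,setvar:ip.count=0,expirevar:ip.count=86400"

# Count every request from this address.
SecAction "phase:1,nolog,pass,setvar:ip.count=+1"

# Over the limit: refuse. 403 rather than 500, so monitoring does not read a
# deliberate refusal as an application failure, and a message so the audit
# log says why the client was denied.
SecRule IP:COUNT "@gt 2000" \
    "phase:1,log,deny,status:403,msg:'Daily request limit exceeded for client IP'"
```

Two things to check before switching this on. REMOTE_ADDR is the address of the TCP peer, so behind a reverse proxy or load balancer every request carries the proxy's address and a single counter covers all users; clients behind a shared NAT likewise share one counter and one limit. And because the counter lives in SecDataDir, it survives an Apache restart, so a blocked address stays blocked until its 86400-second expiry rather than being reset by a reload.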
