headers
phill | 1 Feb 2008 01:37
Picon

Re: Rate Limit POST events

Hi Russ,
 
The following 4 lines should meet your needs. You can tweak params to suit, it's also efficient.
 
 
SecAction setuid:%{REMOTE_ADDR},phase:1,nolog,pass
SecRule REQUEST_METHOD "^((?:post))$" "phase:1,auditlog,msg:'BLOCKED',chain,redirect:http://mydom.com/blockwarn.html"
SecAction "setvar:ip.getpost=+1,deprecatevar:ip.getpost=30/60,nolog,chain"
SecRule IP:GETPOST " <at> gt 30" "nolog"
 
# Note that POST service will restore to IP after var deprecated below 30. Params should allow 30 posts per 60 secs. Calculates deprecation per request, not just every 60 secs. You can also add a regex to look for URLs in specific ARGS (and score these seperately). I mention it because urls are the most common form of web spam.
 
Hope it helps.
 
Phill Gillespie
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 1 comment |
headers
Ryan Barnett | 1 Feb 2008 02:44

Re: Rate Limit POST events

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of phill <at> mediaaustralia.com.au
Sent: Thursday, January 31, 2008 7:37 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Rate Limit POST events

 

Hi Russ,

 

The following 4 lines should meet your needs. You can tweak params to suit, it's also efficient.

[Ryan Barnett] Did you test these rules?  If it appeared to you (from the client’s perspective) that they worked, I would guess that these weren’t the only ones used in your configuration and that you have a rule somewhere that is using initcol to create an IP based collection.   See my comments below. 

 

SecAction setuid:%{REMOTE_ADDR},phase:1,nolog,pass

[Ryan Barnett] This line will create a USER collection using the REMOTE_ADDR as the key.  Here is a snippet from the debug log when this happens –

 

Resolved macro %{REMOTE_ADDR} to "192.168.10.16"

Creating collection (name "default_USER", key "192.168.10.16").

Added collection "default_USER" to the list as "USER".

 

Notice the name of this collection is “default_USER”.  So, in order add/update/decrement variables in this collection, you would need to access the user collection.

SecRule REQUEST_METHOD "^((?:post))$" "phase:1,auditlog,msg:'BLOCKED',chain,redirect:http://mydom.com/blockwarn.html"
SecAction "setvar:ip.getpost=+1,deprecatevar:ip.getpost=30/60,nolog,chain"

[Ryan Barnett] The line above is attempting to set/increase a variable called “getpost” in the IP collection, however this collection is not the one that was created on line 1.  The debug log shows this –

 

Setting variable: ip.getpost=+1

Could not set variable "ip.getpost" as the collection does not exist.

Could not deprecate variable "ip.getpost" as the collection does not exist.

 

You would need to use something like this – SecAction “setvar:user.getpost=+1,deprecatevar:user.getpost=30/60,nolog,chain”
SecRule IP:GETPOST " <at> gt 30" "nolog"

 

# Note that POST service will restore to IP after var deprecated below 30. Params should allow 30 posts per 60 secs. Calculates deprecation per request, not just every 60 secs. You can also add a regex to look for URLs in specific ARGS (and score these seperately). I mention it because urls are the most common form of web spam.

 

Hope it helps.

 

Phill Gillespie

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 0 comments |
headers
Phill | 1 Feb 2008 04:01
Picon

Re: Rate Limit POST events

Hi Russ,
 
The following 4 lines should meet your needs. You can tweak params to suit, it's also efficient.
 
 
SecAction setuid:%{REMOTE_ADDR},phase:1,nolog,pass
SecRule REQUEST_METHOD "^((?:post))$" "phase:1,auditlog,msg:'BLOCKED',chain,redirect:http://mydom.com/blockwarn.html"
SecAction "setvar:ip.getpost=+1,deprecatevar:ip.getpost=30/60,nolog,chain"
SecRule IP:GETPOST " <at> gt 30" "nolog"
 
# Note that POST service will restore to IP after var deprecated below 30. Params should allow 30 posts per 60 secs. Calculates deprecation per request, not just every 60 secs. You can also add a regex to look for URLs in specific ARGS (and score these seperately). I mention it because urls are the most common form of web spam.
 
Hope it helps.
 
Phill Gillespie
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 2 comments |
headers
Oteng Michael Raesima | 2 Feb 2008 01:26
Picon

return IP address to client browser for rule match

Good day to you all

I am using ModSecurity v2.1.4. I am bew to ModSecurity and am experimenting. I would like to return client's IP address and a custom message to matches to certain rule ID's to their browser. Could anyone assist me as to how to do this given the directives in the core rule set and Apache.

Thank you

Oteng

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 1 comment |
headers
Ryan Barnett | 2 Feb 2008 20:24

Re: return IP address to client browser for rulematch

Is this for academic research purposes or do you have a specific issue you are trying to address?  The reason why I ask is that you can potentially provide a large amount of information to a client.  This could be both good and bad…  For non-malicious users, this information can be very help and it could speed along the trouble-shooting process.  For malicious users, however, this data could help them to try and evade detection.  

 

So, implement this with caution!

 

Check out pages 10-11 of this doc - http://www.modsecurity.org/documentation/ModSecurity2_Deployment.pdf  This will present the user with the mod_unique_id value of the current transaction.  They could then include this in their helpdesk email and it would allow the ModSecurity admin to pull up the correct transaction and inspect what happened.

 

So, let’s say that you have these lines set in your httpd.conf file so that you can execute SSI in the custom 403 forbidden doc -

 

ErrorDocument 403 /error/HTTP_FORBIDDEN.shtml

 

<Location "/error/">

Options +IncludesNoExec

</Location>

 

The contents of the HTTP_FORBIDDEN.shtml file is this –

 

<HTML>

<HEAD>

<TITLE>403 Forbidden</TITLE>

</HEAD>

<BODY>

<H1>Forbidden</H1>

You don't have permission to access the requested directory.

There is either no index document or the directory is read-protected.

<P>

The ModSecurity Transaction # is - <!--#echo var="UNIQUE_ID" -->

The ModSecurity Rule ID that matched is - <!--#echo var="REDIRECT_MOD_MSG" -->

<HR>

</BODY>

</HTML>

 

Now you would need to update the Core Rules to add the “setenv” action like this -

 

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \        "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'

Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2',setenv:mod_msg=950005"

 

Now, if someone triggers this rule, the 403 status will be triggered and it will use the ErrorDocument setting.  The client would receive a page similar to this –

 

Forbidden

You don't have permission to access the requested directory. There is either no index document or the directory is read-protected.

The ModSecurity Transaction # is - 0yd9yMCoD4QAAB7FAqoAAAAA

The ModSecurity Rule ID that matched is - 950005

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training

Web Application Security Consortium (WASC) Member

CIS Apache Benchmark Project Lead

SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Oteng Michael Raesima
Sent: Friday, February 01, 2008 7:26 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] return IP address to client browser for rulematch

 

Good day to you all

I am using ModSecurity v2.1.4. I am bew to ModSecurity and am experimenting. I would like to return client's IP address and a custom message to matches to certain rule ID's to their browser. Could anyone assist me as to how to do this given the directives in the core rule set and Apache.

Thank you

Oteng

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 0 comments |
headers
Rupendra Butola | 5 Feb 2008 12:16
Favicon

Chunked Transfer Problem

Hi All,

I receive following error in modsec_audit.log with error code 500. I am using mod security version 2.1.4 with apache version 2.2.4. Can someone help me to get through this error

--71780000-A--
[04/Feb/2008:05:38:45 +0000] iXSv58CoCnIAAAhgGI0AAAD1 192.168.10.170 57142 192.168.10.208 80
--71780000-B--
POST /dmsa/ExpControl HTTP/1.1
X-Forwarded-For: 192.168.100.60
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://dmstest.st46.asite.com/dmsa/ExpfControl
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: dmstest.st46.asite.com
Content-Length: 121
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: space_type_id=1; CDTL=cjadav|asi001; HTTP_MSB_INUSE_LANG=en; USER_PROFILE=en|US|00.00|GBP; HTTP_MSB_TLEGAID0=e3YxfUdIQVpwTWdrY2VNPQ%3D%3D; HTTP_MSB_MPID=e3YxfS9Ba05tcUl2eHhNbXBOTFJjQjg2a3h6cXhaai9ROVJPOGZHZmlHYnBvT2ZRY0E2L0ZtK1JlQT09; SMSESSION=JkvbkWLLFpIYEf6G9qxbjOpSiMTn568Ke7kJGofKbrdWIdXLNa45QMANTl7O7pWHDPNCoZnk04kHkTejAjyLOpJeTQzxzFc0s1Ydg0CvLTbLVo3RU737HNNycNjJPr0WYp+dzH+WdJUfgnB39K3kVT4YoyXqimcYIaXP0HzLaXO5EaSbNU8u6vSwrGKiVCye/ygaq0yu6YkGk0SqMpg/XsM+xgh4TOC7fUyAZ8n0Otgo/kKmRXQNfYLtXZboza/j/8oD/MC2ecoPG5G3N/aRJd+EVCaGQLpQKgDpH0oWz0X1eRzduBtG3Z/eKAvqqxEkmA++qgNGxWBtlHN+99K1gSemymvUhmHvw2MKqcW9dLQsgb0oQFBaKQJH9HcL7UofNJ519pHkaa7Sl5T1wmmOqskye9oOlu94/6Vwh7tN5JwMs8gWcJdXd52+kWAGzoLJ+wOxt+ArkV0yokqXzJTsYQgv46yChv76oMG5swne4zJzWsJMeuF/vuexxUTBcDTMufCaZHqbn2X3tWPbEV78BvaEtIucGBdByFFj+l/BYXHvO3h0nkXMUS0QQ1W8rTn0/Q4rsArX99XibW3CJelsbs8vQzNUjXQQW1ge20gPV9mVQHTH48DZzE0P+u+soOfG0tk5jDnezH5h3eKTvFXytAB0Wyv//QaWgBSJtJVyeKAm/Id9cv1rM8MOi3qvIZdRiDVL6Tk3SDCVg6JmsoynU8nCIX5mxQFGphX9D9LjIX180fhRmgZNVLUDj8zqa0kCcoQAOW2Ov/7Kgr9uueHeW9tetDdNA9DlWIU62fAJmm1Yc8tY4qAuyf/v1toTt4WySmBQbGM4ec5fQEi+wpSvTSGI3mN9xowpWc7UMgv62QCRE0cJJzVuFkteQpgkGWfgtxZwqQ1MaW458tmwdsr96pnDfTv9bW/uopSzHwmixaVPPz9YFSpPMvARZClpRM5zkhf+HCqXkYcuRA+ASGBJBmhBF0DkLhDbb9f0lZtkRMU=; URL_TYPE=https; ASessionID=cjadavasi0011202103497063anifaqa; UserSessionProfile.user_id=H4sIAAAAAAAAAMu5/+Gg4kfPVQBFrjrFCAAAAA==; UserSessionProfile.org_id=H4sIAAAAAAAAAJufWiSS4/JsPwAuEB/MCAAAAA==; UserSessionProfile.userTypeId=1; servername=dmstest; branding_id=50; project_id=3$$qlZHOg; ckProjViewerID=0; ckBimEnabled=0; space_type_id=5; ATRC=cjadav|asi001; UserBean.tpdUserId=cjadav; UserBean.tpdOrgId=asi001; UserBean.projectId=3$$qlZHOg; UserBean.tenderId=848; applicationId=TENDER; UserBean.folderIdn=1; folderPermissionId0=49714|1020; JSESSIONID=FAB5026947DD5A1DFF2F42A5A92774A7

--71780000-F--
HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=utf-8

--71780000-H--
Apache-Handler: jakarta-servlet
Stopwatch: 1202103522734055 2656386 (0 15625 -)
Producer: ModSecurity v2.1.4 (Apache 2.x)
Server: Apache/2.2.4 (Win32) mod_jk/1.2.25 mod_ssl/2.2.4 OpenSSL/0.9.8d

 

Best Regards,

Butola Rupendrasingh

Systems Operations

T              +91 (0) 79 26871002/26871003
E              rbutola <at> asite.com
M             +91 9898132193

W             http://www.asite.com 

Good Things Come With Time But Great Things Happens At Once.

 
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 1 comment |
headers
Ivan Ristic | 5 Feb 2008 13:41
Picon

Re: Chunked Transfer Problem

Do you have a reason to believe the 500 status is coming from
ModSecurity? Because there are no ModSecurity error (nor warning)
messages in the audit log entry you provided.

Are there any clues in the error log?

On Feb 5, 2008 11:16 AM, Rupendra Butola <rbutola <at> asite.com> wrote:
>
>
>
> Hi All,
>
> I receive following error in modsec_audit.log with error code 500. I am
> using mod security version 2.1.4 with apache version 2.2.4. Can someone help
> me to get through this error
>
> --71780000-A--
> [04/Feb/2008:05:38:45 +0000] iXSv58CoCnIAAAhgGI0AAAD1 192.168.10.170 57142
> 192.168.10.208 80
> --71780000-B--
> POST /dmsa/ExpControl HTTP/1.1
> X-Forwarded-For: 192.168.100.60
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Referer: https://dmstest.st46.asite.com/dmsa/ExpfControl
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
> 1.0.3705)
> Host: dmstest.st46.asite.com
> Content-Length: 121
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: space_type_id=1; CDTL=cjadav|asi001; HTTP_MSB_INUSE_LANG=en;
> USER_PROFILE=en|US|00.00|GBP;
> HTTP_MSB_TLEGAID0=e3YxfUdIQVpwTWdrY2VNPQ%3D%3D;
> HTTP_MSB_MPID=e3YxfS9Ba05tcUl2eHhNbXBOTFJjQjg2a3h6cXhaai9ROVJPOGZHZmlHYnBvT2ZRY0E2L0ZtK1JlQT09;
> SMSESSION=JkvbkWLLFpIYEf6G9qxbjOpSiMTn568Ke7kJGofKbrdWIdXLNa45QMANTl7O7pWHDPNCoZnk04kHkTejAjyLOpJeTQzxzFc0s1Ydg0CvLTbLVo3RU737HNNycNjJPr0WYp+dzH+WdJUfgnB39K3kVT4YoyXqimcYIaXP0HzLaXO5EaSbNU8u6vSwrGKiVCye/ygaq0yu6YkGk0SqMpg/XsM+xgh4TOC7fUyAZ8n0Otgo/kKmRXQNfYLtXZboza/j/8oD/MC2ecoPG5G3N/aRJd+EVCaGQLpQKgDpH0oWz0X1eRzduBtG3Z/eKAvqqxEkmA++qgNGxWBtlHN+99K1gSemymvUhmHvw2MKqcW9dLQsgb0oQFBaKQJH9HcL7UofNJ519pHkaa7Sl5T1wmmOqskye9oOlu94/6Vwh7tN5JwMs8gWcJdXd52+kWAGzoLJ+wOxt+ArkV0yokqXzJTsYQgv46yChv76oMG5swne4zJzWsJMeuF/vuexxUTBcDTMufCaZHqbn2X3tWPbEV78BvaEtIucGBdByFFj+l/BYXHvO3h0nkXMUS0QQ1W8rTn0/Q4rsArX99XibW3CJelsbs8vQzNUjXQQW1ge20gPV9mVQHTH48DZzE0P+u+soOfG0tk5jDnezH5h3eKTvFXytAB0Wyv//QaWgBSJtJVyeKAm/Id9cv1rM8MOi3qvIZdRiDVL6Tk3SDCVg6JmsoynU8nCIX5mxQFGphX9D9LjIX180fhRmgZNVLUDj8zqa0kCcoQAOW2Ov/7Kgr9uueHe
 W9tetDdNA9DlWIU62fAJmm1Yc8tY4qAuyf/v1toTt4WySmBQbGM4ec5fQEi+wpSvTSGI3mN9xowpWc7UMgv62QCRE0cJJzVuFkteQpgkGWfgtxZwqQ1MaW458tmwdsr96pnDfTv9bW/uopSzHwmixaVPPz9YFSpPMvARZClpRM5zkhf+HCqXkYcuRA+ASG
 BJBmhBF0DkLhDbb9f0lZtkRMU=;
> URL_TYPE=https; ASessionID=cjadavasi0011202103497063anifaqa;
> UserSessionProfile.user_id=H4sIAAAAAAAAAMu5/+Gg4kfPVQBFrjrFCAAAAA==;
> UserSessionProfile.org_id=H4sIAAAAAAAAAJufWiSS4/JsPwAuEB/MCAAAAA==;
> UserSessionProfile.userTypeId=1; servername=dmstest; branding_id=50;
> project_id=3$$qlZHOg; ckProjViewerID=0; ckBimEnabled=0; space_type_id=5;
> ATRC=cjadav|asi001; UserBean.tpdUserId=cjadav; UserBean.tpdOrgId=asi001;
> UserBean.projectId=3$$qlZHOg; UserBean.tenderId=848; applicationId=TENDER;
> UserBean.folderIdn=1; folderPermissionId0=49714|1020;
> JSESSIONID=FAB5026947DD5A1DFF2F42A5A92774A7
>
> --71780000-F--
> HTTP/1.1 500 Internal Server Error
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html;charset=utf-8
>
> --71780000-H--
> Apache-Handler: jakarta-servlet
> Stopwatch: 1202103522734055 2656386 (0 15625 -)
> Producer: ModSecurity v2.1.4 (Apache 2.x)
> Server: Apache/2.2.4 (Win32) mod_jk/1.2.25 mod_ssl/2.2.4 OpenSSL/0.9.8d
>
>
>
> Best Regards,
>
> Butola Rupendrasingh
>
> Systems Operations
>
> T              +91 (0) 79 26871002/26871003
> E              rbutola <at> asite.com
> M             +91 9898132193
>
> W             http://www.asite.com
>
> Good Things Come With Time But Great Things Happens At Once.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
>

--

-- 
Ivan Ristic

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Permalink | Reply | 0 comments |
headers
Christian Bockermann | 5 Feb 2008 16:52

Passively "Auditing" Web-Applications

Hi all,

a little time ago, I announced my Java based web-audit library (http://www.jwall.org/web/audit/ 
), useful for parsing ModSecurity audit-log data. Since for auditing  
an application you might want to record the whole HTTP traffic on a  
separate machine in order not to cause too much I/O work on your web- 
server. Therefore I started developing a small HTTP-oriented monitor,  
which basically wraps a Java HTTP-parser around a tcp-stream based  
packet-sniffer (tcpick).

The resulting monitor is called "WebTap" and a first release can be  
found at http://www.jwall.org/web/tap/

Currently, this works on Unix/Linux only, as the tcpick-sniffer is  
only available on Unix systems (that is, the monitoring system needs  
to be a Unix-system). This restriction might drop in the future...

The audit-log data, recorded by the WebTap monitor can be read with  
the AuditViewer or be sent to the ModSecurity console using either the  
Java-based console-sender that is provided with the web-audit library  
or the mlogc tool contained within the ModSecurity distribution.

Perhaps anyone is interested in trying out WebTap for monitoring his  
application. I'd especially be interested in some heavy-loaded  
environments ;-)  Feature-requests/bug-reports or any other feedback  
is of course welcome.

As for the "Auditing" within the subject, I am currently working on a  
profiling-application that tries to extract rulesets for a specific  
application based on the recorded audit-data. However, the profiling  
has not yet reached an acceptable state, so that'll take some more  
time to be released.

Regards,
   Chris

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Permalink | Reply | 0 comments |
headers
Ryan Barnett | 5 Feb 2008 16:57

Re: Project: Analyzing/Handling Audit-Log Data

Hey Chris,
I will second Brian's sentiments - nice work!  I am going to play around
with this utility a bit more to see if I find any other areas for
improvement.

One suggestion I do have after testing out the obfuscation feature.  It
looks as though it is changing the source IP address to A.B.C.D and the
destination address to E.F.G.H and it will change all Hostname data to
"www.example.com".  One other place where you will want to look at is
response headers such as Location and also domain paths in Set-Cookies.

Example -

HTTP/1.1 302 Redirect
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Location: http://www.foo.com/login/login.php
Content-Type: text/html; charset=UTF-8
Set-Cookie: lpUASrackuid=USf6f2itq1klrlfr9tm0ea5shoa6; expires=Sat,
07-Jun-2008 17:07:49 GMT; path=/; domain=http://www.foo.com
Content-Length: 22477
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Brian
Rectanus
> Sent: Monday, January 28, 2008 12:23 PM
> To: Christian Bockermann
> Cc: Mod Security
> Subject: Re: [mod-security-users] Project: Analyzing/Handling
Audit-Log
> Data
> 
> Hi Christian.
> 
> I was looking at your AuditViewer.  I like the obfuscator and the
> re-injector.
> 
> I had a suggestion, though...
> 
> It does not handle newer audit log parts.  For 2.5.x there is a part
'K'
> which contains a list of rules that matched.  I suggest you handle
> unknown parts that are in the correct format and just ignore them, or
> perhaps display them in-the-raw so that the utility does not break on
> newer versions of ModSecurity.
> 
> Additionally, a nice feature would be to split the view pane into tabs
> for request (with option to show the parsed/decoded version of the
query
> string and application/x-www-form-urlencoded or multipart/form-data),
> the response, and the modsec data (part H).
> 
> Thanks for the utility, Christian!
> -B
> 
> Christian Bockermann wrote:
> > Hi list!
> >
> > A few months ago I started working on a Java based framework for
> > handling ModSecurity audit-logs. By now this has become a small
> > library for parsing serial logs of ModSecurity 1.x and 2.x as well
as
> > concurrent audit-log data. Using the library allows for an easy
> > implementation of related tools as a Java-based collector for
sending
> > logs to the remote console.
> >
> > The library is available via  http://www.jwall.org/web/audit/
> > It currently features:
> >
> >    * Reading/Writing audit-log data in serial and concurrent
log-format
> >    * Java-base collector for sending events to the console
> >    * A small AuditServer for notifying remote clients of new events
> > (SSL-based, see the AuditViewer below for details).
> >    * A Java-API for easy integration into you own applications
> >
> > On top of the library I built a small application called AuditViewer
> > for handling local audit-log file which provides some features for
> > debugging rulesets or creating obfuscated events that can be sent to
> > the list without revealing sensitive information.
> >
> > AuditViewer features:
> >
> >    * Re-inject audit-events to a specific server (for simply
debugging
> > ModSecurity rulesets)
> >    * Manipulation of events before re-injection
> >    * Obfuscating audit-events to files or the clipboard
> >    * "Remote-listening" for events via an SSL channel
> >
> > Future features:
> > The "remote-viewer" part is very well tested, though already usable.
> > Its intended use is ruleset testing/debugging as it allows for a
> > "remote-tail" on an audit-log file while re-injecting audit-events,
> > which make debugging/testing of rulesets even more convenient. A
small
> > sketch on how such debugging might work out can be found on
> http://www.jwall.org/debugging_rulesets.jsp
> >
> > Perhaps the AuditViewer or the library is useful for anyone on the
> > list. If so, I'd appreciate any comments/feature-suggestions/bug-
> > reports.
> >
> > Regards,
> >      Chris
> >
> >
------------------------------------------------------------------------
> -
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users <at> lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 
> 
> --
> Brian Rectanus
> Breach Security
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Permalink | Reply | 0 comments |
headers
Corey Bobb | 5 Feb 2008 21:59
Picon

SecRule 950107

Greetings,

 

I recently began running into these error messages in my apache logs, and have tracked the blocking of the traffic to this rule-set.  This has not been happening until recently and it appears that clearing cookies resolves the problem. 

 

My question is if it is in fact a cookie that is causing the problem, how do I narrow down what Cookie it is?

 

I am trying to get to the root cause instead of just disabling Rule Sets, but I am not sure how this one is working or what cookies could be causing the problem.  I have looked on the web but have not found much information other then shutting the rule off.

 

 

[Tue Feb 05 09:48:49 2008] [error] [client 65.206.42.2] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_HEADERS:Cookie. [id "950107"] [

 

 

# Check decodings

#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer " <at> validateUrlEncoding" \

#       "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"

#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

 

 

 

Corey M. Bobb

Data Center Manager

Cygnus eTransactions Group Inc.

300 Colonial Center Parkway

Suite 150

Lake Mary, FL  32746

Phone: 321.445.2150

www.cygnus.com

 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Permalink | Reply | 5 comments |

Gmane