Albert E. Whale | 1 Jan 16:01

Permitting access nolog for Yahoo! MyBlog API

I recently started to see the following connection attempt for rule 990011:

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
        "chain,phase:2,t:none,t:lowercase,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"

I want to modify this rule to not log for:

User-Agent: Yahoo! MyBlogLog API Client (curl) 5.2.5

Is this the correct syntax for the customized rule:

SecRule REQUEST_HEADERS:User-Agent '/Yahoo$/'
"phase:1,t:none,nolog,pass,ctl:ruleRemoveById=990011"

Is there a guide to assist in creating these rules?

Thank you.

-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email,
Internet and Security Consultants
(Continue reading)
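The two patterns from the post checked against the quoted User-Agent, as an added example that is not part of the original message or of the CRS. It is Python that models only the regex step of each rule (the t:lowercase transformation of 990011, and the bare-pattern operator of the proposed exclusion); the corrected SecRule in the comment is my suggestion, not a rule from the thread.

```python
import re

# Constructed sample: the User-Agent quoted in the post.
YAHOO_UA = "Yahoo! MyBlogLog API Client (curl) 5.2.5"

# Operator pattern of CRS rule 990011 as quoted in the post, with the
# line-wrapped alternatives ("indy librar", "download demon", "big brother")
# rejoined.  The rule applies t:lowercase before matching, so the haystack
# is lowercased here too; the pattern itself is left exactly as quoted.
RULE_990011_RX = re.compile(
    r"(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b"
    r"|mozilla\/2\.0 \(compatible; newt activex; win32\)"
    r"|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)"
    r"|big brother|autohttp|netants|eCatch|curl)"
)


def rule_990011_matches(user_agent: str) -> bool:
    """True when the operator of rule 990011 would match this User-Agent."""
    return RULE_990011_RX.search(user_agent.lower()) is not None


# The exclusion pattern exactly as proposed in the post: '/Yahoo$/'.
# A bare operator argument is @rx, and the slashes are NOT stripped (they
# only mean "regex" in a variable selector such as REQUEST_COOKIES_NAMES:'/x/').
# So the regex is literally "/Yahoo$/": a "/" followed by "Yahoo" at the end
# of the value, then another "/" after the end, which no string satisfies.
# Even a plain "Yahoo$" would fail, because the value ends in "5.2.5".
# t:none means no lowercasing is applied before the match.
PROPOSED_RX = re.compile(r"/Yahoo$/")


def proposed_exclusion_matches(user_agent: str) -> bool:
    return PROPOSED_RX.search(user_agent) is not None


# Assumed replacement (my suggestion, not from the thread): anchor at the
# start of the header and match the product name.  The rule would read:
#   SecRule REQUEST_HEADERS:User-Agent "^Yahoo! MyBlogLog API Client" \
#       "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=990011"
SUGGESTED_RX = re.compile(r"^Yahoo! MyBlogLog API Client")


def suggested_exclusion_matches(user_agent: str) -> bool:
    return SUGGESTED_RX.search(user_agent) is not None


def rule_990011_fires(user_agent: str) -> bool:
    """Net effect with the suggested phase:1 exclusion in place: phase 1 runs
    before phase 2, so ctl:ruleRemoveById=990011 removes the rule for this
    transaction before it is ever evaluated."""
    if suggested_exclusion_matches(user_agent):
        return False
    return rule_990011_matches(user_agent)


if __name__ == "__main__":
    for ua in (YAHOO_UA, "curl/7.19.0",
               "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0", "eCatch 3.0"):
        print(f"{ua!r}: 990011={rule_990011_matches(ua)} "
              f"proposed={proposed_exclusion_matches(ua)} "
              f"suggested={suggested_exclusion_matches(ua)} "
              f"fires={rule_990011_fires(ua)}")
```

Running it shows three things. Rule 990011 catches this client only through the `curl` alternative; the proposed exclusion never matches at all, for the reasons in the comment; and the quoted pattern's `eCatch` alternative can never match once t:lowercase has run. Keep the obvious caveat in mind: User-Agent is chosen by the client, so removing 990011 on a User-Agent match is a whitelist that any bot can claim simply by sending that string. It is acceptable for a logging-only rule like this one, but not as a basis for skipping blocking rules.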

Ali Hamad | 4 Jan 10:12

Multipart parsing error

Hi :

I found the tmp directory full of files like :

/tmp/20090103-042141-SV69pUt@DhMAADt2alEAAAHC-file-P9b14z

after looking to audit_log , I found the following :

--36af743d-A--
[03/Jan/2009:04:21:47 +0300] SV69pUt@DhMAADt2alEAAAHC 212.107.116.246 29188 75.126.3.244 80
--36af743d-B--
POST /vb/upld.php HTTP/1.1
Accept: */*
Referer: http://www.DOMAIN/vb/upld.php
Accept-Language: ar-sa
Content-Type: multipart/form-data; boundary=---------------------------7d98c241a50550
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; FDM)
Host: www.DOMAIN
Content-Length: 86518
Cache-Control: no-cache
Cookie: _ratteb=1; _rattteb=1230945489359; lastscrollerpos=-6774px; vbulletin_collapse=forumstats; guest=1223629410%7Cg%7Cvista; IDstack=%2C6058%2C%2C7985%2C; bblastvisit=1230860160; bblastactivity=0; bbsessionhash=25a35361476e60b7d3a39a9c22ee4b52; bbuserid=6058; bbpassword=ad1f5b118dd20268741818e9cca2341a;
(Continue reading)

Brian Rectanus | 5 Jan 19:00

Re: Multipart parsing error

Ali Hamad wrote:
> Hi :
> 
> I found the tmp directory full of files like :
> 
> /tmp/20090103-042141-SV69pUt@DhMAADt2alEAAAHC-file-P9b14z

Looks like the request was a file upload and this was a temp file for
the uploaded file (or possibly just a temp file because the content length
was above whatever your SecRequestBodyInMemoryLimit is set to).  Perhaps
/tmp filled up and caused an error writing there?

There is a bug for what this may be here:

https://www.modsecurity.org/tracker/browse/MODSEC-1

If you can confirm that it was some sort of I/O error that caused the
lack of cleanup, that would be great (perhaps attach an audit/error log
entry to the ticket if it is relevant).

thanks,
-B

> 
> after looking to audit_log , I found the following :
> 
> --36af743d-A--
> [03/Jan/2009:04:21:47 +0300] SV69pUt@DhMAADt2alEAAAHC 212.107.116.246 29188 75.126.3.244 80
> --36af743d-B--
(Continue reading)

Brian Rectanus | 5 Jan 19:11

Re: Hooking order

Marc Stern wrote:
> Hello,
> 
> I have a question about hooking order, leading to interaction with some
> modules.
> If I look to the code, and compare the hooking orders with some other
> common modules, I see the following:
> 
> 1. ap_hook_fixups
> - mod_env & mod_setenvif are loaded as APR_HOOK_MIDDLE
> - MS is loaded as APR_HOOK_REALLY_FIRST
> Does this mean that environment variables we set up with SetEnv/SetEnvIf
> are only available in phase 2?
> Shouldn't MS be called after environment modifications, to allow rules
> depending on environment variables set with SetEnv/SetEnvIf ?
> Could it present a risk to use SetEnv/SetEnvIf with input not yet
> processed by MS ?

The fixup phase is used to collect the request body, so it was done
ASAP.  I agree, though, that it may make more sense to do it MIDDLE or
even REALLY_LAST instead (ie right before the content handler).

> 
> 2. ap_hook_fixups
> - mod_rewrite is loaded as APR_HOOK_REALLY_FIRST, like MS
> During phase 1, the order of processing is not specified.
> Which module will be called first ? The last one in the conf file, right ?
> Shouldn't we add mod_rewrite in the known modules list, before or after MS ?
> Same question as above: should MS be called before or after mod_rewrite
> ? Functionality vs. security ?
(Continue reading)

Albert E. Whale | 6 Jan 00:14

Odd behaviour - First time is good, but not the second

Ok, I am attempting to secure an application called movable type (some
blogging software that is written in PHP).

To improve security, and permit the application to complete its
processing, I have added the following three statements to
modsecurity_crs_61_customrules.conf

# Guestbook authenticated login.
SecRule &REQUEST_COOKIES_NAMES:'/commenter_name$/' "@ge 1" "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
# Moveable Type authenticated login.
SecRule &REQUEST_COOKIES_NAMES:'/mt_user$/' "@ge 1" "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
SecRule &REQUEST_COOKIES_NAMES:'/mt_commenter$/' "@ge 1" "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"

These three cookies are set when the user authenticates for the first
time, and then begins to use the application.

After completing the first cycle, the author cannot complete the entry
the second time. (or the third or more ....), I encounter the following:

[05/Jan/2009:17:48:20 --0500]
[Givemebackmycredit.com/sid#8840970][rid#89663a8][/cgi-bin/mt/mt.cgi][1]
Access denied with code 400 (phase 2). Pattern match "(http:\/.*?){4}"
at ARGS:text. [file
"/etc/httpd/conf/modsecurity/modsecurity_crs_42_comment_spam.conf"]
[line "29"] [id "950020"] [msg "Comment Spam"] [severity "ERROR"]

None of these are appearing in the ModSecurity Console, so I cannot
(Continue reading)

Re: Odd behaviour - First time is good, but not the second

Hi Albert!

Am 06.01.2009 um 00:14 schrieb Albert E. Whale:
> # Guestbook authenticated login.
> SecRule &REQUEST_COOKIES_NAMES:'/commenter_name$/' "@ge 1"
> "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
> # Moveable Type authenticated login.
> SecRule &REQUEST_COOKIES_NAMES:'/mt_user$/' "@ge 1"
> "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
> SecRule &REQUEST_COOKIES_NAMES:'/mt_commenter$/' "@ge 1"
> "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
>

Do you really only want the auditEngine to be turned off? That only
affects logging. If you want to switch off the rule processing for
authenticated users, you might want to change this to

	ctl:ruleEngine=Off

Otherwise the rules get processed and will kick off authorized users
as well.

> These three cookies are set when the user authenticates for the first
> time, and then begins to use the application.
>
> After completing the first cycle, the author cannot complete the entry
> the second time. (or the third or more ....), I encounter the  
> following:
>
> [05/Jan/2009:17:48:20 --0500]
(Continue reading)

MPaule Torre | 6 Jan 12:35

how to avoid warning on request method & request header

Dear all

I use modsecurity and have some problems with configuration file. I do not
know how to avoid those messages in rules .

Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
Message: Warning. Match of "rx ^apache.*perl" against
"REQUEST_HEADERS:User-Agent" required.

modsecurity_crs_35_bad_robots.conf
-------------------------------------
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

ModSecurity v2.1.3 (Apache 2.x)
Apache/2.2.6 (Fedora)

More thanks for your help

mpaule
----------------------------------------------------------------------------
--------------------
MPaule TORRE

    Observatoire Océanologique
    Base de Données LEFE-CYBER
    Quai de la Darse, BP 8
    06238 VILLEFRANCHE s/Mer
(Continue reading)

Albert E. Whale | 6 Jan 15:15

Re: Odd behaviour - First time is good, but not the second

Chris, Many thanks for your response, as it gives me important food for
thought.

Christian Bockermann wrote:

> Hi Albert!
>
> Am 06.01.2009 um 00:14 schrieb Albert E. Whale:
>   
>> # Guestbook authenticated login.
>> SecRule &REQUEST_COOKIES_NAMES:'/commenter_name$/' "@ge 1"
>> "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
>> # Moveable Type authenticated login.
>> SecRule &REQUEST_COOKIES_NAMES:'/mt_user$/' "@ge 1"
>> "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
>> SecRule &REQUEST_COOKIES_NAMES:'/mt_commenter$/' "@ge 1"
>> "phase:1,t:none,nolog,pass,ctl:auditEngine=Off"
>>
>>     
>
> Do you really only want the auditEngine to be turned off? This is only
> really to logging. If you want to switch off the rule processing for
> authenticated users, you might want to change this to
>
> 	ctl:ruleEngine=Off
>
> Otherwise the rules get processed and will kick off authorized users
> as well.
>   
Thank you, this is more to what I need.  If the user is authenticated, I
(Continue reading)

Re: Odd behaviour - First time is good, but not the second

Hi Albert!

(I did Cc the list, may be interesting for others as well).

Am 06.01.2009 um 15:58 schrieb Albert E. Whale:

> Christian - quick question.

Long answer :-)

>> Using your rule in that way, everybody can switch off rule-processing
>> by simply adding a cookie to his request with name that matches one  
>> of
>> your rules.
> Is this to mean that I should employ this rule, instead?
>
> # Guestbook authenticated login.
> SecRule &REQUEST_COOKIES_NAMES:'/commenter_name$/' "@ge 1"
> "phase:3,t:none,nolog,pass,ctl:ruleEngine=Off"
>
> And work with phase:3 instead of phase:1??

No. :-)

Just using phase:3 is not enough as you need to use the Cookie sent in the
SERVER RESPONSE. Unfortunately ModSecurity does not have a directive for
RESPONSE_COOKIE_NAMES.

You can use the line above in phase:1, but you need to make sure that  
(Continue reading)
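Christian's bypass made concrete, as an added example that is not from the thread. It is Python that models how a rule of the form `SecRule &REQUEST_COOKIES_NAMES:'/mt_user$/' "@ge 1" "...ctl:ruleEngine=Off"` is evaluated: the selector picks every cookie whose name matches the regex (an unanchored search) and the leading `&` turns that selection into a count. The cookie headers are constructed, and the evaluation logic is my reading of the ModSecurity 2 reference, not its code.

```python
import re

# Name regexes from the three rules posted earlier in the thread.
COOKIE_NAME_SELECTORS = (r"commenter_name$", r"mt_user$", r"mt_commenter$")


def cookie_names(cookie_header: str) -> list:
    """Split a Cookie request header into its cookie names, in order.
    Values are ignored on purpose: that is exactly what the rule does."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0].strip())
    return names


def count_selected(cookie_header: str, name_regex: str) -> int:
    """Value of &REQUEST_COOKIES_NAMES:'/name_regex/' for this header."""
    rx = re.compile(name_regex)
    return sum(1 for name in cookie_names(cookie_header) if rx.search(name))


def rule_engine_switched_off(cookie_header: str) -> bool:
    """True when any of the three posted rules (with ctl:ruleEngine=Off)
    would fire in phase 1 for a request carrying this Cookie header."""
    return any(count_selected(cookie_header, rx) >= 1
               for rx in COOKIE_NAME_SELECTORS)


# Constructed requests (assumed cookie values, not captured traffic):
#   LEGIT   - what a logged-in Movable Type author might send;
#   FORGED  - sent by a client that has never logged in;
#   SUFFIX  - a made-up name that merely ends in "mt_user", which the
#             unanchored selector regex also accepts;
#   NO_AUTH - an anonymous visitor.
LEGIT = "mt_user=abcdef0123456789; mt_commenter=0123456789abcdef"
FORGED = "mt_user=anything"
SUFFIX = "attacker_picks_this_name_ending_in_mt_user=1"
NO_AUTH = "sessionid=xyz; bblastvisit=1230860160"

if __name__ == "__main__":
    for label, hdr in (("legit", LEGIT), ("forged", FORGED),
                       ("suffix", SUFFIX), ("no_auth", NO_AUTH)):
        print(f"{label:8s} ruleEngine=Off: {rule_engine_switched_off(hdr)}")
```

The real and the forged session are indistinguishable to the rule, because the count only sees cookie names present in the request; the `$`-only regex additionally accepts any name that happens to end in `mt_user`, so an attacker does not even need the exact name. Nothing available in phase 1 can authenticate the cookie: that needs server-side state ModSecurity does not have, or, as Christian says, a check tied to the cookie the server itself set. The narrower fix that appears later in this thread, removing only the offending rule for the affected path with SecRuleRemoveById inside a LocationMatch, limits the damage to one rule and one URL instead of switching the whole engine off for anyone who sends a cookie name.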

Ryan Barnett | 6 Jan 18:29

Re: Odd behaviour - First time is good, but not the second

-----Original Message-----
From: Albert E. Whale [mailto:aewhale@ABS-CompTech.com]
Sent: Monday, January 05, 2009 6:15 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] Odd behaviour - First time is good, but not the second

Ok, I am attempting to secure an application called movable type (some
blogging software that is written in PHP).

--CUT--

After completing the first cycle, the author cannot complete the entry
the second time. (or the third or more ....), I encounter the following:

[05/Jan/2009:17:48:20 --0500]
[Givemebackmycredit.com/sid#8840970][rid#89663a8][/cgi-bin/mt/mt.cgi][1]
Access denied with code 400 (phase 2). Pattern match "(http:\/.*?){4}"
at ARGS:text. [file
"/etc/httpd/conf/modsecurity/modsecurity_crs_42_comment_spam.conf"]
[line "29"] [id "950020"] [msg "Comment Spam"] [severity "ERROR"]

--CUT--

As a temporary solution, I have added:

<LocationMatch "^/cgi-bin/mt/mt.cgi">
     SecRuleRemoveByID 950020
</LocationMatch>

[Ryan Barnett] The error you are encountering with Movable Types is that CRS Rule ID # 950020 is generically
(Continue reading)
