Brian Rectanus | 1 Jun 04:38 2010

Re: End of file found

Resending due to a typo in the address...

--
Brian Rectanus
Breach Security

-----Original Message-----
From: Brian Rectanus [brian.rectanus <at> breach.com]
Received: 5/31/10 7:35 PM
To: mod-security-users <at> lists.sourceforge.net; werner <at> aloah-from-hell.de
Subject: RE: [mod-security-users] End of file found

It is an Apache error/warning that is being reported by ModSecurity. It means that the client hung up before the request was complete. Most of the time it is the client hitting the stop button in the browser, but it can also be caused by double-clicking a form submit button.

Nothing to really worry about, just ModSecurity being too verbose. There is an existing enhancement request to allow toggling this off.

-B


--
Brian Rectanus
Breach Security

-----Original Message-----
From: Werner [werner <at> aloah-from-hell.de]
Received: 5/31/10 3:30 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] End of file found

Hi ModSec Community,

we are seeing the following messages in the log file:

[Mon May 31 11:57:27 2010] [error] [client aaa.bbb.ccc.ddd] ModSecurity: Error reading request body: End of file found [hostname "my.host.name"] [uri "/somepath/index.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBa"]

What does "End of file found" exactly mean in the ModSecurity context?

Thanks,
Werner




------------------------------------------------------------------------------

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
------------------------------------------------------------------------------

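
Brian's explanation above is that the message is the client closing the connection before the request body arrived. Whether that is harmless depends on how often one client does it, so here is an added example (not code from the thread or from ModSecurity) that tallies these messages per client and URI from an Apache 2.0/2.2 error log and lists clients that cross a threshold. The log lines are constructed to follow the layout of the line Werner posted; the addresses, hostname and unique ids are invented.

```python
"""Tally 'Error reading request body: End of file found' messages from an
Apache 2.0/2.2 error log by client and URI, so one client aborting request
bodies over and over stands out from ordinary stop-button noise.

Added example, not from the thread or from ModSecurity. SAMPLE_ERROR_LOG is
constructed to follow the layout of the line quoted in the thread; the
addresses, hostname and unique ids are invented.
"""
import re
import sys
from collections import Counter

# [timestamp] [error] [client ip] ModSecurity: <message> [key "value"]...
ERROR_LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<msg>.*?)(?= \[\w+ "|$)'
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
EOF_MSG = 'Error reading request body: End of file found'


def parse_modsec_errors(text):
    """Yield a dict per error-log line that carries a ModSecurity message;
    the bracketed fields (hostname, uri, unique_id, file, id, ...) become keys."""
    for line in text.splitlines():
        m = ERROR_LINE_RE.match(line)
        if not m:
            continue
        rec = {'ts': m.group('ts'), 'client': m.group('client'), 'msg': m.group('msg')}
        rec.update(FIELD_RE.findall(line[m.end():]))
        yield rec


def abort_tally(text):
    """Counter of (client, uri) -> number of EOF aborts."""
    tally = Counter()
    for rec in parse_modsec_errors(text):
        if rec['msg'] == EOF_MSG:
            tally[(rec['client'], rec.get('uri'))] += 1
    return tally


def noisy_clients(text, threshold):
    """Clients with at least `threshold` EOF aborts in this log slice, sorted."""
    per_client = Counter()
    for (client, _uri), n in abort_tally(text).items():
        per_client[client] += n
    return sorted(c for c, n in per_client.items() if n >= threshold)


# Constructed sample: one benign abort, one client aborting the same upload
# four times in a row, a non-ModSecurity line and an unrelated rule hit.
SAMPLE_ERROR_LOG = '''\
[Mon May 31 11:57:27 2010] [error] [client 192.0.2.10] ModSecurity: Error reading request body: End of file found [hostname "www.example.com"] [uri "/somepath/index.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBa"]
[Mon May 31 11:58:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Mon May 31 11:58:40 2010] [error] [client 198.51.100.7] ModSecurity: Error reading request body: End of file found [hostname "www.example.com"] [uri "/upload.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBb"]
[Mon May 31 11:58:41 2010] [error] [client 198.51.100.7] ModSecurity: Error reading request body: End of file found [hostname "www.example.com"] [uri "/upload.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBc"]
[Mon May 31 11:58:42 2010] [error] [client 198.51.100.7] ModSecurity: Error reading request body: End of file found [hostname "www.example.com"] [uri "/upload.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBd"]
[Mon May 31 11:58:43 2010] [error] [client 198.51.100.7] ModSecurity: Error reading request body: End of file found [hostname "www.example.com"] [uri "/upload.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBe"]
[Mon May 31 11:59:05 2010] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\b(?:union\\b.{1,100}?\\bselect)" at ARGS:id. [file "/etc/apache2/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "959007"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "TAOH-8CoACUAAHR0KbBBBBBf"]
'''


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ERROR_LOG
    for (client, uri), n in abort_tally(text).most_common():
        print(f'{n:4d}  {client:<16} {uri}')
    print('clients at/over 3 aborts:', noisy_clients(text, 3))


if __name__ == '__main__':
    main(sys.argv)
```

Run it against a real error_log path as the first argument; the threshold is a starting point, not a rule, since a busy upload form will produce more stop-button aborts than a static site.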
不告诉你 | 2 Jun 08:51 2010

rules-updater.pl

Hello everyone on modsecurity-users!

I want to use rules-updater.pl, but I do not understand the output of

./rules-updater.pl -h

Could anyone give me some examples of real use, or some documentation for rules-updater.pl?

Thank you all.
--
pp.park


Gaurav Kumar | 2 Jun 11:58 2010

How to list loaded rules?

As per the subject, is there a way (either programmatically or manually) to list the rules which have been loaded by ModSecurity? I understand that first the “10” rules are loaded, then the “15” and finally the “20”; however, it will really help in debugging if there is a way to list these in the order the ModSecurity engine is parsing them.

Thanks in advance,

Gaurav Kumar

Ryan Barnett | 2 Jun 13:09 2010

Re: How to list loaded rules?

The best way to do it today is to send a non-malicious request to the website and then grep the debug log as it will list each rule run.


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett <at> Breach.com
www.Breach.com

From: Gaurav Kumar
To: mod-security-users <at> lists.sourceforge.net
Sent: Wed Jun 02 05:58:20 2010
Subject: [mod-security-users] How to list loaded rules?

As per the subject, is there a way (either programmatically or manually) to list the rules which have been loaded by ModSecurity? I understand that first the “10” rules are loaded, then the “15” and finally the “20”; however, it will really help in debugging if there is a way to list these in the order the ModSecurity engine is parsing them.

Thanks in advance,

Gaurav Kumar

Ryan Barnett | 2 Jun 13:39 2010

Re: rules-updater.pl

We will be releasing the CRS rules repo with CRS v2.0.7 (later this week). We will provide an example conf file that points to the repo.


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett <at> Breach.com
www.Breach.com

From: 不告诉你
To: Mod Security
Sent: Wed Jun 02 02:51:40 2010
Subject: [mod-security-users] rules-updater.pl
Hello everyone on modsecurity-users!

I want to use rules-updater.pl, but I do not understand the output of

./rules-updater.pl -h

Could anyone give me some examples of real use, or some documentation for rules-updater.pl?

Thank you all.
--
pp.park


Mark Lavi | 2 Jun 19:05 2010

Re: How to list loaded rules?

Here's an additional method to see what mod-security rules are loaded in Apache:

1) Enable mod_info
2) Browse to http://your-server/server-info?mod_security2.c

Cheers,

--Mark
Mark Lavi, Web/Surf Team <at> Silicon Graphics Int'l.
[ mailto:mlavi <at> sgi.com || phone:+1-510-933-5234 ]



-----Original Message-----
From: Ryan Barnett [mailto:Ryan.Barnett <at> breach.com]
Sent: Wed 6/2/2010 4:09 AM
To: gk <at> pivotalsecurity.com; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] How to list loaded rules?

The best way to do it today is to send a non-malicious request to the website and then grep the debug log as it will list each rule run.


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett <at> Breach.com
www.Breach.com

________________________________
From: Gaurav Kumar
To: mod-security-users <at> lists.sourceforge.net
Sent: Wed Jun 02 05:58:20 2010
Subject: [mod-security-users] How to list loaded rules?
As per the subject, is there a way (either programmatically or manually) to list the rules which have been loaded by ModSecurity? I understand that first the "10" rules are loaded, then the "15" and finally the "20"; however, it will really help in debugging if there is a way to list these in the order the ModSecurity engine is parsing them.

Thanks in advance,
Gaurav Kumar

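
Ryan's debug-log approach can be scripted. The following is an added example, not code from the thread or from ModSecurity: it reads a SecDebugLog written at SecDebugLogLevel 4 or higher, picks out the "Recipe: Invoking rule" lines and lists, per request id, the rules in the order the engine evaluated them, with file, line and id. The sample lines are constructed from memory of the 2.5 debug-log layout; the hostname, rule addresses, paths and ids are made up, and the field regex is deliberately loose so that extra fields such as [rev "..."] do not break it. One practical caveat on Mark's alternative: mod_info's server-info handler prints the complete module configuration, so if it is enabled at all it should be reachable only from trusted addresses.

```python
"""List the rules ModSecurity 2.x evaluated for each request, in execution
order, from a SecDebugLog written at SecDebugLogLevel 4 or higher.

Added example, not from the thread or from ModSecurity. SAMPLE_LOG is
constructed; its hostname, rule addresses, paths and ids are invented.
"""
import re
import sys
from collections import OrderedDict

# One debug-log line:  [timestamp] [host/sid#x][rid#y][uri][level] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#[0-9a-f]+\]'
    r'\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$'
)
# Level-4 message the engine writes each time it starts evaluating a rule.
# Everything after the address is a run of [key "value"] fields; id is
# absent for rules with no id action (a SecAction, a chained rule).
INVOKE_RE = re.compile(r'^Recipe: Invoking rule (?P<addr>[0-9a-f]+); (?P<fields>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_invocations(log_text):
    """Yield one dict per 'Invoking rule' line, in log order."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        inv = INVOKE_RE.match(m.group('msg'))
        if not inv:
            continue
        fields = dict(FIELD_RE.findall(inv.group('fields')))
        yield {
            'rid': m.group('rid'),
            'uri': m.group('uri'),
            'file': fields.get('file'),
            'line': int(fields.get('line', '0')),
            'id': fields.get('id'),          # None when the rule has no id
        }


def rules_by_request(log_text):
    """Map Apache request id (rid#) -> [(file, line, id), ...] in the order
    the engine ran them.  One benign request therefore yields the effective
    rule order for its URI; rules skipped by skip/skipAfter, or removed in
    that location with SecRuleRemoveById, never appear."""
    out = OrderedDict()
    for inv in parse_invocations(log_text):
        out.setdefault(inv['rid'], []).append((inv['file'], inv['line'], inv['id']))
    return out


# Constructed sample: two requests; the first rule is a SecAction with no id.
SAMPLE_LOG = '''\
[02/Jun/2010:12:00:00 +0000] [www.example.com/sid#9ad0668][rid#b0cde88][/index.php][4] Recipe: Invoking rule 9b1c2a8; [file "/etc/apache2/crs/modsecurity_crs_10_config.conf"] [line "40"].
[02/Jun/2010:12:00:00 +0000] [www.example.com/sid#9ad0668][rid#b0cde88][/index.php][5] Rule 9b1c2a8: SecAction "phase:1,t:none,pass,nolog,initcol:ip=%{remote_addr}"
[02/Jun/2010:12:00:00 +0000] [www.example.com/sid#9ad0668][rid#b0cde88][/index.php][4] Recipe: Invoking rule 9b1c4d0; [file "/etc/apache2/crs/modsecurity_crs_20_protocol_violations.conf"] [line "23"] [id "960911"] [rev "2.0.7"].
[02/Jun/2010:12:00:00 +0000] [www.example.com/sid#9ad0668][rid#b0cde88][/index.php][4] Rule returned 0.
[02/Jun/2010:12:00:00 +0000] [www.example.com/sid#9ad0668][rid#b0cde88][/index.php][4] Recipe: Invoking rule 9b1c7f8; [file "/etc/apache2/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "57"] [id "950001"].
[02/Jun/2010:12:00:01 +0000] [www.example.com/sid#9ad0668][rid#b0ce120][/login.php][4] Recipe: Invoking rule 9b1c2a8; [file "/etc/apache2/crs/modsecurity_crs_10_config.conf"] [line "40"].
'''


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for rid, rules in rules_by_request(text).items():
        print(f'request rid#{rid}: {len(rules)} rule(s)')
        for path, line, rule_id in rules:
            print(f'  {rule_id or "(no id)":<8} {path}:{line}')


if __name__ == '__main__':
    main(sys.argv)
```

Point it at the SecDebugLog path after sending a single benign request; because the grouping key is Apache's request id, a log with traffic from other clients mixed in still yields one clean list per request. If a newer ModSecurity changes the "Invoking rule" wording, only INVOKE_RE needs adjusting.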
Brian Rectanus | 2 Jun 21:14 2010

Re: ModSecurity 2.5.11 limit upload file size

And what happens without your ErrorDocument?  It seems to me that
something else is changing the normal 413 response that ModSecurity is
issuing as you can see this normal 413 in part 'F' of the audit log.

I suggest you use tcpdump or similar to look more at the traffic going
to the client.

thanks,
-B

On 05/27/2010 07:48 PM, jaylam <at> jetco.com.hk wrote:
> 
> Hi all,
> 
> I want to limit the file upload size on my website with ModSecurity 2.5.11.
> 
> So I added
> 
> # Maximum request body size we will
> # accept for buffering
> SecRequestBodyLimit 131072
> 
> in my modsecurity_crs_10_config.conf
> 
> And I configured my ErrorDocument for status code 413 (Anything over this
> limit will be rejected with status code 413 Request Entity Too Large.)
> 
> I expected a response page with status code 413 to be returned to the
> browser.
> 
> However, "The connection was reset" is returned by my browser.
> 
> And I can find the HTTP/1.1 413 Request Entity Too Large in the audit log.
> 
> I am sure that my customized error document is fine because I can access it
> by typing the URL in the browser.
> And the error documents for other status codes such as 400, 403, 500 work
> fine.
> 
> I really wonder what happens on the 413 status code.
> 
> I have tried to find another way to limit my file upload size, and I found a
> rule that seems suitable to do this:
> 
> ## -- File upload limits --
> 
> # Individual file size is limited
> #SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,block,log,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
> 
> However, it doesn't block anything when I upload a 2 MB file.
> 
> Does this rule work?
> 
> Or have I done anything wrong?
> 
> Please help!!!!!
> 
> Thanks a lot!!!
> 
> Here are my logs:
> 
> ModSecurity audit log:
> 
> --dd60e76b-A--
> [28/May/2010:02:16:05 +0000] Fuaas38AAAEAAGKWBNgAAAAB 192.168.185.75 4580 192.168.51.111 7700
> --dd60e76b-B--
> POST <mysite>/merchanteditgeneral.do HTTP/1.1
> Host: 192.168.51.111:7700
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: <mysite>/merchanteditgeneral.prepare?merchantID=123
> Cookie: JSESSIONID=00004I1ku6XOBJX5mhowCIhnURk:110esvoc9
> Content-Type: multipart/form-data; boundary=---------------------------1766167231251
> Content-Length: 2165009
> 
> --dd60e76b-F--
> HTTP/1.1 413 Request Entity Too Large
> Last-Modified: Tue, 25 May 2010 03:04:05 GMT
> ETag: "35e40-1de3-69001340"
> Accept-Ranges: bytes
> Content-Length: 7651
> Connection: close
> Content-Type: text/html
> 
> --dd60e76b-H--
> Message: Request body (Content-Length) is larger than the configured limit (131072).
> Stopwatch: 1275012965636787 2317 (- - -)
> Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.3.
> Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8m
> 
> --dd60e76b-K--
> SecAction "phase:1,status:403,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
> 
> --dd60e76b-Z--
> 
> ModSecurity debug log:
> 
> [28/May/2010:02:30:56 +0000] [192.168.11.111/sid#9ad0668][rid#b0cde88][/Bank/secure/Merchant/merchantedit/merchanteditgeneral.do][1] Request body (Content-Length) is larger than the configured limit (131072).
> 
> Error log:
> 
> [Fri May 28 02:30:56 2010] [error] [client 192.168.11.72] ModSecurity: Request body (Content-Length) is larger than the configured limit (131072). [hostname "192.168.11.111"] [uri "<mysite>/merchanteditgeneral.do"] [unique_id "TAdbtn8AAAEAAGLMUroAAAAN"]
> 

-- 
Brian Rectanus
Breach Security

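
Brian's point is that part F of the audit log records the response ModSecurity itself produced, so if the browser sees something else, the change happened after ModSecurity. The added example below (not code from the thread or from ModSecurity) parses the serial audit-log format into its lettered parts and reports, per entry, the request line and Content-Length from part B, the status line from part F and the Message from part H, then picks out entries where an oversized body got the 413 that SecRequestBodyLimit issues. The sample entry is constructed from Jay's abridged one; the boundary id and addresses are copied from the post and mean nothing outside it. Two further things worth checking in the quoted configuration before chasing the reset: the FILES_SIZES rule is quoted with a leading '#', so as posted it is commented out and never loads, and SecRequestBodyLimit is enforced while the body is being read, before the phase 2 rules run, so a 2 MB upload is rejected before a FILES_SIZES rule could inspect it.

```python
"""Split ModSecurity 2.x serial audit-log entries into their lettered parts
and report what the engine recorded: request line and Content-Length
(part B), the status line it wrote (part F) and its Message (part H).

Added example, not from the thread or from ModSecurity. SAMPLE_AUDIT_LOG is
constructed from the abridged entry in the thread; the boundary id and
addresses are copied from that post and mean nothing outside it.
"""
import re
import sys

BOUNDARY_RE = re.compile(r'^--(?P<id>[0-9a-f]+)-(?P<part>[A-Z])--$')
STATUS_RE = re.compile(r'^HTTP/\d\.\d (?P<code>\d{3})')


def parse_audit_log(text):
    """Return [{'id': boundary id, 'parts': {letter: body}}, ...].

    Each part opens with '--<id>-<letter>--' and the Z boundary closes the
    entry, so the body of a part is everything up to the next boundary."""
    entries, current, part, buf = [], None, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m is None:
            if part is not None:
                buf.append(line)
            continue
        if part is not None:                 # boundary: close the open part
            current['parts'][part] = '\n'.join(buf).strip()
        buf, letter = [], m.group('part')
        if letter == 'Z':                    # end of entry
            current, part = None, None
            continue
        if current is None or current['id'] != m.group('id'):
            current = {'id': m.group('id'), 'parts': {}}
            entries.append(current)
        part = letter
    return entries


def header_value(block, name):
    """Value of header `name` in a part-B/part-F block (first line skipped), or None."""
    for line in block.splitlines()[1:]:
        key, sep, value = line.partition(':')
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def summarize(entry):
    parts = entry['parts']
    a = parts.get('A', '').split()           # [date] [tz] unique_id src_ip src_port dst_ip dst_port
    b, f, h = parts.get('B', ''), parts.get('F', ''), parts.get('H', '')
    status = STATUS_RE.match(f)
    message = next((ln[len('Message:'):].strip() for ln in h.splitlines()
                    if ln.startswith('Message:')), None)
    cl = header_value(b, 'Content-Length')
    return {
        'id': entry['id'],
        'unique_id': a[2] if len(a) > 2 else None,
        'client': a[3] if len(a) > 3 else None,
        'request_line': b.splitlines()[0] if b else None,
        'content_length': int(cl) if cl and cl.isdigit() else None,
        'status': int(status.group('code')) if status else None,
        'message': message,
    }


def body_limit_rejections(entries, limit):
    """Entries whose declared body exceeded `limit` and which ModSecurity
    answered with 413.  That 413 is what it handed to Apache; if the client
    saw a reset instead, look downstream of ModSecurity (tcpdump, as Brian
    suggests), not at the rule set."""
    return [s for s in map(summarize, entries)
            if s['content_length'] and s['content_length'] > limit and s['status'] == 413]


SAMPLE_AUDIT_LOG = '''\
--dd60e76b-A--
[28/May/2010:02:16:05 +0000] Fuaas38AAAEAAGKWBNgAAAAB 192.168.185.75 4580 192.168.51.111 7700
--dd60e76b-B--
POST /merchanteditgeneral.do HTTP/1.1
Host: 192.168.51.111:7700
Content-Type: multipart/form-data; boundary=---------------------------1766167231251
Content-Length: 2165009

--dd60e76b-F--
HTTP/1.1 413 Request Entity Too Large
Content-Length: 7651
Connection: close
Content-Type: text/html

--dd60e76b-H--
Message: Request body (Content-Length) is larger than the configured limit (131072).
Stopwatch: 1275012965636787 2317 (- - -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.3.
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8m

--dd60e76b-Z--
'''


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUDIT_LOG
    for s in map(summarize, parse_audit_log(text)):
        print(f"{s['unique_id']} {s['client']} {s['request_line']} "
              f"len={s['content_length']} -> {s['status']}: {s['message']}")


if __name__ == '__main__':
    main(sys.argv)
```

This reads the serial (single-file) audit log that SecAuditLogType Serial produces; with the Concurrent type each entry is its own file and can be fed to the same parser one file at a time.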

Brian Rectanus | 2 Jun 21:14 2010

Re: Can not start up after add REQUEST_URI_RAW

You did not mention which version of ModSecurity, nor the actual error
you are getting.  Please give us this required info.

thanks,
-B

On 05/28/2010 05:32 AM, Ma Fai wrote:
> I tried commenting out 'modsecurity_crs_10_config.conf'.
> But it still hangs, because Apache hangs, and there is no error message in the Apache
> log or the ModSecurity log. It seems hard to find out the reason.
> 
> 
> SecDebugLog /var/log/modsec-debug.log
> SecDebugLogLevel 9
> SecRule REQUEST_URI_RAW "http:/" "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath"
> 
> 
> On Fri, May 28, 2010 at 8:12 PM, Ma Fai <mafai26 <at> gmail.com> wrote:
> 
>     I tried the following but still cannot start Apache. One
>     interesting thing: if I start Apache and then change
>     httpd.conf to add this rule, I cannot stop Apache.
> 
>     I tried this (with double quotes around the action list)
> 
>     SecRule REQUEST_URI_RAW "http://" "log,drop,phase:1,msg:'Possible Attack'"
> 
>     Then I changed to this.
> 
>     SecRule REQUEST_URI_RAW "http:/" "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath"
> 
> 
>     I tried this without any problem; it works fine. Only REQUEST_URI_RAW
>     has the problem.
> 
>     SecRule REQUEST_HEADERS:User-Agent "^Mozilla" "log,drop,phase:1,msg:'Possible Brute Force Attack'"
> 
> 
>     For my Apache, I only installed with --with-unique-id, without extra
>     modules.
> 
> 
>     On Fri, May 28, 2010 at 7:19 PM, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:
> 
>         Try putting double quotes around your action list.
> 
> 
>         Ryan C. Barnett
>         Director of Application Security Research
>         Breach Security, Inc.
>         Ryan.Barnett <at> Breach.com
>         www.Breach.com
> 
>         ------------------------------------------------------------------------
>         *From*: Ma Fai
>         *To*: mod-security-users <at> lists.sourceforge.net
>         *Sent*: Fri May 28 06:57:03 2010
>         *Subject*: [mod-security-users] Can not start up after add REQUEST_URI_RAW
>         I use the base modsecurity_crs_10_config.conf
> 
> 
>         #Httpd.conf
>         Include conf/modsecurity_crs/*.conf
> 
>         SecRule REQUEST_URI_RAW "http:/" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath
> 
> 
>         After I add the SecRule REQUEST_URI_RAW, Apache cannot
>         start up; it hangs with no response. httpd cannot start it up.
> 
>         Anyone have experience with this?
> 
> 

-- 
Brian Rectanus
Breach Security


Hubert Demercado | 2 Jun 22:10 2010

Fwd: Can not start up after add REQUEST_URI_RAW


Hi, I was wondering if ModSecurity can cover all aspects of the WAFEC matrix?
Can you help me with that please?

--
Ingeniero  Hubert Demercado Lewis
CISSP,CCAI,CCNA,LPIC-3,CCNP,GIHC,GIFW,CEH,Novell Certified Linux Administrator (CLA)
Cel 65754137
hdemercado <at> solu-technology.com



Ryan Barnett | 4 Jun 20:51 2010

Announcing CRS v2.0.7

http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download

This update has a number of improvements, most notably the inclusion of new experimental protection rules for CSRF and Application Defects (missing HTTPOnly flag and identifying apps that are not properly output encoding/escaping user-supplied data). See my previous Black Hat presentations for more info -

http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Barnett

Note that this release includes the rules-updater.pl script in the /util directory and we have activated the CRS rules repository on the www.modsecurity.org site so you can now auto-download the rules. Read the README file in the /util directory for usage info.

--------------------------
Version 2.0.7 - 06/4/2010
--------------------------

Improvements:

- Added CSRF Protection Ruleset which will use Content Injection to add javascript to specific outbound data and then validate the csrf token on subsequent requests.
- Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie flags
- Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied data being echoed back to user unchanged.
- Added rules-updater.pl script and configuration file to allow users to automatically download CRS rules from the CRS rules repository.
- Added new SQLi keyword for ciel() and reverse() functions.
- Updated the PHPIDS filters

Bug Fixes:

- Fixed false positives for Request Header Name matching in the 30 file by adding boundary characters.
- Added missing pass actions to @pmFromFile prequalifier rules
- Added backslash to SQLi regex
  https://www.modsecurity.org/tracker/browse/CORERULES-41
- Fixed hard coded anomaly score in PHPIDS filter file
  https://www.modsecurity.org/tracker/browse/CORERULES-45
- Fixed restricted_extension false positive by adding boundary characters

--
Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com
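
The Application Defect item above identifies Set-Cookie headers without the HttpOnly flag and fixes them. As an added example (not the CRS rule itself, which is written in ModSecurity's rule language, and not code from the thread), here is the same check in Python over a constructed list of response headers. It also shows the edge case such a check has to get right: HttpOnly must be matched as its own ';'-separated attribute, case-insensitively, because a plain substring test is fooled by a cookie value that merely contains the word.

```python
"""Identify Set-Cookie response headers that lack the HttpOnly attribute and
append it, the defect the CRS 2.0.7 Application Defect rules look for.

Added example, not the CRS rule and not from the thread. SAMPLE_HEADERS is
constructed; the cookie names and values are invented.
"""


def cookie_attributes(set_cookie):
    """Split 'name=value; attr; attr=value' into (pair, [attribute names]).

    Attribute names are compared lower-cased; RFC 6265 attribute names are
    case-insensitive and browsers accept 'httponly' as well as 'HttpOnly'."""
    pieces = [p.strip() for p in set_cookie.split(';')]
    pair, attrs = pieces[0], pieces[1:]
    names = [a.split('=', 1)[0].strip().lower() for a in attrs if a]
    return pair, names


def has_httponly(set_cookie):
    """True only if HttpOnly appears as an attribute, not inside the value."""
    _, names = cookie_attributes(set_cookie)
    return 'httponly' in names


def naive_has_httponly(set_cookie):
    """The substring test a simple pattern would do; kept to show how a
    cookie *value* containing 'httponly' makes it report the flag as present."""
    return 'httponly' in set_cookie.lower()


def add_httponly(set_cookie):
    """Return the header value with '; HttpOnly' appended if it is missing."""
    if has_httponly(set_cookie):
        return set_cookie
    return set_cookie.rstrip().rstrip(';') + '; HttpOnly'


def audit_headers(headers):
    """headers: list of (name, value) as sent to the client.

    Returns (fixed_headers, names_of_cookies_that_lacked_httponly)."""
    fixed, findings = [], []
    for name, value in headers:
        if name.lower() in ('set-cookie', 'set-cookie2') and not has_httponly(value):
            findings.append(value.split('=', 1)[0].strip())
            value = add_httponly(value)
        fixed.append((name, value))
    return fixed, findings


# Constructed sample response headers: one session cookie without the flag,
# one with it in lower case, one whose value contains the word, one correct.
SAMPLE_HEADERS = [
    ('Content-Type', 'text/html'),
    ('Set-Cookie', 'JSESSIONID=00004I1ku6XOBJX5mhowCIhnURk; Path=/'),
    ('Set-Cookie', 'lang=en; Path=/; httponly'),
    ('Set-Cookie', 'note=not_httponly_here; Path=/; Secure'),
    ('Set-Cookie', 'sid=abc; Path=/; HttpOnly; Secure'),
]


if __name__ == '__main__':
    fixed, findings = audit_headers(SAMPLE_HEADERS)
    print('cookies missing HttpOnly:', findings)
    for name, value in fixed:
        print(f'{name}: {value}')
```

In a WAF the equivalent rewrite must run in the response-header phase, before the headers reach the client, and it cannot add what the application should set in the first place: session cookies that are also read by JavaScript will break once the flag is added, so the findings list is the thing to hand back to the developers.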
