Re: A Recommended Base Configuration - SecRuleEngine

On 04/01/2011 11:36 AM, Ryan Barnett wrote:
> Reference Manual:
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleEngine
>
> Current setting:
>
> # Enable ModSecurity, attaching it to every transaction. Use detection
> # only to start with, because that minimises the chances of post-installation
> # disruption.
> #
> SecRuleEngine DetectionOnly
>
>
> Rationale:
> When first adding in ModSecurity, you want to minimize any disruptions to traffic until you get a handle on
how your configs/rules will respond to your traffic.  This setting allows SecRules to trigger events but
not take any disruptive actions.
+1

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: A Recommended Base Configuration - SecRuleEngine

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: [Console-users] mlogc issue?

Hi David,

I just had a glance at your script. Thanks for sharing!

If this is ok with you, then I'd include your script as a sample in the
next release of the jwall-tools.

Best regards,

    Chris

Am 04.04.2011 um 20:16 schrieb David Guimaraes:

> Hi,
> 
> I created something different, I made a bash script that runs on cron and reads the serial log file
(SecAuditLogType Serial) generated by ModSecurity and sends the data to an listener AuditConsole RPC
using the jwall tool. This solves the problem of mlogc(hang) we're going through.
> 
> # crontab -l
> */1 * * * * /root/modaudit-jwall-skys.sh 2>&1 >>/var/log/modaudit-jwall-skys.log
> 
> http://pastebin.com/vnEQquyv
> 
> 
> On Wed, Mar 9, 2011 at 6:25 PM, Christian Bockermann <chris <at> jwall.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi list,
> 
> since a couple of people lately had problems with the mlogc spinning
> wildly, I did include a simple alternative version into my jwall-tools.
> Basically this works similar to mlogc, uses the same config, BUT
> 
>  (1)  Does not run inside Apache, i.e. does not block the Apache
>       process when running wild (which it hopefully does not do )
> 
>  (2)  Is implemented in Java (since all the parsing is done using my
>       parser libraries)
> 
> Basically, it requires the mlogc-config and continuously reads a
> ModSecurity index-log file for new requests. These will then be send
> to the ModSecurity console or my AuditConsole.
> 
> The things that need to be changed in Apache:
> 
>   # OLD way using mlogc:
>   #
>   SecAuditLog "|mlogc /path/to/mlogc.conf"
>   SecAuditLogStorageDirectory /opt/modsecurity/var/audit
> 
> needs to be changed to
> 
>   # write the index-log to disk instead of piping it to mlogc:
>   #
>   SecAuditLog /opt/modsecurity/var/audit/index
>   SecAuditLogStorageDirectory /opt/modsecurity/var/audit
> 
> 
> Now, to start the sending process, simply download the latest jwall-tools-0.5.jar
> from
>       http://download.jwall.org/jwall-tools/0.5/jwall-tools-0.5.jar
> 
> and run:
> 
>    java -jar jwall-tools-0.5.jar mlogc /path/to/mlogc.conf /opt/modsecurity/var/audit/index
> 
> Now, the jwall-tools' mlogc implementation will jump to the end of the index-file
> and check for new data to arrive. It will then send any events to the receiver.
> 
> 
> There are a couple of things, which currently are not taken care of:
> 
>  (1)  Events, which failed to be sent, will be marked in a special file
>       and can be re-sent again later. This needs to be done manually. The
>       error-queue.idx is simply another index-file, which can be send
>       with the jwall-tools:
> 
>          java -Dsend-complete=true -jar jwall-tools-0.5.jar mlogc /path/to/mlogc.conf /path/to/error-queue.idx
> 
>  (2)  The index-file might grow pretty large over time. So it would need to
>       be re-set manually or via a cron-job, currently.
> 
> 
> I have to admit, this Java implementation of mlogc lacks some comfort over
> the original mlogc implementation, but if there is interest, I'd be happy
> to add new features to it.
> 
> (BTW: The sources of the jwall-tools are available, just drop me a line if
>      you're interested in contributing )
> 
> Best regards,
> 
>    Chris
> 

QUERY_STRING parsing error with some clients

Hi everyone,

on my Linux/Apache webserver, I get some requests with & of this form :
"GET /mypath?myparam1=A&myparam2=B HTTP/1.1"

I know that the request is malformed and the clients are the problem,
but Apache is responding correctly to the request.

ModSecurity is parsing this with "amp;myparam" being the name of the
parameter. I saw that from a debug output :
Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"

I've tried some modsecurity configurations, mostly htmlEntityDecode in
phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
global transformation at this level that will stick for the QUERY_STRING
parsing.

I have a workaround that is to write my rules two times : with ARGS and
the QUERY_STRING directly. But this is impractical and is currently
making me crazy.

Someone have a solution?

Thanks,

- Jonathan

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: QUERY_STRING parsing error with some clients

Jonathan,
Are you using any rules that are accessing specific ARGS by name?  If not then this should not really matter.

On Apr 12, 2011, at 6:17 PM, "Jonathan Marcil" <jonathan.marcil <at> pheromone.ca> wrote:

> Hi everyone,
>
> on my Linux/Apache webserver, I get some requests with &amp; of this form :
> "GET /mypath?myparam1=A&amp;myparam2=B HTTP/1.1"
>
> I know that the request is malformed and the clients are the problem,
> but Apache is responding correctly to the request.
>
> ModSecurity is parsing this with "amp;myparam" being the name of the
> parameter. I saw that from a debug output :
> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"
>
> I've tried some modsecurity configurations, mostly htmlEntityDecode in
> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
> global transformation at this level that will stick for the QUERY_STRING
> parsing.
>
> I have a workaround that is to write my rules two times : with ARGS and
> the QUERY_STRING directly. But this is impractical and is currently
> making me crazy.
>
> Someone have a solution?
>
> Thanks,
>
> - Jonathan
>
>
>
> ------------------------------------------------------------------------------
> Forrester Wave Report - Recovery time is now measured in hours and minutes
> not days. Key insights are discussed in the 2010 Forrester Wave Report as
> part of an in-depth evaluation of disaster recovery service providers.
> Forrester found the best-in-class provider in terms of services and vision.
> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: QUERY_STRING parsing error with some clients

Yes sure. In fact I'm using ARGS_GET.

If I do SecRule ARGS_GET:amp;myparam2 it works.

I'm seeing a lot of entry from bots with that behavior. Since I'm in a
positive security model for my project, it's kind of important. Maybe
also the bug comes from the website itself, but one of the reason that I
use ModSecurity is that I can't modify the website in question.

Thanks,

- Jonathan

On 11-04-12 06:41 PM, Ryan Barnett wrote:
> Jonathan,
> Are you using any rules that are accessing specific ARGS by name?  If not then this should not really matter.
> 
> On Apr 12, 2011, at 6:17 PM, "Jonathan Marcil" <jonathan.marcil <at> pheromone.ca> wrote:
> 
>> Hi everyone,
>>
>> on my Linux/Apache webserver, I get some requests with &amp; of this form :
>> "GET /mypath?myparam1=A&amp;myparam2=B HTTP/1.1"
>>
>> I know that the request is malformed and the clients are the problem,
>> but Apache is responding correctly to the request.
>>
>> ModSecurity is parsing this with "amp;myparam" being the name of the
>> parameter. I saw that from a debug output :
>> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"
>>
>> I've tried some modsecurity configurations, mostly htmlEntityDecode in
>> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
>> global transformation at this level that will stick for the QUERY_STRING
>> parsing.
>>
>> I have a workaround that is to write my rules two times : with ARGS and
>> the QUERY_STRING directly. But this is impractical and is currently
>> making me crazy.
>>
>> Someone have a solution?
>>
>> Thanks,
>>
>> - Jonathan
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Forrester Wave Report - Recovery time is now measured in hours and minutes
>> not days. Key insights are discussed in the 2010 Forrester Wave Report as
>> part of an in-depth evaluation of disaster recovery service providers.
>> Forrester found the best-in-class provider in terms of services and vision.
>> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users <at> lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
> 

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

REQUEST_BODY question (2.5.11)

good day!

i am trying to parse REQUEST_BODY but it does not work

i want to catch CC numbers in body so i have rules

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/xml text/plain text/html

SecRule REQUEST_BODY " <at> verifyCC \d{13,16}" "phase:2,deny,status:500,capture,msg:'CC number detected'"

still the rule does not work. no detection.  

response rule works:

SecRule RESPONSE_BODY " <at> verifyCC \d{13,16}" "phase:4,deny,status:500,capture,msg:'CC number detected'"

what am i missing on REQUEST_BODY rule? 

thanks

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: QUERY_STRING parsing error with some clients

On Tue, Apr 12, 2011 at 10:55 PM, Jonathan Marcil
<jonathan.marcil <at> pheromone.ca> wrote:
> Hi everyone,
>
> on my Linux/Apache webserver, I get some requests with &amp; of this form :
> "GET /mypath?myparam1=A&amp;myparam2=B HTTP/1.1"
>
> I know that the request is malformed and the clients are the problem,
> but Apache is responding correctly to the request.

Apache does not normally parse query string parameters (although you
may have a configuration that does).

The real question here is, does the target application treat "&amp;"
as "&". If it does not, then ModSecurity is not in error either. If it
does, then ModSecurity may need to be expanded to handle that case.

> ModSecurity is parsing this with "amp;myparam" being the name of the
> parameter. I saw that from a debug output :
> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"
>
> I've tried some modsecurity configurations, mostly htmlEntityDecode in
> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
> global transformation at this level that will stick for the QUERY_STRING
> parsing.
>
> I have a workaround that is to write my rules two times : with ARGS and
> the QUERY_STRING directly. But this is impractical and is currently
> making me crazy.
>
> Someone have a solution?
>
> Thanks,
>
> - Jonathan
>
>
>
> ------------------------------------------------------------------------------
> Forrester Wave Report - Recovery time is now measured in hours and minutes
> not days. Key insights are discussed in the 2010 Forrester Wave Report as
> part of an in-depth evaluation of disaster recovery service providers.
> Forrester found the best-in-class provider in terms of services and vision.
> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

--

-- 
Ivan Ristić

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: QUERY_STRING parsing error with some clients

On 11-04-13 12:50 PM, Ivan Ristic wrote:
> On Tue, Apr 12, 2011 at 10:55 PM, Jonathan Marcil
> <jonathan.marcil <at> pheromone.ca> wrote:
>> Hi everyone,
>>
>> on my Linux/Apache webserver, I get some requests with &amp; of this form :
>> "GET /mypath?myparam1=A&amp;myparam2=B HTTP/1.1"
>>
>> I know that the request is malformed and the clients are the problem,
>> but Apache is responding correctly to the request.
> 
> Apache does not normally parse query string parameters (although you
> may have a configuration that does).
> 
> The real question here is, does the target application treat "&amp;"
> as "&". If it does not, then ModSecurity is not in error either. If it
> does, then ModSecurity may need to be expanded to handle that case.
> 
Yes it does.

My goal is to protect the application not changing its behavior. Also, I
have tested it in RAW HTTP (telnet, not by using the browser).

But I do think that the odd behavior is from my application only. If
it's the only way possible, I'll look into ModSecurity source code to
see if I could fix it easily.

If anyone have the same problem with their applications send me an email
and I'll gladly share any informations or patches.

Thanks

> 
>> ModSecurity is parsing this with "amp;myparam" being the name of the
>> parameter. I saw that from a debug output :
>> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"
>>
>> I've tried some modsecurity configurations, mostly htmlEntityDecode in
>> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
>> global transformation at this level that will stick for the QUERY_STRING
>> parsing.
>>
>> I have a workaround that is to write my rules two times : with ARGS and
>> the QUERY_STRING directly. But this is impractical and is currently
>> making me crazy.
>>
>> Someone have a solution?
>>
>> Thanks,
>>
>> - Jonathan
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Forrester Wave Report - Recovery time is now measured in hours and minutes
>> not days. Key insights are discussed in the 2010 Forrester Wave Report as
>> part of an in-depth evaluation of disaster recovery service providers.
>> Forrester found the best-in-class provider in terms of services and vision.
>> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users <at> lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
> 
> 
> 

------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: QUERY_STRING parsing error with some clients

If you end up changing the source code, what you're looking for is
parse_arguments() in msc_parsers.c Once a separator is identified and
assuming the separator is & (because it can be changed), you need to
do a forward looking scan to see if the following characters are
"amp;". If so, you need to skip over them.

There may be other places, just search for "argument_separator" to see
where it is references.

The above should be a configuration parameter, so that it can be
active only when needed.

On Wed, Apr 13, 2011 at 8:48 PM, Jonathan Marcil
<jonathan.marcil <at> pheromone.ca> wrote:
> On 11-04-13 12:50 PM, Ivan Ristic wrote:
>> On Tue, Apr 12, 2011 at 10:55 PM, Jonathan Marcil
>> <jonathan.marcil <at> pheromone.ca> wrote:
>>> Hi everyone,
>>>
>>> on my Linux/Apache webserver, I get some requests with &amp; of this form :
>>> "GET /mypath?myparam1=A&amp;myparam2=B HTTP/1.1"
>>>
>>> I know that the request is malformed and the clients are the problem,
>>> but Apache is responding correctly to the request.
>>
>> Apache does not normally parse query string parameters (although you
>> may have a configuration that does).
>>
>> The real question here is, does the target application treat "&amp;"
>> as "&". If it does not, then ModSecurity is not in error either. If it
>> does, then ModSecurity may need to be expanded to handle that case.
>>
> Yes it does.
>
> My goal is to protect the application not changing its behavior. Also, I
> have tested it in RAW HTTP (telnet, not by using the browser).
>
> But I do think that the odd behavior is from my application only. If
> it's the only way possible, I'll look into ModSecurity source code to
> see if I could fix it easily.
>
> If anyone have the same problem with their applications send me an email
> and I'll gladly share any informations or patches.
>
> Thanks
>
>>
>>> ModSecurity is parsing this with "amp;myparam" being the name of the
>>> parameter. I saw that from a debug output :
>>> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"
>>>
>>> I've tried some modsecurity configurations, mostly htmlEntityDecode in
>>> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
>>> global transformation at this level that will stick for the QUERY_STRING
>>> parsing.
>>>
>>> I have a workaround that is to write my rules two times : with ARGS and
>>> the QUERY_STRING directly. But this is impractical and is currently
>>> making me crazy.
>>>
>>> Someone have a solution?
>>>
>>> Thanks,
>>>
>>> - Jonathan
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Forrester Wave Report - Recovery time is now measured in hours and minutes
>>> not days. Key insights are discussed in the 2010 Forrester Wave Report as
>>> part of an in-depth evaluation of disaster recovery service providers.
>>> Forrester found the best-in-class provider in terms of services and vision.
>>> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod-security-users <at> lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> ModSecurity Services from Trustwave's SpiderLabs:
>>> https://www.trustwave.com/spiderLabs.php
>>>
>>
>>
>>
>

--

-- 
Ivan Ristić

------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php