headers
kwenu | 31 Aug 2011 17:00
Picon
Favicon

Re: Testing some policy/size-limit rules.

I agree hence why we are rebuilding 2.2.20 using non-bundled apr 1.4.5

Hopefully this will resume its predictable behaviour though  - however i the main reason for usign 1.3.12 was to solve the segmentation faults i was  getting

Using an external APR might greatly help



On 31/08/11 15:43, Reindl Harald wrote:
Am 31.08.2011 16:29, schrieb kwenu:
Still the same - im using crs_2.2.2 as directed by Ryan Ever since i recompiled against apache 2.2.19 ive had major problems with segmentation faults and now rules are behaving differently after compiling against apr v 1.3.12 and pcre v 8.x
do you not think your APR is a little bit old? ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5" ------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev _______________________________________________ mod-security-users mailing list mod-security-users <at> lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/application-security.php 

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
Permalink | Reply | 0 comments |
headers
Ken Brucker | 31 Aug 2011 18:12

Re: Testing some policy/size-limit rules.

[ Resending from subscribed account ]

How does one get the generic rule (960209) to work though?

I was just experimenting with it as well and it has not been working.  I have the following in my config:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"

Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the chained rule:

SecRule &ARGS_NAMES " <at> gt %{tx.arg_name_length}" ...

By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each.

In my testing I've found that by removing '&' from the above syntax the rule behaves as expected.  There's another length based test in rule 960208 that will break in a similar way.

Using CRS 2.2.1 btw.

-- Ken

On Aug 30, 2011, at 10:03 AM, Ryan Barnett wrote:

Try -

SecRule ARGS:name " <at> gt 10" "phase:2,t:none,t:length,block,msg:'Name
Parameter Payload Too
Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',se
tvar:tx.anomaly_score=+%{tx
.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},s
etvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

-Ryan

On 8/30/11 10:59 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:

Thats right, restrict the name_size of the parameter (name) to not more
than 10 characters long.

What are you trying to do here?  Create some custom rules that restrict
the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:

Hi,

I am testing out the default rules that come with mod_security in my
test

setup and have the following below in my config files. For some reason
this rule does not trigger when i set the size of a text input field to
100+ characters.

For example in my test form (method: POST) i have:
<input type=text

name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bb

bbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cc
cccccccc"></td>

Appreciate if i could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction
"phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH " <at> eq 1"
"chain,phase:2,t:none,block,msg:'Argument name too
long',id:'960209',severity:'4',rev:'2.2.1'"
       SecRule &ARGS_NAMES " <at> gt %{tx.arg_name_length}"

"t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{
tx

.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score
},

setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var
}"









------------------------------------------------------------------------
--
----
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php



--
Using Opera's revolutionary email client: http://www.opera.com/mail/

--------------------------------------------------------------------------
----
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php



------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
Permalink | Reply | 1 comment |
headers
Ryan Barnett | 31 Aug 2011 18:20

Re: Testing some policy/size-limit rules.

Yep, good catch.  I have fixed these and they will be synced to SVN soon.

Thanks.

--
Ryan Barnett

From: Ken Brucker <Ken <at> pumastudios.com<mailto:Ken <at> pumastudios.com>>
Date: Wed, 31 Aug 2011 11:12:15 -0500
To: Ryan Barnett <ryan.barnett <at> owasp.org<mailto:ryan.barnett <at> owasp.org>>
Cc:
"mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>" <mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>>
Subject: Re: [mod-security-users] Testing some policy/size-limit rules.

[ Resending from subscribed account ]

How does one get the generic rule (960209) to work though?

I was just experimenting with it as well and it has not been working.  I have the following in my config:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"

Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the
chained rule:

SecRule &ARGS_NAMES " <at> gt %{tx.arg_name_length}" ...

By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each.

In my testing I've found that by removing '&' from the above syntax the rule behaves as expected.  There's
another length based test in rule 960208 that will break in a similar way.

Using CRS 2.2.1 btw.

-- Ken

On Aug 30, 2011, at 10:03 AM, Ryan Barnett wrote:

Try -

SecRule ARGS:name " <at> gt 10" "phase:2,t:none,t:length,block,msg:'Name
Parameter Payload Too
Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',se
tvar:tx.anomaly_score=+%{tx
.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},s
etvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

-Ryan

On 8/30/11 10:59 AM, "Usman Waheed" <usmanw <at> opera.com<mailto:usmanw <at> opera.com>> wrote:

Thats right, restrict the name_size of the parameter (name) to not more
than 10 characters long.

What are you trying to do here?  Create some custom rules that restrict
the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <usmanw <at> opera.com<mailto:usmanw <at> opera.com>> wrote:

Hi,

I am testing out the default rules that come with mod_security in my
test

setup and have the following below in my config files. For some reason
this rule does not trigger when i set the size of a text input field to
100+ characters.

For example in my test form (method: POST) i have:
<input type=text

name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bb

bbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cc
cccccccc"></td>

Appreciate if i could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction
"phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH " <at> eq 1"
"chain,phase:2,t:none,block,msg:'Argument name too
long',id:'960209',severity:'4',rev:'2.2.1'"
       SecRule &ARGS_NAMES " <at> gt %{tx.arg_name_length}"

"t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{
tx

.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score
},

setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var
}"

------------------------------------------------------------------------
--
----
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php

--
Using Opera's revolutionary email client: http://www.opera.com/mail/

--------------------------------------------------------------------------
----
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
Permalink | Reply | 0 comments |
headers
Ryan Barnett | 31 Aug 2011 23:17

Implementing OWASP AppSensor Detection Points in the OWASP ModSecurity Core Rule Set

Please forgive the cross postings, but I wanted to make sure that all relevant parties were informed of this update.  I have begun the process of implementing the OWASP AppSensor Detection Points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) within the OWASP ModSecurity Core Rule Set (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).  

I am pleased to announce that I have just made an update to the OWASP CRS SVN repository that fully implements the Request Exception (RE) category - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException.  See the following blog post for more details - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

The major change in this version vs. the earlier one outlined in this blog post (http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-real-time-application-profiling.html) is that both the profiling and detection logic has been moved to Lua scripts.  With the increased logic capabilities of Lua, we are now able to more accurately profile the application in real-time by analyzing traffic and automatically generating profiles for the following resource characteristics -
  • Enforcing the expected Request Method(s)
  • Enforce the number of expected parameters (min-max range)
  • Enforce parameter names 
  • Enforce parameter lengths (min-max range)
  • Enforce Character Classes
    • Flag (e.g. - /path/to/foo.php?param)
    • Digits  (e.g. - /path/to/foo.php?param=1234) 
    • Alpha  (e.g. - /path/to/foo.php?param=abcd)
    • AlphaNumeric  (e.g. - /path/to/foo.php?param=abcd1234)
    • Email  (e.g. - /path/to/foo.php?param=foo <at> bar.com)
    • Path  (e.g. - /path/to/foo.php?param=/dir/somefile.txt)
    • URL  (e.g. - /path/to/foo.php?param=http://somehost/dir/file.txt)
    • SafeText  (e.g. - /path/to/foo.php?param=some_data-12)
The updated rules files are in the /experimental_rules directory - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/
Look in the /lua folder to find the 2 scripts - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/lua/

I encourage people to test out these new rules and to report back their experiences – both good and bad.

FYI – I also wanted to thank Josh Zlatin for assisting with the initial Lua script creation.

Cheers.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader 
------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
Permalink | Reply | 0 comments |

Gmane