Breno Silva | 23 Aug 14:47 2011

Re: Rule causing Modsecurity to Segfault

Kwenu,

Another important thing is to have the same PCRE library compiled into both Apache and ModSecurity. The crashes we have seen so far are 100% caused by different library versions.

What ModSecurity version are you using?

thanks

Breno

On Tue, Aug 23, 2011 at 7:32 AM, Breno Silva <breno.silva <at> gmail.com> wrote:
Hi Kwenu,

Did you set ?


On Tue, Aug 23, 2011 at 6:06 AM, kwenu <uzoka_a <at> yahoo.co.uk> wrote:
I cannot get a core dump - we have a customised build of Apache using our own modules -

I'm currently using ltrace, as strace did not show anything other than an mprotect call that was followed by a kill SIGSEGV.

I'll ltrace this and send as soon as

On 22/08/11 18:24, Breno Silva wrote:
Hi Kwenu,

Please follow these instructions and send the result to me in a private e-mail. What are your ModSecurity and Apache versions? If it is 2.6.x, please send me the library versions you are using (you can get this info from error.log).

Make sure there is a core dump area with something like:

  CoreDumpDirectory /tmp

Make sure limits are set to dump core:

  ulimit -c unlimited

Restart and trigger the error.  A core file should be in the directory
you specified.

Then use gdb to get a backtrace:

1) gdb /path/to/httpd /path/to/core
2) within gdb enter:

  thread apply all bt full

You can get it into a file with something like:

gdb /path/to/httpd /path/to/core --batch --quiet \
  -ex "thread apply all bt full" > backtrace.log


Please send me back the backtrace.log

Thanks

Breno

On Mon, Aug 22, 2011 at 12:05 PM, kwenu <uzoka_a <at> yahoo.co.uk> wrote:
Hi

We are using a custom install of Apache httpd compiled against APR 1.49, using MPM worker and PHP to serve dynamic content.

The following rule here is causing the web server not to return any images but text only for intermittent requests

The httpd error_log file emits the following error message

[notice] child pid 25571 exit signal Segmentation fault (11)

I have tried attaching gdb and strace to it (strace did provide some clues but not a lot - "strace -v -f -p 12345 /tmp/httpd-strace"), since I cannot get a core dump going at all, even after setting CoreDumpDirectory /tmp and setting ulimit -c unlimited for the user that the process runs under.

When I remove the following line from modsecurity_crs_48_globalexceptions.conf, web pages are returned correctly, albeit error messages are still emitted.

SecRule &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/' "@gt 0" "setvar:tx.anomaly_score=-4"

The above rule was the only way I could set the anomaly score for rule 981173. I would have preferred updating the operator "@ge 4" instead but cannot find a way of doing this.

modsecurity_crs_41_sql_injection_attacks.conf:
SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4" "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

Is there a better way of updating the above rule's operator "@ge 4" so that I can increase the count, thereby dealing with the false positives that are created by this rule?





_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php


Ryan Barnett | 23 Aug 20:49 2011

ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

I updated the blog post to highlight the new exception handling capabilities of v2.6.0 with the
SecRuleUpdateTargetById directive (and its ctl equivalent) -
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

These make local exceptions much easier.

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
kwenu | 24 Aug 12:50 2011

Re: Rule causing Modsecurity to Segfault

I'm using ModSecurity 2.6.1 and CRS 2.2.1.

I managed to figure out why dumps were not being created: this was due to the init script, which calls an external script that checks whether a variable for ulimit -c is set and, if not, defaults the setting to 0.

That done, the crash dumps were practically useless - urhhhhhh

Anyway, I'm going to have to use Apache's bundled version of PCRE and hack it somewhat to work with our customised version of the ModSecurity spec file.

That's the only way around this, since recompiling Apache against the OS PCRE is out of the question for now.

I'll let you know if this works.



Breno Silva | 24 Aug 14:45 2011

Re: Rule causing Modsecurity to Segfault

OK kwenu,

Did you set the SecPcre* directives I mentioned?

Thanks

Breno

Ryan Barnett | 24 Aug 16:54 2011

Mitigation of Apache Range Header DoS Attack

FYI - http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html

If you are concerned about this attack, I suggest that you download the latest
modsecurity_crs_20_protocol_violations.conf file from SVN as it has the new rules -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs

Sergio | 24 Aug 17:36 2011

PCRE errors with modsec ver. 2.6.0

Hi all,
I know this question has been asked so many times before, but now that there is modsec ver. 2.6.0 (cPanel) is there a way to fix the error?
Execution error - PCRE limits exceeded (-8): (null).

modsec2.user.conf has the following directives on it:
 SecPcreMatchLimit 150000
 SecPcreMatchLimitRecursion 150000

Is there any other directive that has to be present? Or is there a rule that I could implement that would be triggered when the PCRE error shows up?

Regards,

Sergio

Reindl Harald | 24 Aug 21:29 2011

Re: Mitigation of Apache Range Header DoS Attack

Nice - but are you guys really sure that REQUEST_HEADERS:Range "@beginsWith bytes=0-"
is a protocol-conformant rule which does not block legal requests?

http://labs.apache.org/webarch/http/draft-fielding-http/p5-range.html#byte.ranges

    The first 500 bytes (byte offsets 0-499, inclusive): bytes=0-499
    The second 500 bytes (byte offsets 500-999, inclusive): bytes=500-999
    The final 500 bytes (byte offsets 9500-9999, inclusive): bytes=-500
    Or bytes=9500-
    The first and last bytes only (bytes 0 and 9999): bytes=0-0,-1
    Several legal but not canonical specifications of the second 500 bytes (byte offsets 500-999, inclusive):
    bytes=500-600,601-999
    bytes=500-700,601-999


-- 

With best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm

Ryan Barnett | 24 Aug 21:41 2011

Re: Mitigation of Apache Range Header DoS Attack


On 8/24/11 3:29 PM, "Reindl Harald" <h.reindl <at> thelounge.net> wrote:

>nice - but are you guys really sure that REQUEST_HEADERS:Range
>" <at> beginsWith bytes=0-"
>is a protocol conform rule with do not block legal requests?

This rule was included based upon data from the Bad Behavior site -
http://bad-behavior.ioerror.us/documentation/how-it-works/.

In the Bad Behavior rules there is a file called "common_tests.inc.php"
which has the following info -

// Range: field exists and begins with 0
// Real user-agents do not start ranges at 0
// NOTE: this blocks the whois.sc bot. No big loss.
// Exceptions: MT (not fixable); LJ (refuses to fix; may be
// blocked again in the future); Facebook
if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
        if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
                return "7ad04a8a";
        }
}

So although this is legal per the RFC, it seems as though no
legitimate clients do this.

If you find this is not the case, please let us know and we will adjust
the rule or you can simply remove the rule locally with an exception.

-Ryan



Reindl Harald | 24 Aug 21:49 2011

Re: Mitigation of Apache Range Header DoS Attack


Am 24.08.2011 21:41, schrieb Ryan Barnett:
> 
> On 8/24/11 3:29 PM, "Reindl Harald" <h.reindl <at> thelounge.net> wrote:
> 
>> nice - but are you guys really sure that REQUEST_HEADERS:Range
>> " <at> beginsWith bytes=0-"
>> is a protocol conform rule with do not block legal requests?
> 
> This rule was included based upon data from Bad Behavior site -
> http://bad-behavior.ioerror.us/documentation/how-it-works/.
> 
> In the Bad Behavior rules there is a file called "common_tests.inc.php"
> which has the following info -
> 
> // Range: field exists and begins with 0
> // Real user-agents do not start ranges at 0
> // NOTE: this blocks the whois.sc bot. No big loss.
> // Exceptions: MT (not fixable); LJ (refuses to fix; may be
> // blocked again in the future); Facebook
> if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
>     if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
>         return "7ad04a8a";
>     }
> }
> 
> So although this is legal per the RFC, it seems as though no
> legitimate clients do this.
> 
> If you find this is not the case, please let us know and we will adjust
> the rule or you can simply remove the rule locally with an exception

i have removed this rule some minutes ago because it is triggered way too often
and we should NOT violate RFCs in a rule-file called "protocol_violations"

maybe all of that was not normal browsers but should we really block
anything even if it is RFC-conform because it is not a browser or
are we an "application firewall" to protect against attacks?

the really interesting rule is

SecRule REQUEST_HEADERS:Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," (id:'958231')

which goes d'accord with
the following from the httpd-devel-list

 # drop Range header when more than 5 ranges.
 # CVE-2011-3192

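To put the two thresholds from the post side by side, here is an added Python example (my code, not from the thread, from CRS or from httpd): it parses a Range value, counts its ranges against the 5-range threshold quoted from httpd-devel, and runs the 958231 regex quoted above over the same samples. The header values are constructed; `bytes=0-` is among them to show that a count-based check, unlike the `@beginsWith bytes=0-` rule, leaves that RFC-valid request alone.

```python
import re

# Constructed sample Range header values (not taken from the thread).
SAMPLE_RANGES = [
    "bytes=0-",                       # RFC-valid: a single range starting at 0
    "bytes=500-999",                  # ordinary partial fetch
    "bytes=1-2,3-4,5-6,7-8,9-10",     # exactly five ranges
    "bytes=0-,5-0,5-1,5-2,5-3,5-4",   # six ranges: over the threshold
    "bytes=" + ",".join("5-%d" % i for i in range(1300)),  # pathological request
    "bytes=-",                        # malformed: neither side given
    "items=0-5",                      # a unit other than bytes
]

# Regex of CRS rule 958231 as quoted in the post above. It needs five
# "start-end" specs each followed by a comma, so it fires on a sixth range
# (or on a trailing comma after five).
CRS_958231 = re.compile(
    r"^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?"
    r"(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,"
)

_SPEC = re.compile(r"^(\d*)-(\d*)$")
MAX_RANGES = 5  # the "more than 5 ranges" threshold from httpd-devel

def crs_958231_matches(header):
    """True when the CRS 958231 regex would match this Range value."""
    return CRS_958231.match(header) is not None

def parse_byte_ranges(header):
    """Split a bytes Range value into (start, end) tuples, None for an open side.
    Returns None if the unit is not bytes or any spec is malformed."""
    if not header.startswith("bytes="):
        return None
    specs = []
    for raw in header[len("bytes="):].split(","):
        m = _SPEC.match(raw.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        specs.append((start, end))
    return specs

def range_verdict(header):
    """'ok', 'too_many' (more than MAX_RANGES specs), 'malformed' or 'not_bytes'."""
    if not header.startswith("bytes="):
        return "not_bytes"
    specs = parse_byte_ranges(header)
    if specs is None:
        return "malformed"
    return "too_many" if len(specs) > MAX_RANGES else "ok"

if __name__ == "__main__":
    for h in SAMPLE_RANGES:
        print("%-40s count-based=%-9s crs958231=%s"
              % (h[:40], range_verdict(h), crs_958231_matches(h)))
```

On these samples the counting check and the 958231 regex agree: both pass five ranges and flag six, and neither touches `bytes=0-`. The parser additionally rejects a spec with no bounds at all, which the regex alone does not distinguish from a well-formed one.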
Thomas D. Dahlmann | 24 Aug 22:45 2011

Re: [Owasp-modsecurity-core-rule-set] ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

Hi Ryan

I've tried using the SecRuleUpdateTargetById directive as you describe 
in your blog. However I've got problems getting it working when I want 
to exclude a specific file that is being caught:

--dfd6c026-A--
[24/Aug/2011:22:10:37 +0200] TlVavH8AAQEAAEaWBogAAAAA 10.30.255.126 54271 2.2.2.2 80
--dfd6c026-B--
GET /lib/images/license/button/cc-by-sa.png HTTP/1.1
Host: wiki.example.org
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

--dfd6c026-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 201
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--dfd6c026-E--

--dfd6c026-H--
Message: Pattern match "(?:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" at REQUEST_FILENAME. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "25"] [id "950907"] [rev "2.2.1"] [msg "System Command Injection"] [data "/cc-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:0. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=1, XSS=): Last Matched Message: System Command Injection"] [data "Last Matched Data: /cc-"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=1, XSS=): System Command Injection"]
Action: Intercepted (phase 2)
Stopwatch: 1314216636950566 737732 (- - -)
Stopwatch2: 1314216636950566 737732; combined=727772, p1=10398, p2=711987, p3=0, p4=0, p5=5384, sr=1238, sw=3, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache/2.2.14 (Ubuntu)

--dfd6c026-Z--

This is what I've tried to put into modsecurity_crs_61_customrules.conf:
SecRuleUpdateTargetById 950907 !REQUEST_FILENAME "/cc-by-sa.png"

or

SecRuleUpdateTargetById 950907 !REQUEST_BASENAME "cc-by-sa.png"

or

SecRuleUpdateTargetById 950907 !REQUEST_FILENAME " <at> streq /cc-by-sa.png"

or

SecRuleUpdateTargetById 950907 !REQUEST_FILENAME "cc-by-sa.png$"

but it doesn't work; the file is still being blocked.

What am I missing?

/Thomas

On 2011-08-23 20:49, Ryan Barnett wrote:
> I updated the blog post to highlight the new exception handling capabilities of v2.6.0 with the
> SecRuleUpdateTargetById directive (and its ctl equivalent) -
> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
>
> These make local exceptions much easier.
>
> --
> Ryan Barnett
> Senior Security Researcher
> Trustwave - SpiderLabs
>
>
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set <at> lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

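As an added example (my code, not Thomas's configuration, the CRS or Ryan's blog), the 950907 regex from the audit log above run in Python shows that it is the `\/cc(?:[...\-\s]|$)` branch that matches "/cc-" in the filename, and models a per-path exception in which the rule is skipped for that exact path before it runs. SecRuleUpdateTargetById edits a rule's variable list (removing, say, ARGS:param from it); for skipping a rule on one value of REQUEST_FILENAME, the ModSecurity 2.6 mechanism I know is a phase-1 SecRule carrying ctl:ruleRemoveById, which the EXCEPTION_RULE string spells out. The rule id in that string and the second and third sample paths are placeholders I chose.

```python
import re

# Regex of CRS 2.2.1 rule 950907 as it appears in the audit log section H
# above, with the log's doubled backslashes reduced to single ones.
RULE_950907 = re.compile(
    r"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))"
)

# Exact request paths for which rule 950907 is to be skipped. Constructed
# set; its one entry is the file from the audit log above.
EXCLUDED_PATHS = {"/lib/images/license/button/cc-by-sa.png"}

# ModSecurity 2.6 form of the same exception, kept here for reference.
# Rule id 900001 is a placeholder chosen for this example, not a CRS id.
EXCEPTION_RULE = (
    'SecRule REQUEST_FILENAME "@streq /lib/images/license/button/cc-by-sa.png" '
    '"phase:1,id:\'900001\',t:none,nolog,pass,ctl:ruleRemoveById=950907"'
)

def rule_950907_hit(request_filename):
    """Return the matched text (e.g. '/cc-', as [data "..."] logs it) or None."""
    m = RULE_950907.search(request_filename)
    return m.group(0) if m else None

def evaluate(request_filename, excluded_paths=EXCLUDED_PATHS):
    """'skipped' when the path is excluded before the rule runs (what the
    phase-1 ctl:ruleRemoveById rule does), else 'matched' or 'clean'."""
    if request_filename in excluded_paths:
        return "skipped"
    return "matched" if rule_950907_hit(request_filename) else "clean"

if __name__ == "__main__":
    # Sample paths: the first is from the audit log, the rest are constructed.
    for path in ("/lib/images/license/button/cc-by-sa.png",
                 "/lib/images/cc-by-nc.png",
                 "/lib/ccache/index.php",
                 "/download/cc"):
        print("%-45s hit=%-7r verdict=%s"
              % (path, rule_950907_hit(path), evaluate(path)))
```

The third sample shows the boundary of the regex: "/ccache" is not matched because the character after "/cc" is a letter, while "/cc" at the end of a path is. An exception keyed on the exact path keeps the rule active for every other request, which is the narrowest exclusion a false positive on one static file needs.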