Reindl Harald | 24 Aug 2011 21:29

Re: Mitigation of Apache Range Header DoS Attack

nice - but are you guys really sure that REQUEST_HEADERS:Range "@beginsWith bytes=0-"
is a protocol-conformant rule that does not block legal requests?

http://labs.apache.org/webarch/http/draft-fielding-http/p5-range.html#byte.ranges

    The first 500 bytes (byte offsets 0-499, inclusive): bytes=0-499
    The second 500 bytes (byte offsets 500-999, inclusive): bytes=500-999
    The final 500 bytes (byte offsets 9500-9999, inclusive): bytes=-500
    Or bytes=9500-
    The first and last bytes only (bytes 0 and 9999): bytes=0-0,-1
    Several legal but not canonical specifications of the second 500 bytes (byte offsets 500-999, inclusive):
    bytes=500-600,601-999
    bytes=500-700,601-999

On 24.08.2011 16:54, Ryan Barnett wrote:
> FYI - http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
> 
> If you are concerned about this attack, I suggest that you download the latest
> modsecurity_crs_20_protocol_violations.conf file from SVN as it has the new rules -
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf
> 
> --
> Ryan Barnett
> Senior Security Researcher
> Trustwave - SpiderLabs

Ryan Barnett | 24 Aug 2011 21:41

Re: Mitigation of Apache Range Header DoS Attack


On 8/24/11 3:29 PM, "Reindl Harald" <h.reindl <at> thelounge.net> wrote:

>nice - but are you guys really sure that REQUEST_HEADERS:Range
>"@beginsWith bytes=0-"
>is a protocol-conformant rule that does not block legal requests?

This rule was included based upon data from Bad Behavior site -
http://bad-behavior.ioerror.us/documentation/how-it-works/.

In the Bad Behavior rules there is a file called "common_tests.inc.php"
which has the following info -

// Range: field exists and begins with 0
// Real user-agents do not start ranges at 0
// NOTE: this blocks the whois.sc bot. No big loss.
// Exceptions: MT (not fixable); LJ (refuses to fix; may be
// blocked again in the future); Facebook
if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed'])
    && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
    if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) &&
        strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
        return "7ad04a8a";
    }
}

So although this is legal per the RFC, it seems as though no
legitimate clients do this.
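Reindl's question and Ryan's answer side by side, as an added example (not code from the thread, the CRS or Bad Behavior; all names are my own): a parser for the byte-ranges grammar quoted from the draft, plus the two "starts at 0" heuristics, run over the draft's own legal examples to show which legitimate forms either check would block.

```python
import re

# One byte-range-spec is "first-last", "first-" or a suffix "-len".
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(value):
    """Parse a Range header value into [(first, last), ...].

    None stands for an open end ("9500-" gives (9500, None)) or a suffix
    length spec ("-500" gives (None, 500)).  Raises ValueError for anything
    that is not a syntactically valid byte-range-set per the quoted draft.
    """
    if not value.startswith("bytes="):
        raise ValueError("range unit is not 'bytes'")
    specs = []
    for raw in value[len("bytes="):].split(","):
        m = _SPEC.match(raw.strip())
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError("bad byte-range-spec: %r" % raw)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        # last-byte-pos must be >= first-byte-pos, otherwise the spec is invalid
        if first is not None and last is not None and last < first:
            raise ValueError("last-byte-pos < first-byte-pos in %r" % raw)
        specs.append((first, last))
    return specs


def crs_flags(value):
    """What the CRS check REQUEST_HEADERS:Range "@beginsWith bytes=0-" does."""
    return value.startswith("bytes=0-")


def bad_behavior_flags(value):
    """The Bad Behavior test Ryan quoted: strpos($range, "=0-") !== FALSE."""
    return "=0-" in value


# Constructed sample: the legal examples quoted from the draft, plus one
# malformed header (last < first) to show the parser rejecting it.
SAMPLE_HEADERS = [
    "bytes=0-499", "bytes=500-999", "bytes=-500", "bytes=9500-",
    "bytes=0-0,-1", "bytes=500-600,601-999", "bytes=500-700,601-999",
    "bytes=600-500",
]


def legal_but_flagged(values, check=crs_flags):
    """Return the syntactically legal headers that `check` would still block."""
    out = []
    for v in values:
        try:
            parse_byte_ranges(v)
        except ValueError:
            continue  # malformed: blocking it is not a false positive
        if check(v):
            out.append(v)
    return out
```

Calling `legal_but_flagged(SAMPLE_HEADERS)` returns the two draft examples that begin at offset 0, which is exactly the set of legal requests the rule trades away; `bad_behavior_flags` gives the same answer on this sample.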

Reindl Harald | 24 Aug 2011 21:49

Re: Mitigation of Apache Range Header DoS Attack



Thomas D. Dahlmann | 24 Aug 2011 22:45

Re: [Owasp-modsecurity-core-rule-set] ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

Hi Ryan

I've tried using the SecRuleUpdateTargetById directive as you describe 
in your blog. However I've got problems getting it working when I want 
to exclude a specific file that is being caught:

--dfd6c026-A--
[24/Aug/2011:22:10:37 +0200] TlVavH8AAQEAAEaWBogAAAAA 10.30.255.126 54271 2.2.2.2 80
--dfd6c026-B--
GET /lib/images/license/button/cc-by-sa.png HTTP/1.1
Host: wiki.example.org
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

--dfd6c026-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 201
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


Ryan Barnett | 24 Aug 2011 23:12

Re: [Owasp-modsecurity-core-rule-set] ModSecurity Advanced Topic of the Week: (Updated) Exception Handling



Thomas D. Dahlmann | 24 Aug 2011 23:47

Re: [Owasp-modsecurity-core-rule-set] ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

On 2011-08-24 23:12, Ryan Barnett wrote:
> SecRuleUpdateTargetById 950907 !REQUEST_FILENAME
If I go with the above, will it then bypass any file request unconditionally?

/T

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php

Breno Silva | 25 Aug 2011 03:45

Re: Rule causing Modsecurity to Segfault

Hey Kwenu,

Another user sent me information in the same thread you opened and I think it was you. So my suggestion is not for you :)
Sorry for that confusion ...

Please, if you can, send me your dump and I will help you

thanks

Breno

On Wed, Aug 24, 2011 at 7:45 AM, Breno Silva <breno.silva <at> gmail.com> wrote:
Ok kwenu,

Did you set the SecPcre* directives I mentioned?

Thanks

Breno


On Wed, Aug 24, 2011 at 5:50 AM, kwenu <uzoka_a <at> yahoo.co.uk> wrote:
I'm using ModSecurity 2.6.1 and CRS 2.2.1

I managed to figure out why dumps were not being created: this was due to the init script that calls an external script that checks to see whether a variable for ulimit -c is set and, if not, defaults the setting to 0.

That done, the crash dumps were practically useless - urhhhhhh

Anyway, I'm going to have to use Apache's bundled version of PCRE and hack it somewhat to work with our customised version of the ModSecurity spec file

That's the only way around this since recompiling Apache against the OS PCRE is out of the question for now

I'll let you know if this works




On 23/08/11 13:47, Breno Silva wrote:
Kwenu,

Another important thing is to have the same PCRE library compiled with Apache and ModSecurity. The crashes we have seen until now are 100% caused by different library versions.

What ModSecurity version are you using?

thanks

Breno

On Tue, Aug 23, 2011 at 7:32 AM, Breno Silva <breno.silva <at> gmail.com> wrote:
Hi Kwenu,

Did you set ?


On Tue, Aug 23, 2011 at 6:06 AM, kwenu <uzoka_a <at> yahoo.co.uk> wrote:
I cannot get a core dump - we have a customised build of Apache using our own modules -

I'm currently using ltrace as strace did not show anything other than an mprotect call that was followed by a kill SIGSEGV

I'll ltrace this and send as soon as

On 22/08/11 18:24, Breno Silva wrote:
Hi Kwenu,

Please follow these instructions and send the result to me in a private e-mail. What are your ModSecurity and Apache versions? If it is 2.6.x, please send me the library versions you are using (you can get this info from error.log).

Make sure there is a core dump area with something like:

  CoreDumpDirectory /tmp

Make sure limits are set to dump core:

  ulimit -c unlimited

Restart and trigger the error.  A core file should be in the directory
you specified.

Then use gdb to get a backtrace:

1) gdb /path/to/httpd /path/to/core
2) within gdb enter:

  thread apply all bt full

You can get it into a file with something like:

gdb /path/to/httpd /path/to/core --batch --quiet \
  -ex "thread apply all bt full" > backtrace.log


Please send me back the backtrace.log

Thanks

Breno

On Mon, Aug 22, 2011 at 12:05 PM, kwenu <uzoka_a <at> yahoo.co.uk> wrote:
Hi

We are using a custom install of Apache httpd compiled against APR 1.49 using MPM worker and PHP to serve dynamic content

The following rule is causing the web server not to return any images, only text, for intermittent requests

The httpd error_log file emits the following error message

[notice] child pid 25571 exit signal Segmentation fault (11)

I have tried attaching gdb and strace (strace did provide some clues but not a lot - "strace -v -f -p 12345 /tmp/httpd-strace") to it since I cannot get a core dump going at all, even after setting CoreDumpDirectory /tmp and setting ulimit -c unlimited for the user that the process runs under

When I remove the following line from modsecurity_crs_48_globalexceptions.conf, web pages are returned correctly, albeit error messages are still emitted

SecRule &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/' "@gt 0" "setvar:tx.anomaly_score=-4"

The above rule was the only way I could set the anomaly score for rule 981173. I would have preferred updating the operator "@ge 4" instead but cannot find a way of doing this

modsecurity_crs_41_sql_injection_attacks.conf:
SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4" "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

Is there a better way of updating the above rule's operator "@ge 4" so that I can increase the count, thereby dealing with the false positives that are created by this rule?





Ryan Barnett | 25 Aug 2011 15:13

Re: [Owasp-modsecurity-core-rule-set] ModSecurity Advanced Topic of the Week: (Updated) Exception Handling


On 8/24/11 5:47 PM, "Thomas D. Dahlmann" <domingo <at> domingo.dk> wrote:

>On 2011-08-24 23:12, Ryan Barnett wrote:
>> SecRuleUpdateTargetById 950907 !REQUEST_FILENAME
>If I go with the above will it then bypass any file request
>unconditionally?

Correct, if you use this directive, it will modify the TARGET list for
rule ID 950907 and will not inspect the REQUEST_FILENAME variable at all.

-Ryan

>
>/T
>


Thomas D. Dahlmann | 25 Aug 2011 15:26
Picon

Re: [Owasp-modsecurity-core-rule-set] ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

Ok thanks.

Both solutions work but I think I stick with the custom 15 solution to 
be as specific as possible.

/T

>>> SecRuleUpdateTargetById 950907 !REQUEST_FILENAME
>> If I go with the above will it then bypass any file request
>> unconditionally?
> Correct, if you use this directive, it will modify the TARGET list for
> rule ID 950907 and will not inspect the REQUEST_FILENAME variable at all.
>
> -Ryan
>
>


Organic Spider | 26 Aug 2011 16:46

Cookie tripping modsec

Hello, we are having a problem where a cookie being set is tripping rule 981173 due to the number of special
characters. I have created a modsecurity_crs_15_customrules.conf file with the following content:

# Ignore tracker cookie
SecRule REQUEST_HEADERS \
   "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981173:!REQUEST_COOKIES:tracker"

Yet when I reload HTTPD and test, the cookie is still being reported as a warning. How would one override it,
please? Do I have it set too early in the processing?

-- 
Thank you, OS
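A concrete contrast for the two exception-handling questions above, Thomas's SecRuleUpdateTargetById directive and Organic Spider's cookie rule, as an added example that is not from the thread, the CRS or Ryan's blog. It assumes the CRS 2.2.x file layout, that rule ids 90001 and 90002 are unused in your configuration, and the `id;target` separator for ctl:ruleUpdateTargetById as given in the ModSecurity 2.6 reference manual.

```apache
# (a) The global form quoted by Ryan. It edits an already-loaded rule, so it
#     must come AFTER the CRS rule files (a 48_local_exceptions file is the
#     usual place) and it drops REQUEST_FILENAME from 950907 for EVERY request.
SecRuleUpdateTargetById 950907 !REQUEST_FILENAME

# (b) The narrow alternative Thomas settled on, in
#     modsecurity_crs_15_customrules.conf. Phase 1 runs before the phase-2
#     CRS rules, and the ctl action only fires for the one path from his
#     audit log, so 950907 keeps inspecting REQUEST_FILENAME everywhere else.
SecRule REQUEST_FILENAME "@streq /lib/images/license/button/cc-by-sa.png" \
    "phase:1,id:'90001',t:none,nolog,pass,ctl:ruleUpdateTargetById=950907;!REQUEST_FILENAME"

# (c) Organic Spider's rule as posted has only two arguments, so ModSecurity
#     reads "phase:1,t:none,..." as the operator (a regex pattern that never
#     matches) and the ctl action never runs. A working form needs three
#     arguments: variable, operator, actions. Counting the cookie with "&"
#     (the same syntax as the &TX rule earlier in this digest) means the
#     exclusion is applied only when a tracker cookie is actually present.
SecRule &REQUEST_COOKIES:tracker "@gt 0" \
    "phase:1,id:'90002',t:none,nolog,pass,ctl:ruleUpdateTargetById=981173;!REQUEST_COOKIES:tracker"
```

After a reload, a request carrying the tracker cookie should no longer produce a 981173 warning in the audit log for that cookie, while a request with the same characters in a different cookie or in ARGS still does, which is the check that confirms the exclusion is scoped as intended.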