Ryan Barnett | 3 Apr 15:37

Re: Binary packages for debian

I am putting the finishing touches on a 1.9 to 2.0 Migration Matrix that
will help users to translate directives/functionality between the Mod
versions.  It should be up on the Mod site soon (possibly later today).

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of
> gotroot <at> sioban.net
> Sent: Tuesday, April 03, 2007 9:33 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Binary packages for debian
> 
> Hi !
> 
> Is there any doc to help the migration between 1.9.x and 2.1.x ???
> 
> I'm somewhat lost

Ofer Shezaf | 3 Apr 15:37

Re: Binary packages for debian

In addition, if you are looking for an example conf file for 2.x you can
use the Core Rule Set available as part of the ModSecurity distribution
on www.modsecurity.org

~ Ofer Shezaf
ModSecurity Core Rule Set project leader
CTO, Breach Security

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ryan
> Barnett
> Sent: Tuesday, April 03, 2007 4:37 PM
> To: gotroot <at> sioban.net; mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Binary packages for debian
> 
> I am putting the finishing touches on a 1.9 to 2.0 Migration Matrix
> that
> will help users to translate directives/functionality between the Mod
> versions.  It should be up on the Mod site soon (possibly later
> today).
> 
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
> 
> --------------

gotroot | 3 Apr 16:02

Re: Binary packages for debian

Ofer Shezaf wrote:
> In addition, if you are looking for an example conf file for 2.x you can
> use the Core Rule Set available as part of the ModSecurity distribution
> on www.modsecurity.org
>   

I've finally found them... I'm somewhat dumb about this one... it's
included in the debian binary...

BTW I've got a lot of audit logs since this new one with strange chars in
them:

Message: Access denied with code 400 (phase 1). Pattern match
"ÜÆØØdØØ.Å+$" at REQUEST_HEADERS:HOST. Æid "960017"Å Æmsg "Host header
is a numeric IP address"Å Æseverity "CRITICAL"Å

Any idea why it is doing that?

And one last thing I've noted, on our forum, by simply posting a new
thread I get warnings like this:
- PHP source code leakage
- ASP/JSP source code leakage

Thanks.

Sioban

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your

gotroot | 3 Apr 16:29

Re: Binary packages for debian

gotroot <at> sioban.net wrote:
> BTW I've got a lot of audit log since this new one with strange chars in
> them :
>
> Message: Access denied with code 400 (phase 1). Pattern match
> "ÜÆØØdØØ.Å+$" at REQUEST_HEADERS:HOST. Æid "960017"Å Æmsg "Host header
> is a numeric IP address"Å Æseverity "CRITICAL"Å
>
> Any Idea why it is doing that ?
>   
I've found this one.

That's because I was tailing the audit logs while I got the 'C' part of
the logs printed on my console.
After that I got strange chars, but that's only relevant to that
console, so no problems.

Hum BTW.

I didn't find how to tell it to filter the POST part; is 2.x doing it?
I've got a phpbb forum hacked last week because I was not filtering POST.

gotroot | 3 Apr 17:25

Re: Binary packages for debian

I've installed the rules from GotRoot but I have a lot of problems with
that rule (in rules.conf):

SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
"id:340000,severity:1,msg:'Bad HTTP Protocol'"

which locks out any request...

--54d2d61b-A--
[03/Apr/2007:17:19:58 +0200] 3u2SKFt5CDgAAA8thm0AAAAF ww.xx.yy.zz 4630
aa.bb.cc.dd 80
--54d2d61b-B--
GET / HTTP/1.1
Host: www.domain.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3)
Gecko/20070309 Firefox/2.0.0.3
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2mysql_data=...
Cache-Control: max-age=0

--54d2d61b-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 538
Connection: close

Ryan Barnett | 3 Apr 17:38

Re: Binary packages for debian

Take a look at the NOTE for the REQUEST_PROTOCOL variable in the
Reference Manual -
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#N10B55

My guess is that the "t:lowercase" transformation function is being
inherited for this rule so it should be written with lowercase "http"
instead of "HTTP" -

SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$"

FYI - this is an example of an overlapping rule between the GotRoot
rules and the Core Rules.  Here is one rule from the
modsecurity_crs_30_http_policy.conf file that does the same thing
however it takes into account transformation functions (uses "t:none")
and also optimizes the RegEx a bit -

SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
    "t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy',severity:'2',id:'960034'"

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache


gotroot | 3 Apr 18:07

Re: Binary packages for debian

Ryan Barnett wrote:
> My guess is that the "t:lowercase" transformation function is being
> inherited for this rule so it should be written with lowercase "http"
> instead of "HTTP" -
>
> SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$"
>   
Yes I've tried that, but even with the lowercase I get 500 errors...

Ryan Barnett | 3 Apr 18:14

Re: Binary packages for debian

Did you see my recent Blog post on handling False Positives?
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

You most likely need to increase the debug log level and take a look at the debug log itself to see exactly what
is happening.  Once you have gone through all of those steps, then post any further questions or problems.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache


> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of
> gotroot <at> sioban.net
> Sent: Tuesday, April 03, 2007 12:08 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Binary packages for debian
> 
> Ryan Barnett wrote:
> > My guess is that the "t:lowercase" transformation function is being
> > inherited for this rule so it should be written with lowercase "http"

gotroot | 4 Apr 14:16

Removing a rule without ID

Ryan Barnett wrote:
> Did you see my recent Blog post on handling False Positives?
> http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
> 
> You most likely need to increase the debug log level and take a look at the debug log itself to see exactly
> what is happening.  Once you have gone through all of those steps, then post any further questions or problems.
> 

Ok I have one rule in the gotroot set that bothers me:

SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.free\.fr"

It blocks users who have a link to a picture hosted by free.fr

[04/Apr/2007:13:59:53 +0200]
[www.domain.net/sid#931d508][rid#943db68][/plouf/plop.php][9] T (0)
urlDecodeUni:
[img:6e43630c46]http://bpaint.free.fr/screen_bpaint/ban03.jpg[/img:6e43630c46]
[04/Apr/2007:13:59:53 +0200]
[www.domain.net/sid#931d508][rid#943db68][/plouf/plop.php][9] T (0)
htmlEntityDecode:
[img:6e43630c46]http://bpaint.free.fr/screen_bpaint/ban03.jpg[/img:6e43630c46]
[04/Apr/2007:13:59:53 +0200]
[www.domain.net/sid#931d508][rid#943db68][/plouf/plop.php][9] T (0)
lowercase:
[img:6e43630c46]http://bpaint.free.fr/screen_bpaint/ban03.jpg[/img:6e43630c46]
[04/Apr/2007:13:59:53 +0200]
[www.domain.net/sid#931d508][rid#943db68][/plouf/plop.php][4] Executing
operator rx with param "(http|https|ftp)\\:/.*\\.free\\.fr" against
ARGS:edituser_signature.

Ryan Barnett | 4 Apr 16:37

Re: Removing a rule without ID

You could use a phase:1 rule like this -

SecRule REQUEST_URI "^/plouf/plop.php$" "phase:1,chain,nolog,allow,ctl:ruleEngine=Off"
SecRule ARGS:edituser_signature "^http\:\/\/.*\.free\.fr" phase:1

While this rule uses "allow" it only affects the current processing phase, so any rules that match in
phase:2 would still block it.  This is why you would need to include the "ctl:ruleEngine=Off" action so
that the request is allowed through the rest of the phases/rulesets.  As Christian pointed out in his
email, this may open a door for signature evasion if an attacker includes legit attacks with this ARG that
is allowed through.

To prevent this scenario, you could instead add a rule ID number to that GotRoot rule and then use
SecRuleRemoveByID to disable it.  Then again, if you were going that route and editing these rules then you
could just go ahead and delete it entirely if it conflicts with your env.  Since most of these rules are
missing rule IDs and/or error messages, it makes it challenging to manipulate them dynamically.  

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache


Re: Removing a rule without ID


On 04.04.2007 at 14:16, gotroot <at> sioban.net wrote:
> Ok I have one rule in the gotroot set that bother me :
>
> SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/.*\.free\.fr"
>
> It blocks users which have a link to a picture hosted by free.fr
> ....
> So I would like to permit it, but instead of removing the rule I would
> like to do it in the clean way.
>
> I've tried :
>
> - SecRule ARGS "free.fr" nolog,phase:1,allow
> - SecRuleRemoveByMsg "free"
> - in global
> - in virtual host
> - in a location match "<LocationMatch "/plouf/plop.php"
>
> but none of them match ...

How did you include the gotroot-rules?
If you include them first and they fire a disruptive action in phase:1, then your
rule "SecRule ARGS... phase:1,allow" will not get executed. If you define your rule
BEFORE including the gotroot-rules it should solve your problem as the allow-action
itself should turn off the rule-engine and thus stop executing other rules. However
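The two findings in this thread (Ryan's point that an inherited t:lowercase makes the "!^HTTP/..." rule deny every request until t:none resets the chain, and the later discussion of why a phase:1 "allow" does not stop a phase:2 rule while ctl:ruleEngine=Off stops everything, including any other detection rule) can be reproduced with a small model of how ModSecurity 2.x orders transformations, phases and exceptions. The block below is an added example written for this page; it is not ModSecurity code or the GotRoot/CRS rules. Assumptions: the transformation functions are approximated with Python stdlib calls, the transaction values are constructed from the audit and debug log excerpts quoted in the thread, the exception pattern is left unanchored (the debug log shows the signature value starts with a BBCode tag, so the posted "^http" form would not match it), and ids 999001/999002 are placeholders for a GotRoot rule given an id and a second phase:2 detection rule.

```python
"""Toy model of ModSecurity 2.x rule evaluation for the cases in this thread.
Added example, not ModSecurity code: it models only inherited t:* chains and
t:none, negated rx operators, allow vs ctl:ruleEngine=Off, and SecRuleRemoveById.
"""
import re
from dataclasses import dataclass
from html import unescape
from typing import Optional
from urllib.parse import unquote

# Stand-ins for the t:* functions named in the debug log (urlDecodeUni
# approximated with unquote(), which does no %uXXXX handling).
TRANSFORMS = {"lowercase": str.lower, "urlDecodeUni": unquote, "htmlEntityDecode": unescape}

# Constructed transaction modelled on the log excerpts quoted in the thread.
TX = {
    "REQUEST_PROTOCOL": "HTTP/1.1",
    "REQUEST_URI": "/plouf/plop.php",
    "ARGS:edituser_signature":
        "[img:6e43630c46]http://bpaint.free.fr/screen_bpaint/ban03.jpg[/img:6e43630c46]",
}


@dataclass
class Rule:
    variable: str                    # "REQUEST_PROTOCOL", "ARGS" or "ARGS:<name>"
    pattern: str                     # rx operator argument; a leading "!" negates it
    phase: int = 2
    rule_id: Optional[str] = None    # many GotRoot rules carry no id (the thread's complaint)
    t: tuple = ()                    # explicit t: actions; "none" clears the inherited chain
    allow: bool = False              # allow: skip the rest of the current phase only
    ctl_engine_off: bool = False     # ctl:ruleEngine=Off: stop processing this request

    def transform_chain(self, inherited):
        chain = list(inherited)
        for name in self.t:
            chain = [] if name == "none" else chain + [name]
        return chain

    def matches(self, tx, inherited):
        if self.variable == "ARGS":
            values = [v for k, v in tx.items() if k.startswith("ARGS:")]
        else:
            values = [tx.get(self.variable, "")]
        negate = self.pattern.startswith("!")
        regex = re.compile(self.pattern.lstrip("!"))
        for value in values:
            for name in self.transform_chain(inherited):   # transforms run before the operator
                value = TRANSFORMS[name](value)
            if (regex.search(value) is not None) != negate:
                return True
        return False


def evaluate(rules, tx, inherited_t=("lowercase",), removed_ids=()):
    """Run phases 1 and 2 in rule order; return (verdict, ids of rules that fired).
    A match denies unless the rule carries allow; allow ends only the current phase,
    ctl:ruleEngine=Off ends the whole request (hence the evasion concern)."""
    active = [r for r in rules if r.rule_id not in removed_ids]   # SecRuleRemoveById
    fired = []
    for phase in (1, 2):
        for rule in active:
            if rule.phase != phase or not rule.matches(tx, inherited_t):
                continue
            fired.append(rule.rule_id)
            if rule.ctl_engine_off:
                return "allow", fired
            if rule.allow:
                break
            return "deny", fired
    return "allow", fired


PROTOCOL_PATTERN = r"!^HTTP/(0\.9|1\.[01])$"


def protocol_verdicts():
    """GotRoot-style rule under an inherited t:lowercase vs the CRS rule with t:none."""
    gotroot = Rule("REQUEST_PROTOCOL", PROTOCOL_PATTERN, phase=1, rule_id="340000")
    crs = Rule("REQUEST_PROTOCOL", PROTOCOL_PATTERN, phase=1, rule_id="960034", t=("none",))
    return evaluate([gotroot], TX)[0], evaluate([crs], TX)[0]   # ("deny", "allow")


FREE_FR = Rule("ARGS", r"(http|https|ftp)\:/.*\.free\.fr")        # the posted rule, no id
SCRIPT_TAG = Rule("ARGS", r"<script", rule_id="999002")            # constructed phase 2 rule


def exception_verdicts(extra_args=None):
    """allow-only vs allow+ctl:ruleEngine=Off vs SecRuleRemoveById for the same request."""
    tx = {**TX, **(extra_args or {})}
    inherited = ("urlDecodeUni", "htmlEntityDecode", "lowercase")   # chain seen in the debug log
    allow_only = Rule("ARGS:edituser_signature", r"http://.*\.free\.fr", phase=1, rule_id="1", allow=True)
    engine_off = Rule("ARGS:edituser_signature", r"http://.*\.free\.fr", phase=1, rule_id="2",
                      allow=True, ctl_engine_off=True)
    tagged = Rule("ARGS", FREE_FR.pattern, rule_id="999001")      # same rule with an id added
    return {
        "allow only": evaluate([allow_only, FREE_FR, SCRIPT_TAG], tx, inherited)[0],
        "ruleEngine=Off": evaluate([engine_off, FREE_FR, SCRIPT_TAG], tx, inherited)[0],
        "RemoveById": evaluate([tagged, SCRIPT_TAG], tx, inherited, removed_ids=("999001",))[0],
    }
```

Calling `exception_verdicts()` on the forum request alone gives deny for the allow-only exception (the phase:2 free.fr rule still fires), and allow for both ctl:ruleEngine=Off and SecRuleRemoveById. Adding a second argument that the constructed phase:2 rule should catch, e.g. `exception_verdicts({"ARGS:msg": "<script>"})`, shows the difference that matters: ctl:ruleEngine=Off still answers allow, while SecRuleRemoveById answers deny because only the one conflicting rule was removed. Rule order in the list also models Christian's point that the exception must be defined before the included rules it is meant to pre-empt.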

gotroot | 4 Apr 15:10

Re: Removing a rule without ID

This is very interesting, I better understand the process now.

The gotroot rules are defined AFTER the exclude one.

But what about if the rule is removed in the virtualhost (with or
without a location match)?
Should it be declared before or after the gotroot includes?
BTW they are called in a .conf which resides in mods-enabled of apache2
(Debian specific).
This conf calls an exclude.conf.local, the core rules and then the gotroot
rules.

> If the gotroot-ruleset defines the DefaultAction to contain "phase:1"  
>   
That's maybe my problem, I will try again.
>      SecRule ARGS "free.fr" phase:1,auditlog,msg:'FOO'
>      ...
>      SecRuleRemoveByMsg "FOO"
>   
I had some problems understanding how it works, so for me that's not an
option.

I should use a SecRule redefinition I think.

Thanks.

Sioban
