Vince | 4 Oct 23:43

Making custom rules that use request header and method

Hi Everyone,

I'm having problems creating deny rules for the following kind of requests:

PROPFIND   /   HTTP/1.1
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600

I want to create rules to deny and block anything with PROPFIND as the method or "translate: f" in the headers.  This is what I have currently in my modsecurity_crs_15_customrules.conf but it's not working:

SecRule REQUEST_METHOD propfind "phase:1,deny,nolog"
SecRule REQUEST_HEADERS_NAMES:translate ^f$ "phase:1,deny,nolog"

I've tried variations like capitalizing PROPFIND, putting it in quotes "PROPFIND", using the start and end characters ^propfind$. These rules still keep getting triggered and I get alerts in my console. 
Any ideas? 

Thanks!
--
Vince                   |  Michael Smith Laboratories
Systems Network Manager |  University of British Columbia
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Ryan Barnett | 4 Oct 23:53

Re: Making custom rules that use request header and method

Can you please clarify – is your intention to have rules that will “silently” block requests with the PROPFIND Request Method and/or the “Translate: f” Request Header?  By silent, I mean that you want to “deny” the request however you do NOT want to trigger an alert.  Is this correct?

The first recommendation that I would give is to selectively increase the debug log level (to perhaps just your source IP or something), then make a request with PROPFIND and then review the debug log to see what is happening.  See the relevant sections from my Blog post - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

Vince | 5 Oct 00:17

Re: Making custom rules that use request header and method

Hi Ryan,

Yes, it is my intention to just block this silently.  I have identified that any requests using PROPFIND or translate: f (mostly webdav/webfolder enabled browsers) are not needed by our services.  We are doing this to try to trim down the amount of alerts that are showing up in the console.  Blocking unwanted behavior silently is a good way to do this, no?  I did not want to disable the rules that are being triggered as they also alert on other types of requests, and I did not want to create my own modified rule as I am not a pro with the regex just yet.

Thank you for the quick response,

Vince                   |  Michael Smith Laboratories
Systems Network Manager |  University of British Columbia

Ryan Barnett | 5 Oct 00:42

Re: Making custom rules that use request header and method

Ideally you should keep audit logs of all transactions (especially those that are blocked) however I realize that this is not feasible for many organizations.  This is most probably also an issue if you are attempting to use the open source, free ModSecurity Console as it was not designed for heavy use.  The commercial ModSecurity Management Appliance (http://www.breach.com/products/modsecurity-management.html) doesn’t have these issues.

You really have two different aspects to consider – audit logging for historical purposes vs. real-time alert management.  A possible middle-ground you could use would be to update the “Automatic Stale Alert Removal” settings under the Administration -> Alert Management page.  If you decrease the “Stale Alert Interval” setting to something like 600 seconds and the “Maximal stale severity” level to “5 – Notice”, the net result would be that you could still capture these audit logs however the lower severity items such as this would be auto-archived to the database every 10 minutes so they won’t clutter up the Alert viewer page.

If that doesn’t work for you, then you could update your custom rules a bit.  It looks as though there are a few issues (case-sensitivity, variable name).  It is a good idea to make sure that you specify all of the proper actions on your individual rules so that they don’t inherit any unintended settings.  Try these rules -

SecRule REQUEST_METHOD "^PROPFIND$" "phase:1,t:none,deny,nolog"
SecRule REQUEST_HEADERS:translate "^f$" "phase:1,t:none,deny,nolog"

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

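To see why Vince's two original rules never fire on the quoted request while Ryan's corrected ones do, here is an added Python model of how a SecRule variable is selected and the @rx regex is applied to it. It is example code written for this thread, not ModSecurity's own implementation, and it assumes case-sensitive regex matching, that REQUEST_HEADERS_NAMES yields header names rather than values, and that transformations set in SecDefaultAction are inherited unless the rule says t:none.

```python
import re
# Constructed sample request head, modelled on the one quoted in the thread.
RAW_REQUEST = ("PROPFIND / HTTP/1.1\r\nDepth: 0\r\ntranslate: f\r\n"
               "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n\r\n")

def parse_request(raw):
    """Return (method, headers); header names are lower-cased since HTTP ignores their case."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line.split()[0], headers

def select(variable, method, headers):
    """Resolve a simplified ModSecurity variable to the strings the operator runs against."""
    if variable == "REQUEST_METHOD":
        return [method]
    collection, _, key = variable.partition(":")
    key = key.lower()
    if collection == "REQUEST_HEADERS":         # the header's VALUE
        return [headers[key]] if key in headers else []
    if collection == "REQUEST_HEADERS_NAMES":   # the header's NAME, never its value
        return [key] if key in headers else []
    raise ValueError("unsupported variable: " + variable)

def rule_matches(rule, method, headers, inherited=()):
    """rule = (variable, regex, actions); @rx is case-sensitive unless t:lowercase applies,
    and t:none discards transformations inherited from SecDefaultAction (assumed model)."""
    variable, pattern, actions = rule
    transforms = list(inherited)
    for action in actions.split(","):
        if action == "t:none":
            transforms = []
        elif action.startswith("t:"):
            transforms.append(action[2:])
    for target in select(variable, method, headers):
        if "lowercase" in transforms:
            target = target.lower()
        if re.search(pattern, target):
            return True
    return False

ORIGINAL = [("REQUEST_METHOD", "propfind", "phase:1,deny,nolog"),
            ("REQUEST_HEADERS_NAMES:translate", "^f$", "phase:1,deny,nolog")]
CORRECTED = [("REQUEST_METHOD", "^PROPFIND$", "phase:1,t:none,deny,nolog"),
             ("REQUEST_HEADERS:translate", "^f$", "phase:1,t:none,deny,nolog")]
def evaluate(rules, inherited=()):
    """Apply each rule to the sample request; True means the rule would fire (deny)."""
    method, headers = parse_request(RAW_REQUEST)
    return [rule_matches(r, method, headers, inherited) for r in rules]
```

Running evaluate(CORRECTED) with and without an inherited "lowercase" transformation shows the point of t:none: the corrected rules fire either way, whereas "^PROPFIND$" without t:none would stop matching as soon as a default t:lowercase is in effect.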
