3 Jan 2011 22:21
Recently upgraded from 1.6.1 to 2.0.5 and I've got some questions/confusion.
Daniel Finn <Dan.Finn <at> ultradent.com>
2011-01-03 21:21:55 GMT
As the subject says, I recently upgraded from 1.6.1 to 2.0.5 on one of our servers and I’m a little confused about the results. I’m running RHEL 5.5 and I got the mod_security package from the EPEL repo. According to RPM I am running version 2.5.12-1.el5 of mod_security and /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf says I’m running Core Rule Set ver. 2.0.5.
While looking over some things I noticed that this updated rule set came with SecDefaultAction set to "phase:2,pass". Previous to upgrading, I had SecDefaultAction set to "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace". What I’m confused about is it seems like having it currently set to “phase:2,pass” should be allowing everything through but that is not the case.
Some of the tests I found online to determine whether or not mod_security is functioning properly work and some don’t. For example, www.example.com/?wget logs an error but passes the page through however www.domain.com/phpids?test=1+OR+1%3D1 logs an error and blocks the page. Why would that be?
Here’s my /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf:
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
## -- Configuration ----------------------------------------------------------
#
# Specify CRS version in the audit logs.
#
SecComponentSignature "core ruleset/2.0.5"
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
# You most likely already have a base ModSecurity configuration. The data
# presented in this file should work in conjunction with your configs.
# There are also some references to some directive settings that you will
# want to double check.
#
# -=[ Paranoid Mode ]=-
#
# There are many different transactional variables that can be inspected for
# attacks. Some variables, such as ARGS, have the best false negative/false
# positive ratio: they catch the vast majority of attack payloads and do
# not have a high false positive rate. This is also true for some security
# checks such as @validateByteRange, where we are initially only inspecting
# for Nul Bytes.
#
# There are, however, some possibilities for false negative issues with inspecting
# parsed data and this could lead to missed attacks. If you
# want to lessen the chances for false negatives, then you should enable
# "Paranoid Mode" processing by setting the following line to 1. This will process
# additional rules that are inspecting variables with a higher false positive rate.
#
SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
#
# -=[ Anomaly Scoring Threshold Levels ]=-
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
#
# -=[ Anomaly Scoring Severity Levels ]=-
#
# These are the default scoring points for each severity level. You may
# adjust these to your liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
# - 2: Critical - Anomaly Score of 20.
# Is the highest severity level possible without correlation. It is
# normally generated by the web attack rules (40 level files).
# - 3: Error - Anomaly Score of 15.
# Is generated mostly from outbound leakage rules (50 level files).
# - 4: Warning - Anomaly Score of 10.
# Is generated by malicious client rules (35 level files).
# - 5: Notice - Anomaly Score of 5.
# Is generated by the Protocol policy and anomaly files.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=20, \
setvar:tx.error_anomaly_score=15, \
setvar:tx.warning_anomaly_score=10, \
setvar:tx.notice_anomaly_score=5"
#
# -=[ HTTP Policy Settings ]=-
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_crs_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives. Uncomment the items you wish to set.
#
## Maximum number of arguments in request limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
## Limit argument name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"
## Limit value name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
## Limit arguments total length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
## Individual file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
## Combined file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', \
setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
#
#
# -=[ Blocking Action ]=-
# What to do when the anomaly score threshold is exceeded.
#
# The default is to log the error and let the request go through.
# This is a reasonable setting to start with because you do not
# want to reject legitimate requests with an untuned rule set.
#
# The following line's settings will be inherited by rules that
# do blocking in the 49 inbound and 59 outbound blocking files.
#
# Change to a disruptive action such as deny, drop or redirect if you
# want to block the transaction.
#
SecDefaultAction "phase:2,pass"
#
# Review your SecRuleEngine settings. If you want to
# allow blocking, then set it to On however check your SecDefaultAction setting
# to ensure that it is set appropriately.
#
SecRuleEngine On
SecDataDir /tmp/
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Audit logging: "Serial" writes every audited transaction to the single file
# named by SecAuditLog; "Concurrent" writes one file per transaction under
# SecAuditLogStorageDir (that directory must exist and be writable by httpd).
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
# SecAuditLogStorageDir logs/modsec_audit
SecAuditLogParts "ABIFHKZ"
SecAuditEngine RelevantOnly
#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
And here are the modules it’s using:
modsecurity_35_bad_robots.data
modsecurity_35_scanners.data
modsecurity_40_generic_attacks.data
modsecurity_41_sql_injection_attacks.data
modsecurity_42_comment_spam.data
modsecurity_46_et_sql_injection.data
modsecurity_46_et_web_rules.data
modsecurity_50_outbound.data
modsecurity_50_outbound_malware.data
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_phpids_converter.conf
modsecurity_crs_41_phpids_filters.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_48_local_exceptions.conf
modsecurity_crs_49_enforcement.conf
modsecurity_crs_49_inbound_blocking.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_59_outbound_blocking.conf
modsecurity_crs_60_correlation.conf
Any help or pointers would be really appreciated.
Thanks,
Dan
Email Policy - Unauthorized review, use, disclosure, or distribution of this e-mail is strictly prohibited. This e-mail transmission, and any documents, files or previous e-mail messages attached to it, is intended solely for the individual or individuals to whom it is specifically addressed. If the recipient of this email is not the intended recipient, do not read, copy or distribute it or any of the information it contains. Please delete it immediately and notify us by return email or by telephone 801.572.4200.
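Editor's worked example, added here; it is not from the original post, the CRS files or the ModSecurity project. Two things explain the asymmetry Dan describes. First, SecDefaultAction only supplies the actions for rules that come after it in the same configuration context and that do not set a disruptive action themselves; a rule written with its own deny,status:403, or a later SecDefaultAction in another included file or in a VirtualHost, is unaffected by the "phase:2,pass" in modsecurity_crs_10_config.conf. Second, the 49-level inbound blocking rule that fires when tx.anomaly_score reaches tx.inbound_anomaly_score_level inherits that pass, so a single critical match (20 points against a threshold of 20) is logged and let through. The quickest check is the error_log line itself: a non-disruptive match is logged as "ModSecurity: Warning." and a disruptive one as "ModSecurity: Access denied with code 403 (phase 2).", and the [id "..."] on that second form names the rule to look at. The script below parses error_log lines in that ModSecurity 2.5 format, sums anomaly scores with the severity mapping from the posted config, and reports for each transaction whether it was blocked by a rule's own action or merely crossed the threshold. The log lines, rule ids, file line numbers and unique_ids are constructed for the example; which file the denying rule sits in here is arbitrary, and whether any rule on Dan's server carries an explicit deny, and which, is whatever his own error_log shows.

```python
"""Classify ModSecurity 2.5 error_log lines: which rule matched, what anomaly
score a transaction reached, and whether a block came from a rule's own
disruptive action or was only logged because the blocking rule inherited
SecDefaultAction "pass".  Added example; not code from the post or from CRS."""
import re
from collections import OrderedDict

# Severity -> anomaly score, matching the tx.*_anomaly_score values in the
# posted modsecurity_crs_10_config.conf.  ModSecurity 2.5 logs the severity
# name; the numeric form is accepted as well.
SEVERITY_SCORES = {
    "CRITICAL": 20, "2": 20,
    "ERROR": 15, "3": 15,
    "WARNING": 10, "4": 10,
    "NOTICE": 5, "5": 5,
}
INBOUND_THRESHOLD = 20  # tx.inbound_anomaly_score_level in the posted config

# "Warning." = the rule's action was non-disruptive (pass);
# "Access denied with code NNN" = the rule carried deny/drop/redirect.
_PREFIX = re.compile(
    r"ModSecurity: (?:Warning\.|Access denied with code (?P<code>\d+)(?: \(phase \d+\))?\.)"
)
# Bracketed attributes such as [id "950005"]; values may contain escaped quotes.
_ATTR = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_event(line):
    """Return one rule-match event from an error_log line, or None."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    attrs = dict(_ATTR.findall(line))
    code = m.group("code")
    return {
        "denied": code is not None,
        "status": int(code) if code else None,
        "id": attrs.get("id"),
        "msg": attrs.get("msg"),
        "severity": attrs.get("severity"),
        "uri": attrs.get("uri"),
        "unique_id": attrs.get("unique_id"),
    }


def summarize(lines, threshold=INBOUND_THRESHOLD):
    """Group events per transaction (unique_id) and explain the outcome."""
    txns = OrderedDict()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        t = txns.setdefault(ev["unique_id"], {
            "uri": ev["uri"], "rules": [], "score": 0,
            "denied_by": None, "status": None,
        })
        t["rules"].append(ev["id"])
        # Rules without a severity (e.g. the 49-level blocking rule) add nothing.
        t["score"] += SEVERITY_SCORES.get(ev["severity"] or "", 0)
        if ev["denied"] and t["denied_by"] is None:
            t["denied_by"], t["status"] = ev["id"], ev["status"]
    for t in txns.values():
        t["over_threshold"] = t["score"] >= threshold
        if t["denied_by"]:
            t["verdict"] = "blocked by rule %s: it has its own disruptive action" % t["denied_by"]
        elif t["over_threshold"]:
            t["verdict"] = ("score %d >= %d but only logged: the blocking rule "
                            "inherited pass from SecDefaultAction" % (t["score"], threshold))
        else:
            t["verdict"] = "score %d < %d: logged only" % (t["score"], threshold)
    return txns


# Constructed sample error_log lines (ids, line numbers, unique_ids invented).
SAMPLE_ERROR_LOG = [
    # /?wget: one critical match (20 points), then the inbound blocking rule
    # fires at the threshold but, inheriting "pass", only logs a Warning.
    '[Mon Jan 03 14:01:02 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "\\bwget\\b" at ARGS_NAMES:wget. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "1"] [id "900001"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "TX0001"]',
    '[Mon Jan 03 14:01:02 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 20 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "1"] [id "900049"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [hostname "www.example.com"] [uri "/"] [unique_id "TX0001"]',
    # /phpids?test=1+OR+1=1: a critical match, then a rule that carries its own
    # deny,status:403 -- its line starts with "Access denied", not "Warning".
    '[Mon Jan 03 14:03:40 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:\\bor\\b\\s+\\d+\\s*=\\s*\\d+)" at ARGS:test. [file "/etc/httpd/modsecurity.d/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900002"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.domain.com"] [uri "/phpids"] [unique_id "TX0002"]',
    '[Mon Jan 03 14:03:40 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\bor\\b\\s+\\d+\\s*=\\s*\\d+)" at TX:phpids_converted. [file "/etc/httpd/modsecurity.d/modsecurity_crs_41_phpids_filters.conf"] [line "1"] [id "900003"] [msg "Detects classic SQL injection probings"] [severity "CRITICAL"] [hostname "www.domain.com"] [uri "/phpids"] [unique_id "TX0002"]',
]

if __name__ == "__main__":
    for uid, t in summarize(SAMPLE_ERROR_LOG).items():
        print(uid, t["uri"], t["rules"], "->", t["verdict"])
```

summarize() accepts any iterable of lines, so summarize(open("/var/log/httpd/error_log")) runs it over the real log; the same messages also appear in part H of the audit log if that is easier to pull. Once the id from an "Access denied" line is known, open the rule file named in [file "..."] and look at that rule's action list: if it contains deny, drop or redirect, SecDefaultAction never applied to it, and the place to change behaviour is the rule (or a SecRuleRemoveById in modsecurity_crs_48_local_exceptions.conf), not the 10_config default.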