Re: AW: [Modsecurity] A little problem with excludes

Cristian Livadaru cristian at livadaru.net
Thu Oct 11 11:01:04 EDT 2007


So, if I got everything right my rules.conf has to be modified like
this:

#Generic SQL sigs
SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" "chain,id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"

But by this I am not able to use automatic updates anymore :( oh
well, I will have to do them manually by doing a diff over everything.

Cris

On Oct 11, 2007, at 16:30 , Michael Shinn wrote:

> On Thu, 2007-10-11 at 14:08 +0000, Michael Shinn wrote:
>> Unfortunately, the exclude support is a little lacking in modsec  
>> right
>> now.  You can't exclude via Location matches with regexps, only  
>> literals
>> (index.php will work, index.php?foo=.*bar=.*)
> This should say:
>
>
> index.php will work, index.php?foo=.*bar=.* will not.
>
>>  What you have to do is
>> write a chained rule to exclude, like this:
>>
>> Say you have a rule (it sounds like you using 1.9.x, so I'll stick to
>> that syntax):
>>
>> SecFilterSelective ARGS "foo+bar"
>>
>> To exclude your case for this, you need to add this:
>>
>> SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" chain
>> SecFilterSelective ARGS "foo+bar"
>>
>> On Thu, 2007-10-11 at 11:55 +0200, Cristian Livadaru wrote:
>>> Hi, this doesn't seem to work with Version 1.9.4
>>>
>>>
>>> Invalid command 'SecRuleRemoveById', perhaps misspelled or  
>>> defined by
>>> a module not included in the server configuration
>>> It's the same way the original excludes.conf is configured.
>>> I somehow think my Location doesn't quite match but I don't see why.
>>>
>>>
>>> Cris
>>>
>>> On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote:
>>>
>>>> Hi Christian,
>>>>
>>>>
>>>> I usually exclude rules like this:
>>>>
>>>>
>>>> <LocationMatch "xxx">
>>>>     SecRuleRemoveById 300018
>>>> </LocationMatch>
>>>>
>>>>
>>>> Maybe this helps ...
>>>>
>>>>
>>>> Kind regards,
>>>> Thomas
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: modsecurity-bounces at gotroot.com
>>>> [mailto:modsecurity-bounces at gotroot.com] On behalf of Cristian
>>>> Livadaru
>>>> Sent: Thursday, 11 October 2007 11:29
>>>> To: modsecurity at gotroot.com
>>>> Subject: [Modsecurity] A little problem with excludes
>>>>
>>>>
>>>> Hi modsecurity list,
>>>>
>>>>
>>>> I seem to have a little problem with the excludes
>>>>
>>>>
>>>> I have this in my Audit log:
>>>>
>>>>
>>>>
>>>>
>>>> ==6d394431==============================
>>>>
>>>>
>>>> Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200]
>>>> "POST
>>>> /index.php? 
>>>> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
>>>> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
>>>> HTTP/1.1"
>>>> 403 285
>>>> "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ 
>>>> openrealty,61637
>>>> 4696f6e3d656469745f6c697374696e677326616d703b656469743d333639266164 
>>>> 6d696e3d7
>>>> 4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
>>>> Gecko/20070914 Firefox/2.0.0.7" - "-"
>>>> ----------------------------------------
>>>> POST
>>>> /index.php? 
>>>> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
>>>> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
>>>> HTTP/1.1
>>>> Host: www.foo.com
>>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: 
>>>> 1.8.1.7)
>>>> Gecko/20070914 Firefox/2.0.0.7
>>>> Accept:
>>>> text/xml,application/xml,application/xhtml
>>>> +xml,text/html;q=0.9,text/plain;q=
>>>> 0.8,image/png,*/*;q=0.5
>>>> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>>>> Accept-Encoding: gzip,deflate
>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>>> Keep-Alive: 300
>>>> Connection: keep-alive
>>>> Referer:
>>>> http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ 
>>>> openrealty,616374
>>>> 696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646 
>>>> d696e3d74
>>>> 727565/
>>>> Content-Type: application/x-www-form-urlencoded
>>>> Content-Length: 510
>>>> mod_security-action: 403
>>>> mod_security-message: Access denied with code 403. Pattern match
>>>> "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|
>>>> delete[[:
>>>> space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev
>>>> "1"] [msg
>>>> "Generic SQL injection protection"] [severity "CRITICAL"]
>>>>
>>>>
>>>> 510
>>>> action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%
>>>> 5D=4&featured=no
>>>> &edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse& 
>>>> Stadt=Wie
>>>> n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette
>>>> +Kleine+Zim
>>>> mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C
>>>> +Fliesenbad%2
>>>> C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%
>>>> E4he&Zimmer=2&Badezimmer=1&year_
>>>> built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%
>>>> FCche&home_fe
>>>> atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
>>>>
>>>>
>>>> HTTP/1.1 403 Forbidden
>>>> Content-Length: 285
>>>> Keep-Alive: timeout=15, max=89
>>>> Connection: Keep-Alive
>>>> Content-Type: text/html; charset=iso-8859-1
>>>> --6d394431--
>>>>
>>>>
>>>>
>>>>
>>>> but in excludes.conf I have added:
>>>>
>>>>
>>>> # cms_realty
>>>> <LocationMatch "/index.php\?option=com_cmsrealty.*">
>>>> SecFilterRemove 300015
>>>> </LocationMatch>
>>>>
>>>>
>>>> I don't understand why this is still blocking. What am I doing
>>>> wrong?
>>>>
>>>>
>>>> Regards, Cristian
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Cristian Livadaru
>>>> http://livadaru.net
>>>>
>>>> _______________________________________________
>>>> Modsecurity mailing list
>>>> Modsecurity at gotroot.com
>>>> http://lists.gotroot.com/mailman/listinfo/modsecurity
>>>>
>>>>
>>>
>>> --
>>> Cristian Livadaru
>>> http://livadaru.net
>>>
>>> _______________________________________________
>>> Modsecurity mailing list
>>> Modsecurity at gotroot.com
>>> http://lists.gotroot.com/mailman/listinfo/modsecurity
> -- 
> Michael T. Shinn                                    KeyID:0xDAE2EC86
> Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
> SANS Advisory Board Member
>
> Got Root?  http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
>
>

--
Cristian Livadaru
http://livadaru.net
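As an added illustration (not code from the thread or from mod_security itself), a small Python model of the two exclusion approaches discussed above: it shows why the <LocationMatch> regex in excludes.conf cannot take effect (Apache tests it against the URL path without the query string, which is why the chained rule uses REQUEST_URI instead), and evaluates the chained rule against a shortened, constructed copy of the blocked listing update. It assumes the signature is tested against the whole query string and raw POST payload, as the audit log's POST_PAYLOAD hit indicates, and rewrites [[:space:]] as \s for Python's re module.

```python
import re
from urllib.parse import urlsplit

# Generic SQL signature of rule 300015 as quoted in the thread; Python's re
# has no POSIX [[:space:]] class, so it is written as \s here.
SQL_SIG = re.compile(r"((alter|create|drop)\s+(column|database|procedure|table)"
                     r"|delete\s+from|update.+set.+=)")
# Negated REQUEST_URI pattern of the chained exclusion rule. REQUEST_URI
# carries the query string, so option=... and Itemid=... are visible to it.
EXCLUDE_URI = re.compile(r"^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=")
# The <LocationMatch> regex from the original excludes.conf.
LOCATION_RE = re.compile(r"/index.php\?option=com_cmsrealty.*")

def location_match_hits(request_uri):
    """Apache tests <LocationMatch> against the URL path only: the query string
    is not part of the matched string, so a regex needing '?' never fires."""
    return LOCATION_RE.search(urlsplit(request_uri).path) is not None

def chained_rule_blocks(request_uri, post_body):
    """Two-rule chain: rule 1 (negated REQUEST_URI) must match before rule 2
    (the signature over query string and raw POST payload) is consulted."""
    if EXCLUDE_URI.search(request_uri):
        return False  # rule 1 fails, chain stops, request is allowed
    query = urlsplit(request_uri).query
    return any(SQL_SIG.search(s) is not None for s in (query, post_body) if s)

# Constructed sample, shortened from the audit log: a benign listing update
# that trips "update.+set.+=" via update_listing ... Gasetagenheizung ... =.
CMSREALTY_URI = "/index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d"
LISTING_BODY = ("action=update_listing&edit=369&title=Altbau-Miete"
                "&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift")

def demo():
    return {
        # why the LocationMatch exclude never took effect
        "locationmatch_applies": location_match_hits(CMSREALTY_URI),
        # the false positive itself
        "signature_fires_on_listing": SQL_SIG.search(LISTING_BODY) is not None,
        # the chain lets the cmsrealty update through ...
        "chain_blocks_listing": chained_rule_blocks(CMSREALTY_URI, LISTING_BODY),
        # ... but Itemid=[0-9] is a single digit, so Itemid=12 is blocked again
        "chain_blocks_itemid_12": chained_rule_blocks(
            CMSREALTY_URI.replace("Itemid=4", "Itemid=12"), LISTING_BODY),
        # ... and any other URI keeps the protection (raw body, literal spaces)
        "chain_blocks_other_uri": chained_rule_blocks(
            "/index.php?option=com_content", "q=update users set pw=1"),
    }
```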



