[Modsecurity] A little problem with excludes
Michael Shinn
mike at gotroot.com
Thu Oct 11 13:09:30 EDT 2007
Yes, assuming that's the way your app works. I can't tell you for sure
if the regexp is perfect, as I'm not sure what the variables do.
You may have to tweak the regexp a little, for example, if Itemid is
something other than 0-9, or if option is something other than
com_cmsrealty.
On Thu, 2007-10-11 at 17:01 +0200, Cristian Livadaru wrote:
> So, if I got everything right my rules.conf has to be modified like
> this:
>
> #Generic SQL sigs
> SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" "chain,id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
> SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
>
> But by this I am not able to use automatic updates anymore :( oh well,
> I will have to do them manually by doing a diff over everything.
>
> Cris
>
> On Oct 11, 2007, at 16:30 , Michael Shinn wrote:
>
> > On Thu, 2007-10-11 at 14:08 +0000, Michael Shinn wrote:
> > > Unfortunately, the exclude support is a little lacking in modsec right
> > > now. You can't exclude via Location matches with regexps, only literals
> > > (index.php will work, index.php?foo=.*bar=.*)
> > This should say:
> >
> > index.php will work, index.php?foo=.*bar=.* will not.
> >
> > > What you have to do is write a chained rule to exclude, like this:
> > >
> > > Say you have a rule (it sounds like you're using 1.9.x, so I'll stick
> > > to that syntax):
> > >
> > > SecFilterSelective ARGS "foo+bar"
> > >
> > > To exclude your case for this, you need to add this:
> > >
> > > SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" chain
> > > SecFilterSelective ARGS "foo+bar"
> > >
> > > On Thu, 2007-10-11 at 11:55 +0200, Cristian Livadaru wrote:
> > > > Hi, this doesn't seem to work with Version 1.9.4
> > > >
> > > > Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by a module not included in the server configuration
> > > >
> > > > It's the same way the original excludes.conf is configured.
> > > > I somehow think my Location doesn't quite match but I don't see why.
> > > >
> > > > Cris
> > > >
> > > > On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote:
> > > >
> > > > > Hi Cristian,
> > > > >
> > > > > I usually exclude rules like this:
> > > > >
> > > > > <LocationMatch "xxx">
> > > > > SecRuleRemoveById 300018
> > > > > </LocationMatch>
> > > > >
> > > > > Maybe this helps ...
> > > > >
> > > > > Kind regards,
> > > > > Thomas
> > > > >
> > > > > -----Original Message-----
> > > > > From: modsecurity-bounces at gotroot.com
> > > > > [mailto:modsecurity-bounces at gotroot.com] On behalf of Cristian Livadaru
> > > > > Sent: Thursday, 11 October 2007 11:29
> > > > > To: modsecurity at gotroot.com
> > > > > Subject: [Modsecurity] A little problem with excludes
> > > > >
> > > > > Hi modsecurity list,
> > > > >
> > > > > I seem to have a little problem with the excludes
> > > > >
> > > > > I have this in my Audit log:
> > > > >
> > > > > ==6d394431==============================
> > > > > Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1" 403 285 "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7" - "-"
> > > > > ----------------------------------------
> > > > > POST /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1
> > > > > Host: www.foo.com
> > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
> > > > > Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> > > > > Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> > > > > Accept-Encoding: gzip,deflate
> > > > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > > > Keep-Alive: 300
> > > > > Connection: keep-alive
> > > > > Referer: http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/
> > > > > Content-Type: application/x-www-form-urlencoded
> > > > > Content-Length: 510
> > > > > mod_security-action: 403
> > > > > mod_security-message: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
> > > > >
> > > > > 510
> > > > > action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wien&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zimmer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1&year_built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
> > > > >
> > > > > HTTP/1.1 403 Forbidden
> > > > > Content-Length: 285
> > > > > Keep-Alive: timeout=15, max=89
> > > > > Connection: Keep-Alive
> > > > > Content-Type: text/html; charset=iso-8859-1
> > > > > --6d394431--
> > > > >
> > > > > but in excludes.conf I have added:
> > > > >
> > > > > # cms_realty
> > > > > <LocationMatch "/index.php\?option=com_cmsrealty.*">
> > > > > SecFilterRemove 300015
> > > > > </LocationMatch>
> > > > >
> > > > > I don't understand why this is still blocking. What am I doing wrong?
> > > > >
> > > > > Regards, Cristian
> > > > >
> > > > > --
> > > > > Cristian Livadaru
> > > > > http://livadaru.net
> > > > >
> > > > > _______________________________________________
> > > > > Modsecurity mailing list
> > > > > Modsecurity at gotroot.com
> > > > > http://lists.gotroot.com/mailman/listinfo/modsecurity
> > --
> > Michael T. Shinn KeyID:0xDAE2EC86
> > Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
> > SANS Advisory Board Member
> >
> > Got Root? http://www.gotroot.com
> > modsecurity rules: http://www.modsecurityrules.com
> > Troubleshooting Firewalls: http://troubleshootingfirewalls.com
>
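As an added example (not code from the thread, ModSecurity or the gotroot rules), the Python below simulates the chained 1.9 rule Michael describes against a body constructed from Cristian's audit log: it shows which legitimate form values supply the "update" and "set" that trip the generic signature, that the excluded URI is no longer blocked, and that a two-digit Itemid falls outside the exclusion's [0-9]. The function names and the substitution of \s for POSIX [[:space:]] are assumptions.

```python
import re
from urllib.parse import parse_qs

# Added example, not from the thread: a simplified stand-in for how the chained
# ModSecurity 1.9 rule decides on a request. The two posted patterns are
# re-expressed as Python regexes ([[:space:]] -> \s, assumed equivalent here).
# ModSecurity's own payload normalisation (URL-decoding) is skipped; it does
# not change the outcome for this input.
EXCLUDE_URI = re.compile(r"^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=")
SQL_SIG = re.compile(
    r"((alter|create|drop)\s+(column|database|procedure|table)"
    r"|delete\s+from|update.+set.+=)")

def sql_sig_match(payload):
    """Return the text the generic SQL signature (id 300015) matched, or None."""
    m = SQL_SIG.search(payload)
    return m.group(0) if m else None

def chained_rule_blocks(request_uri, payload):
    """Evaluate the posted chain: rule 1 is REQUEST_URI "!(EXCLUDE_URI)" chain,
    rule 2 is the SQL signature on the payload. A chain blocks only when every
    link matches, and a negated ("!") filter matches when its pattern does NOT."""
    excluded = EXCLUDE_URI.search(request_uri) is not None
    return (not excluded) and sql_sig_match(payload) is not None

def keyword_bearing_values(payload):
    """List form values containing one of the signature's keywords, to show
    which harmless field supplied each piece of the 'update.+set.+=' match."""
    hits = []
    for name, values in parse_qs(payload).items():
        for v in values:
            if re.search(r"update|set|delete|alter|create|drop", v, re.I):
                hits.append((name, v))
    return hits

# Constructed from the audit log quoted in the thread (body shortened; the
# fields that decide the match are kept verbatim).
URI = "/index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d65"
BODY = ("action=update_listing&edit=369&title=Altbau-Miete&featured=no"
        "&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift")

if __name__ == "__main__":
    print("signature matched:", sql_sig_match(BODY))
    print("fields supplying keywords:", keyword_bearing_values(BODY))
    print("blocked on excluded URI:", chained_rule_blocks(URI, BODY))
    print("blocked with two-digit Itemid:",
          chained_rule_blocks(URI.replace("Itemid=4&", "Itemid=10&"), BODY))
```

The German feature value "Gasetagenheizung" (gas central heating) contains "set", which together with "update_listing" is all the broad `update.+set.+=` alternative needs, so the block in the log is a false positive on ordinary listing data rather than SQL.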