Re: [Modsecurity] A little problem with excludes

Cristian Livadaru cristian at livadaru.net
Thu Oct 11 13:57:37 EDT 2007


Thanks. I will keep an eye on the audit log and tweak it as needed.
Just needed a hint about what I was doing wrong.
Would it work if I create a separate rules file and load it AFTER the
original rules.conf and by that overwrite the original rule?
I want to be able to do automated updates but also overwrite rules
that don't work for me.

Cris

On Oct 11, 2007, at 7:09 PM, Michael Shinn wrote:

> Yes, assuming that's the way your app works.  I can't tell you for sure
> if the regexp is perfect, as I'm not sure what the variables do.
> You may have to tweak the regexp a little, for example, if Itemid is
> something other than 0-9, or if option is something other than
> com_cmsrealty.
>
> On Thu, 2007-10-11 at 17:01 +0200, Cristian Livadaru wrote:
>> So, if I got everything right my rules.conf has to be modified like
>> this:
>>
>> #Generic SQL sigs
>> SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" "chain,id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
>> SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
>>
>> But by this I am not able to use automatic updates anymore :( oh well,
>> I will have to do them manually by doing a diff over everything.
>>
>>
>> Cris
>>
>> On Oct 11, 2007, at 16:30, Michael Shinn wrote:
>>
>>> On Thu, 2007-10-11 at 14:08 +0000, Michael Shinn wrote:
>>>> Unfortunately, the exclude support is a little lacking in modsec right
>>>> now.  You can't exclude via Location matches with regexps, only literals
>>>> (index.php will work, index.php?foo=.*bar=.*)
>>> This should say:
>>>
>>> index.php will work, index.php?foo=.*bar=.* will not.
>>>
>>>
>>>>  What you have to do is
>>>> write a chained rule to exclude, like this:
>>>>
>>>> Say you have a rule (it sounds like you are using 1.9.x, so I'll stick to
>>>> that syntax):
>>>>
>>>> SecFilterSelective ARGS "foo+bar"
>>>>
>>>> To exclude your case for this, you need to add this:
>>>>
>>>> SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" chain
>>>> SecFilterSelective ARGS "foo+bar"
>>>>
>>>> On Thu, 2007-10-11 at 11:55 +0200, Cristian Livadaru wrote:
>>>>> Hi, this doesn't seem to work with Version 1.9.4
>>>>>
>>>>> Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by
>>>>> a module not included in the server configuration
>>>>>
>>>>> It's the same way the original excludes.conf is configured.
>>>>> I somehow think my Location doesn't quite match but I don't see why.
>>>>>
>>>>> Cris
>>>>>
>>>>>
>>>>> On Oct 11, 2007, at 11:48, Thomas Ammermann wrote:
>>>>>
>>>>>
>>>>>> Hi Christian,
>>>>>>
>>>>>> I usually exclude rules like this:
>>>>>>
>>>>>> <LocationMatch "xxx">
>>>>>>     SecRuleRemoveById 300018
>>>>>> </LocationMatch>
>>>>>>
>>>>>> Maybe this helps ...
>>>>>>
>>>>>> Kind regards,
>>>>>> Thomas
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: modsecurity-bounces at gotroot.com
>>>>>> [mailto:modsecurity-bounces at gotroot.com] On behalf of Cristian Livadaru
>>>>>> Sent: Thursday, 11 October 2007 11:29
>>>>>> To: modsecurity at gotroot.com
>>>>>> Subject: [Modsecurity] A little problem with excludes
>>>>>>
>>>>>> Hi modsecurity list,
>>>>>>
>>>>>> I seem to have a little problem with the excludes
>>>>>>
>>>>>> I have this in my Audit log:
>>>>>>
>>>>>> ==6d394431==============================
>>>>>> Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1" 403 285 "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7" - "-"
>>>>>> ----------------------------------------
>>>>>> POST /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1
>>>>>> Host: www.foo.com
>>>>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>>>>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>>>>> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>>>>>> Accept-Encoding: gzip,deflate
>>>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>>>>> Keep-Alive: 300
>>>>>> Connection: keep-alive
>>>>>> Referer: http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/
>>>>>> Content-Type: application/x-www-form-urlencoded
>>>>>> Content-Length: 510
>>>>>> mod_security-action: 403
>>>>>> mod_security-message: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
>>>>>>
>>>>>> 510
>>>>>> action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wien&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zimmer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1&year_built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
>>>>>>
>>>>>> HTTP/1.1 403 Forbidden
>>>>>> Content-Length: 285
>>>>>> Keep-Alive: timeout=15, max=89
>>>>>> Connection: Keep-Alive
>>>>>> Content-Type: text/html; charset=iso-8859-1
>>>>>> --6d394431--
>>>>>>
>>>>>> but in excludes.conf I have added:
>>>>>>
>>>>>> # cms_realty
>>>>>> <LocationMatch "/index.php\?option=com_cmsrealty.*">
>>>>>> SecFilterRemove 300015
>>>>>> </LocationMatch>
>>>>>>
>>>>>> I don't understand why this is still blocking. What am I doing wrong?
>>>>>>
>>>>>> Regards, Cristian
>>>>>>
>>>>>> --
>>>>>> Cristian Livadaru
>>>>>> http://livadaru.net
>>>>>>
>>>>>> _______________________________________________
>>>>>> Modsecurity mailing list
>>>>>> Modsecurity at gotroot.com
>>>>>> http://lists.gotroot.com/mailman/listinfo/modsecurity
>>>>>
>>>>> --
>>>>> Cristian Livadaru
>>>>> http://livadaru.net
>>> -- 
>>> Michael T. Shinn                                    KeyID:0xDAE2EC86
>>> Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
>>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
>>> SANS Advisory Board Member
>>>
>>> Got Root?  http://www.gotroot.com
>>> modsecurity rules: http://www.modsecurityrules.com
>>> Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
>>
>> --
>> Cristian Livadaru
>> http://livadaru.net
>
> -- 
> Michael T. Shinn                                    KeyID:0xDAE2EC86
> Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
> SANS Advisory Board Member
>
> Got Root?  http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
>
>

--
Cristian Livadaru
http://livadaru.net
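
Added example, not part of the thread and not gotroot or ModSecurity code: a small Python model of the two rules discussed above, run against the request taken from Cristian's audit log. It shows three things the thread circles around. First, why the <LocationMatch> exclude in excludes.conf could never fire: Apache evaluates Location sections against the URL path only, the query string is never part of what they see, so a regex keyed on "?option=com_cmsrealty" has nothing to match against. Second, why rule 300015 fired on an ordinary real-estate form post at all: the update.+set.+= branch takes "update" from action=update_listing, "set" from the value Gasetagenheizung a few fields later, and the "=" of the field after that. Third, how Michael Shinn's negated REQUEST_URI chain turns that into a targeted exclude, and how Itemid=[0-9] only covers single-digit Itemids. Assumptions made here: [[:space:]] is rewritten as \s for Python's re, the body is URL-decoded before matching in the way ModSecurity 1.x normalizes input, REQUEST_URI is taken to carry the query string (the chain depends on that), and the engine's case handling is not modelled. The request URI and payload are copied from the audit log above, joined where the mail client wrapped them; the other inputs are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus

# Signature of gotroot rule 300015 as quoted in the thread. Python's re has no
# POSIX [[:space:]] class, so it is rewritten as \s here (assumed equivalent).
SQL_RE = re.compile(
    r"(alter|create|drop)\s+(column|database|procedure|table)"
    r"|delete\s+from"
    r"|update.+set.+="
)

# Michael Shinn's exclusion pattern, without the leading '!' that ModSecurity
# 1.x uses to negate a pattern; the negation is applied in chained_rule_blocks().
EXCLUDE_RE = re.compile(r"^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=")

# Cristian's <LocationMatch> regex from excludes.conf.
LOCATION_RE = re.compile(r"/index.php\?option=com_cmsrealty.*")

# Copied from the audit log in the thread (line-wrapped by the mail client
# there, joined here).
REQUEST_URI = (
    "/index.php?option=com_cmsrealty&Itemid=4&openrealty="
    "616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565"
)
POST_PAYLOAD = (
    "action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no"
    "&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wien"
    "&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zimmer"
    "+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2C"
    "+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1"
    "&year_built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche"
    "&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift"
)


def location_match(request_uri: str) -> bool:
    """Model of Apache's <LocationMatch>: the regex is applied to the URL path
    only. The query string is never part of what Location sections see, which
    is why an exclude keyed on '?option=com_cmsrealty' can never fire."""
    path = request_uri.split("?", 1)[0]
    return LOCATION_RE.search(path) is not None


def sql_signature_hit(post_payload: str) -> Optional[str]:
    """Run rule 300015's pattern over the body after URL-decoding it, which is
    how ModSecurity 1.x normalizes input before matching (assumption stated in
    the lead-in). Returns the matched text, or None when the rule stays quiet."""
    decoded = unquote_plus(post_payload, encoding="latin-1")
    m = SQL_RE.search(decoded)
    return m.group(0) if m else None


def chained_rule_blocks(request_uri: str, post_payload: str) -> bool:
    """Michael Shinn's two-rule chain. A chain only continues when the first
    filter matched; that filter is negated, so it 'matches' exactly when the
    URI is NOT the excluded cmsrealty request. REQUEST_URI is assumed to carry
    the query string, which the exclusion pattern relies on."""
    if EXCLUDE_RE.search(request_uri):
        return False  # excluded request: the chain stops, nothing is denied
    return sql_signature_hit(post_payload) is not None


def false_positive_witness(post_payload: str) -> dict:
    """Explain an 'update.+set.+=' hit: return the first form field that
    supplies the 'update' token and the first later field that supplies 'set'.
    For the thread's request that is action=update_listing and the heating
    type Gasetagenheizung; the '=' of the following field completes the match."""
    witness = {}
    for name, value in parse_qsl(post_payload, keep_blank_values=True, encoding="latin-1"):
        blob = f"{name}={value}"
        if "update" not in witness and "update" in blob:
            witness["update"] = (name, value)
        elif "update" in witness and "set" not in witness and "set" in blob:
            witness["set"] = (name, value)
    return witness


if __name__ == "__main__":
    print("LocationMatch exclude sees the cmsrealty URI:", location_match(REQUEST_URI))
    print("rule 300015 hit:", sql_signature_hit(POST_PAYLOAD) is not None)
    print("tokens behind the hit:", false_positive_witness(POST_PAYLOAD))
    print("chained exclude blocks Itemid=4:", chained_rule_blocks(REQUEST_URI, POST_PAYLOAD))
    print("chained exclude blocks Itemid=10:",
          chained_rule_blocks(REQUEST_URI.replace("Itemid=4", "Itemid=10"), POST_PAYLOAD))
```

Running it prints False for the LocationMatch check, True for the rule hit with action=update_listing and home_features[]=Gasetagenheizung as the tokens behind it, False for the chained exclude on the logged request, and True once Itemid becomes 10, because [0-9]& does not match "10&". If the application uses multi-digit Itemids, [0-9]+ is the fix, and the same request-level check should stay as narrow as the one URI that needs it so the SQL signature keeps covering everything else.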