[Owasp-modsecurity-core-rule-set] Blocking Apache dummy connections

Lucas Ferreira listas at sapao.net
Tue Oct 20 11:37:06 EDT 2009


Ok. Thanks for your help.

Lucas

On Tue, Oct 20, 2009 at 13:30, Ryan Barnett <Ryan.Barnett at breach.com> wrote:

>  Looks like the "block" action is missing.  We will update this in our
> rules and it will be fixed in the next release.
>
> Please update your rules like this -
>
> SecMarker BEGIN_HOST_CHECK
>
>         SecRule &REQUEST_HEADERS:Host "@eq 0" \
>                 "skipAfter:END_HOST_CHECK,phase:2,t:none,block,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>         SecRule REQUEST_HEADERS:Host "^$" \
>                 "phase:2,t:none,block,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>
> SecMarker END_HOST_CHECK
>
>  ------------------------------
> From: lucas.ferreira at gmail.com [lucas.ferreira at gmail.com] On Behalf Of Lucas Ferreira [listas at sapao.net]
> Sent: Tuesday, October 20, 2009 11:02 AM
> To: Ryan Barnett
> Cc: Ryan Barnett; Brian Rectanus; owasp-modsecurity-core-rule-set at lists.owasp.org
>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Blocking Apache dummy connections
>
>  Hello Ryan,
>
> these are the rules, from file modsecurity_crs_21_protocol_anomalies.conf
>
> SecMarker BEGIN_HOST_CHECK
>
>         SecRule &REQUEST_HEADERS:Host "@eq 0" \
>                 "skipAfter:END_HOST_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>         SecRule REQUEST_HEADERS:Host "^$" \
>                 "phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
>
> SecMarker END_HOST_CHECK
>
> Regards,
>
> Lucas
>
> On Mon, Oct 19, 2009 at 22:03, Ryan Barnett <rcbarnett at gmail.com> wrote:
>
>> Hmm... Can you paste in that specific protocol anomaly rule that
>> triggered?  There should be a block action.
>>
>>
>>
>> On 10/19/09, Lucas Ferreira <listas at sapao.net> wrote:
>> > Hello Ryan,
>> >
>> > my SecDefaultAction is:
>> >
>> > SecDefaultAction "phase:2,pass"
>> >
>> > Regards,
>> >
>> > Lucas
>> >
>> > On Mon, Oct 19, 2009 at 18:46, Ryan Barnett <Ryan.Barnett at breach.com> wrote:
>> >
>> >>  The issue seems to be that you have updated the SecDefaultAction to deny
>> >> and issue a 400 status code.  If you set the SecDefaultAction to block
>> >> instead of the default of pass, then the rules are essentially working the
>> >> way they did > v2.  That is if a rule matches it will block.  You need to
>> >> have the SecDefaultAction set to pass so the block action in each rule will
>> >> inherit this setting.
>> >>
>> >> In this case, that protocol anomaly rule is triggering and then denying and
>> >> therefore the other rules (including the local exceptions file) do not get
>> >> a chance to run.  Try setting the SecDefaultAction back to the default.  You
>> >> can then control blocking in the 49 enforcement file - based on the anomaly
>> >> score.
>> >>
>> >> -Ryan
>> >>  ------------------------------
>> >> From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Lucas Ferreira [listas at sapao.net]
>> >> Sent: Monday, October 19, 2009 4:41 PM
>> >> To: Brian Rectanus
>> >> Cc: owasp-modsecurity-core-rule-set at lists.owasp.org
>> >> Subject: Re: [Owasp-modsecurity-core-rule-set] Blocking Apache dummy connections
>> >>
>> >>  Hello Brian,
>> >>
>> >> this file is enabled, but I still get errors like this in the audit log:
>> >>
>> >> --650c7926-A--
>> >> [19/Oct/2009:15:05:16 --0200] v-ErhX8AAAEAAEqfn2kAAACn ::1 53272 ::1 80
>> >> --650c7926-B--
>> >> OPTIONS * HTTP/1.0
>> >> User-Agent: mysite (internal dummy connection)
>> >>
>> >> --650c7926-F--
>> >> HTTP/1.1 400 Bad Request
>> >> Vary: accept-language,accept-charset
>> >> Accept-Ranges: bytes
>> >> Connection: close
>> >> Content-Type: text/html; charset=iso-8859-1
>> >> Content-Language: en
>> >> Expires: Mon, 19 Oct 2009 17:05:16 GMT
>> >>
>> >> --650c7926-H--
>> >> Message:  [file "/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS.
>> >> Message:  [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"] Warning. Operator GE matched 5 at TX:anomaly_score.
>> >> Action: Intercepted (phase 2)
>> >> Apache-Handler: type-map
>> >> Stopwatch: 1255971916688261 2329 (568 1401 -)
>> >> Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/2.0.1; core ruleset/2.0.1.
>> >> Server: Apache/2.2.3 (Red Hat)
>> >>
>> >> --650c7926-Z--
>> >>
>> >> Thanks,
>> >>
>> >> Lucas
>> >>
>> >> On Mon, Oct 19, 2009 at 16:22, Brian Rectanus <Brian.Rectanus at breach.com> wrote:
>> >>
>> >>>  Lucas Ferreira wrote:
>> >>>
>> >>>> Hello,
>> >>>>
>> >>>> I am using CRS 2.0.1 and am getting messages like these in error_log
>> >>>> several times a day:
>> >>>>
>> >>>> Oct 19 15:05:14 server httpd[19282]: [error] [client ::1] ModSecurity: [file "/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [hostname "server"] [uri "*"] [unique_id "v9KnRH8AAAEAAEtS7SUAAACo"]
>> >>>> Oct 19 15:05:14 server httpd[19282]: [error] [client ::1] ModSecurity: [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"] Warning. Operator GE matched 5 at TX:anomaly_score. [hostname "server"] [uri "/error/HTTP_BAD_REQUEST.html.var"] [unique_id "v9KnRH8AAAEAAEtS7SUAAACo"]
>> >>>> Oct 19 15:05:15 server httpd[19010]: [error] [client ::1] ModSecurity: [file "/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [hostname "server"] [uri "*"] [unique_id "v@HpNH8AAAEAAEpCcrMAAAAe"]
>> >>>> Oct 19 15:05:15 server httpd[19010]: [error] [client ::1] ModSecurity: [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"] Warning. Operator GE matched 5 at TX:anomaly_score. [hostname "server"] [uri "/error/HTTP_BAD_REQUEST.html.var"] [unique_id "v@HpNH8AAAEAAEpCcrMAAAAe"]
>> >>>> Oct 19 15:05:16 server httpd[19103]: [error] [client ::1] ModSecurity: [file "/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [hostname "server"] [uri "*"] [unique_id "v-ErhX8AAAEAAEqfn2kAAACn"]
>> >>>> Oct 19 15:05:16 server httpd[19103]: [error] [client ::1] ModSecurity: [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"] Warning. Operator GE matched 5 at TX:anomaly_score. [hostname "server"] [uri "/error/HTTP_BAD_REQUEST.html.var"] [unique_id "v-ErhX8AAAEAAEqfn2kAAACn"]
>> >>>>
>> >>>> In older rule sets, I made some rules to ruleRemoveById in requests from
>> >>>> localhost with the dummy user agent. Is this the best way to go or is
>> >>>> there a more elegant solution?
>> >>>>
>> >>>>
>> >>>  make sure you have enabled this file which has the exceptions for the
>> >>> dummy connection in it:
>> >>>
>> >>> base_rules/modsecurity_crs_47_common_exceptions.conf
>> >>>
>> >>> -B
>> >>>
>> >>> --
>> >>> Brian Rectanus
>> >>> Breach Security
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> If a tree falls in the forest and no one is around to see it, do the other
>> >> trees make fun of it?
>> >>
>> >
>> >
>> >
>> > --
>> > If a tree falls in the forest and no one is around to see it, do the other
>> > trees make fun of it?
>> >
>>
>>  --
>> Sent from my mobile device
>>
>> Ryan C. Barnett
>> WASC Distributed Open Proxy Honeypot Project Leader
>> OWASP ModSecurity Core Rule Set Project Leader
>> Tactical Web Application Security
>> http://tacticalwebappsec.blogspot.com/
>>
>
>
>
> --
> If a tree falls in the forest and no one is around to see it, do the other
> trees make fun of it?
>



-- 
If a tree falls in the forest and no one is around to see it, do the other
trees make fun of it?
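Putting the advice in this thread into one Apache/ModSecurity 2.x fragment, as an added example that is not taken from the thread or from the CRS files themselves: SecDefaultAction stays at pass, the Host-header rule (the first of the two) carries its own block action, an enforcement rule denies on the accumulated anomaly score, and a loopback-only exception removes rule 960008 for Apache's internal dummy connection before it can score. The exception and enforcement rule ids (900010, 900020), the threshold value and the User-Agent pattern are assumptions of this example, not the content of the CRS 47 or 49 files.

```apache
# Added example, not taken from the CRS files: the engine default stays
# "pass", so a rule's own "block" action only scores and never denies alone.
SecRuleEngine On
SecDefaultAction "phase:2,pass,log"

# Threshold the enforcement rule compares against (value assumed here).
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"

# Exception for Apache's internal dummy connection (the "OPTIONS * HTTP/1.0"
# request in the audit log): loopback source AND the characteristic
# User-Agent suffix, checked as a chain so that neither alone is enough.
# Rule ids 900010 and 900020 are placeholders chosen for this example.
SecRule REMOTE_ADDR "^(127\.0\.0\.1|::1)$" \
    "phase:1,t:none,nolog,pass,id:'900010',chain"
    SecRule REQUEST_HEADERS:User-Agent "\(internal dummy connection\)$" \
        "t:none,ctl:ruleRemoveById=960008"

# The Host header check from the thread with the "block" action present;
# a match adds 5 to the anomaly score but does not deny by itself.
SecMarker BEGIN_HOST_CHECK
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "skipAfter:END_HOST_CHECK,phase:2,t:none,block,nolog,auditlog,\
    msg:'Request Missing a Host Header',id:'960008',\
    tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,\
    setvar:tx.protocol_violation_score=+1"
SecMarker END_HOST_CHECK

# Enforcement (the role the "49" file plays): deny only once the accumulated
# score reaches the threshold, after every rule, exceptions included, has run.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
    "phase:2,t:none,deny,status:403,log,id:'900020',\
    msg:'Inbound anomaly score %{tx.anomaly_score} reached the threshold'"
```

With the exception in place the dummy connection never reaches the enforcement rule, while any other request without a Host header still scores 5 and is denied at the threshold.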