[Owasp-modsecurity-core-rule-set] 900011 double-counting

Ryan Barnett rcbarnett at gmail.com
Thu Aug 5 17:37:52 EDT 2010


I believe this is caused by "paranoid_mode" being set to 1 in the 10
conf file.  This mode checks the sigs against variables that are prone
to higher false positive rates.

I am fixing the logic in the next phpids filters file version so that
it will skip the paranoid check if the initial rule matches.


On 8/5/10, MARTIN, JASON (ATTSI) <JM9991 at att.com> wrote:
> Hello, I am trying to figure out why rule 900011 seems to be
> 'double-counted' against the anomaly score. Rule 900011 is triggering
> twice on the same value; /home/ appears once in the argument but it
> triggers twice. Any ideas why this is happening?
>
> When I add a counter-rule to reduce the score (as this behavior is ok
> for my site), it fires only once and so the score is too high.
>
> This is with CRS 2.0.7 (patched with
> https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2010-June/000398.html),
> mod_security 2.5.12, apache 2.2.15, Solaris 10 SPARC.
>
> --00002f18-A--
> [05/Aug/2010:12:22:10 --0700] TFsPYQoWATMAAGRfQSYAAADP x.x.x.x x.x.x.x
> --00002f18-B--
> GET /foo?bar=/en_US/home/default.xml&modsecdebug=taps HTTP/1.1
> User-Agent: curl/7.19.4 (i386-pc-solaris2.11) libcurl/7.19.4
> OpenSSL/0.9.8a zlib/1.2.3 libidn/1.9
> Host: example.com
> Accept: */*
> Cache-Control: max-stale=0
> Connection: Keep-Alive
>
> --00002f18-F--
> HTTP/1.1 404 Not Found
> Content-Length: 201
> Keep-Alive: timeout=30, max=187
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --00002f18-H--
> Message: Matched phrase "curl" at REQUEST_HEADERS:User-Agent. [file
> "/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_35_bad_robots.conf"] [line "26"] [id "990012"] [rev
> "2.0.7"] [msg "Rogue web site crawler"] [data "curl"] [severity
> "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag
> "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Pattern match
> "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
> p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
> "/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_41_phpids_filters.conf"] [line "101"] [id "900011"] [msg
> "Detects specific directory and path traversal"] [data "/home/"]
> [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag
> "WEB_ATTACK/LFI"]
> Message: Pattern match
> "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
> p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
> "/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_41_phpids_filters.conf"] [line "101"] [id "900011"] [msg
> "Detects specific directory and path traversal"] [data "/home/"]
> [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag
> "WEB_ATTACK/LFI"]
> Message: Operator GE matched 21 at TX:anomaly_score. [file
> "/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound
> Anomaly Score Exceeded (Total Score: 52, SQLi=, XSS=): 900011-Detects
> specific directory and path traversal"]
> Message: Warning. Operator GE matched 21 at TX:inbound_anomaly_score.
> [file
> "/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly
> Score Exceeded (Total Inbound Score: 52, SQLi=, XSS=): 900011-Detects
> specific directory and path traversal"]
> Apache-Error: [file "core.c"] [line 3648] [level 3] File does not exist:
> /sites/www-site/www/foo
> Stopwatch: 1281036129731407 461977 (5100 459965 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/);
> core ruleset/2.0.7.
> Server: Apache
>
> --00002f18-K--
> SecAction
> "phase:1,auditlog,t:none,pass,nolog,initcol:global=global,initcol:ip=%{r
> emote_addr}"
> SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_leve
> l=21"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_lev
> el=15"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.critical_anomaly_score=21,
> setvar:tx.error_anomaly_score=15,setvar:tx.warning_anomaly_score=10,setv
> ar:tx.notice_anomaly_score=5"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_num_args=255"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.combined_file_sizes=104857
> 6"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD
> POST',setvar:'tx.allowed_request_content_type=application/x-www-form-url
> encoded multipart/form-data text/xml
> application/xml',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0
> HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/
> .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/
> .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/
> .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/
> .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/
> .vsdisco/ .webinfo/ .xsd/
> .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
> /Content-Range/ /Translate/ /via/ /if/'"
> SecRule "ARGS:modsecdebug" "@rx taps"
> "phase:2,log,auditlog,pass,ctl:debugLogLevel=9"
> SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
> "phase:2,chain,rev:2.0.7,t:none,pass,nolog,auditlog,msg:'GET or HEAD
> requests with
> bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/W
> ASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocol
> s/rfc2616/rfc2616-sec4.html#sec4.3"
> SecRule "&REQUEST_HEADERS:Pragma" "@eq 1"
> "phase:2,chain,rev:2.0.7,t:none,pass,nolog,auditlog,msg:'Pragma Header
> requires Cache-Control Header for HTTP/1.1
> requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ,tag:
> http://www.bad-behavior.ioerror.us/documentation/how-it-works/"
> SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
> "phase:2,pass,chain,rev:2.0.7,t:none,nolog,auditlog,msg:'Request
> Containing Content, but Missing Content-Type
> header',id:960904,severity:5"
> SecRule "&TX:MAX_NUM_ARGS" "@eq 1"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Too many arguments in
> request',id:960335,severity:4,rev:2.0.7"
> SecRule "&TX:MAX_FILE_SIZE" "@eq 1"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Uploaded file size too
> large',id:960342,severity:4,rev:2.0.7"
> SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Total uploaded files size
> too large',id:960343,severity:4,rev:2.0.7"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted
> by
> policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
> WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
> 15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile
> modsecurity_35_bad_robots.data"
> "phase:2,rev:2.0.7,t:none,pass,nolog,auditlog,msg:'Rogue web site
> crawler',id:990012,tag:AUTOMATION/MALICIOUS,tag:WASCTC/WASC-21,tag:OWASP
> _TOP_10/A7,tag:PCI/6.5.10,severity:4,capture,logdata:%{TX.0},setvar:tx.m
> sg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setv
> ar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}
> -AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
> SecRule "REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile
> modsecurity_40_generic_attacks.data"
> "phase:2,rev:2.0.7,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowe
> rcase,nolog,pass,setvar:tx.pm_score=+1"
> SecRule "REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile
> modsecurity_40_generic_attacks.data"
> "phase:2,rev:2.0.7,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowe
> rcase,nolog,pass,setvar:tx.pm_score=+1"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_SESSION_FIXATION"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_FILE_INJECTION"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_COMMAND_ACCESS"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_COMMAND_INJECTION"
> SecRule "ARGS|ARGS_NAMES|XML:/*" "@rx
> (?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev
> |tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|
> \\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"
> "phase:2,capture,multiMatch,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDe
> code,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogPart
> s=+E,block,nolog,auditlog,msg:'Detects specific directory and path
> traversal',id:900011,tag:WEB_ATTACK/DT,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/
> LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setv
> ar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-WE
> B_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
> SecRule "ARGS|ARGS_NAMES|XML:/*" "@rx
> (?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev
> |tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|
> \\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"
> "phase:2,capture,multiMatch,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDe
> code,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogPart
> s=+E,block,nolog,auditlog,msg:'Detects specific directory and path
> traversal',id:900011,tag:WEB_ATTACK/DT,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/
> LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setv
> ar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-WE
> B_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,rev:2.0.7,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"
> SecRule "TX:ANOMALY_SCORE" "@gt 0"
> "phase:2,chain,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score
> Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE},
> XSS=%{TX.XSS_SCORE}):
> %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_
> score=%{tx.anomaly_score}"
> SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}"
> SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0"
> "phase:5,chain,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score
> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE},
> SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge
> %{tx.inbound_anomaly_score_level}"
> "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded
> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE},
> SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>
> --00002f18-Z-
>
>
> Section of the debug log showing the duplicate:
>
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Recipe: Invoking rule
> f2bea8; [file
> "/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_41_phpids_filters.conf"] [line "101"] [id "900011"].
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][5] Rule f2bea8: SecRule
> "ARGS|ARGS_NAMES|XML:/*" "@rx
> (?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev
> |tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|
> \\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"
> "phase:2,capture,m
> ultiMatch,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComm
> ents,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,a
> uditlog,msg:'Detects specific directory and path
> traversal',id:900011,tag:WEB_ATTACK/DT,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/
> LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setv
> ar:tx.anomaly_score=+%{tx.cr
> itical_anomaly_score},setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched
> _var_name}=%{tx.0}"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Expanded
> "ARGS|ARGS_NAMES|XML:/*" to
> "ARGS:bar|ARGS:modsecdebug|ARGS_NAMES:bar|ARGS_NAMES:modsecdebug".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Transformation completed
> in 2 usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Executing operator "rx"
> with param
> "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|de
> v|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/
> |\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)" against
> ARGS:bar.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Target value:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex subexpression
> to TX.0: /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex subexpression
> to TX.1: home
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Operator completed in 62
> usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Ctl: Set auditLogParts to
> ABIFHKZE.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.msg=%{rule.id}-%{rule.msg}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{rule.id}
> to: 900011
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{rule.msg}
> to: Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable "tx.msg" to
> "900011-Detects specific directory and path traversal".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.anomaly_score=+%{tx.critical_anomaly_score}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Original collection
> variable: tx.anomaly_score = "10"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{tx.critical_anomaly_score} to: 21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Relative change:
> anomaly_score=10+21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.anomaly_score" to "31".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.msg}
> to: 900011-Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{matched_var_name} to: ARGS:bar
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.0} to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.900011-Detects specific directory and path
> traversal-WEB_ATTACK/INJECTION-ARGS:bar" to "/home/".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0} to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0} to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Warning. Pattern match
> "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
> p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
> "/sites/www-site/APACHE/httpd-2.2.15-w
> orker-niagara/conf/modsecurity2/modsecurity_crs_41_phpids_filters.conf"]
> [line "101"] [id "900011"] [msg "Detects specific directory and path
> traversal"] [data "/home/"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"]
> [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) cssDecode:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) jsDecode:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) htmlEntityDecode:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) replaceComments:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) compressWhitespace:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) lowercase:
> "/en_us/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Transformation completed
> in 1969 usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Executing operator "rx"
> with param
> "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|de
> v|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/
> |\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)" against
> ARGS:bar.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Target value:
> "/en_us/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex subexpression
> to TX.0: /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex subexpression
> to TX.1: home
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Operator completed in 64
> usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Ctl: Set auditLogParts to
> ABIFHKZEE.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.msg=%{rule.id}-%{rule.msg}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{rule.id}
> to: 900011
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{rule.msg}
> to: Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable "tx.msg" to
> "900011-Detects specific directory and path traversal".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.anomaly_score=+%{tx.critical_anomaly_score}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Original collection
> variable: tx.anomaly_score = "31"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{tx.critical_anomaly_score} to: 21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Relative change:
> anomaly_score=31+21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.anomaly_score" to "52".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.msg}
> to: 900011-Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{matched_var_name} to: ARGS:bar
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.0} to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.900011-Detects specific directory and path
> traversal-WEB_ATTACK/INJECTION-ARGS:bar" to "/home/".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0} to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0} to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Warning. Pattern match
> "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
> p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
> "/sites/www-site/APACHE/httpd-2.2.15-w
> orker-niagara/conf/modsecurity2/modsecurity_crs_41_phpids_filters.conf"]
> [line "101"] [id "900011"] [msg "Detects specific directory and path
> traversal"] [data "/home/"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"]
> [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Transformation completed
> in 2 usec.
>
> Thank you,
> -Jason Martin
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>

-- 
Sent from my mobile device

Ryan C. Barnett
SANS Certified Instructor
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com/
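The arithmetic in the audit log above (10 from 990012, then 10+21=31, then 31+21=52 from two firings of 900011) can be reproduced with a small model of the CRS anomaly-scoring collection. The following Python is an added illustration, not CRS or ModSecurity code: the rule ids, score values, threshold and request are taken from the log, but the matching engine is a deliberate simplification, the traversal regex is a shortened form of the one quoted in the log, the `guard_var` field is a hypothetical stand-in for the "skip the paranoid check if the initial rule matched" logic Ryan describes (the real rule file uses `skipAfter` markers), and the `counter` rule models the score-reducing rule Jason mentions. It shows why a single counter-rule cannot compensate for a rule that fires twice, and what the score looks like once the duplicate firing is suppressed.

```python
"""Miniature model of CRS 2.0.x anomaly scoring, written to illustrate the
double-counting discussed in this thread.  Not CRS/ModSecurity code."""
import re
from dataclasses import dataclass
from typing import Optional

# Scores and threshold as set in part K of the audit log above.
SCORES = {
    "critical_anomaly_score": 21,
    "warning_anomaly_score": 10,
    "inbound_anomaly_score_level": 21,
}

# Shortened form of the 900011 pattern quoted in the audit log.
TRAVERSAL_RX = (
    r"(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|"
    r"sys|system|windows|winnt|program)(?:\/|\\)"
)

# Request fields taken from the B section of the audit log (constructed dict).
REQUEST = {
    "ARGS:bar": "/en_US/home/default.xml",
    "REQUEST_HEADERS:User-Agent": "curl/7.19.4 (i386-pc-solaris2.11) libcurl/7.19.4",
}


@dataclass
class Rule:
    rule_id: str
    target: str          # request field inspected, e.g. "ARGS:bar"
    pattern: str         # regex applied to the target (t:lowercase modelled
                         # by re.IGNORECASE below)
    score_var: str       # which tx.*_anomaly_score a match adds
    delta: int = 1       # +1 adds the score; -1 models Jason's counter-rule
    # Hypothetical guard: skip this rule if the named tx variable already
    # exists, i.e. an earlier copy of the rule has already matched.
    guard_var: Optional[str] = None


def build_ruleset(dedupe: bool, counter_rule: bool) -> list:
    """Rules in the order the audit log shows them firing.  900011 is listed
    twice, as in part K of the log; `dedupe` guards the second copy."""
    guard = "900011-ARGS:bar" if dedupe else None
    rules = [
        Rule("990012", "REQUEST_HEADERS:User-Agent", r"curl", "warning_anomaly_score"),
        Rule("900011", "ARGS:bar", TRAVERSAL_RX, "critical_anomaly_score"),
        Rule("900011", "ARGS:bar", TRAVERSAL_RX, "critical_anomaly_score", guard_var=guard),
    ]
    if counter_rule:
        # One-shot exception for this site: subtract a critical score once.
        rules.append(Rule("counter", "ARGS:bar", TRAVERSAL_RX,
                          "critical_anomaly_score", delta=-1))
    return rules


def evaluate(request: dict, rules: list) -> dict:
    """Run the rules against the request and return the tx collection,
    including the accumulated anomaly_score and the blocking decision."""
    tx = dict(SCORES)
    tx["anomaly_score"] = 0
    tx["fired"] = []
    for r in rules:
        if r.guard_var is not None and r.guard_var in tx:
            continue  # duplicate firing suppressed
        m = re.search(r.pattern, request.get(r.target, ""), re.IGNORECASE)
        if m is None:
            continue
        tx["anomaly_score"] += r.delta * tx[r.score_var]
        # Mirrors setvar:tx.<id>-...-<matched_var_name>=%{tx.0} in the log.
        tx[f"{r.rule_id}-{r.target}"] = m.group(0)
        tx["fired"].append(r.rule_id)
    tx["blocked"] = tx["anomaly_score"] >= tx["inbound_anomaly_score_level"]
    return tx


if __name__ == "__main__":
    for dedupe in (False, True):
        for counter in (False, True):
            tx = evaluate(REQUEST, build_ruleset(dedupe, counter))
            print(f"dedupe={dedupe!s:5} counter_rule={counter!s:5} "
                  f"score={tx['anomaly_score']:3} blocked={tx['blocked']}")
```

Without the guard the request scores 52 exactly as in the log, and Jason's counter-rule only brings it down to 31, which is still above the threshold of 21; with the duplicate firing suppressed the counter-rule leaves the request at 10 and it is no longer blocked.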

