[Owasp-modsecurity-core-rule-set] 900011 double-counting

Ryan Barnett rbarnett at trustwave.com
Thu Aug 5 18:34:12 EDT 2010


Hmm, right, I see that now in your audit log.  This may actually be due to the use of "multiMatch" in the action settings along with the fact that it is probably inheriting the "pass" action from block.  This means that even if/when a match is found, it is going to do re-checks after each transformation function is applied.

We were trying to balance false positives with false negatives with the phpids rules.  The issue we found previously was that if we only apply the operator check *after* all tfns are run then there is a false negative issue with, say, SQLi attacks that use SQL comments.  So, we tried to combat that with applying many tfns and using multiMatch; however, it appears that there are some issues as you are encountering.  We will take a closer look at the concept of normalization of input data before applying operators.

I have actually started playing a bit with Lua in order to try and apply the same types of normalization that is done in the PHPIDS project.  I hope to have some BETA code out for everyone to test soon.

-Ryan
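As an added illustration (not code from this thread, from CRS or from ModSecurity), a small Python model of the evaluation order Ryan describes: with multiMatch the operator runs on the raw target and again after every transformation that changes it, so the single /home/ in Jason's request is scored twice (10 from the curl User-Agent hit, plus 21 twice, giving the 52 in his audit log), and a once-per-rule cap brings it back to 31. The regex is the 900011 pattern from the audit log; the three decoder transformations are assumed to be identities on this input, which is what the debug log shows.

```python
import re

# The 900011 pattern exactly as the audit log prints it (single backslashes,
# so it is written here as a raw string).
RULE_900011_RX = re.compile(
    r"(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev"
    r"|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)"
    r"(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)"
)

# Transformation chain from the rule's action list. The three decoders are
# modelled as identity functions: on input with nothing to decode they leave
# the value unchanged, which is all that matters here (an assumption of this
# model, not a reimplementation of ModSecurity's decoders).
def identity(s):
    return s

def replace_comments(s):
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)

def compress_whitespace(s):
    return re.sub(r"\s+", " ", s)

TFNS_900011 = [
    ("cssDecode", identity),
    ("jsDecode", identity),
    ("htmlEntityDecode", identity),
    ("replaceComments", replace_comments),
    ("compressWhiteSpace", compress_whitespace),
    ("lowercase", str.lower),
]

def run_rule(value, tfns, rx, multi_match):
    """Return (tfn_name, matched_text) for every operator invocation that hit.

    Evaluation order as the thread describes it: with multiMatch the operator
    runs on the untransformed value (t:none) and again after each
    transformation that actually changed the value; without multiMatch it
    runs once, on the fully transformed value.
    """
    hits = []
    current = value
    if multi_match:
        m = rx.search(current)
        if m:
            hits.append(("none", m.group(0)))
    for name, fn in tfns:
        transformed = fn(current)
        changed = transformed != current
        current = transformed
        if multi_match and changed:
            m = rx.search(current)
            if m:
                hits.append((name, m.group(0)))
    if not multi_match:
        m = rx.search(current)
        if m:
            hits.append(("all", m.group(0)))
    return hits

def anomaly_score(hits, base, per_hit, once_per_rule=False):
    """Add per_hit for every hit, as setvar:tx.anomaly_score=+... does in
    CRS 2.0.7, or cap the rule at a single contribution (the skip Ryan says
    the next phpids filters file will make)."""
    count = min(len(hits), 1) if once_per_rule else len(hits)
    return base + per_hit * count

if __name__ == "__main__":
    # Jason's request: ARGS:bar=/en_US/home/default.xml, anomaly score
    # already 10 from the curl User-Agent hit, critical_anomaly_score=21.
    hits = run_rule("/en_US/home/default.xml", TFNS_900011, RULE_900011_RX, True)
    print(hits)                                   # none and lowercase both hit
    print(anomaly_score(hits, 10, 21))            # 52, as in the audit log
    print(anomaly_score(hits, 10, 21, True))      # 31, counted once
```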


________________________________________
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of MARTIN, JASON (ATTSI) [JM9991 at att.com]
Sent: Thursday, August 05, 2010 5:41 PM
To: Ryan Barnett; owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] 900011 double-counting

In my 10 config I have:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"

-Jason Martin


-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett at gmail.com]
Sent: Thursday, August 05, 2010 2:38 PM
To: MARTIN, JASON (ATTSI);
owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] 900011 double-counting

I believe this is caused by "paranoid_mode" being set to 1 in the 10
conf file.  This mode checks the sigs against variables that are prone
to higher false positive rates.

I am fixing the logic in the next phpids filters file version so that
it will skip the paranoid check if the initial rule matches.


On 8/5/10, MARTIN, JASON (ATTSI) <JM9991 at att.com> wrote:
> Hello, I am trying to figure out why rule 900011 seems to be
> 'double-counted' against the anomaly score. Rule 900011 is triggering
> twice on the same value; /home/ appears once in the argument but it
> triggers twice. Any ideas why this is happening?
>
> When I add a counter-rule to reduce the score (as this behavior is ok
> for my site), it fires only once and so the score is too high.
>
> This is with CRS 2.0.7 (patched with
> https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2010-June/000398.html),
> mod_security 2.5.12, apache 2.2.15, Solaris 10 SPARC.
>
> --00002f18-A--
> [05/Aug/2010:12:22:10 --0700] TFsPYQoWATMAAGRfQSYAAADP x.x.x.x x.x.x.x
> --00002f18-B--
> GET /foo?bar=/en_US/home/default.xml&modsecdebug=taps HTTP/1.1
> User-Agent: curl/7.19.4 (i386-pc-solaris2.11) libcurl/7.19.4
> OpenSSL/0.9.8a zlib/1.2.3 libidn/1.9
> Host: example.com
> Accept: */*
> Cache-Control: max-stale=0
> Connection: Keep-Alive
>
> --00002f18-F--
> HTTP/1.1 404 Not Found
> Content-Length: 201
> Keep-Alive: timeout=30, max=187
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --00002f18-H--
> Message: Matched phrase "curl" at REQUEST_HEADERS:User-Agent. [file
>
"/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_35_bad_robots.conf"] [line "26"] [id "990012"] [rev
> "2.0.7"] [msg "Rogue web site crawler"] [data "curl"] [severity
> "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag
> "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Message: Pattern match
>
"(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
>
p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
>
"/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_41_phpids_filters.conf"] [line "101"] [id "900011"] [msg
> "Detects specific directory and path traversal"] [data "/home/"]
> [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag
> "WEB_ATTACK/LFI"]
> Message: Pattern match
>
"(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
>
p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
>
"/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_41_phpids_filters.conf"] [line "101"] [id "900011"] [msg
> "Detects specific directory and path traversal"] [data "/home/"]
> [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag
> "WEB_ATTACK/LFI"]
> Message: Operator GE matched 21 at TX:anomaly_score. [file
>
"/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound
> Anomaly Score Exceeded (Total Score: 52, SQLi=, XSS=): 900011-Detects
> specific directory and path traversal"]
> Message: Warning. Operator GE matched 21 at TX:inbound_anomaly_score.
> [file
>
"/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly
> Score Exceeded (Total Inbound Score: 52, SQLi=, XSS=): 900011-Detects
> specific directory and path traversal"]
> Apache-Error: [file "core.c"] [line 3648] [level 3] File does not
exist:
> /sites/www-site/www/foo
> Stopwatch: 1281036129731407 461977 (5100 459965 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/);
> core ruleset/2.0.7.
> Server: Apache
>
> --00002f18-K--
> SecAction
>
"phase:1,auditlog,t:none,pass,nolog,initcol:global=global,initcol:ip=%{r
> emote_addr}"
> SecAction
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
> SecAction
>
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_leve
> l=21"
> SecAction
>
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_lev
> el=15"
> SecAction
>
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.critical_anomaly_score=21,
>
setvar:tx.error_anomaly_score=15,setvar:tx.warning_anomaly_score=10,setv
> ar:tx.notice_anomaly_score=5"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_num_args=255"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
> SecAction
>
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.combined_file_sizes=104857
> 6"
> SecAction
> "phase:1,auditlog,t:none,nolog,pass,setvar:'tx.allowed_methods=GET
HEAD
>
POST',setvar:'tx.allowed_request_content_type=application/x-www-form-url
> encoded multipart/form-data text/xml
> application/xml',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0
> HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/
> .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/
.cs/
> .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/
> .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/
> .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/
.vbproj/
> .vsdisco/ .webinfo/ .xsd/
> .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
> /Content-Range/ /Translate/ /via/ /if/'"
> SecRule "ARGS:modsecdebug" "@rx taps"
> "phase:2,log,auditlog,pass,ctl:debugLogLevel=9"
> SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
> "phase:2,chain,rev:2.0.7,t:none,pass,nolog,auditlog,msg:'GET or HEAD
> requests with
>
bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/W
>
ASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocol
> s/rfc2616/rfc2616-sec4.html#sec4.3"
> SecRule "&REQUEST_HEADERS:Pragma" "@eq 1"
> "phase:2,chain,rev:2.0.7,t:none,pass,nolog,auditlog,msg:'Pragma Header
> requires Cache-Control Header for HTTP/1.1
>
requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ,tag:
> http://www.bad-behavior.ioerror.us/documentation/how-it-works/"
> SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
> "phase:2,pass,chain,rev:2.0.7,t:none,nolog,auditlog,msg:'Request
> Containing Content, but Missing Content-Type
> header',id:960904,severity:5"
> SecRule "&TX:MAX_NUM_ARGS" "@eq 1"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Too many arguments in
> request',id:960335,severity:4,rev:2.0.7"
> SecRule "&TX:MAX_FILE_SIZE" "@eq 1"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Uploaded file size too
> large',id:960342,severity:4,rev:2.0.7"
> SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Total uploaded files
size
> too large',id:960343,severity:4,rev:2.0.7"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
> "phase:2,chain,t:none,pass,nolog,auditlog,msg:'HTTP header is
restricted
> by
>
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLO
>
WED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-
>
15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},ca
> pture,setvar:tx.header_name='/%{tx.0}/'"
> SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile
> modsecurity_35_bad_robots.data"
> "phase:2,rev:2.0.7,t:none,pass,nolog,auditlog,msg:'Rogue web site
>
crawler',id:990012,tag:AUTOMATION/MALICIOUS,tag:WASCTC/WASC-21,tag:OWASP
>
_TOP_10/A7,tag:PCI/6.5.10,severity:4,capture,logdata:%{TX.0},setvar:tx.m
>
sg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setv
>
ar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}
> -AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
> SecRule "REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile
> modsecurity_40_generic_attacks.data"
>
"phase:2,rev:2.0.7,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowe
> rcase,nolog,pass,setvar:tx.pm_score=+1"
> SecRule "REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile
> modsecurity_40_generic_attacks.data"
>
"phase:2,rev:2.0.7,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowe
> rcase,nolog,pass,setvar:tx.pm_score=+1"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_SESSION_FIXATION"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_FILE_INJECTION"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_COMMAND_ACCESS"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_COMMAND_INJECTION"
> SecRule "ARGS|ARGS_NAMES|XML:/*" "@rx
>
(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev
>
|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|
> \\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"
>
"phase:2,capture,multiMatch,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDe
>
code,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogPart
> s=+E,block,nolog,auditlog,msg:'Detects specific directory and path
>
traversal',id:900011,tag:WEB_ATTACK/DT,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/
>
LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setv
>
ar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-WE
> B_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
> SecRule "ARGS|ARGS_NAMES|XML:/*" "@rx
>
(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev
>
|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|
> \\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"
>
"phase:2,capture,multiMatch,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDe
>
code,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogPart
> s=+E,block,nolog,auditlog,msg:'Detects specific directory and path
>
traversal',id:900011,tag:WEB_ATTACK/DT,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/
>
LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setv
>
ar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-WE
> B_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,rev:2.0.7,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
> SecRule "TX:PARANOID_MODE" "!@eq 1"
> "phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"
> SecRule "TX:ANOMALY_SCORE" "@gt 0"
> "phase:2,chain,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score
> Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE},
> XSS=%{TX.XSS_SCORE}):
>
%{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_
> score=%{tx.anomaly_score}"
> SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}"
> SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0"
> "phase:5,chain,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score
> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE},
> SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge
> %{tx.inbound_anomaly_score_level}"
> "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score
Exceeded
> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE},
> SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>
> --00002f18-Z-
>
>
> Section of the debug log showing the duplicate:
>
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Recipe: Invoking rule
> f2bea8; [file
>
"/sites/www-site/APACHE/httpd-2.2.15-worker-niagara/conf/modsecurity2/mo
> dsecurity_crs_41_phpids_filters.conf"] [line "101"] [id "900011"].
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][5] Rule f2bea8: SecRule
> "ARGS|ARGS_NAMES|XML:/*" "@rx
>
(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev
>
|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|
> \\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)"
> "phase:2,capture,m
>
ultiMatch,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComm
>
ents,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,a
> uditlog,msg:'Detects specific directory and path
>
traversal',id:900011,tag:WEB_ATTACK/DT,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/
>
LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setv
> ar:tx.anomaly_score=+%{tx.cr
>
itical_anomaly_score},setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched
> _var_name}=%{tx.0}"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Expanded
> "ARGS|ARGS_NAMES|XML:/*" to
> "ARGS:bar|ARGS:modsecdebug|ARGS_NAMES:bar|ARGS_NAMES:modsecdebug".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Transformation completed
> in 2 usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Executing operator "rx"
> with param
>
"(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|de
>
v|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/
> |\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)" against
> ARGS:bar.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Target value:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex
subexpression
> to TX.0: /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex
subexpression
> to TX.1: home
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Operator completed in 62
> usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Ctl: Set auditLogParts
to
> ABIFHKZE.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.msg=%{rule.id}-%{rule.msg}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
%{rule.id}
> to: 900011
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
%{rule.msg}
> to: Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable "tx.msg" to
> "900011-Detects specific directory and path traversal".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.anomaly_score=+%{tx.critical_anomaly_score}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Original collection
> variable: tx.anomaly_score = "10"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{tx.critical_anomaly_score} to: 21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Relative change:
> anomaly_score=10+21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.anomaly_score" to "31".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.msg}
> to: 900011-Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{matched_var_name} to: ARGS:bar
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.0}
to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.900011-Detects specific directory and path
> traversal-WEB_ATTACK/INJECTION-ARGS:bar" to "/home/".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0}
to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0}
to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Warning. Pattern match
>
"(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
>
p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
> "/sites/www-site/APACHE/httpd-2.2.15-w
>
orker-niagara/conf/modsecurity2/modsecurity_crs_41_phpids_filters.conf"]
> [line "101"] [id "900011"] [msg "Detects specific directory and path
> traversal"] [data "/home/"] [severity "CRITICAL"] [tag
"WEB_ATTACK/DT"]
> [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) cssDecode:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) jsDecode:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) htmlEntityDecode:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) replaceComments:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1)
compressWhitespace:
> "/en_US/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] T (1) lowercase:
> "/en_us/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Transformation completed
> in 1969 usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Executing operator "rx"
> with param
>
"(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|de
>
v|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/
> |\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)" against
> ARGS:bar.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Target value:
> "/en_us/home/default.xml"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex
subexpression
> to TX.0: /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Added regex
subexpression
> to TX.1: home
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Operator completed in 64
> usec.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Ctl: Set auditLogParts
to
> ABIFHKZEE.
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.msg=%{rule.id}-%{rule.msg}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
%{rule.id}
> to: 900011
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
%{rule.msg}
> to: Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable "tx.msg" to
> "900011-Detects specific directory and path traversal".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.anomaly_score=+%{tx.critical_anomaly_score}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Original collection
> variable: tx.anomaly_score = "31"
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{tx.critical_anomaly_score} to: 21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Relative change:
> anomaly_score=31+21
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.anomaly_score" to "52".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Setting variable:
> tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.msg}
> to: 900011-Detects specific directory and path traversal
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro
> %{matched_var_name} to: ARGS:bar
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{tx.0}
to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Set variable
> "tx.900011-Detects specific directory and path
> traversal-WEB_ATTACK/INJECTION-ARGS:bar" to "/home/".
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0}
to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][9] Resolved macro %{TX.0}
to:
> /home/
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Warning. Pattern match
>
"(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tm
>
p|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))
> |(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:bar. [file
> "/sites/www-site/APACHE/httpd-2.2.15-w
>
orker-niagara/conf/modsecurity2/modsecurity_crs_41_phpids_filters.conf"]
> [line "101"] [id "900011"] [msg "Detects specific directory and path
> traversal"] [data "/home/"] [severity "CRITICAL"] [tag
"WEB_ATTACK/DT"]
> [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> [05/Aug/2010:12:22:09 --0700]
> [example.com/sid#9bbf8][rid#1ab32d8][/foo][4] Transformation completed
> in 2 usec.
>
> Thank you,
> -Jason Martin
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>

--
Sent from my mobile device

Ryan C. Barnett
SANS Certified Instructor
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com/