[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Arthur Dent misc.lists at blueyonder.co.uk
Wed Jan 13 14:18:26 EST 2010


On Wed, 2010-01-13 at 14:06 -0500, Ryan Barnett wrote:
> On Wednesday 13 January 2010 01:44:27 pm Arthur Dent wrote:
> > On Wed, 2010-01-13 at 13:31 -0500, Ryan Barnett wrote:
> > > On Wednesday 13 January 2010 01:17:35 pm Arthur Dent wrote:
> 
> Try this -
> 
> SecRule TX:'/^PHPIDS-30-(.*)-ARGS_NAMES:smaction/' "@contains ][" \
>     "chain,phase:2,t:none,nolog,pass"
>     SecRule MATCHED_VAR_NAME "TX\:(.*)" \
>         "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
> 

Sorry Ryan...


--e104d910-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:newidentities[1][signature] and Matched Payload: newidentities[1][signature]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:newidentities[1][signature] and Matched Payload: newidentities[1][signature]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 32): Detects common XSS concatenation patterns 1/2"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1263410126373598 161946 (11302* 146799 -)
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.13 (Fedora)

I wish I knew how to do this myself but...

Thanks for your help so far...

Mark
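
An added example (not part of the original message, and not CRS project code): a short Python script that pulls the rule id and matched variable out of section H `Message:` lines like the ones above and compares them with the variable named in the quoted exception. The sample input is an abridged, constructed copy of the log above, and the function names are hypothetical.

```python
"""Summarise ModSecurity audit-log section H and check an exception's scope."""
import re

# Constructed sample: abridged copy of the section H lines quoted in the message.
SECTION_H = r'''
Message: Pattern match "..." at MATCHED_VAR_NAME. [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:newidentities[1][signature] and Matched Payload: newidentities[1][signature]"] [severity "CRITICAL"]
Message: Pattern match "..." at MATCHED_VAR_NAME. [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:newidentities[1][signature] and Matched Payload: newidentities[1][signature]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [line "46"] [msg "Transactional Anomaly Score (score 32): Detects common XSS concatenation patterns 1/2"]
'''

# Variable the quoted exception selects on (taken from the SecRule in the message).
EXCEPTION_LOCATION = "ARGS_NAMES:smaction"

# [name "value"] pairs; the value may itself contain square brackets.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
LOCATION = re.compile(r'Matched Location: (\S+) and Matched Payload: ')


def parse_messages(section_h):
    """Return one dict of bracketed fields per 'Message:' line."""
    return [dict(FIELD.findall(line))
            for line in section_h.splitlines() if line.startswith("Message: ")]


def matched_locations(messages):
    """Map rule id -> variable it matched on, for messages that carry both."""
    hits = {}
    for msg in messages:
        loc = LOCATION.search(msg.get("data", ""))
        if "id" in msg and loc:
            hits[msg["id"]] = loc.group(1)
    return hits


def uncovered(hits, exception_location):
    """Rule ids whose matched variable does not start with the exception's variable.

    Assumption: prefix comparison approximates the exception's unanchored regex.
    """
    return sorted(rid for rid, loc in hits.items()
                  if not loc.startswith(exception_location))


if __name__ == "__main__":
    hits = matched_locations(parse_messages(SECTION_H))
    for rid, loc in hits.items():
        print(f"{rid}: {loc}")
    print("not covered by exception:", uncovered(hits, EXCEPTION_LOCATION))
```

On the sample, both phpids hits are reported against `ARGS_NAMES:newidentities[1][signature]`, which the `smaction` exception does not select.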



