[Owasp-modsecurity-core-rule-set] redirect with Apache

Ryan Barnett RBarnett at trustwave.com
Sun Jul 17 10:22:41 EDT 2011


You might want to try using a mod_rewrite rule for your redirect instead as ModSecurity rules can run before them.

Ryan

On Jul 16, 2011, at 10:23 PM, "Michael Haas" <michael.haas10 at gmail.com> wrote:

Hi,

Is it normal that, if a redirect is configured in Apache, mod_security does not block according to its rules? It logs the request, but the client is redirected.

GET /..%5c../ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/security-layer, application/security-capsule, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: de-at,en-us;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE......)
Accept-Encoding: gzip, deflate
Host: XXX.xxxx
Connection: Keep-Alive

--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://XXX.xxxx/
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--ac9b0025-H--
Message: Pattern match "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" at REQUEST_FILENAME. [file "/test/modsecurity_crs/modsecurity_crs_15_exception.conf"] [line "19"] [id "1000"] [rev "2.1.2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
Stopwatch: 1310867782439547 587 (- - -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache


If I do this without the redirect, the rule blocks with a 403.

That's the rule:

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:1,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'1000',severity:'2'"
        SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
                "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

Thanks in Advance
Michael

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
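The audit log quoted in the thread is the pattern worth monitoring for: a rule fires at CRITICAL severity, yet the response recorded in part F is a 302 rather than a 403. The following Python is an added example, not code from the thread or from the CRS project; it parses the serial audit-log parts (`--<id>-F--`, `--<id>-H--`), reads the `[key "value"]` fields of each `Message:` line, and lists transactions where a CRITICAL match did not end in the expected blocking status. The log text is constructed, modelled on Michael's entry with an abbreviated rule pattern and an invented second transaction id for contrast.

```python
import re
# Constructed sample in ModSecurity's serial audit-log format, modelled on the
# thread's log (parts B and Z omitted, pattern abbreviated). ac9b0025 got a 302
# despite a CRITICAL match; bb110042 is a constructed transaction blocked with 403.
SAMPLE_AUDIT_LOG = r"""
--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://XXX.xxxx/

--ac9b0025-H--
Message: Pattern match "(?:\x5c|\/)(?:\.){2}" at REQUEST_FILENAME. [file "/test/modsecurity_crs/modsecurity_crs_15_exception.conf"] [line "19"] [id "1000"] [rev "2.1.2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]

--bb110042-F--
HTTP/1.1 403 Forbidden

--bb110042-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:\x5c|\/)(?:\.){2}" at REQUEST_FILENAME. [id "1000"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)  # part boundary line
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # one [key "value"] field

def parse_audit_log(text):
    """Split a serial audit log into {tx_id: {part_letter: body}}."""
    txs = {}
    pieces = SECTION_RE.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    for i in range(1, len(pieces), 3):
        txs.setdefault(pieces[i], {})[pieces[i + 1]] = pieces[i + 2].strip()
    return txs

def response_status(part_f):
    """HTTP status code from the part-F status line, or None if absent."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", part_f or "")
    return int(m.group(1)) if m else None

def rule_messages(part_h):
    """Each 'Message:' line of part H as a dict of its [key "value"] fields."""
    return [dict(FIELD_RE.findall(line))
            for line in (part_h or "").splitlines() if line.startswith("Message:")]

def find_unblocked_matches(text, block_status=403, severities=("CRITICAL",)):
    """[(tx_id, status, rule_ids)] where a rule of the given severity fired but the response was not block_status."""
    findings = []
    for tx_id, parts in parse_audit_log(text).items():
        status = response_status(parts.get("F"))
        hits = [m for m in rule_messages(parts.get("H")) if m.get("severity") in severities]
        if hits and status != block_status:
            findings.append((tx_id, status, [m.get("id") for m in hits]))
    return findings
```

Run over a real audit log file, a non-empty result means the engine logged a match that Apache answered with something other than the blocking status, which is exactly the redirect case described above.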


