[Owasp-modsecurity-core-rule-set] Questions about modsecurity rules

Ryan Barnett RBarnett at trustwave.com
Tue Mar 15 14:56:05 EDT 2011


On 3/15/11 2:38 PM, "Abdellah Tantan" <adtantan at paydq.com> wrote:

>
>Hi,
>
>Although I have read the mod_security book by Ivan Ristic, I feel I am still
>very new to Mod_Security.

Ivan's book is very good for understanding how ModSecurity works; however,
it does not cover rulesets such as the OWASP ModSecurity CRS.  Have you
read the project documentation?
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Documentation
>

I also suggest that you review the comments in the
modsecurity_crs_10_config.conf file as it outlines what each section does
and the rationale.


>I am wondering why sending a simple request
>triggered all these rules (see raw data below)?
>If the request was marked
>as critical, why was it not blocked? Any help to understand this is
>appreciated.
>
>This is my main configuration file
>
>SecComponentSignature "core ruleset/2.1.1"
>SecRuleEngine On
>SecDefaultAction "phase:2,pass,nolog,auditlog"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
>SecAction "phase:1,t:none,nolog,pass, \
>setvar:tx.critical_anomaly_score=5, \
>setvar:tx.error_anomaly_score=4, \
>setvar:tx.warning_anomaly_score=3, \
>setvar:tx.notice_anomaly_score=2"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"

In the modsecurity_crs_10_config.conf file, you have the following section
for HTTP Policy settings -

#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"


This is where you define the proper allowed HTTP request methods for your
site.  Once this is done, the rules in the
modsecurity_crs_30_http_policy.conf file enforce it using macro expansion
to inherit the settings you set in the 10 file -

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
#      methods. If that is not the case with your environment, you are advised
#      to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:2,t:none,block,msg:'Method is not allowed by policy',severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"


In your case, since you were not using the full
modsecurity_crs_10_config.conf file, you had not defined these TX settings
and thus the 30 file rule matched.


Also - to your question about why this was not blocked, it looks like you
aren't using the modsecurity_49_inbound_blocking.conf file.

-Ryan


>
>
>raw data below.
>
>
>--342fe054-A--
>[15/Mar/2011:13:23:56 --0500] iAJfIgoAygIAAGstEDsAAAAC 66.37.224.199 52567
>10.0.202.2 80
>--342fe054-B--
>GET /lpandl/images/buttons/login.gif HTTP/1.1
>Host: 98.142.93.2
>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15)
>Gecko/20110303 Firefox/3.6.15
>Accept: image/png,image/*;q=0.8,*/*;q=0.5
>Accept-Language: en-us,en;q=0.5
>Accept-Encoding: gzip,deflate
>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>Connection: keep-alive
>Referer:
>https://98.142.93.2/lpandl/Logon.do;jsessionid=2D2A0F2EC20B323DEFE7901DB48
>00
>52E
>Cookie: JSESSIONID=2D2A0F2EC20B323DEFE7901DB480052E
>X-Forwarded-For: 66.37.224.199
>Front-End-Https: On
>
>--342fe054-E--
>
>--342fe054-F--
>HTTP/1.1 200 OK
>ETag: W/"929-1272484876000"
>Last-Modified: Wed, 28 Apr 2010 20:01:16 GMT
>Content-Length: 929
>Connection: close
>Content-Type: image/gif
>
>--342fe054-H--
>Message: Warning. Match of "within %{tx.allowed_methods}" against
>"REQUEST_METHOD" required. [file
>"/etc/httpd/conf/modsecurity/rules/base_rules/modsecurity_crs_30_http_poli
>cy
>.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"]
>[data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag
>"WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag
>"PCI/12.1"]
>Message: Warning. Match of "within %{tx.allowed_http_versions}" against
>"REQUEST_PROTOCOL" required. [file
>"/etc/httpd/conf/modsecurity/rules/base_rules/modsecurity_crs_30_http_poli
>cy
>.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not
>allowed
>by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag
>"POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag
>"OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
>Apache-Handler: jakarta-servlet
>Stopwatch: 1300213436407586 8794 (450 5600 -)
>Response-Body-Transformed: Dechunked
>Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
>Server: Apache/2.2.3 (CentOS)
>
>--342fe054-K--
>SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
>"phase:1,log,auditlog,chain,rev:2.1.1,t:none,block,msg:'GET or HEAD
>requests
>with
>bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WAS
>C-
>21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2
>61
>6/rfc2616-sec4.html#sec4.3"
>SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
>"phase:2,log,auditlog,chain,rev:2.1.1,t:none,block,msg:'Request Missing an
>Accept
>Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,
>ta
>g:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
>SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
>"phase:2,log,auditlog,chain,rev:2.1.1,t:none,block,msg:'Request Containing
>Content, but Missing Content-Type header',id:960904,severity:5"
>SecRule "REQUEST_METHOD" "!@within %{tx.allowed_methods}"
>"phase:2,log,auditlog,t:none,block,msg:'Method is not allowed by
>policy',severity:2,id:960032,tag:POLICY/METHOD_NOT_ALLOWED,tag:WASCTC/WASC
>-1
>5,tag:OWASP_TOP_10/A6,tag:OWASP_AppSensor/RE1,tag:PCI/12.1,logdata:%{match
>ed
>_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anom
>al
>y_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{r
>ul
>e.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
>SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}"
>"phase:2,log,auditlog,t:none,block,msg:'HTTP protocol version is not
>allowed
>by
>policy',severity:2,id:960034,tag:POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WA
>SC
>-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.ms
>g=
>%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx
>.p
>olicy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/PROTO
>CO
>L_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
>SecRule "REQUEST_BASENAME" "@rx \\.(.*)$"
>"phase:2,log,auditlog,chain,capture,setvar:tx.extension=.%{tx.1}/,t:none,t
>:u
>rlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by
>policy',severity:2,id:960035,tag:POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,
>ta
>g:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
>"phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by
>policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWE
>D,
>tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag
>:O
>WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setv
>ar
>:tx.header_name='/%{tx.0}/'"
>SecRule "RESPONSE_BODY" "!@pm iframe"
>"phase:4,auditlog,rev:2.1.1,t:none,capture,t:urlDecodeUni,t:htmlEntityDeco
>de
>,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"
>SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data"
>"phase:4,auditlog,rev:2.1.1,t:none,capture,t:urlDecodeUni,t:htmlEntityDeco
>de
>,nolog,skipAfter:END_OUTBOUND_CHECK"
>
>--342fe054-Z--
>
>
>


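Added illustration of the two points in the reply above; this is not code from the thread, from the poster, or from the CRS project. It models three things ModSecurity does with the quoted 30-file rules 960032 and 960034: macro expansion of `%{tx.var}` (an unset variable expands to an empty string, so `!@within ''` is true for any method or protocol), the `@within` operator, and anomaly-score accumulation that only becomes a block when a separate inbound-blocking rule (the modsecurity_49_inbound_blocking.conf file) compares the score against `tx.inbound_anomaly_score_level`. The request values are taken from the audit log's section B; the function names, the `load_49_file` switch and the reduced rule table are the model's own and not ModSecurity APIs.

```python
# Added illustration, not code from the thread or from the CRS project.
# Function names, the rule table and the load_49_file switch are assumptions
# of this model, not ModSecurity's own interfaces.
import re

# Reduced form of rules 960032 / 960034 from modsecurity_crs_30_http_policy.conf:
# both are "!@within <macro>" and both add tx.warning_anomaly_score on a match.
POLICY_RULES = (
    {"id": 960032, "variable": "REQUEST_METHOD",
     "parameter": "%{tx.allowed_methods}",
     "msg": "Method is not allowed by policy"},
    {"id": 960034, "variable": "REQUEST_PROTOCOL",
     "parameter": "%{tx.allowed_http_versions}",
     "msg": "HTTP protocol version is not allowed by policy"},
)

_MACRO = re.compile(r"%\{tx\.([A-Za-z0-9_]+)\}")


def expand_macros(text, tx):
    """Replace %{tx.name} with its value; an unset variable becomes ''."""
    return _MACRO.sub(lambda m: str(tx.get(m.group(1), "")), text)


def op_within(needle, haystack):
    """@within: true when the variable value occurs inside the parameter."""
    return needle in haystack


def run_policy_rules(request, tx):
    """Phase-2 pass over POLICY_RULES; returns (alerts, updated tx copy)."""
    tx = dict(tx)
    tx.setdefault("anomaly_score", 0)
    alerts = []
    for rule in POLICY_RULES:
        haystack = expand_macros(rule["parameter"], tx)
        value = request[rule["variable"]]
        # The operator is negated in the rule ("!@within"), so a miss matches.
        if not op_within(value, haystack):
            alerts.append((rule["id"], rule["msg"], value))
            # setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}
            tx["anomaly_score"] += int(tx["warning_anomaly_score"])
    return alerts, tx


def inbound_blocking(tx):
    """Model of the 49 file: block once the score reaches the inbound level
    and tx.anomaly_score_blocking is 'on'."""
    return (tx.get("anomaly_score_blocking") == "on"
            and tx.get("anomaly_score", 0) >= int(tx["inbound_anomaly_score_level"]))


def evaluate(request, tx, load_49_file):
    """Return (blocked, anomaly_score, alerts) for one request."""
    alerts, tx = run_policy_rules(request, tx)
    blocked = bool(load_49_file and inbound_blocking(tx))
    return blocked, tx["anomaly_score"], alerts


# Constructed request, using the method and protocol from audit log section B.
REQUEST = {"REQUEST_METHOD": "GET", "REQUEST_PROTOCOL": "HTTP/1.1"}

# The poster's trimmed config: scores set, HTTP Policy TX variables never set.
TX_TRIMMED = {
    "anomaly_score_blocking": "on",
    "warning_anomaly_score": 3,
    "inbound_anomaly_score_level": 5,
}

# Same, plus the HTTP Policy Settings block from the full 10 config file.
TX_FULL = dict(TX_TRIMMED,
               allowed_methods="GET HEAD POST OPTIONS",
               allowed_http_versions="HTTP/0.9 HTTP/1.0 HTTP/1.1")

if __name__ == "__main__":
    cases = (("trimmed 10 config, no 49 file", TX_TRIMMED, False),
             ("trimmed 10 config, 49 file loaded", TX_TRIMMED, True),
             ("full 10 config, 49 file loaded", TX_FULL, True))
    for label, tx, with_49 in cases:
        blocked, score, alerts = evaluate(REQUEST, tx, with_49)
        print(f"{label}: blocked={blocked} score={score} "
              f"rules={[rule_id for rule_id, _, _ in alerts]}")
```

Running the three cases shows the mail's situation in order: with the trimmed config and no 49 file, both policy rules fire on a plain GET, the score climbs to 6 (two hits of warning_anomaly_score=3) and nothing is blocked; loading the 49 file turns that same score into a block because 6 is at or above inbound_anomaly_score_level=5; defining the TX variables from the full 10 file stops the rules matching at all.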


