[Owasp-modsecurity-core-rule-set] CRS3-RC1 not working on Apache 2.2

Christian Folini christian.folini at netnea.com
Mon Aug 22 05:35:51 UTC 2016


Good morning Jens,

On Sun, Aug 21, 2016 at 12:48:32PM +0200, Jens Schleusener wrote:
> One reason for the "silence" may be also the very laborious log file
> analysis.
> 
> But to get just a first impression I found your script aliases collection at
> 
>  https://github.com/Apache-Labor/labor/blob/master/bin/.apache-modsec.alias
> 
> very useful.

Thanks. I should probably cover them in a blogpost. Right now they seem
to be a bit of a secret to those who have read my (German) tutorials.

> On the server that I manage (httpd 2.4.23, modsecurity 2.9.1)
> CRS3-RC1 is now for nearly a month in use and it works very well
> (big thanks to the CRS3 team!).

Glad it works!

> Although the server may be not
> "typical" since it uses itself neither PHP nor SQL but offers
> amongst others source code browsing of FOSS software that contains
> e.g. PHP, SQL and HTML files, here is an example output for 5 days
> (with roughly 200.000 page requests in total) using the script alias
> "melidmsg" (entries from some special self-written rules are
> removed):
> 
> cat modsec_audit.log.16081[5-9] | melidmsg | sort | uniq -c | sort -nr

I guess you are aware of the alias 'sucs' and use the sort-uniq-c-sort
combination here to make it more comprehensible for the other readers.

>     347 921140 HTTP Header Injection Attack via headers
>     308 910000 Request from Known Malicious Client
>                (Based on previous traffic violations).
>     186 920350 Host header is a numeric IP address
>     105 932130 Remote Command Execution: Unix Shell Expression Found
> ...

All in all, this is quite a big collection of alerts for 200K requests.
Your site is special of course, but would this special content really
affect the requests that much? Wouldn't that be more of a problem with
the responses?

There are rules which point to a real positive. But with many others,
we might face false positives. Did you investigate further, or do you
think they point to malign requests?

> Found") in some cases seems to cause FPs (especially for the
> User-Agent "Go-http-client/1.1" that sends erroneously a
> "Connection: close, close" HTTP header).

Would you please be so kind as to open an issue on the GitHub site for
this false positive? Ideally including a full audit log entry for the
request.

Thank you for your detailed report.

Cheers,

Christian


-- 
If it could be proved that two plus two is five, then it could be 
proved that five is not five, and then there would be no claim that 
could not be proved, and math would be a lot of bunk.
-- George Boolos
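The pipeline discussed in this exchange, as an added worked example. This is not the Apache-Labor alias file and not code from either poster: the shell functions below approximate what the 'melidmsg' and 'sucs' aliases do, and add a small helper that extracts the full audit entry for one rule id, which is the kind of log entry a false-positive report should carry. It assumes the ModSecurity 2.x serial audit log format (each transaction runs from "--<token>-A--" to "--<token>-Z--" and section H carries "Message:" lines with [id "..."] and [msg "..."] fields). The audit log embedded in the block is constructed for this example; it reuses the rule ids and messages quoted in the thread, while the tokens, addresses, URIs and User-Agent are made up.

```shell
#!/bin/sh
# Added example, not the Apache-Labor aliases: approximations of the
# 'melidmsg' and 'sucs' aliases, plus a helper that prints the full audit
# entry of every transaction in which a given rule fired.
#
# Assumption: ModSecurity 2.x serial audit log. The sample below is
# constructed; rule ids and messages are the ones quoted in the thread,
# everything else (tokens, addresses, URIs, User-Agent) is made up.

SAMPLE_AUDIT_LOG='--a1b2c3d4-A--
[22/Aug/2016:05:35:51 +0000] V7qkqX8AAQEAAB1L6fgAAAAB 203.0.113.5 51234 198.51.100.10 80
--a1b2c3d4-B--
GET /source/example.php HTTP/1.1
Host: 198.51.100.10
User-Agent: constructed-client/1.0
--a1b2c3d4-H--
Message: Warning. Pattern match "..." at REQUEST_HEADERS. [id "921140"] [msg "HTTP Header Injection Attack via headers"] [severity "CRITICAL"]
Message: Warning. Pattern match "..." at REQUEST_HEADERS. [id "921140"] [msg "HTTP Header Injection Attack via headers"] [severity "CRITICAL"]
Message: Warning. Pattern match "..." at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
Apache-Handler: default-handler
Stopwatch: 1471844151000000 2048 (- - -)
--a1b2c3d4-Z--

--e5f6a7b8-A--
[22/Aug/2016:05:36:02 +0000] V7qkrn8AAQEAAB1L6fkAAAAC 203.0.113.77 44321 198.51.100.10 80
--e5f6a7b8-B--
GET /source/index.html HTTP/1.1
Host: 198.51.100.10
User-Agent: constructed-client/1.0
--e5f6a7b8-H--
Message: Warning. Pattern match "..." at REQUEST_HEADERS. [id "921140"] [msg "HTTP Header Injection Attack via headers"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "910000"] [msg "Request from Known Malicious Client (Based on previous traffic violations)."] [severity "CRITICAL"]
Message: Warning. [id "910000"] [msg "Request from Known Malicious Client (Based on previous traffic violations)."] [severity "CRITICAL"]
--e5f6a7b8-Z--'

# melidmsg: one "<rule id> <msg>" line per alert in the audit log on stdin.
# Only "Message:" lines are considered; lines without both an [id "..."]
# and a [msg "..."] field are dropped.
melidmsg() {
  grep '^Message: ' |
    sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p'
}

# sucs: the sort | uniq -c | sort -nr idiom (count, most frequent first).
sucs() {
  sort | uniq -c | sort -nr
}

# audit_entries_for_id ID: print every complete transaction (A..Z sections)
# whose H section carries an alert for rule ID. The transaction is buffered
# until its Z marker so that unrelated transactions are not emitted.
audit_entries_for_id() {
  awk -v id="$1" '
    /^--[A-Za-z0-9]+-A--$/ { buf = ""; hit = 0 }
    { buf = buf $0 "\n" }
    /^Message: / && index($0, "[id \"" id "\"]") { hit = 1 }
    /^--[A-Za-z0-9]+-Z--$/ { if (hit) printf "%s", buf }
  '
}

# The pipeline from the thread, run over the sample. With real logs it is
#   cat modsec_audit.log.16081[5-9] | melidmsg | sucs
top_alerts() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | melidmsg | sucs
}

# Number of transactions in the sample in which rule $1 fired.
transactions_for_id() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_entries_for_id "$1" | grep -c -- '-A--$'
}

top_alerts
```

Counting "<id> <msg>" pairs gives an alert count, not a request count: a rule that matches several headers of one request (as 921140 does twice in the first constructed transaction) inflates the first column, so compare it with the number of transactions before judging how noisy a rule is. The audit_entries_for_id output is what to paste into a GitHub issue, after redacting client addresses.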

