[Owasp-modsecurity-core-rule-set] Question about REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Chaim Sanders chaim at chaimsanders.com
Mon Jul 31 14:59:49 UTC 2017


Hello,
ModSecurity has its own custom logging format. This can be changed to JSON
in ModSecurity 2.9 and greater. Generally, though, understanding the log
involves looking at the message that is generated and, occasionally, at the
rule in question if that isn't enough. In this case you have two rules
listed.
The first rule, 920180, says 'POST request missing Content-Length
Header'. Generally this means that the Content-Length header, which
typically specifies how much POST data is present, was not provided. This
can be triggered by non-standard user-agents. All known browsers will
provide this value, as it is strongly suggested by the RFC. This rule can be
found here:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L292

The next rule you have highlighted is 920270. This indicates that a null
byte was passed in a cookie. Null bytes are used in various attacks but are
almost always avoided by legitimate applications. This rule can be found here:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L564

To see whole requests when a rule triggers, you should enable the audit
logging capability. For more details on this, please see the following entry
in the reference manual:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditEngine



On Thu, Jul 27, 2017 at 7:16 AM, Пацев Антон <patsev.anton at gmail.com> wrote:

> Hello!
> Can someone help with REQUEST-920-PROTOCOL-ENFORCEMENT.conf?
> Used: modsecurity v3 from master, nginx 1.10.2, core rules from GitHub
>
> crs-setup.conf:
> SecDefaultAction "phase:1,log,auditlog,pass"
> SecDefaultAction "phase:2,log,auditlog,pass"
> SecAction \
>   "id:900000,\
>    phase:1,\
>    nolog,\
>    pass,\
>    t:none,\
>    setvar:tx.paranoia_level=1"
> SecAction \
>  "id:900110,\
>   phase:1,\
>   nolog,\
>   pass,\
>   t:none,\
>   setvar:tx.inbound_anomaly_score_threshold=5,\
>   setvar:tx.outbound_anomaly_score_threshold=4"
> SecCollectionTimeout 600
> SecAction \
>  "id:900990,\
>   phase:1,\
>   nolog,\
>   pass,\
>   t:none,\
>   setvar:tx.crs_setup_version=302"
>
>
> The log file has:
>
> ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against
> variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) [file
> "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "258"]
> [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."]
> [data "0"] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy
> "9"] [tag "application-multi"] [tag "language-multi"] [tag
> "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [ref
> "o0,4v0,4"]
>
> ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter
> `1-255' against variable `REQUEST_HEADERS:Cookie' (Value:
> `JSESSIONID=XXXXXXXXXXXXXX; loggedin=true; hash=yyyyyyy; loggedUser=gggggg
> (781 characters omitted)' ) [file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request
> (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"]
> [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref
> "o185,1o186,1o187,1o188,1o189,1o190,1o191,1o192,1o193,1o194,
> 1o195,1o196,1o197,1o198,1o199,1o200,1o201,1o202,1o313,1o314,
> 1o315,1o316,1o317,1o318,1o319,1o320,1o321,1o322,1o323,1o324,
> 1o325,1o326,1o327,1o328,1o329,1o330,1o331,1o332,1o333,1o334,
> 1o335,1o336,1o337,1o338,1o408,1o409,1o410,1o411,1o412,1o413,
> 1v479,881t:urlDecodeUni"]
>
> How do I understand this log? How do I write the request to the log?
>
>
>
> --
> Best regards, Anton Patsev.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>


-- 
Chaim Sanders
http://www.ChaimSanders.com
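As an added illustration of the advice above (this is example code written for this page, not code from the thread, from ModSecurity or from the CRS project), the following Python script parses ModSecurity v3 alert lines of the form quoted in the question, pulls out the CRS metadata (`id`, `msg`, `severity`, `tag`, the operator and the variable that matched), and then adds up the inbound anomaly score the way CRS 3.0 does. It assumes the CRS 3.0 default per-severity scores (critical 5, error 4, warning 3, notice 2) and the threshold of 5 set in the poster's crs-setup.conf, and it mirrors the 920270 check (`t:urlDecodeUni` followed by `@validateByteRange 1-255`) on a cookie string so you can see which input actually trips it. The two sample log lines are constructed from the question with the cookie value shortened.

```python
"""Parse ModSecurity v3 alert lines and compute the CRS 3.0 anomaly score.

Added example for this page; not part of ModSecurity or the OWASP CRS.
Assumptions (marked where used): CRS 3.0 default severity scores and the
inbound threshold of 5 from the question's crs-setup.conf.
"""
import re
from urllib.parse import unquote_to_bytes

# Assumption: CRS 3.0 defaults from crs-setup.conf (critical 5, error 4,
# warning 3, notice 2).  ModSecurity's numeric severity is 2=CRITICAL,
# 3=ERROR, 4=WARNING, 5=NOTICE, which is what appears in [severity "N"].
SEVERITY_SCORE = {"2": 5, "3": 4, "4": 3, "5": 2}

# Constructed sample: the two alerts from the question, each on one line,
# with the long cookie value and most of the [ref "..."] offsets trimmed.
SAMPLE_LOG = (
    "ModSecurity: Warning. Matched \"Operator `Eq' with parameter `0' against "
    "variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) "
    '[file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "258"] '
    '[id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."] '
    '[data "0"] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] '
    '[tag "application-multi"] [tag "attack-protocol"] [ref "o0,4v0,4"]\n'
    "ModSecurity: Warning. Matched \"Operator `ValidadeByteRange' with parameter "
    "`1-255' against variable `REQUEST_HEADERS:Cookie' (Value: "
    "`JSESSIONID=XXXXXXXXXXXXXX; loggedin=true' ) "
    '[file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] '
    '[id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] '
    '[data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [tag "attack-protocol"] '
    '[tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o185,1v479,881t:urlDecodeUni"]\n'
)

# [key "value"] pairs; a value may contain escaped quotes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The operator / parameter / variable triple at the start of the alert.
MATCH_RE = re.compile(
    r"Matched \"Operator `(?P<op>[^']*)' with parameter `(?P<param>[^']*)' "
    r"against variable `(?P<var>[^']*)'"
)


def parse_alert(line):
    """Return a dict of the metadata in one 'ModSecurity: Warning' line, or None."""
    if "ModSecurity:" not in line:
        return None
    alert = {"tags": []}
    m = MATCH_RE.search(line)
    if m:
        alert.update(m.groupdict())
    for key, value in KV_RE.findall(line):
        if key == "tag":          # tags repeat, so collect them in a list
            alert["tags"].append(value)
        else:
            alert[key] = value
    return alert


def inbound_anomaly_score(alerts):
    """Sum the per-rule scores the way CRS 3.0 does (one score per alert)."""
    return sum(SEVERITY_SCORE.get(a.get("severity", ""), 0) for a in alerts)


def evaluate(log_text, threshold=5):
    """Parse every alert in log_text and compare the total to the threshold.

    CRS rule 949110 blocks when the score is >= tx.inbound_anomaly_score_threshold
    (5 in the question's crs-setup.conf); with SecDefaultAction 'pass' and
    SecRuleEngine DetectionOnly nothing is actually blocked, only logged.
    """
    alerts = [a for a in (parse_alert(ln) for ln in log_text.splitlines()) if a]
    score = inbound_anomaly_score(alerts)
    return {"alerts": alerts, "score": score, "threshold": threshold,
            "would_block": score >= threshold}


def violates_920270(raw_header_value):
    """Mirror rule 920270: after t:urlDecodeUni every byte must be in 1-255,
    so the only byte that can fail is NUL (0x00).  Decodes %u0000 and %00."""
    decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                     lambda m: chr(int(m.group(1), 16)), raw_header_value)
    return b"\x00" in unquote_to_bytes(decoded)


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['id']} severity={a['severity']} "
              f"score={SEVERITY_SCORE[a['severity']]} {a['msg']}")
    print(f"inbound score {result['score']} / threshold {result['threshold']}"
          f" -> would_block={result['would_block']}")
    for cookie in ("JSESSIONID=abc; loggedin=true", "hash=%00x", "a=b\x00"):
        print(f"920270 on {cookie!r}: {violates_920270(cookie)}")
```

Run against the two alerts from the question, this reports 920180 as a warning (3 points) and 920270 as critical (5 points), for a total of 8, above the threshold of 5 that crs-setup.conf sets; that is exactly the arithmetic the 949110 blocking rule performs. The `violates_920270` helper shows that a cookie only matches once a NUL reaches the engine, whether sent raw or as `%00`/`%u0000`, which is a quick way to find the offending cookie in the full request once audit logging is on.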