[Owasp-modsecurity-core-rule-set] Help with false positives for Window Obfuscation JavaScript.

David Taveras d3taveras38d3 at gmail.com
Mon Jan 11 14:44:44 EST 2010


Hello,

First of all, I am resending this post to the CRS mailing list. I
apologize for the confusion.

I am using CRS 2.0.4. What is the best way I have so that the rules
don't match this as something wrong?

There seems to be a vast number of rules (Section K) that triggered on
this; these so far have been my only false positives.

--c391310c-A--
[05/Jan/2010:10:37:49 --0600] S0Nq3NBXIpEAAFcl7VAAAAAW 1.1.1.1.1 65308
2.2.2.2 443
--c391310c-B--
POST /login.php HTTP/1.1
Host: secure.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES;
rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.domain.com/login.php
Cookie: PHPSESSID=mekfjfh54qu5vfbv8ct27c1d37;
DDCart[cartID]=mekfjfh54qu5vfbv8ct27c1d37; DDCart[country]=232
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

--c391310c-C--
name=testuser%40test.com&password=12345&referer=https%3A%2F%2Fsecure.domain.com%2Fmy_account.php&submit.x=71&submit.y=8&submit=Submit
--c391310c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: DDCart[cartID]=mekfjfh54qu5vfbv8ct27c1d37; expires=Wed,
06-Jan-2010 16:37:48 GMT; path=/; domain=.domain.com
Set-Cookie: DDCart[country]=232; expires=Wed, 06-Jan-2010 16:37:48
GMT; path=/; domain=.domain.com
Content-Length: 3294
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


--c391310c-H--
Message: Operator GE matched 20 at TX:anomaly_score. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_49_enforcement.conf"]
[line "25"] [msg "Anomaly Score Exceeded (score 23): Detects
JavaScript location/document property access and window access
obfuscation"]
Message: Operator GE matched 15 at TX:anomaly_score. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_60_correlation.conf"]
[line "24"] [msg "Anomaly Score Exceeded (score 23): Detects
JavaScript location/document property access and window access
obfuscation"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "104"] [id "phpids-61"] [msg "Detects url injections and RFE
attempts"] [data "Matched Location: REQUEST_BODY and Matched Payload:
name=testuser at test.com&password=12345&referer=https://secure.domain.com/my_account.php&submit.x=71&submit.y=8&submit=submit"]
[severity "CRITICAL"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "279"] [id "phpids-2"] [msg "Detects JavaScript
location/document property access and window access obfuscation"]
[data "Matched Location: REQUEST_BODY and Matched Payload:
name=testuser at test.com&password=12345&referer=https://secure.domain.com/my_account.php&submit.x=71&submit.y=8&submit=submit"]
[severity "CRITICAL"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "286"] [id "phpids-17"] [msg "Detects JavaScript object
properties and methods"] [data "Matched Location: REQUEST_BODY and
Matched Payload:
name=testuser at test.com&password=12345&referer=https://secure.domain.com/my_account.php&submit.x=71&submit.y=8&submit=submit"]
[severity "CRITICAL"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "293"] [id "phpids-1"] [msg "Detects JavaScript object
properties and methods"] [data "Matched Location: REQUEST_BODY and
Matched Payload:
name=testuser at test.com&password=12345&referer=https://secure.domain.com/my_account.php&submit.x=71&submit.y=8&submit=submit"]
[severity "CRITICAL"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "391"] [id "phpids-23"] [msg "Detects JavaScript
location/document property access and window access obfuscation"]
[data "Matched Location: REQUEST_BODY and Matched Payload:
name=testuser at test.com&password=12345&referer=https://secure.domain.com/my_account.php&submit.x=71&submit.y=8&submit=submit"]
[severity "CRITICAL"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "405"] [id "phpids-6"] [msg "Detects url injections and RFE
attempts"] [data "Matched Location: REQUEST_BODY and Matched Payload:
name=testuser at test.com&password=12345&referer=https://secure.domain.com/my_account.php&submit.x=71&submit.y=8&submit=submit"]
[severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_60_correlation.conf"]
[line "46"] [msg "Transactional Anomaly Score (score 23): Detects
JavaScript location/document property access and window access
obfuscation"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1262709468633074 583271 (844* 31090 581461)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/).
Server: Apache

--c391310c-K--
SecRule "REQUEST_METHOD" "@rx ^POST$"
"phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'POST
request must have a Content-Length
header',id:960012,tag:PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_HEADERS:Content-Type" "@rx
^application\\/x-www-form-urlencoded(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$"
"phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'URL
Encoding Abuse Attack
Attempt',id:950108,tag:PROTOCOL_VIOLATION/EVASION,severity:5"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request
content type is not allowed by
policy',id:960010,tag:POLICY/ENCODING_NOT_ALLOWED,severity:4"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
(?:\\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
url injections and RFE
attempts',id:phpids-61,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/RFE,tag:WEB_ATTACK/LFI,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
([^*:\\s\\w,.\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\/_@>\\|])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\/\\s\\w%,.+\\-]))"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
JavaScript object properties and
methods',id:phpids-17,tag:WEB_ATTACK/XSS,tag:WEB_ATTACK/CSRF,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/RFE,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+4,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
([^*:\\s\\w,.\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\/_@>\\|])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\/\\s\\w%,.+\\-]))"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
JavaScript object properties and
methods',id:phpids-17,tag:WEB_ATTACK/XSS,tag:WEB_ATTACK/CSRF,tag:WEB_ATTACK/ID,tag:WEB_ATTACK/RFE,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+4,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
JavaScript location/document property access and window access
obfuscation',id:phpids-23,tag:WEB_ATTACK/XSS,tag:WEB_ATTACK/CSRF,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
JavaScript location/document property access and window access
obfuscation',id:phpids-23,tag:WEB_ATTACK/XSS,tag:WEB_ATTACK/CSRF,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "&TX:/SQL_INJECTION/" "@eq 0"
"phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pm jscript onsubmit copyparentfolder javascript meta onchange onmove
onkeydown onkeyup activexobject onerror onmouseup ecmascript
bexpression onmouseover vbscript: <![cdata[ http: .innerhtml
settimeout shell: onabort asfunction: onkeypress onmousedown onclick
.fromcharcode background-image: .cookie x-javascript ondragdrop onblur
mocha: javascript: onfocus lowsrc getparentfolder onresize @import
alert script onselect onmouseout application onmousemove background
.execscript livescript: vbscript getspecialfolder .addimport iframe
onunload createtextrange <input onload"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pm jscript onsubmit copyparentfolder javascript meta onchange onmove
onkeydown onkeyup activexobject onerror onmouseup ecmascript
bexpression onmouseover vbscript: <![cdata[ http: .innerhtml
settimeout shell: onabort asfunction: onkeypress onmousedown onclick
.fromcharcode background-image: .cookie x-javascript ondragdrop onblur
mocha: javascript: onfocus lowsrc getparentfolder onresize @import
alert script onselect onmouseout application onmousemove background
.execscript livescript: vbscript getspecialfolder .addimport iframe
onunload createtextrange <input onload"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\/login\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:%{TX.0},id:sid2006496,rev:4,msg:'ET
WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- login.php
login_username ',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jasmine_CMS"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2003156,rev:3,msg:'ET
WEB Crewbox Proxy
Scan',tag:attempted-recon,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy"
SecRule "QUERY_STRING|REQUEST_BODY" "@contains ="
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2001090,rev:7,msg:'ET
WEB-MISC cross site scripting stealth attempt to execute Javascript
code',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS"
SecRule "QUERY_STRING|REQUEST_BODY" "@contains ="
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2001091,rev:7,msg:'ET
WEB-MISC cross site scripting stealth attempt to execute VBScript
code',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2002997,rev:4,msg:'ET
WEB PHP Remote File Inclusion (monster list
http)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2003098,rev:4,msg:'ET
WEB PHP Remote File Inclusion (monster list
ftp)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2003935,rev:3,msg:'ET
WEB PHP Remote File Inclusion (monster list
php)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2009152,rev:4,msg:'ET
WEB PHP Generic Remote File Include Attempt
(HTTPS)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2009153,rev:4,msg:'ET
WEB PHP Generic Remote File Include Attempt
(FTP)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2009155,rev:5,msg:'ET
WEB PHP Generic Remote File Include Attempt
(FTPS)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic"
SecRule "TX:ANOMALY_SCORE" "@ge 20"
"phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score
%{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data"
"phase:4,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,nolog,allow"
SecRule "TX:ANOMALY_SCORE" "@ge 15"
"phase:4,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score
%{TX.ANOMALY_SCORE}): %{tx.msg}'"
SecRule "TX:/^PHPIDS-61/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-61,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:/^PHPIDS-2/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-2,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:/^PHPIDS-17/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-17,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:/^PHPIDS-1/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-1,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:/^PHPIDS-23/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-23,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:/^PHPIDS-6/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-6,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:ANOMALY_SCORE" "@ge 5"
"phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score
(score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--c391310c-Z--

_________________________________________________________________________________________________________________________________-


--54901d14-A--
[05/Jan/2010:14:01:56 --0600] S0OatNBXIpEAAHtCLOEAAAAS 1.1.1.1.1 64837
2.2.2.2 443
--54901d14-B--
GET /scripts/Action.php?ticket=0&act=switchTickets&sid=0.5598969757684985
HTTP/1.1
Host: secure.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES;
rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.domain.com/my_account.php

--54901d14-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1540
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html




--54901d14-H--
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "279"] [id "phpids-2"] [msg "Detects JavaScript
location/document property access and window access obfuscation"]
[data "Matched Location: REQUEST_URI_RAW and Matched Payload:
/scripts/dashaction.php?ticket=0&act=switchtickets&sid=0.5598969757684985"]
[severity "CRITICAL"]
Message: Pattern match
"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
MATCHED_VAR_NAME. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "391"] [id "phpids-23"] [msg "Detects JavaScript
location/document property access and window access obfuscation"]
[data "Matched Location: REQUEST_URI_RAW and Matched Payload:
/scripts/dashaction.php?ticket=0&act=switchtickets&sid=0.5598969757684985"]
[severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_60_correlation.conf"]
[line "46"] [msg "Transactional Anomaly Score (score 10): Detects
JavaScript location/document property access and window access
obfuscation"]
Apache-Error: [file
"/usr/ports/obj/php5-core-5.2.11/php-5.2.11/sapi/apache2handler/sapi_apache2.c"]
[line 291] [level 3] PHP Notice:  Use of undefined constant NONE -
assumed 'NONE' in /domain.com/secure/includes/dashboard.php on line 3,
referer: https://secure.domain.com/myccount.php
Apache-Handler: application/x-httpd-php
Stopwatch: 1262721716289823 325701 (753 17216 324539)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/).
Server: Apache

--54901d14-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
"phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD
requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
"phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing
Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "ARGS_NAMES" "@rx .*"
"phase:2,chain,t:none,nolog,auditlog,pass,capture,id:hpp-1,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible
HTTP Parameter Pollution Attack: Multiple Parameters with the same
Name.'"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pmFromFile modsecurity_40_generic_attacks.data"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
JavaScript location/document property access and window access
obfuscation',id:phpids-23,tag:WEB_ATTACK/XSS,tag:WEB_ATTACK/CSRF,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_BODY|REQUEST_URI_RAW" "@rx
(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)"
"phase:2,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'Detects
JavaScript location/document property access and window access
obfuscation',id:phpids-23,tag:WEB_ATTACK/XSS,tag:WEB_ATTACK/CSRF,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
SecRule "&TX:/SQL_INJECTION/" "@eq 0"
"phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pm jscript onsubmit copyparentfolder javascript meta onchange onmove
onkeydown onkeyup activexobject onerror onmouseup ecmascript
bexpression onmouseover vbscript: <![cdata[ http: .innerhtml
settimeout shell: onabort asfunction: onkeypress onmousedown onclick
.fromcharcode background-image: .cookie x-javascript ondragdrop onblur
mocha: javascript: onfocus lowsrc getparentfolder onresize @import
alert script onselect onmouseout application onmousemove background
.execscript livescript: vbscript getspecialfolder .addimport iframe
onunload createtextrange <input onload"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pm jscript onsubmit copyparentfolder javascript meta onchange onmove
onkeydown onkeyup activexobject onerror onmouseup ecmascript
bexpression onmouseover vbscript: <![cdata[ http: .innerhtml
settimeout shell: onabort asfunction: onkeypress onmousedown onclick
.fromcharcode background-image: .cookie x-javascript ondragdrop onblur
mocha: javascript: onfocus lowsrc getparentfolder onresize @import
alert script onselect onmouseout application onmousemove background
.execscript livescript: vbscript getspecialfolder .addimport iframe
onunload createtextrange <input onload"
"phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME" "!@pmFromFile
modsecurity_46_et_sql_injection.data"
"phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2003156,rev:3,msg:'ET
WEB Crewbox Proxy
Scan',tag:attempted-recon,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy"
SecRule "QUERY_STRING|REQUEST_BODY" "@contains ="
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2001090,rev:7,msg:'ET
WEB-MISC cross site scripting stealth attempt to execute Javascript
code',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS"
SecRule "QUERY_STRING|REQUEST_BODY" "@contains ="
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2001091,rev:7,msg:'ET
WEB-MISC cross site scripting stealth attempt to execute VBScript
code',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2002997,rev:4,msg:'ET
WEB PHP Remote File Inclusion (monster list
http)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2003098,rev:4,msg:'ET
WEB PHP Remote File Inclusion (monster list
ftp)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2003935,rev:3,msg:'ET
WEB PHP Remote File Inclusion (monster list
php)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2009152,rev:4,msg:'ET
WEB PHP Generic Remote File Include Attempt
(HTTPS)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2009153,rev:4,msg:'ET
WEB PHP Generic Remote File Include Attempt
(FTP)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic"
SecRule "REQUEST_URI_RAW" "@rx (?i:\\.php)"
"phase:2,chain,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:%{TX.0},id:sid2009155,rev:5,msg:'ET
WEB PHP Generic Remote File Include Attempt
(FTPS)',tag:web-application-attack,tag:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data"
"phase:4,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,nolog,allow"
SecRule "TX:/^PHPIDS-2/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-2,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:/^PHPIDS-23/" "@rx ."
"phase:5,chain,t:none,pass,nolog,auditlog,id:phpids-23,severity:2,setvar:tx.phpids_matched_payload=%{matched_var},msg:%{tx.3},logdata:'Matched
Location: %{tx.4} and Matched Payload: %{tx.phpids_matched_payload}'"
SecRule "MATCHED_VAR_NAME" "@rx
^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$"
"capture"
SecRule "TX:ANOMALY_SCORE" "@ge 5"
"phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score
(score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--54901d14-Z--



Actually, I just found out that the mod_debug_log shows ALL of the
false positives, similar to this:

[04/Jan/2010:13:57:20 --0600]
[www.domain.com/sid#7f1dc200][rid#86a94050][/scripts/cartAction.php][2]
Warning. Operator GE matched 5 at TX:anomaly_score. [file
"/etc/apache2/crs-2.0.4/base_rules/modsecurity_crs_60_correlation.conf"]
[line "46"] [msg "Transactional Anomaly Score (score 10): Detects
JavaScript location/document property access and window access
obfuscation"]


Feedback is much appreciated.

Regards,
David
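
As an added example (not part of David's post or of the CRS itself), the Python script below re-runs the phpids-23 expression printed in the K sections above over the two logged payloads, after approximating the rule's transformation chain, and reports which alternative of the regex fired and which form parameter contains the matched text. The transformation helpers are simplified stand-ins for ModSecurity's own, and the branch names are labels chosen here, not CRS identifiers.

```python
"""Triage the phpids-23 hits from the two audit-log entries above.

Added example, not part of the original post or of the CRS. Assumptions:
the transformation helpers are simplified stand-ins for ModSecurity's
t:urlDecodeUni / t:htmlEntityDecode / t:replaceComments /
t:compressWhiteSpace / t:lowercase, and the branch names are labels
chosen here.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# The phpids-23 expression as printed in the K section, with ModSecurity's
# doubled backslashes collapsed and each alternative wrapped in a named
# group so that Match.lastgroup reports which one fired.
PHPIDS_23 = re.compile(
    r"(?P<dot_prop_assign>\.\s*\w+\W*=)"
    r"|(?P<location_document>\W\s*(?:location|document)\s*\W[^({\[;]+[({\[;])"
    r"|(?P<ternary_call>\(\w+\?[:\w]+\))"
    r"|(?P<assign_num_sep_word>\w{2,}\s*=\s*\d+[^&\w]\w+)"
    r"|(?P<bracket_call>\]\s*\(\s*\w+)"
)

_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "nbsp": " "}


def _html_entity_decode(s: str) -> str:
    """Minimal stand-in for t:htmlEntityDecode: numeric references plus a
    handful of named ones; anything unknown is left untouched."""
    def repl(m):
        ent = m.group(1)
        if ent[0] == "#":
            try:
                return chr(int(ent[2:], 16) if ent[1] in "xX" else int(ent[1:]))
            except (ValueError, OverflowError):
                return m.group(0)
        return _ENTITIES.get(ent.lower(), m.group(0))
    return re.sub(r"&(#[xX][0-9a-fA-F]{1,6}|#[0-9]{1,7}|[a-zA-Z]+);", repl, s)


def crs_transform(raw: str) -> str:
    """Approximate phpids-23's transformation chain, applied in rule order."""
    s = unquote_plus(raw)                          # t:urlDecodeUni (no %uXXXX)
    s = _html_entity_decode(s)                     # t:htmlEntityDecode
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # t:replaceComments
    s = re.sub(r"\s+", " ", s)                     # t:compressWhiteSpace
    return s.lower()                               # t:lowercase


def _param_at(target: str, text: str, pos: int) -> Optional[str]:
    """Name of the key=value pair (query string or form body) whose span
    covers offset pos; None when the hit lies outside any parameter."""
    if target == "REQUEST_URI_RAW":
        q = text.find("?")
        if q < 0 or pos <= q:
            return None
        start = q + 1
    else:
        start = 0
    offset = start
    for pair in text[start:].split("&"):
        end = offset + len(pair)
        if offset <= pos < end:
            return pair.split("=", 1)[0]
        offset = end + 1  # skip the '&'
    return None


def triage(target: str, raw: str) -> List[Dict[str, Optional[str]]]:
    """Run phpids-23 over one target the way the rule does (whole string,
    multiMatch) and return one record per hit."""
    text = crs_transform(raw)
    return [
        {
            "target": target,
            "branch": m.lastgroup,
            "matched": m.group(0),
            "parameter": _param_at(target, text, m.start()),
        }
        for m in PHPIDS_23.finditer(text)
    ]


# The two payloads from the audit logs above: the POST body from part C of
# the first entry, and the "Matched Payload" URI from the second entry.
POST_BODY = (
    "name=testuser%40test.com&password=12345"
    "&referer=https%3A%2F%2Fsecure.domain.com%2Fmy_account.php"
    "&submit.x=71&submit.y=8&submit=Submit"
)
GET_URI = "/scripts/dashaction.php?ticket=0&act=switchtickets&sid=0.5598969757684985"


if __name__ == "__main__":
    for target, raw in (("REQUEST_BODY", POST_BODY), ("REQUEST_URI_RAW", GET_URI)):
        for hit in triage(target, raw):
            print(f"{hit['target']}: branch {hit['branch']} matched "
                  f"{hit['matched']!r} inside parameter {hit['parameter']}")
```

Because these phpids rules inspect REQUEST_BODY and REQUEST_URI_RAW as whole strings (see the K sections), the parameter name identifies the application feature producing the text (the image-button x/y coordinates, the decimal sid), not a target that can be excluded per argument.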

