[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Ryan Barnett ryan.barnett at breach.com
Wed Jan 13 10:54:22 EST 2010


On Wednesday 13 January 2010 07:10:55 am Arthur Dent wrote:
> On Mon, 2010-01-11 at 22:22 +0000, Arthur Dent wrote:
> > On Wed, 2010-01-06 at 09:57 +0000, Arthur Dent wrote:
> > > Hello all,
> > >
> > > Following a previous thread in which I described some denials related
> > > to my squirrelmail web mail implementation (which were partially solved
> > > by an upgrade to CRS 2.0.4) I still have some outstanding issues...
> > >
> > > Firstly, accessing squirrelmail is fine, but trying to read an
> > > individual email causes the following:
> > >
> > > --501b5102-H--
> > > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
> > > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
> > > Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
> > > Apache-Handler: php5-script
> > > Stopwatch: 1261498951073512 929285 (5949 35341 892372)
> > > Response-Body-Transformed: Dechunked
> > > Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> > > Server: Apache/2.2.13 (Fedora)
> > >
> > > Secondly, attempting to add a new identity to my user within SM is
> > > outright blocked and gives the following:
> > >
> > > --f71bbe54-H--
> > > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> > > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> > > Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
> > > Action: Intercepted (phase 2)
> > > Apache-Handler: php5-script
> > > Stopwatch: 1262715119800440 148552 (17244* 143302 -)
> > > Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> > > Server: Apache/2.2.13 (Fedora)
> > >
> > > I notice that they are similar, but not identical.
> > >
> > > What steps should I take to get this application working properly?
> > >
> > > Thanks in advance for any help / guidance...
> > >
> > > Mark
> >
> > I am still no nearer solving this. Any ideas? (gentle bump!)
> >
> > Mark
> 
> Am I asking this question in the wrong way, or have I not provided
> sufficient information?
> 
> Hoping for some guidance...
> 

Hey Mark,
Sorry for the delay.

There is always a delicate balance between false negatives and false positives with 
developing these rules :(    If you look in the CHANGES file for the 2.0.2/2.0.3 updates, 
we were addressing false negative/bypass issues that were reported to us.  We chose to 
become a bit more aggressive in our detection.  While our updates helped to address those 
issues, they result in a higher false positive rate.  The main issue here is when we are 
applying these negative security regexes to an unparsed variable such as REQUEST_URI_RAW or 
REQUEST_BODY.  This data is essentially a blob of text and includes the = character for 
separating the parameter name from the parameter payload.  This results in a higher number 
of matches.  We are going to keep on tweaking these rules, however, as I am sure we can do 
better.

Now, for your specific issue, what you want to do is to add some exceptions to the 48 local 
exceptions file.  Take a look at some of the examples in the file.  What you want to do is 
to create rules that will inspect the saved TX variable data from these PHPIDS rules that 
triggered.  If these exact matches occur, then you want to remove them and adjust the 
anomaly score.  Looks like there are 4 different phpids rule matches -
phpids-18
phpids-1
phpids-30
phpids-3

I tested your payloads with my current (newer) phpids filter file and only the phpids-18 and 
phpids-30 rules matched.  I believe that the other two matches will be fixed with the 
updated phpids filter in CRS 2.0.5.

Here are some examples (untested) based on the error_log snippets you showed above for 
phpids-18 and phpids-30 matches -

SecRule TX:'/PHPIDS-18-(.*)REQUEST_URI_RAW/' "@contains &sort=" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"

SecRule "TX:PHPIDS-30-WEB_ATTACK/INJECTION-2-Detects common XSS concatenation patterns 1/2-ARGS_NAMES:smaction[save][1]" "@contains ][" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"


Let me know if these help.
Ryan
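The exception-writing procedure Ryan describes above (read the PHPIDS hits out of the audit log, then write a chained rule per hit that unsets the saved TX marker and backs its points out of tx.anomaly_score), as an added example. This is my code, not CRS or ModSecurity code. It assumes the audit-log "H" entries have the shape quoted in the thread with one "Message:" per line, that each PHPIDS hit is backed out with -4 as in Ryan's drafts, and it uses the TX:'/regex/' selector form from his first rule together with @streq on the exact matched payload (stricter than his @contains). The sample H sections are reconstructed from the two excerpts quoted above; the helper names (parse_hits, draft_exception, plan_exceptions) are my own.

```python
"""Draft CRS 2.0.x local exceptions from ModSecurity audit-log "H" sections.

Added example for this thread (not CRS or ModSecurity code).  Assumptions:
  * every "Message:" entry sits on its own line, in the shape quoted above;
  * each PHPIDS hit is backed out with anomaly_score=-4, as in Ryan's drafts;
  * the first rule of each pair uses the TX:'/regex/' selector and @streq on
    the exact matched payload (stricter than Ryan's @contains).
"""
import re

# Marker-name pattern the CRS 2.0.x PHPIDS rules match on (copied from the log).
TX_NAME_RE = re.compile(
    r"^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$", re.IGNORECASE)

# One "Message: Pattern match ..." audit-log entry carrying id, msg, data and severity.
MESSAGE_RE = re.compile(
    r'Message: Pattern match .*\[id "(?P<id>[^"]+)"\] \[msg "(?P<msg>[^"]+)"\] '
    r'\[data "Matched Location: (?P<location>.+?) and Matched Payload: '
    r'(?P<payload>.*?)"\] \[severity "(?P<severity>[^"]+)"\]')

# Constructed sample: the two H sections quoted in the thread, one entry per line.
SAMPLE_H = r'''--501b5102-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
--f71bbe54-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"] Action: Intercepted (phase 2)
'''


def parse_tx_name(name):
    """Split a PHPIDS marker such as
    TX:PHPIDS-30-WEB_ATTACK/INJECTION-2-<msg>-<location> into its parts.
    The single digit is the ModSecurity severity number (CRITICAL is 2)."""
    m = TX_NAME_RE.match(name)
    if not m:
        return None
    rule, severity, msg, location = m.groups()
    return {"rule": int(rule), "severity": int(severity),
            "msg": msg, "location": location}


def parse_hits(h_section):
    """Return one dict per distinct (rule id, matched location, payload) found in
    an H section.  The 'Transactional Anomaly Score' warning has no [id] and is
    skipped, so only the PHPIDS rules that actually scored are returned."""
    hits, seen = [], set()
    for line in h_section.splitlines():
        m = MESSAGE_RE.search(line)
        if not m:
            continue
        key = (m["id"], m["location"], m["payload"])
        if key not in seen:
            seen.add(key)
            hits.append(m.groupdict())
    return hits


def quote_arg(value):
    """Escape a value for use inside a double-quoted SecRule argument."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def draft_exception(hit, decrement=4):
    """Build the chained exception pair for one hit, in the shape of Ryan's
    drafts: select the PHPIDS marker by regex, require the exact payload, then
    unset the marker and back its contribution out of tx.anomaly_score."""
    selector = "TX:'/%s-(.*)%s$/'" % (hit["id"], re.escape(hit["location"]))
    first = ('SecRule %s "@streq %s" "chain,phase:2,t:none,nolog,pass"'
             % (selector, quote_arg(hit["payload"])))
    second = ('    SecRule MATCHED_VAR_NAME "TX\\:(.*)" '
              '"capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-'
              + str(decrement) + '"')
    return first + "\n" + second


def plan_exceptions(h_section, decrement=4):
    """Parse an H section and return (hits, rules, total points backed out)."""
    hits = parse_hits(h_section)
    return hits, [draft_exception(h, decrement) for h in hits], decrement * len(hits)


if __name__ == "__main__":
    hits, rules, total = plan_exceptions(SAMPLE_H)
    for h, r in zip(hits, rules):
        print("# %s on %s (%s)\n%s\n" % (h["id"], h["location"], h["severity"], r))
    print("# backs out %d points across %d rules" % (total, len(hits)))
```

Drop the generated pairs into the 48 local exceptions file and run the requests again with the audit log on: the first rule of each pair only fires when the saved TX value equals the payload seen in the log, so a different payload on the same location still scores. If a hit is reported on several ARGS_NAMES (the score of 36 above suggests more than two contributions), rerun the parser on the full H section and draft one pair per distinct location.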

