[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Ryan Barnett ryan.barnett at breach.com
Wed Jan 13 14:06:35 EST 2010


On Wednesday 13 January 2010 01:44:27 pm Arthur Dent wrote:
> On Wed, 2010-01-13 at 13:31 -0500, Ryan Barnett wrote:
> > On Wednesday 13 January 2010 01:17:35 pm Arthur Dent wrote:
> >
> > Try this one instead -
> >
> > SecRule TX:'/PHPIDS-30-(.*)-ARGS_NAMES:smaction[save][1]/' "@contains ]["
> > "chain,phase:2,t:none,nolog,pass"
> >        SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.
> > %{tx.1},setvar:tx.anomaly_score=-4"
> 
> Thanks Ryan,
> 
> Httpd restarted without choking on that line, but unfortunately it still
> denies the action:
> 
> --2a0ca71f-H--
> Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1263407908264221 197197 (11462* 136221 -)
> Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> Server: Apache/2.2.13 (Fedora)
> 
> The line-wrap in the above rule should have one space after the
> "@contains ][" and before the "chain... right?
> 

Try this -

SecRule TX:'/^PHPIDS-30-(.*)-ARGS_NAMES:smaction/' "@contains ][" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"

> Thanks again...
> 
> Mark
> 
> 
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
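As an added example that is not part of this thread or of the CRS project: a small Python parser for the H (trailer) section of a ModSecurity 2.x serial audit-log entry. It pulls out every rule id, the matched location from each [data ...] tag and the transactional anomaly score, so that before writing an exception you can see each rule that contributed to the denial rather than only the first one in the message. The input below is constructed from the H section quoted above, with the e-mail line-wraps removed so each "Message:" sits on its own line as it does in the real log.

```python
"""Summarise the H section of a ModSecurity 2.x audit-log entry.

Added example, not code from the CRS project or from the thread.
SAMPLE_H_SECTION is constructed from the H section quoted in the
thread, with the e-mail line-wraps removed.
"""
import re
from typing import Dict, List, Optional

SAMPLE_H_SECTION = r"""--2a0ca71f-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.13 (Fedora)
"""

# [key "value"] tags appended to every Message: line by ModSecurity 2.x
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Score reported by the CRS 2.0.x correlation rule in its msg tag
SCORE_RE = re.compile(r"Anomaly Score \(score (\d+)\)")
# Location part of the CRS 2.0.x phpids-filter data tag
LOCATION_RE = re.compile(r"Matched Location: (.+?)(?: and Matched Payload: |$)")


def parse_messages(h_section: str) -> List[Dict[str, str]]:
    """One dict per 'Message:' line: the operator summary plus every tag."""
    messages = []
    for line in h_section.splitlines():
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        # Everything before the first tag is the operator result text
        entry = {"summary": body.split(" [", 1)[0].strip()}
        entry.update(TAG_RE.findall(body))
        messages.append(entry)
    return messages


def rule_ids(messages: List[Dict[str, str]]) -> List[str]:
    """Ids of every rule that produced a message, in log order."""
    return [m["id"] for m in messages if "id" in m]


def matched_locations(messages: List[Dict[str, str]]) -> List[str]:
    """Distinct 'Matched Location' values, i.e. the variables to exempt."""
    locations: List[str] = []
    for m in messages:
        hit = LOCATION_RE.search(m.get("data", ""))
        if hit and hit.group(1) not in locations:
            locations.append(hit.group(1))
    return locations


def anomaly_score(messages: List[Dict[str, str]]) -> Optional[int]:
    """Transactional anomaly score from the correlation rule, if present."""
    for m in messages:
        hit = SCORE_RE.search(m.get("msg", ""))
        if hit:
            return int(hit.group(1))
    return None


def was_intercepted(h_section: str) -> bool:
    """True when the trailer records the request as blocked."""
    return any(line.startswith("Action: Intercepted")
               for line in h_section.splitlines())


def summarise(h_section: str) -> Dict[str, object]:
    """Everything you need to decide which rules an exception must cover."""
    msgs = parse_messages(h_section)
    return {
        "rule_ids": rule_ids(msgs),
        "locations": matched_locations(msgs),
        "anomaly_score": anomaly_score(msgs),
        "intercepted": was_intercepted(h_section),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_H_SECTION).items():
        print(f"{key}: {value}")
```

Run it against a real entry by replacing SAMPLE_H_SECTION with the text between the `--xxxxxxxx-H--` and `--xxxxxxxx-Z--` markers of the audit log. An exception only removes the denial once every id in `rule_ids` that contributes to the score has been handled, so check the list rather than the first message alone.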


More information about the Owasp-modsecurity-core-rule-set mailing list