[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Ryan Barnett ryan.barnett at breach.com
Wed Jan 13 15:31:34 EST 2010


On Wednesday 13 January 2010 02:31:05 pm Arthur Dent wrote:
> On Wed, 2010-01-13 at 14:20 -0500, Ryan Barnett wrote:
> > On Wednesday 13 January 2010 02:18:26 pm Arthur Dent wrote:
> > > On Wed, 2010-01-13 at 14:06 -0500, Ryan Barnett wrote:
> > > > On Wednesday 13 January 2010 01:44:27 pm Arthur Dent wrote:
> > > > > On Wed, 2010-01-13 at 13:31 -0500, Ryan Barnett wrote:
> > > > > > On Wednesday 13 January 2010 01:17:35 pm Arthur Dent wrote:
> > > >
> > > > Try this -
> > > >
> > > > SecRule TX:'/^PHPIDS-30-(.*)-ARGS_NAMES:smaction/' "@contains ][" \
> > > >     "chain,phase:2,t:none,nolog,pass"
> > > >     SecRule MATCHED_VAR_NAME "TX\:(.*)" \
> > > >     "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
> > >
> > > Sorry Ryan...
> > >
> > >
> > > --e104d910-H--
> > > Message: Pattern match
> > >  "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
> > >  MATCHED_VAR_NAME. [file
> > > "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"]
> > > [line "300"] [id "phpids-30"] [msg "Detects common XSS
> > > concatenation patterns 1/2"] [data "Matched Location:
> > >  ARGS_NAMES:newidentities[1][signature] and Matched Payload:
> > >  newidentities[1][signature]"] [severity "CRITICAL"] Message: Pattern
> > > match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
> > > MATCHED_VAR_NAME. [file
> > > "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"]
> > > [line "412"] [id "phpids-3"] [msg "Detects common XSS
> > > concatenation patterns 1/2"] [data "Matched Location:
> > >  ARGS_NAMES:newidentities[1][signature] and Matched Payload:
> > >  newidentities[1][signature]"] [severity "CRITICAL"] Message: Warning.
> > >  Operator GE matched 5 at TX:anomaly_score. [file
> > > "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
> > > [line "46"] [msg "Transactional Anomaly Score (score 32): Detects
> > > common XSS concatenation patterns 1/2"] Action: Intercepted (phase 2)
> > > Apache-Handler: php5-script
> > > Stopwatch: 1263410126373598 161946 (11302* 146799 -)
> > > Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/);
> > > core ruleset/2.0.4. Server: Apache/2.2.13 (Fedora)
> > >
> > > I wish I knew how to do this myself but...
> > >
> > > Thanks for your help so far...
> >
> > Try this -
> >
> > SecRule TX:'/^PHPIDS-30-(.*)-ARGS_NAMES/' "@contains ][" \
> >     "chain,phase:2,t:none,nolog,pass"
> >     SecRule MATCHED_VAR_NAME "TX\:(.*)" \
> >     "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
> 
> Still no joy I'm afraid...
> 
> --a5791e36-H--
> Message: Pattern match
>  "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
>  MATCHED_VAR_NAME. [file
>  "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"]
>  [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation
>  patterns 1/2"] [data "Matched Location:
>  ARGS_NAMES:newidentities[1][signature] and Matched Payload:
>  newidentities[1][signature]"] [severity "CRITICAL"] Message: Pattern match
>  "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at
>  MATCHED_VAR_NAME. [file
>  "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"]
>  [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation
>  patterns 1/2"] [data "Matched Location:
>  ARGS_NAMES:newidentities[1][signature] and Matched Payload:
>  newidentities[1][signature]"] [severity "CRITICAL"] Message: Warning.
>  Operator GE matched 5 at TX:anomaly_score. [file
>  "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
>  [line "46"] [msg "Transactional Anomaly Score (score 32): Detects common
>  XSS concatenation patterns 1/2"] Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1263410955616417 131367 (5935* 126523 -)
> Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core
>  ruleset/2.0.4. Server: Apache/2.2.13 (Fedora)
> 
> Sorry to put you to all this trouble Ryan...
> 


This works on my install.  You would need to create a modsecurity debug log and send it to 
me.  If you don't have much live production traffic/lots of users, then just update the 
SecDebugLogLevel to 9 and then restart and send the same request.  Send me the debug log.

-Ryan
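As an added example (not part of the thread), a small Python parser for the section-H audit-log messages quoted above: it pulls out each rule's id, the matched ARGS_NAMES parameter and the anomaly score, so you can see which rule ids an exception for a parameter name containing "][" has to cover before writing it. The embedded sample is the thread's own log text with the mail wrapping undone.

```python
import re

# Section-H audit-log text from the thread above, with the mail client's line wrapping undone.
AUDIT_H = (
    'Message: Pattern match "^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$" at'
    ' MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"]'
    ' [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"]'
    ' [data "Matched Location: ARGS_NAMES:newidentities[1][signature] and Matched Payload:'
    ' newidentities[1][signature]"] [severity "CRITICAL"] '
    'Message: Pattern match "^TX:phpids-(\\d{1,2})-WEB_ATTACK/INJECTION-(\\d)-(.*?)-(.*)$" at'
    ' MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"]'
    ' [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"]'
    ' [data "Matched Location: ARGS_NAMES:newidentities[1][signature] and Matched Payload:'
    ' newidentities[1][signature]"] [severity "CRITICAL"] '
    'Message: Warning. Operator GE matched 5 at TX:anomaly_score.'
    ' [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"]'
    ' [msg "Transactional Anomaly Score (score 32): Detects common XSS concatenation patterns 1/2"]'
    ' Action: Intercepted (phase 2)'
)

TAG = re.compile(r'\[(\w+) "([^"]*)"\]')          # the [key "value"] fields of one message
LOCATION = re.compile(r'Matched Location: (\S+) and Matched Payload: (.*)$')
THRESHOLD = re.compile(r'Operator GE matched (\d+) at TX:anomaly_score')
SCORE = re.compile(r'\(score (\d+)\)')

def parse_messages(section_h):
    """One dict per 'Message:' entry: bracketed fields, leading free text, matched collection/param."""
    events = []
    for chunk in [c for c in re.split(r'(?=Message: )', section_h) if c.startswith('Message: ')]:
        chunk = chunk.split(' Action:')[0]            # the Action line is not a message
        ev = dict(TAG.findall(chunk))
        ev['text'] = chunk.split(' [', 1)[0]          # e.g. 'Message: Warning. Operator GE ...'
        loc = LOCATION.search(ev.get('data', ''))
        if loc:
            ev['collection'], ev['param'] = loc.group(1).split(':', 1)
        events.append(ev)
    return events

def exception_candidates(events):
    """(rule id, parameter) pairs that fired on a parameter *name* containing '][' (PHP array-style
    fields like newidentities[1][signature]); the condition the thread's rule tests with '@contains ]['."""
    return sorted({(ev['id'], ev['param']) for ev in events
                   if ev.get('collection') == 'ARGS_NAMES' and '][' in ev['param']})

def anomaly_outcome(events):
    """(threshold, score) from the CRS correlation message, or None if never reached."""
    for ev in events:
        thr, sc = THRESHOLD.search(ev['text']), SCORE.search(ev.get('msg', ''))
        if thr and sc:
            return int(thr.group(1)), int(sc.group(1))
```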


More information about the Owasp-modsecurity-core-rule-set mailing list