[Owasp-modsecurity-core-rule-set] Error in optional_rules/modsecurity_crs_43_csrf_protection.conf

Jeronimo Zucco jczucco at gmail.com
Tue Nov 30 14:36:25 EST 2010


2010/11/30 Ryan Barnett <RBarnett at trustwave.com>:
> On 11/30/10 2:05 PM, "Jeronimo Zucco" <jczucco at gmail.com> wrote:
>
>> I am upgrading my servers to the ModSecurity 2.5.13 and core
>> ruleset/2.0.10 and got this error in my config:
>>
>>  ModSecurity: Could not set variable "session.sessionid" as the
>> collection does not exist.
>>
>
> This error is generated when a rule is using setvar:session.... However the
> SESSION collection has not yet been initialized with the setsid action.
>
>
>>
>> In the default optional_rules/modsecurity_crs_43_csrf_protection.conf has:
>>
>
> Is this happening all the time or only when you initially started ModSec
> with the new CRS 43 csrf rules?

All the time: on each access I do in the browser I get this error in the
apache error_log, whether the requested file exists in apache or not.


>
>> SecMarker BEGIN_SESSION_STARTUP
>>
>> SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "chain,phase:1,t:none,pass,nolog,auditlog,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP"
>>        SecRule SESSION:VALID "!@eq 1" "t:none"
>>
>> SecAction "phase:1,t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"
>>
>> SecMarker END_SESSION_STARTUP
>>
>>
>
> This initial section is checking to see if the client is submitting a
> SESSIONID cookie value.  If they are, then it is using setsid to initialize
> the collection with the session id being submitted by the client as the key.
> The 2nd part of the chained rule is then looking to see if the SESSION
> collection has a variable set called VALID, which is previously set by
> ModSecurity (in the rules below) when the application is initially handing
> out the SESSIONID in a Set-Cookie response header.  If the VALID variable is
> not present, then the client has submitted a bogus SESSIONID value.
>
> If the SESSIONID submitted is VALID, then it proceeds as normal.
>
>>
>> SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)=([^\s]+)\;\s?)" "chain,phase:3,t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:session.valid=1"
>>        SecRule SESSION:SESSIONID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
>>
>>
>
> This ruleset is inspecting the response headers looking for Set-Cookie
> headers that are sending common SessionID names.  If this is found, then a
> SESSION collection is initialized with the SessionID as the key and a
> variable called VALID is created.  We know this SESSIONID is valid since the
> application is handing it out.
>
> Do you have an audit_log example of this transaction?  You can then look to
> see if the transaction has a SessionID in it or not.


Logs below:

modsec_debug.log:

[30/Nov/2010:10:52:06 --0200]
[vares04.ucs.br/sid#194bc180][rid#1c436ff8][/][3] Could not set
variable "session.sessionid" as the collection does not exist.


modsec_audit.log:

--6cf66e6f-A--
[30/Nov/2010:17:30:53 --0200] TPVQ7X8AAAEAAC9zNQkAAABD X.X.X.X 7801 Y.Y.Y.Y 5003
--6cf66e6f-B--
GET / HTTP/1.0
Host: server.domain.com:5003
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.2.12)
Gecko/20101027 Fedora/3.6.12-1.fc14 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: identity
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cache-Control: max-age=259200

--6cf66e6f-F--
HTTP/1.1 200 OK
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "31ff0b-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

--6cf66e6f-H--
Message: Could not set variable "session.sessionid" as the collection
does not exist.
Stopwatch: 1291145453154984 3024 (1017 2402 -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/);
core ruleset/2.0.10.
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
WebApp-Info: "default" "-" ""

--6cf66e6f-Z--


-- 
Jeronimo Zucco - CISSP
http://jczucco.blogspot.com
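To make the failure mode discussed in this thread concrete, the following is an added illustration; it is not part of the original e-mails and not CRS code. It reconstructs the session-startup block of modsecurity_crs_43_csrf_protection.conf without the e-mail line wrapping, annotates which path a request that carries no session cookie takes (the plain "GET /" in the audit log above has no Cookie header at all), and shows one way to guard the SecAction so that setvar:session.* is only attempted after the SESSION collection has been initialised with setsid. The guard on TX:SESSIONID is an assumed fix of mine, not something proposed in the thread; the semantics relied on are the documented ModSecurity 2.x chain behaviour (non-disruptive actions run when their own rule matches, skipAfter only when the whole chain matches).

```apache
# Added illustration, not CRS code: the session-startup block unwrapped,
# with the path taken by a request WITHOUT a session cookie annotated.

SecMarker BEGIN_SESSION_STARTUP

# Chain starter: matches only when the client sent a cookie whose name
# looks like a session id.  Its non-disruptive actions (setsid, setvar)
# run as soon as this rule matches, so the SESSION collection is keyed
# by the submitted id.  skipAfter is chain-level: it fires only when the
# whole chain matches, i.e. cookie present AND session.valid is not 1
# (an id that ModSecurity never saw the application hand out).
SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" \
  "chain,phase:1,t:none,pass,nolog,auditlog,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP"
  SecRule SESSION:VALID "!@eq 1" "t:none"

# Original SecAction (kept here commented out): it is unconditional.
# On a request with no session cookie the chain starter never matches,
# nothing is skipped, and this runs with no SESSION collection in place,
# which is exactly what produces "Could not set variable
# session.sessionid as the collection does not exist" on every request.
# SecAction "phase:1,t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"

# Guarded variant (assumed fix, not from the thread): touch the SESSION
# collection only when the chain starter populated tx.sessionid, which is
# also the only case in which setsid has run.  A SecRule whose TX target
# was never set does not match, so its actions are simply not executed.
SecRule TX:SESSIONID "@rx ^.+$" \
  "phase:1,t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"

SecMarker END_SESSION_STARTUP
```

With the guard in place a cookieless request goes through phase 1 without any SESSION access, a request with a known-valid id still reaches setuid/setvar after setsid has initialised the collection, and a request with an unknown id still skips to END_SESSION_STARTUP as before; the phase-3 Set-Cookie rule that marks freshly issued ids as valid is unchanged.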

