List: mod-security-users
Subject: Re: [mod-security-users] Possible bug in rule set
From: Ryan Barnett <RBarnett () trustwave ! com>
Date: 2010-11-09 21:03:58
Message-ID: 384AD006-BB26-4FC3-B210-7A282E4662F0 () trustwave ! com
Jay,
A few items -
1) Please use the OWASP CRS mailing list for rule issues:
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
2) You are using an older CRS version (2.0.5). The current version is 2.0.8 and the issues you mention have been fixed -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
-Ryan
On Nov 9, 2010, at 5:53 AM, "jaylam@jetco.com.hk" <jaylam@jetco.com.hk> wrote:
>
> Hi all,
>
> I found some problems in the ModSecurity 2.5.12 rule set and I wonder if they
> are bugs.
>
> First of all, the following is my config in modsecurity_crs_10_config.conf:
>
>
> SecAction "phase:1,t:none,nolog,pass, \
>   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
>   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', \
>   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
>   setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', \
>   setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
>
>
> Firstly, I used the default value of tx.allowed_request_content_type, but I
> got a lot of errors in the audit log:
>
> Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
>
> Obviously I allow request_content_type=application/x-www-form-urlencoded
> (see my config above), but it keeps giving me this error, so is it a
> bug?
>
>
>
> Secondly, my web pages are always mapped as
> "https://<myWebSite>/<myAction>.do"
> But I found the extension ".do" is always blocked, since
> tx.restricted_extensions includes ".dos" (see my config above).
> Finally I removed the ".dos" entry from tx.restricted_extensions, and then
> the problem was solved, so I think it blocks ".do" incorrectly because it
> looks like ".dos".
>
>
> Last but not least, I get thousands of this message in the audit log every day:
>
> Message: Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.0.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
>
> But i found the request does contain the Accept header:
>
> --0393171d-B--
> POST /Pay/processTxn HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-powerpoint,
> application/vnd.ms-excel, application/msword, application/x-ms-application,
> application/x-ms-xbap, application/vnd.ms-xpsdocument,
> application/xaml+xml, */*
> Referer: https://192.168.55.222/Pay/enterNum.jsp
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.6;
> .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR
> 1.1.4322)
> Host: 192.168.55.222
> Content-Length: 124
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: ASESSIONID=XXXXXXXXXXXXXXXXXXXXXXXX
>
> So is it a bug?
>
> Thank you very much!
>
> Jay
>
>
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
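Added worked example (not code from the thread, and not the CRS project's own rules): a plain-Python stand-in for ModSecurity's `@within` operator, which both rule 960035 (restricted extensions) and rule 960010 (allowed content types) use to test a captured value against a space-separated list in a `tx.*` variable. `@within` is a substring test, so ".do" is found inside ".dos" exactly as Jay observed, and, by the same logic, a bare Content-Type of "xml" is found inside "text/xml". The rule captures (`\.(.*)$` on REQUEST_BASENAME with `t:lowercase`, `^([^;\s]+)` on Content-Type) are taken from the log lines above; the delimited-list fix (a trailing `/` on every extension entry, `|` around every content type) follows what later CRS releases did, but the exact delimiters and variable layout here are assumptions for illustration.

```python
import re

# --- Operator semantics -----------------------------------------------------

def within(needle: str, haystack: str) -> bool:
    """Stand-in for ModSecurity's @within: true if the input (needle) occurs
    anywhere in the parameter (haystack). It is a substring test, not a
    list-membership test, which is the root of the .do / .dos clash."""
    return needle in haystack

# --- Lists as Jay configured them (CRS 2.0.5 layout, no delimiters) ----------

RESTRICTED_EXTENSIONS_205 = (
    ".asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config "
    ".conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc "
    ".ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources "
    ".resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx"
)
ALLOWED_CONTENT_TYPES_205 = (
    "application/x-www-form-urlencoded multipart/form-data text/xml application/xml"
)

# Delimited forms (assumed, modelled on later CRS releases): every entry carries
# a terminator so a shorter token can no longer match inside a longer entry.
RESTRICTED_EXTENSIONS_DELIM = " ".join(e + "/" for e in RESTRICTED_EXTENSIONS_205.split())
ALLOWED_CONTENT_TYPES_DELIM = " ".join("|" + c + "|" for c in ALLOWED_CONTENT_TYPES_205.split())

# --- Rule 960035: URL file extension is restricted by policy -----------------

def request_extension(basename: str) -> str:
    """Mirror the rule's capture: REQUEST_BASENAME "\\.(.*)$" with t:lowercase,
    then setvar:tx.extension=.%{tx.1}. Greedy from the first dot, so
    'a.tar.gz' yields '.tar.gz'."""
    m = re.search(r"\.(.*)$", basename.lower())
    return "." + m.group(1) if m else ""

def extension_blocked_205(basename: str) -> bool:
    """Undelimited list: '.do' is a substring of '.dos', so it is blocked."""
    ext = request_extension(basename)
    return bool(ext) and within(ext, RESTRICTED_EXTENSIONS_205)

def extension_blocked_delim(basename: str) -> bool:
    """Delimited list: '.do/' is not a substring of '.dos/', so it passes."""
    ext = request_extension(basename)
    return bool(ext) and within(ext + "/", RESTRICTED_EXTENSIONS_DELIM)

# --- Rule 960010: request content type is not allowed by policy --------------

def media_type(content_type_header: str) -> str:
    """Mirror the rule's capture ^([^;\\s]+) on REQUEST_HEADERS:Content-Type:
    the media type before any ';charset=' or ';boundary=' parameter."""
    m = re.match(r"^([^;\s]+)", content_type_header)
    return m.group(1) if m else ""

def content_type_allowed_205(header: str) -> bool:
    """Undelimited list: a partial type such as 'xml' slips through because it
    is a substring of 'text/xml'."""
    mt = media_type(header)
    return bool(mt) and within(mt, ALLOWED_CONTENT_TYPES_205)

def content_type_allowed_delim(header: str) -> bool:
    """Delimited list: only a whole entry between '|' markers can match."""
    mt = media_type(header)
    return bool(mt) and within("|" + mt + "|", ALLOWED_CONTENT_TYPES_DELIM)

if __name__ == "__main__":
    # Constructed sample requests, including the '.do' action from the thread.
    for name in ("processTxn.do", "autoexec.dos", "index.jsp"):
        print(f"{name:14} substring-list blocked={extension_blocked_205(name)!s:5} "
              f"delimited-list blocked={extension_blocked_delim(name)}")
    for ct in ("application/x-www-form-urlencoded; charset=UTF-8", "xml", "text/plain"):
        print(f"{ct:50} substring allow={content_type_allowed_205(ct)!s:5} "
              f"delimited allow={content_type_allowed_delim(ct)}")
```

The point for anyone tuning these lists: removing ".dos" (as Jay did) cures the symptom but leaves every other entry open to the same prefix collision, and it leaves the allow-list accepting any substring of an allowed type. Adding a delimiter to both the list entries and the value being tested turns `@within` into an exact-token check without changing the operator.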