List: mod-security-users
Subject: Re: [mod-security-users] Cookie tripping modsec
From: Organic Spider <webmaster () organicspider ! co ! uk>
Date: 2011-08-30 18:57:14
Message-ID: 65bd4fa7-b17d-48f7-a70b-a2673f433358 () office ! splatnix ! net
Yes that was the problem. One to watch out for in the future I guess.
--
Thanks, OS
----- Original Message -----
From: "Ryan Barnett" <RBarnett@trustwave.com>
To: "Michael Haas" <michael.haas10@gmail.com>
Cc: "Organic Spider" <webmaster@organicspider.co.uk>, mod-security-users@lists.sourceforge.net
Sent: Tuesday, 30 August, 2011 7:31:44 PM
Subject: Re: [mod-security-users] Cookie tripping modsec
Yep, that looks like it is the problem. We will fix it in the CRS. In the meantime he needs to change the duplicate ID on the 2nd one.
Ryan
On Aug 30, 2011, at 2:16 PM, "Michael Haas" <michael.haas10@gmail.com> wrote:
> Hi,
>
> Do you use the rules from CRS 2.2.1? These rule IDs are used two
> times in base_rules/modsecurity_crs_41_sql_injection_attacks.conf.
> Maybe you should change one of them to another ID.
>
> Michael
>
> 2011/8/30 Organic Spider <webmaster@organicspider.co.uk>:
> > Based on another recent post I have tried changing the rules to be:
> >
> > SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:/tracker/
> > SecRuleUpdateTargetById 981245 !REQUEST_COOKIES:/tracker/
> >
> > and they are still being triggered :(
> > --
> > Thanks, OS
> >
> > ----- Original Message -----
> >
> > From: "Organic Spider" <webmaster@organicspider.co.uk>
> > To: mod-security-users@lists.sourceforge.net
> > Sent: Tuesday, 30 August, 2011 3:07:33 PM
> > Subject: Re: [mod-security-users] Cookie tripping modsec
> >
> > It would appear that this cookie is also tripping 981243 and 981245. I have attempted to apply the same logic by adding to the custom_15 rule set:
> > SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
> >     "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981243;!REQUEST_COOKIES:tracker"
> > SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
> >     "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981245;!REQUEST_COOKIES:tracker"
> >
> > though they still are being triggered. Attempting to simplify the rules even further by using:
> > SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:'/tracker/'
> > SecRuleUpdateTargetById 981245 !REQUEST_COOKIES:'/tracker/'
> >
> > has the same result in that they still hit. Am I not understanding how to override rules correctly?
> > --
> > Thank you, OS
> >
> > ----- Original Message -----
> >
> > From: "Organic Spider" <webmaster@organicspider.co.uk>
> > To: "kwenu" <uzoka_a@yahoo.co.uk>
> > Cc: "Ryan Barnett" <RBarnett@trustwave.com>, \
> > mod-security-users@lists.sourceforge.net
> > Sent: Friday, 26 August, 2011 4:38:23 PM
> > Subject: Re: [mod-security-users] Cookie tripping modsec
> >
> > Brilliant! That worked perfectly and makes sense; plus I was not using REQUEST_HEADERS correctly.
> > --
> > Thank you, OS
> > ----- Original Message -----
> >
> > From: "kwenu" <uzoka_a@yahoo.co.uk>
> > To: "Organic Spider" <webmaster@organicspider.co.uk>
> > Cc: "Ryan Barnett" <RBarnett@trustwave.com>, \
> > mod-security-users@lists.sourceforge.net
> > Sent: Friday, 26 August, 2011 4:30:35 PM
> > Subject: Re: Cookie tripping modsec
> >
> > The rule you want to use I believe is 973020
> >
> > I think rule 981173 cannot be used to identify a specific target but keeps a score of the times a suspicious character was (as identified by the rules below 973020) found - so the below rule stops those rules from being run against that named cookie
> > SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
> >     "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:tracker"
> >
> > On 26/08/11 16:00, Organic Spider wrote:
> >
> > Changed but it is still being hit. Looking in the audit log it has:
> >
> > --2aac4c11-A--
> > [26/Aug/2011:10:55:48 --0400] Tlez838eCIcAAFhaAg0AAAAD 123.123.123.123 3371 234.234.234.234 80
> > --2aac4c11-B--
> > GET /js/ HTTP/1.1
> > Host: www.somesite.com
> > User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Connection: keep-alive
> > Referer: http://www.somesite.com/content/
> > Cookie: last_visit=1314356268; last_activity=1314370547; tracker=a%3A5%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3Bi%3A4%3Bs%3A11%3A%22pages%2Fabout%22%3B%7D;
> > If-Modified-Since: Fri, 26 Aug 2011 14:55:12 GMT
> > Authorization: Basic aGtzdHJhdGVnaWVzOklMNXRyYXQ=
> >
> > --2aac4c11-F--
> > HTTP/1.1 200 OK
> > X-Powered-By: PHP/5.3.6
> > Expires: Sat, 26 Jul 1997 05:00:00 GMT
> > Last-Modified: Fri, 26 Aug 2011 14:55:48 GMT
> > Pragma: no-cache
> > Content-Type: text/javascript
> > Set-Cookie: last_activity=1314370547; expires=Sat, 25-Aug-2012 14:55:47 GMT; path=/
> > Set-Cookie: tracker=a%3A5%3A%7Bi%3A0%3Bs%3A2%3A%22js%22%3Bi%3A1%3Bs%3A6%3A%22people%22%3Bi%3A2%3Bs%3A7%3A%22content%22%3Bi%3A3%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A4%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
> > Set-Cookie: tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
> > Connection: close
> > Transfer-Encoding: chunked
> >
> > --2aac4c11-H--
> > Message: Warning. Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/usr/local/httpd-2.2.19/modsecurity/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "5"]
> >
> > To me it is the setting of the tracker cookie which is causing the warning to be thrown. Am I reading it correctly?
> > ------------------------------------------------------------------------------
> > EMC VNX: the world's simplest storage, starting under $10K
> > The only unified storage solution that offers unified management
> > Up to 160% more powerful than alternatives and 25% more efficient.
> > Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > ModSecurity Services from Trustwave's SpiderLabs:
> > https://www.trustwave.com/application-security.php
> >
>
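The root cause found in this thread is that two rules in the CRS 2.2.1 SQL injection file carried the same id, so a `SecRuleUpdateTargetById` (or `ctl:ruleUpdateTargetById`) exclusion naming that id could not be relied on to reach the rule that actually fired. The script below is an added example, not code from the thread or from the CRS project: it joins Apache-style `\` continuation lines, collects every `id:` declared by `SecRule`/`SecAction` directives, reports ids declared more than once, and then classifies each id referenced by an exclusion as `ok`, `duplicate` (ambiguous, the situation in this thread) or `missing`. The rule and exclusion texts are constructed samples that only imitate the CRS layout; the ids reused in them are taken from the thread, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample imitating a CRS-style rules file (NOT the real
# modsecurity_crs_41_sql_injection_attacks.conf). Two directives share
# id 981243, which is the duplicate-id situation described in the thread.
SAMPLE_RULES = r'''
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:some-pattern)" \
    "phase:2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Detects SQLi 1',id:'981243',severity:'2'"
SecRule REQUEST_COOKIES|ARGS "(?i:other-pattern)" \
    "phase:2,rev:'2.2.1',t:none,block,msg:'Detects SQLi 2',id:'981243',severity:'2'"
SecRule REQUEST_COOKIES|ARGS "(?i:third-pattern)" \
    "phase:2,rev:'2.2.1',t:none,block,msg:'Detects SQLi 3',id:'981245',severity:'2'"
SecAction "phase:1,id:'981173',t:none,nolog,pass,setvar:tx.restricted_sqli_char_count=0"
'''

# Constructed sample of the exclusions tried in the thread, in both forms
# (standalone directive and ctl: action inside a SecRule).
SAMPLE_EXCLUSIONS = r'''
SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:/tracker/
SecRuleUpdateTargetById 981245 !REQUEST_COOKIES:/tracker/
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=973020;!REQUEST_COOKIES:tracker"
'''

ID_RE = re.compile(r"\bid:'?(\d+)'?")
EXCL_RE = re.compile(r"(?:SecRuleUpdateTargetById\s+|ctl:ruleUpdateTargetById=)(\d+)")


def logical_lines(text):
    """Join Apache-style trailing-backslash continuation lines into one directive each."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def rule_ids(text):
    """Map each declared rule id to the logical line numbers that declare it."""
    ids = defaultdict(list)
    for n, line in enumerate(logical_lines(text), start=1):
        if not line.startswith(("SecRule", "SecAction")):
            continue
        m = ID_RE.search(line)
        if m:
            ids[m.group(1)].append(n)
    return ids


def duplicate_ids(text):
    """Return only the ids that are declared more than once."""
    return {i: lines for i, lines in rule_ids(text).items() if len(lines) > 1}


def exclusion_ids(text):
    """Collect the ids referenced by SecRuleUpdateTargetById / ctl:ruleUpdateTargetById."""
    return EXCL_RE.findall(text)


def check_exclusions(rules_text, ids):
    """Classify each excluded id: 'ok', 'duplicate' (ambiguous target) or 'missing'."""
    declared = rule_ids(rules_text)
    verdict = {}
    for i in ids:
        if i not in declared:
            verdict[i] = "missing"
        elif len(declared[i]) > 1:
            verdict[i] = "duplicate"
        else:
            verdict[i] = "ok"
    return verdict


if __name__ == "__main__":
    for rule_id, lines in duplicate_ids(SAMPLE_RULES).items():
        print(f"duplicate id {rule_id} declared on logical lines {lines}")
    for rule_id, state in check_exclusions(SAMPLE_RULES, exclusion_ids(SAMPLE_EXCLUSIONS)).items():
        print(f"exclusion for {rule_id}: {state}")
```

Run it against the real rules directory by reading each `.conf` file into `rules_text` before deploying new exclusions; a `duplicate` verdict means the exclusion will not behave predictably until one of the colliding rules is renumbered, exactly as Ryan suggests above. Independently of duplicate ids, `SecRuleUpdateTargetById` can only modify a rule that has already been loaded, so the exclusion must be placed after the CRS include.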