
List:       mod-security-users
Subject:    Re: [mod-security-users] how important is rule 960015?
From:       Ehsan Mahdavi <ehsan.mahdavi () gmail ! com>
Date:       2015-01-23 16:55:05
Message-ID: CAC7V=myHnyS+c2gXjhXRLs-5oTSaKY2Ds26uVuLoY7Cm60CO8A () mail ! gmail ! com



Hi, Winni

Thanks for your response.


On Wed, Jan 21, 2015 at 7:11 PM, Winfried Neessen <neessen@cleverbridge.com>
wrote:

> Hi Ehsan,
>
> in my opinion it's safe to disable that rule. As the ruleset file says,
> it's an "anomaly", something
> that doesn't behave like it should. Usually this should cause any harm
> (just speaking for my
> applications I am securing with mod_sec).
>
>
> Winni
>
> ------------------------------
>
> *From: *"Ehsan Mahdavi" <ehsan.mahdavi@gmail.com>
> *To: *"mod-security-users" <mod-security-users@lists.sourceforge.net>
> *Sent: *Tuesday, January 20, 2015 7:02:24 AM
> *Subject: *Re: [mod-security-users] how important is rule 960015?
>
> Hi, Winni,
> I am not complaining about the chunk of audit entries that this rule
> generates. If it blocks anything, we had better be informed.
>
> However, I need to know: what are the most important attacks that this rule
> might prevent?
>
> If it is just preventing some bots from crawling the site, I have better
> ideas than disabling this rule or making it silent.
>
> For example Bad Behavior <http://bad-behavior.ioerror.us/>, a product
> similar to modsecurity, does not block these requests unless the request is
> a POST request. This cuts down on spam and reduces false positives to
> approximately zero, but still passes other bots. The author believes many
> of those get caught by other rules anyway.
>
> Or I can just write a rule like this:
>
> # id: any unused number from the 1-99,999 range reserved for local rules;
> # ModSecurity 2.7+ refuses rules without one. pass keeps it non-disruptive.
> SecRule REQUEST_HEADERS:User-Agent "Google|Mail|Yandex" \
>     "id:1000,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960015"
>
> The problem is that I don't know the most dangerous attacks that it might
> prevent, and whether it is worth using this rule or not.
> What are the effects of any solution taken?
>
>
> --
>                     regards
>                  Ehsan.Mahdavi
> PhD candidate for Computer Engineering
>     by Isfahan University of Technology
>         http://emahdavi.ece.iut.ac.ir/
>
> On Mon, Jan 19, 2015 at 10:58 PM, Winfried Neessen <
> neessen@cleverbridge.com> wrote:
>
>> Hi,
>>
>> Rule 960015 is generating more than 10 thousand alerts on a daily basis.
>> It also blocks Google, Yandex and some other good bots.
>>
>> How important is this rule?
>> Does it buy me valuable security compared to the chunk of audit log
>> entries that it generates?
>>
>> # Missing/Empty Accept Header
>> #
>> # -=[ Rule Logic ]=-
>> # These rules will first check to see if an Accept header is present.
>> # The second check is to see if an Accept header exists but is empty.
>>
>> This is basically what the rule does. Whether this brings any valuable
>> security for you totally depends on your definition of security. You could
>> leave it, change the logging schema for it (no audit logging for this rule)
>> or simply disable the rule.
>>
>>
>> Winni
>>
>>
>> ------------------------------------------------------------------------------
>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>> GigeNET is offering a free month of service with a new server in Ashburn.
>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>> http://p.sf.net/sfu/gigenet
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
>>
>


-- 
                    regards
                 Ehsan.Mahdavi
PhD candidate for Computer Engineering
    by Isfahan University of Technology
        http://emahdavi.ece.iut.ac.ir/
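The three ways of dealing with rule 960015 that come up in this thread (silencing its audit logging, enforcing it only on POST as Bad Behavior does, and exempting crawlers by User-Agent), written out as ModSecurity 2.x directives. This is an added example, not code from the thread or from the CRS rule file; the rule ids 1000 and 1001 are constructed placeholders from the local range, and the bot User-Agent tokens are assumptions.

```apache
# Added example: not from the thread or from the CRS rule file. It shows
# the three ways of handling rule 960015 (Missing/Empty Accept Header)
# that the thread discusses, as ModSecurity 2.x directives. Rule ids 1000
# and 1001 are constructed placeholders from the 1-99,999 range reserved
# for local rules; the bot User-Agent tokens are assumptions.

# Option A (Winni's "no audit logging for this rule"): keep the rule and its
# error-log alert, but stop it from writing audit-log transactions. This
# directive edits an existing rule, so it must be loaded AFTER the CRS file
# that defines 960015.
SecRuleUpdateActionById 960015 "noauditlog"

# Option B (the Bad Behavior approach Ehsan describes): enforce the check on
# POST requests only. For any other method, 960015 is removed for the current
# transaction, so a GET crawler without an Accept header is let through while
# a form post without one is still flagged. A ctl:ruleRemoveById rule must run
# BEFORE 960015 does, so load it ahead of the CRS rule file; "pass" is explicit
# so the rule cannot inherit a disruptive action from SecDefaultAction.
SecRule REQUEST_METHOD "!@streq POST" \
    "id:1000,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960015"

# Option C (Ehsan's User-Agent exemption, tightened): the original pattern
# "Google|Mail|Yandex" matches any UA that merely contains those substrings.
# Matching the crawler tokens as whole words narrows that. The UA is still
# client-controlled, so this reduces noise but is not a trust decision: a
# client that spoofs the token gets the same exemption. Combine it with
# Option B rather than relying on it alone.
SecRule REQUEST_HEADERS:User-Agent "@rx \b(?:Googlebot|YandexBot)\b" \
    "id:1001,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960015"
```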



