
List:       prelude-devel
Subject:    Re: [prelude-devel] [Prelude Hybrid IDS] #216: mod_security
From:       "Prelude Hybrid IDS" <noreply () prelude-ids ! org>
Date:       2007-06-06 11:26:33
Message-ID: 054.b61e719ce89cf658cd63b0aef14784fc () prelude-ids ! org

#216: mod_security modifications
-------------------------+--------------------------------------------------
 Reporter:  gegomez      |        Owner:  gegomez           
     Type:  defect       |       Status:  assigned          
 Priority:  normal       |    Milestone:  Prelude-LML 0.9.11
Component:  prelude-lml  |      Version:  0.9               
 Severity:  normal       |   Resolution:                    
 Keywords:               |  
-------------------------+--------------------------------------------------
Comment (by anonymous):

 Hello,

 Here is my rule when using ModSecurity(2)

 {{{
 #LOG:May 31 11:51:09 server httpd[10634]: [error] [client 10.8.0.128] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "10.8.0.127"] [uri "/blah"] [unique_id "CcdHJFKU22EAACmK5AcAAAAF"]
 # Captures: $1 client address, $2 HTTP status code, $3 phase, $4 pattern,
 # $5 match location, $6 rule id, $7 msg, $8 severity, $9 hostname, $10 uri,
 # $11 unique_id.
 # Caveat: $8 is ModSecurity's own severity string (CRITICAL, WARNING, ...);
 # the IDMEF impact severity enumeration only accepts info, low, medium, high.
 regex=\[client ([\d\.]+)\] ModSecurity: Access denied with code (\d+) \(phase (\d+)\)\. Pattern match "(\S+)" (.+)\. \[id "(\d+)"\] \[msg "(.+)"\] \[severity "(\S+)"\] \[hostname "([\S.]+)"\] \[uri "(.+)"\] \[unique_id "(\S+)"\]; \
  id=3108; \
  revision=1; \
  classification.ident=$11; \
  classification.text=HTTP $5 ($4) Blocked; \
  analyzer(0).name=ModSecurity; \
  analyzer(0).manufacturer=www.modsecurity.org; \
  analyzer(0).class=HIDS; \
  assessment.impact.severity=$8; \
  assessment.impact.completion=failed; \
  assessment.impact.description=mod_security encountered an error: $7. Access was blocked with HTTP response code $2; \
  assessment.action(0).category=block-installed; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$1; \
  target(0).node.name=$9; \
  target(0).service.iana_protocol_name=tcp; \
  target(0).service.iana_protocol_number=6; \
  target(0).service.name=http; \
  target(0).service.web_service.url=$10; \
  additional_data(0).type=integer; \
  additional_data(0).meaning=HTTP code returned; \
  additional_data(0).data=$2; \
  additional_data(1).type=integer; \
  additional_data(1).meaning=id; \
  additional_data(1).data=$6; \
  additional_data(2).type=integer; \
  additional_data(2).meaning=phase; \
  additional_data(2).data=$3; \
  last
 }}}

 Regards,

 Robin

-- 
Ticket URL: <https://trac.prelude-ids.org/ticket/216#comment:2>
Prelude Hybrid IDS <http://www.prelude-ids.org>
The Prelude Hybrid Intrusion Detection System suite
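To see what the rule's numbered captures actually line up with before loading it into Prelude-LML, here is an added Python example (not part of the ticket or of the Prelude project) that applies the same regex to constructed sample lines and expands the $N references into the IDMEF paths the rule sets. The function names, the dictionary layout and the two extra sample lines are my own; the severity check reflects that the IDMEF impact severity enumeration (RFC 4765) only allows info, low, medium and high, whereas ModSecurity logs strings such as CRITICAL and WARNING.

```python
import re

# Regex transcribed from the rule above. Prelude-LML uses PCRE; this
# expression uses only syntax that Python's re module reads identically.
MODSEC_DENY_RE = re.compile(
    r'\[client ([\d\.]+)\] ModSecurity: Access denied with code (\d+) '
    r'\(phase (\d+)\)\. Pattern match "(\S+)" (.+)\. \[id "(\d+)"\] '
    r'\[msg "(.+)"\] \[severity "(\S+)"\] \[hostname "([\S.]+)"\] '
    r'\[uri "(.+)"\] \[unique_id "(\S+)"\]'
)

# IDMEF path -> value template, copied from the rule's variable-bearing
# assignments (the two assessment.impact.description lines merged into one).
RULE_FIELDS = {
    "classification.ident": "$11",
    "classification.text": "HTTP $5 ($4) Blocked",
    "assessment.impact.severity": "$8",
    "assessment.impact.description": (
        "mod_security encountered an error: $7. "
        "Access was blocked with HTTP response code $2"
    ),
    "source(0).node.address(0).address": "$1",
    "target(0).node.name": "$9",
    "target(0).service.web_service.url": "$10",
    "additional_data(0).data": "$2",   # HTTP code returned
    "additional_data(1).data": "$6",   # ModSecurity rule id
    "additional_data(2).data": "$3",   # phase
}

# Values the IDMEF impact severity enumeration accepts (RFC 4765).
IDMEF_SEVERITIES = ("info", "low", "medium", "high")

_VAR_RE = re.compile(r"\$(\d+)")


def expand(template, groups):
    """Replace each $N in template with capture N (1-based).

    The digit run is greedy, so $10 and $11 are read as two-digit references
    rather than $1 followed by a literal digit. Because the replacement is a
    callable, a capture that itself contains a dollar sign (as the pattern in
    the ticket's sample line does) is inserted verbatim, not re-expanded.
    """
    return _VAR_RE.sub(lambda m: groups[int(m.group(1)) - 1], template)


def parse_modsec_deny(line):
    """Return the IDMEF fields the rule would emit for one syslog line, or
    None when the line is not a ModSecurity 'Access denied' message."""
    m = MODSEC_DENY_RE.search(line)
    if m is None:
        return None
    groups = m.groups()
    return {path: expand(tmpl, groups) for path, tmpl in RULE_FIELDS.items()}


def is_idmef_severity(value):
    """True if a captured ModSecurity severity is also a legal IDMEF one.
    ModSecurity's CRITICAL, WARNING, NOTICE, ... are not."""
    return value.lower() in IDMEF_SEVERITIES


# Constructed sample input: the first line is the one quoted in the ticket
# (joined back onto one line); the other two are made up for this example.
SAMPLE_LOGS = [
    r'May 31 11:51:09 server httpd[10634]: [error] [client 10.8.0.128] '
    r'ModSecurity: Access denied with code 400 (phase 2). Pattern match '
    r'"^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] '
    r'[msg "Host header is a numeric IP address"] [severity "CRITICAL"] '
    r'[hostname "10.8.0.127"] [uri "/blah"] [unique_id "CcdHJFKU22EAACmK5AcAAAAF"]',
    r'Jun  6 09:12:44 server httpd[10634]: [error] [client 192.0.2.10] '
    r'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
    r'"(?:union\s+select)" at ARGS:q. [id "950001"] [msg "SQL Injection Attack"] '
    r'[severity "WARNING"] [hostname "www.example.com"] [uri "/search"] '
    r'[unique_id "AbCdEf0123456789"]',
    # A warning-only line: ModSecurity logged the match but did not block,
    # so the rule (anchored on "Access denied") must not fire on it.
    r'Jun  6 09:13:01 server httpd[10634]: [error] [client 192.0.2.11] '
    r'ModSecurity: Warning. Pattern match "(?:union\s+select)" at ARGS:q. '
    r'[id "950001"] [msg "SQL Injection Attack"] [severity "WARNING"] '
    r'[hostname "www.example.com"] [uri "/search"] [unique_id "AbCdEf0123456790"]',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields = parse_modsec_deny(line)
        if fields is None:
            print("no match (not an Access denied line)\n")
            continue
        for path, value in fields.items():
            print(f"{path} = {value}")
        sev = fields["assessment.impact.severity"]
        if not is_idmef_severity(sev):
            print(f"warning: {sev!r} is not an IDMEF impact severity")
        print()
```

Running the script prints the expanded IDMEF paths for the two blocked requests and skips the warning-only line; the severity warning fires for both blocked lines, which is the point to settle before the rule goes into production (either map the ModSecurity strings onto the IDMEF set in the rule, or carry the raw value in additional_data instead of assessment.impact.severity).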