
owasp-modsecurity-crs's Introduction


CRS migrated to a new 🏠!

The OWASP ModSecurity Core Rule Set (CRS) has moved to https://github.com/coreruleset/coreruleset.

A note on this change:

This project started at Trustwave SpiderLabs over ten years ago; it was created with the idea of making a free ruleset that anyone can use to get started with ModSecurity. Over time it has grown into a community-maintained project that no longer needs our direct support, which is the best you can hope for with such a project: apart from growing a community dedicated fully to maintaining the CRS project, it also freed us up to focus fully on maintaining ModSecurity, the engine.

Given that Trustwave SpiderLabs hasn't been the maintainer of the project for a few years now, it made sense for it to have its own home on GitHub. As such, in coordination with the CRS team, it has moved to the following location: https://github.com/coreruleset/coreruleset

This project is now archived to retain its history and make sure that no links are broken, but it will NOT be maintained at this location, so if you're working directly with GitHub make sure to update your scripts and environments accordingly.

- Trustwave SpiderLabs

OWASP ModSecurity Core Rule Set (CRS)

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

CRS Resources

Please see the OWASP ModSecurity Core Rule Set page to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.

Contributing to the CRS

We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.

Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.

Sign up for our Google Group to ask general usage questions and participate in discussions on the CRS. Also here you can find the archives for the previous mailing list.

Join the #coreruleset channel on OWASP Slack to chat about the CRS.

License

Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.

The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.

owasp-modsecurity-crs's Issues

rule 300016 incorrectly matches "selection" word

CORERULES-16: Rule 300016, which was reporting in the apache error log as:

(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+(.*from)

Was incorrectly matching this block of text:
selection of side dishes made from seasonal greenmarket produce. Several ages and cuts of beef are on the menu at all times. Place also has a raw bar of the freshest oysters, raw fish preparations as well as marinated and chilled seafood.

The combination of "selection" followed by "from" was causing the core of the issue. The regex should most likely only match the word "select" followed by a space, and then wildcard chars.

ModSecurity: No action id present within the rule

Using latest commit (#6607644166) produced:

Apache# httpd -t
Syntax error on line 38 of /[...my path...]/activated_rules/modsecurity_crs_42_comment_spam.conf:
ModSecurity: No action id present within the rule

Rule works on an Ajax form but not in POST

Hello,

I made the following SQL statements on a text box in a website that is kept for searching drivers and returns results in an Ajax response. All of the below 3 statements were denied with a 406 Not Acceptable. But if I tested the below on a login form with POST method, the form successfully logs in. What could be the problem?

Test1 :

a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

Test2 :

a'///!unIoN////!SelEct///1,/!table_name/,database()//from//information_schema.tables//WheRe/**/tablE_SchEma=daTabase()--+-

Test3 :

' or 'a'='a'-- -

Rule 950901 catches on substrings that look like tautologies

It seems like rule 950901 is matching on some cookies that contain a substring which looks like a tautology. For example:

Cookie: LoginCookie=wh=www.some.site ab=/path/login?param1=value1&param2=value2&callback=jsonp1368230255523&_=1368230255732 cd=1 rh=http://www.some.site ru=%2Fpath%2Fpath2%2Flogin

Notice the "h=h" substring in the cookie value, which triggers.

I think it would make more sense to add \b around the tautology regex, or at least require one or more whitespaces around it.
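The effect the report asks for, as an added example that is not the CRS 950901 pattern: a constructed naive "token = same token" regex fires on the "h=h" inside "rh=http", while the same idea wrapped in \b (with an optional matching quote on both sides) stays quiet on the cookie and still fires on a real tautology. The cookie value is the one quoted above; the Cookie header used in the per-cookie check is constructed.

```python
import re

# Cookie value quoted in the report above, reused here as the sample input.
COOKIE = ("wh=www.some.site ab=/path/login?param1=value1&param2=value2"
          "&callback=jsonp1368230255523&_=1368230255732 cd=1 rh=http://www.some.site"
          " ru=%2Fpath%2Fpath2%2Flogin")

# A naive tautology check, constructed for this example (not the CRS 950901 regex):
# a token, an equals sign, the same token again, with no anchoring at all.
NAIVE_TAUTOLOGY = re.compile(r"(\w+)\s*=\s*\1")

# The same idea with word boundaries. Group 1 is an optional quote that must appear
# on both sides of each token, group 2 is the repeated token; the \b on both sides of
# each token stops the pattern from matching inside longer words such as "rh=http".
BOUNDED_TAUTOLOGY = re.compile(r"""(['"]?)\b(\w+)\b\1\s*=\s*\1\b\2\b\1""")


def find_tautology(pattern, value):
    """Return the text the pattern matches in value, or None if it does not fire."""
    m = pattern.search(value)
    return m.group(0) if m else None


def cookie_hits(pattern, cookie_header):
    """Run the pattern over every name=value pair of a Cookie header (constructed
    input), the way a per-cookie rule would see it.

    Returns {cookie_name: matched_text} for the cookies that fire.
    """
    hits = {}
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        hit = find_tautology(pattern, value)
        if hit:
            hits[name] = hit
    return hits
```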

960014 blocks access to URL-based access to local server

CORERULES-4: We've seen some weird-but-legit web clients making requests using the URL instead of the URI - i.e. just like a proxy request - but to the local server. I suggest using a chain rule to exclude matches IFF the "proxy attempt" is against the same server. I'm using SERVER_NAME, as we have "UseCanonicalName On". CAVEAT: otherwise SERVER_NAME matches the client "Host: " header - which wouldn't be any good. If you know of a better var to use that always refers to ServerName, then great; otherwise documenting the use of UseCanonicalName is probably needed.

See https://www.modsecurity.org/tracker/browse/MODSEC-44 for other details

SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt',severity:'2',id:'1960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
SecRule MATCHED_VAR "!@beginswith http://%{SERVER_NAME}"
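A model of the proposed two-rule chain in Python, as an added example that is neither the reporter's rule nor CRS code: it fires on absolute-form request lines unless the URL addresses this server. The server name, ports and request lines are assumed values; the exemption compares the whole authority (host plus port) rather than a bare "beginswith http://SERVER_NAME" prefix, so a hostname that merely starts with the server name is not exempted.

```python
import re
from urllib.parse import urlsplit

# The REQUEST_URI_RAW test from the chain rule above: an absolute-form request line.
ABSOLUTE_FORM = re.compile(r"^\w+:/")


def is_proxy_attempt(request_uri_raw, server_name, allowed_ports=(80,)):
    """Return True when the request line would be flagged as a proxy attempt.

    server_name must be the canonical ServerName (UseCanonicalName On), not the
    client-supplied Host header, otherwise the exemption is under the client's
    control. allowed_ports lists the ports this server answers on (assumed).
    """
    if not ABSOLUTE_FORM.match(request_uri_raw):
        return False                 # origin-form request: the first rule does not fire
    parts = urlsplit(request_uri_raw)
    if parts.scheme.lower() != "http":
        return True                  # the second rule only exempts http:// URLs
    try:
        port = parts.port or 80      # no explicit port means the http default
    except ValueError:               # non-numeric port: cannot be ours
        return True
    host = (parts.hostname or "").lower()   # hostname is already lowercased by urlsplit
    return not (host == server_name.lower() and port in allowed_ports)
```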

Getting Started

We are using Apache 2.2.24 32bit (provided by apachelounge.org) running on a Windows 2008 R2 server 64bit. We have been able to successfully run security2_module and the modsecurity_crs_10_setup.conf.example. Where we seem to be running into trouble is with loading of the individual rules. Per the readme.txt instructions, we attempted to add this code into our configuration files:

$ pwd
/apache2/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
....... etc.

We receive these errors in our Windows Application logs during start-up (which fails):

The Apache service named reported the following error:
Invalid command '$', perhaps misspelled or defined by a module not included in the server configuration.

The Apache service named reported the following error:
Syntax error on line 6 of C:/Apache2.2.24/conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf:

We are obviously missing something but can't figure out what. Any assistance would be greatly appreciated.

Also, we are running our Apache in ReverseProxy mode. Is there anything special we need to do to make certain that the rules are pointing in the right directions?

Thanks, Kevin

modsecurity_crs_40_generic_attacks.conf regex error

As I was working on parsing out the regex in line 220 (command injection) I came across this character class "[/]".

The regex checker I was using declares that this is an error.

I believe that it needs to be "[\\/]" to include both "/" and "\".

SQL Injection

Hello,

We have installed the OWASP rule set. But the rule fails to block the following sql

' or 'a'='a'-- -

What could be wrong?

JSON values in cookies constantly trigger 6+ rules making 2.2.6 unusable for these cookies

Hi,

There is a set of rules in 2.2.6 (mostly SQL Injection) that constantly generate false positives on complex cookie values (e.g. JSON structures).

If it was one or two rules, I would say it's fine, but when it's 6 or more rules that constantly trigger on these cookies, I think we have a problem - this can't be fixed with a threshold setting.

In addition, I think that these rules are really not doing their task well - I don't think that the triggers you will see below are supposed to trigger.

Here is the cookie:

MyCookie={"v":1,"rid":"1371546489873_699561","to":5,"c":"http://www.some.site/page.aspx?a=5","pv":2,"lc":{"d0":{"v":2,"s":true}},"cd":0,"sd":0,"f":1371546904751}

Rules triggered:

  • 973333 - matching string is:
  • 981172 - matching strings are:
    • {"v":1,"rid":"
    • ://www.some.site/page.aspx?a=5","pv":2,"lc":{"
    • }},"cd":0,"sd":
    • ","to":5,"c":"
    • ":{"v":2,"s":
  • 981243 - matching strings are:
    • ":1,"
    • ":"137
    • ":5,"
    • ":2,"
    • ":{"
    • ":{"
    • ":2,"
    • ":0,"
    • ":0,"
    • ":13
  • 981245 - matching strings are:
    • ":1,"r
    • ":"1371546489873_699561","t
    • ":5,"c
    • ":"http://w
    • ":2,"l
    • ":{"d0":{"v
    • ":2,"s
    • ":true}},"c
    • ":0,"s
    • ":0,"f
  • 981246 - matching string is:
    • "rid":"
  • 981257 - matching strings are:
    • ,"rid
    • ,"to":5,"c":
    • ,"pv":2,"lc":{
    • ,"s":true}},"cd":0,
    • ,"f":1371546904751}

naming convention

It would be nice if rules followed a stricter logic. It makes it harder (although not impossible) to automate the deployments of the CRS rules (I'm guessing the commercial rules have the same issue).

For example, the optional rule modsecurity_crs_42_comment_spam.conf has a data file named modsecurity_42_comment_spam.data. Forcing me to gsub the file name to remove _crs.

It would be more elegant, and easier to configure using a CM tool like Chef/Puppet if rules file name matched their data file name.

CSRF Protection Not Compatible with OAM

Enabling CSRF protection (modsecurity_crs_43_crsf_protection.conf and modsecurity_crs_16_session_hijacking.conf) seems to break Oracle Access Manager login. Testing shows that the ModSecurity CRS CSRF protection appends JavaScript to the end of the page; however, it is after the closing html tag and therefore is not rendered correctly. Additionally, if CSRF protection is left enabled, then login to the OAM protected resource is impaired.

Mod Security Core Rules 2.5-1.6.1 blocks OpenID

CORERULES-7: Your latest core rule set, modsecurity-core-rules_2.5-1.6.1.tar.gz, blocks OpenID.

The offending rule is in modsecurity_crs_42_tight_security.conf

The exact rule is

SecRule ARGS "^(?:ht|f)tp:/"
"phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"

I commented out that rule, restarted Apache, and now my users can log in with openid - yea \0/

Log:

--ccbd4859-H--
Message: Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tp:/" at ARGS:openid.ns. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_42_tight_security.conf"] [line "32"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1241131110731486 10573 (571 10040 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1; core ruleset/1.6.1.
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch


Logging

My apache error_log got many modsecurity-crs-logs, even with
SecDefaultAction "phase:1,pass,nolog,auditlog"
in my modsecurity_crs_10_setup.conf .

Seems like there are hard "log" parts in
base_rules/modsecurity_crs_60_correlation.conf

Please keep compatibility with modsecurity 2.6

Hi,

Some new commits use the actions "ver", "maturity" and "accuracy". Those are not available in mod_security 2.6.

Mod_security 2.7 is very new (October 16, 2012) and depending on it will break installations using distribution packages or others.

At least, provide a "2.6" branch to include important fixes like "92c65eba3dc7".

Rule 981245 triggers false positives on certain "complex" cookie values

The following section of the regular expression:

(?:["'´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'´’‘]?\s?\w+\W+\w)

Will match on the following values:

  • "|name=value"
  • "-1<2"
  • '-a-b-c'

And so forth.

I'm not certain what this specific section is trying to achieve, so I can't offer a fix.

Rule 981244 will trigger false positives in certain common scenarios

The following section of the regular expression:

(?:["'´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'´’‘])

Will generate false positives on strings such as:

  • "orca-1"
  • 'ornament=1'
  • "divider-1"

In general, JSON objects would have a high chance of containing such strings, for example:

{"name":"divider-1"}
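A regression harness for the two reports above (981245 and 981244), as an added example that is not CRS code: it runs the two regex fragments exactly as quoted, with the mojibake-free quote characters, over the reported values and over the JSON cookie from the earlier "JSON values in cookies" issue, and then compares hits on the serialized JSON text with hits on its parsed string leaves. The helper names and the JSON-path notation are assumptions made for this example.

```python
import json
import re

# The two regex fragments quoted in the reports above, used unchanged.
FRAGMENTS = {
    "981245": re.compile(
        r"""(?:["'´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'´’‘]?\s?\w+\W+\w)"""),
    "981244": re.compile(
        r"""(?:["'´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'´’‘])"""),
}

# Cookie value from the "JSON values in cookies" issue on this page (sample input).
COOKIE_JSON = ('{"v":1,"rid":"1371546489873_699561","to":5,'
               '"c":"http://www.some.site/page.aspx?a=5","pv":2,'
               '"lc":{"d0":{"v":2,"s":true}},"cd":0,"sd":0,"f":1371546904751}')


def firing_rules(value):
    """Return {rule_id: matched_text} for each fragment that fires on value."""
    hits = {}
    for rule_id, rx in FRAGMENTS.items():
        m = rx.search(value)
        if m:
            hits[rule_id] = m.group(0)
    return hits


def leaf_strings(obj, path="$"):
    """Yield (json_path, text) for every string leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_strings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from leaf_strings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def raw_vs_parsed(raw_json):
    """Compare hits on the serialized JSON text with hits on its string leaves.

    Returns (hits_on_raw_text, {json_path: hits} for the leaves that fire). The
    quotes, colons and commas of the serialization are what the fragments latch
    onto, so the leaves come back clean even when the raw text trips both rules.
    """
    raw_hits = firing_rules(raw_json)
    leaf_hits = {}
    for path, text in leaf_strings(json.loads(raw_json)):
        hits = firing_rules(text)
        if hits:
            leaf_hits[path] = hits
    return raw_hits, leaf_hits
```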

mod_pagespeed and modsecurity together fail

I am using the latest mod_security with base rules. I have discovered that all files handled by mod_pagespeed (js, css, images, etc.) are missing the "Accept" header, thus triggering the block and virtually throwing 403 errors for every page served from my Linux instance. Furthermore, some of the compression of JavaScripts is creating strings that make MS think it is a SQL injection.

Is there a way to adjust rule(s) so that pagespeed files are ignored when scoring?

non ascii characters causing false positives with different languages

Rules 981243, 981318 and 981173

The following characters are creating false positives: ´’‘.
I think the best way would be to remove the characters from the rule and add the t:utf8toUnicode,t:urlDecodeUni transformations.
If the removed characters are needed then they should be moved to another rule so these three rules don't need to be excluded because of false positives.

Michael

modsecurity_crs_10_setup.conf.example refers to outdated ModSecurity SVN repo

Really minor issue in modsecurity_crs_10_setup.conf.example

# You should use the modsecurity.conf-recommended file that comes with the
# ModSecurity source code archive.
#
# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
#

The ref is outdated; the correct one should be

https://raw.github.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

Thanks for the great work!

960018: "outside range 1-255." triggering inappropriately?

CORERULES-3: Our Docushare server is being blocked by our modsecurity WAF frontend for some URLs. Not major numbers - but >1 and not malicious

Anyway, the issue is the requests have this humongous Cookie that the rule doesn't like. However, I piped it through perl and the Cookie is pure ASCII - so I don't know why it's triggering. It does contain url-encoded sequences like "CFMAGIC=2421351%3A9116039", and the rule does say "t:urlDecodeUni", so doesn't that mean modsecurity would decode back to Unicode before matching? If so, isn't that the problem?

I can send you the raw transcript, but it may contain authentication information, so it'll need to be private.

Thanks!

Jason

duplicated rules id 981173

git cloned at ~16:00 UTC

Syntax error on line 26 of /etc/modsecurity/crs/modsecurity_crs_49_header_tagging.conf:
ModSecurity: Found another rule with the same id

Rules with id 981173 appear in modsecurity_crs_41_sql_injection_attacks.conf and modsecurity_crs_49_header_tagging.conf.

Missing parenthesis in rule regular expression

CORERULES-15: I just downloaded CRS 2.0.1 and rule 958297 seems to be triggering on every request. Looking at the regex of this rule I found that there is a missing ")" somewhere. I just couldn't figure out where.

The rule is in file modsecurity_crs_42_comment_spam.conf:

SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla(?:/4.0+?()?|vable type)|i(?:crosoft url|ssigua)|j12bot/v1.0.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:/| )1.)|c(?:ore-project/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie pooh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback/|httpproxy|<sc)"
"phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"

The User Agent for the request that triggered the rule is:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

Rule 960010 (modsecurity_crs_30_http_policy): whitespace erroneously captured

I get bogus error messages in DetectionOnly with mod_security2 v2.7.0 and CRS version 2.2.7:

[Thu Apr 11 11:52:29 2013] [error] [client 10.0.0.1] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. 
[file "/usr/local/httpd_v22_32bit/conf/modsecurity2/activated_rules/30_modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] 
[msg "Request content type is not allowed by policy"] 
[data "text/xml"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [hostname "host.example.net"] 
[uri "/url/1"] [unique_id "UWaH3QoSEDoAAH-QRHoAAAAP"]

[Thu Apr 11 11:47:35 2013] [error] [client 10.0.0.2] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. 
[file "/usr/local/httpd_v22_32bit/conf/modsecurity2/activated_rules/30_modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] 
[msg "Request content type is not allowed by policy"] 
[data "application/x-www-form-urlencoded"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [hostname "host.example.net"] 
[uri "/url/2"] [unique_id "UWaGtwoSEDoAAH8MAXMAAAAA"]

I think the regular expression captures the whitespace around the Content-type header value, and the whole string is compared to the allowed request content types. The comparison fails. The following patch fixes the error messages:

base_rules/modsecurity_crs_30_http_policy.conf
66c67
<       SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

---
>       SecRule TX:1 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
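
Review bot: the switch from TX:0 to TX:1 only fixes the symptom if the capture rule earlier in this chain defines group 1 as the bare media type, and that rule is not in the hunk; include it in the patch so a reviewer can confirm group 1 exists and cannot be empty, because an empty TX:1 would still fail `!^%{tx.allowed_request_content_type}$` and raise the same alert. A one-line comment on the rule saying that group 1, rather than the whole match (which can carry the surrounding whitespace described above), is what the policy is compared against would also help the next maintainer.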

I am not aware of any restriction on initial whitespace in header values, though a quick RFC search yielded nothing to prove my point.
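
The whole-match versus capture-group distinction behind this report, as an added example that is not part of the original issue or of the CRS itself. MEDIA_TYPE_CAPTURE is an assumed capture regex standing in for the CRS rule chain, which is not quoted above, and ALLOWED_REQUEST_CONTENT_TYPE is a constructed allow-list in the `|`-separated style CRS 2.2.x uses, seeded with the two values that appear in the log ("text/xml", "application/x-www-form-urlencoded"). ModSecurity exposes a capture rule's whole match as TX:0 and its first group as TX:1; the script runs the anchored policy check against both:

```python
import re

# Constructed allow-list in the '|'-separated form CRS 2.2.x keeps in
# tx.allowed_request_content_type (assumption: the exact list varies per setup).
ALLOWED_REQUEST_CONTENT_TYPE = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    "application/xml|application/x-amf|application/json"
)

# Hypothetical media-type capture rule (assumption, not the CRS regex):
# group 1 is the bare media type, while the whole match (group 0) also
# swallows the whitespace around it, the behaviour the report attributes
# to the CRS rule.
MEDIA_TYPE_CAPTURE = re.compile(r"^\s*([^;\s]+)\s*")

# Wrapping the alternation in (?:...) anchors every alternative; without the
# group, ^a|b|c$ anchors only 'a' at the start and 'c' at the end.
POLICY = re.compile(r"^(?:%s)$" % ALLOWED_REQUEST_CONTENT_TYPE)


def capture_media_type(header_value):
    """Return (TX:0, TX:1) as ModSecurity's 'capture' action would set them."""
    m = MEDIA_TYPE_CAPTURE.match(header_value)
    if m is None:
        return "", ""
    return m.group(0), m.group(1)


def policy_allows(candidate):
    """The 960010 comparison: anchored match against the allow-list."""
    return POLICY.match(candidate) is not None


def check_request(header_value):
    """Evaluate the policy the two ways the original and patched rules do."""
    tx0, tx1 = capture_media_type(header_value)
    return {
        "tx0": tx0,
        "tx1": tx1,
        "allowed_via_tx0": policy_allows(tx0),   # original rule compares TX:0
        "allowed_via_tx1": policy_allows(tx1),   # patched rule compares TX:1
    }


if __name__ == "__main__":
    # Constructed header values: a leading space (the case in the report),
    # a value with a parameter, and one that is genuinely not allowed.
    for value in [" text/xml",
                  "application/x-www-form-urlencoded; charset=UTF-8",
                  "text/plain"]:
        print(repr(value), check_request(value))
```

With a leading space the whole match is `" text/xml"`, which the anchored policy rejects while group 1 passes; a value with a parameter passes both ways because the capture stops at the `;`. Whether the real CRS capture regex behaves like MEDIA_TYPE_CAPTURE is exactly what the patch above should make visible.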

False positive with Joomla and javascript

CORERULES-5: Not sure if this is the place for false positives but the script says to report them!

This rule:
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]](script|about|applet|activex|chrome)>.(script|about|applet|activex|chrome)[[:space:]]>"

Blocks Joomla (or any CMS for that matter) from submitting web content that contains javascript which is often desirable to allow (like for admins).

How can I apply CRS to my nginx server?

Hi all,

I'm new to ModSec and try to config NGINX with ModSec.
I could only find document to apply CRS for Apache, but not in nginx.

I have a simple /nginx/conf/modsecurity.conf with sample rules that work fine

SecRuleEngine On
SecDefaultAction "phase:1,deny,log,status:403"
SecRule REQUEST_URI "huong-dan-su-dung" "id:00001"

But I don't know how to apply CRS to nginx
Any help ?

Thanks
Tan

Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2

Here is the regression test:

%test Invalid HTTP Request Line (960911) - Test 2

%remark
This test uses backslashes instead of forward slashes.
%endremark
%status 400|403
%request
GET \index.html HTTP\1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive

When sniffing the traffic over the wire, you will notice that the \index.html is being sent as simply "index.html" (backslash disappears), and the HTTP protocol version is sent as HTTP[\x01].0 - (\1 is sent as \x01 ASCII).

My guess is that the test needs some escaping for the backslash characters.

I ran a quick search on other tests, and none of them has a similar problem.


Syntax error on line 28 of optional_rules/modsecurity_crs_42_comment_spam.conf

CORERULES-9: After upgrading from Core Rules ver. 1.6.1 to ver. 2.0 (with optional_rules) I got this error message when starting Apache 2.2.12:
Syntax error on line 28 of optional_rules/modsecurity_crs_42_comment_spam.conf:
SecRule takes two or three arguments, tule target, operator and optional action list

I think there is a missing \ (backslash) near the end of line 27 before the second-last " (double quote):
... |httpproxy|<sc|")"
should be:
... |httpproxy|<sc|")" \

CD< does not pass mod security filters

CORERULES-2: When a string like this is passed through mod security:

{noformat}
"

• CD drive if installing from CD
• "
{noformat}

It does not pass its filters.

Original rule:

{noformat}
(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?/c)|d(?:\b\W*?[\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[;|]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"|\;\-\s]|$))
{noformat}

Our modified rule:

{noformat}
(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?/c)|d(?:\b\s+[.~\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[;|]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"|\;\-\s]|$))
{noformat}

Please advise what the correct rule would be.

SQL Injection bypasses OWASP rule.

I am using the latest set of OWASP CRS.

An SQL injection test on a website on our server has the following result.

Test1 :
a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

Result : Error 406 issued successfully

Test2 :
a'///!unIoN////!SelEct///1,/!table_name/,database()//from//information_schema.tables//WheRe/**/tablE_SchEma=daTabase()--+-

Result :
Successfully bypassed the security.

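A normaliser that removes the comment obfuscation used in Test2 before the keyword check runs, as an added example that is not part of the original report or of the CRS (ModSecurity has its own transformations, such as t:removeComments, for this job). TEST1 is the report's first payload verbatim; TEST2 is an assumed reconstruction of the second one, whose asterisks were lost when the page was rendered, constructed here only to exercise the normaliser:

```python
import re

# Test 1 is the report's first payload verbatim. Test 2 is an assumed
# reconstruction of the report's second payload (the page lost the asterisks
# of its comment markers), constructed here only to exercise the normaliser.
TEST1 = ("a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles "
         "WhErE tablE_scHemA=dAtabase()-- -")
TEST2 = ("a'/*!unIoN*//*!SelEct*/1,/*!table_name*/,database()/**/from/**/"
         "information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+-")

# A naive keyword check: UNION followed by whitespace and SELECT.
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?select\b", re.I)


def normalize_sql(text):
    """Collapse the comment and case tricks so keyword checks see one form.

    MySQL 'executable' comments /*!...*/ are run by the server, so their body
    is kept; ordinary block comments and a trailing line comment are dead
    space and become a single space.
    """
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.S)  # keep body
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)            # drop /* */
    text = re.sub(r"--.*$", " ", text, flags=re.S)                 # drop -- tail
    return re.sub(r"\s+", " ", text).strip().lower()


def looks_like_union_select(text):
    """The keyword check as written, applied to whatever text it is given."""
    return UNION_SELECT.search(text) is not None


def detect(text):
    """Run the check on the raw text and on its normalised form."""
    return {"raw": looks_like_union_select(text),
            "normalized": looks_like_union_select(normalize_sql(text))}


if __name__ == "__main__":
    for payload in (TEST1, TEST2):
        print(normalize_sql(payload))
        print(detect(payload))
```

On the raw text the check catches TEST1 but not TEST2, because the comment markers sit where the regex expects whitespace; after normalisation both reduce to the same `union select ... from information_schema.tables` form. The point for tuning is that case folding alone is not enough, and that a comment-stripping transformation has to run before the SQL keyword rules, not after.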
inconsistent SQLi tags

Hi,

The file base_rules/modsecurity_crs_41_sql_injection_attacks.conf has both tags WEB_ATTACK/SQLI and WEB_ATTACK/SQL_INJECTION.

This is inconsistent.

modsecurity_crs_21_protocol_anomalies.conf line 106 errors out

Line 106-107:

SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"

When I try to start apache I get:

ModSecurity: Disruptive actions cannot be specified in the logging phase.

Unfortunately removing the block action doesn't work either. I'm pretty new to mod_security, so I'm not sure what else is disruptive in that line.

Additionally the comment above this line states that mod_unique_id needs to be patched for this to work, but the gmane post is from 2009. Does this still need patching?

How to enable slr_rules? ModSecurity: No action id present within the rule

If I use "Include modsecurity.d/slr_rules/*.conf" (mod_security-2.7.2, mod_security_crs-2.2.6) I get this result:

sh-4.1# httpd -t
Syntax error on line 17 of /etc/httpd/modsecurity.d/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf:
ModSecurity: No action id present within the rule

How to enable slr_rules? ;(

modsec-clamscan.pl is no longer distributed with ModSecurity

CORERULES-1: modsecurity_crs_10_config.conf

This file mentions the following, but this is a ModSecurity 1.9.x utility:

{noformat}
Inspect uploaded files.

TODO If there is a danger of attack through uploaded files then it
is possible to configure an external script to inspect each file
before it is seen by the application. An example script is
included with ModSecurity (/util/modsec-clamscan.pl).

Inspecting uploaded files is especially important in a hosting,
community or blogging environments where uploading files is permitted.
{noformat}

Syntax Error

After including this I am receiving the following error:
Syntax error on line 52 of /etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf

Any ideas what could be causing this?

LDAP Injection not being caught by the one rule

See my post in the forum: https://sourceforge.net/p/mod-security/discussion/1298046/thread/684839f2/

Basically, rule id #950010 is catching injection attempts in the headers but not in the body. An injection attempt embedded in a GET request is trapped, but an injection attempt embedded in a form field of a POST is missed. I imagine this would take a new rule rather than an edit of 950010, but my modsecurity rule foo is rudimentary at best so I'm afraid I can't be of much help.

mod_security false alarm

When I fetch some pages of the Joomla 1.5 CMS on the remoteshaman.com site, mod_security raises a false alarm in test mode ("SecRuleEngine DetectionOnly"):

--82e83c6c-A--
[05/Feb/2013:06:39:06 +0400] URBwyl2qgHIAADehGLYAAAAA 109.95.47.222 41573 127.0.0.1 81
--82e83c6c-B--
GET /index.php?option=com_content&view=article&id=139:bezvozvratnoe-udaleniezatiranieunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli&catid=1:defence&Itemid=65 HTTP/1.0
Host: remoteshaman.com
X-Real-IP: 109.95.47.222
Connection: close
User-Agent: Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.10.229 Version/11.64
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://remoteshaman.com/
Cookie: c95b573d4ece60267eebe4909c7dcf18=52+B+3+E4A11+95B5B11444A+04259585857415F15595551+F11+7+65A5A+C5B4045435545+D41415A40+B+15F124758464114+B14+7465946+95751+D112D686B7B77611C5B+0531446431B5E4D; jc_homepage=; 1fd4e15a49b554fa07c1f5692dbf224e=1; currentURI=http%3A%2F%2Fremoteshaman.com%2Findex.php%3Foption%3Dcom_community%26view%3Dvideos%26Itemid%3D59; 102d16838e890126ac58488e19aaad2d=h6bt6hg3utd65k30n25u37i1k1; activeProfile=64; b=b
Cache-Control: no-cache

--82e83c6c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.21
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 05 Feb 2013 02:39:06 GMT
Connection: close
Content-Type: text/html; charset=utf-8

--82e83c6c-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 139:bezvozvratnoe-udaleniezatiranieunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
Apache-Handler: fcgid-script
Stopwatch: 1360031946334718 414785 (- - -)
Stopwatch2: 1360031946334718 414785; combined=13942, p1=666, p2=13121, p3=0, p4=0, p5=155, sr=92, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--82e83c6c-Z--

--36a9ea69-A--
[05/Feb/2013:06:39:12 +0400] URBw0F2qgHIAADejHWgAAAAC 66.249.75.136 57737 93.170.128.114 443
--36a9ea69-B--
GET /pt/index.php?option=com_content&view=article&id=129%3Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118 HTTP/1.1
Host: remotehelp.pp.ua
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate

--36a9ea69-F--
HTTP/1.1 301 Moved Permanently
Location: http://remoteshaman.com/pt/index.php?option=com_content&view=article&id=129%253Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118
Content-Length: 416
Connection: close
Content-Type: text/html; charset=iso-8859-1

--36a9ea69-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://remoteshaman.com/pt/index.php?option=com_content&amp;view=article&amp;id=129%253Aobnaruzhen-novyj-generator-virusov-diy&amp;Itemid=118">here</a>.</p>
<hr>
<address>Apache Server at remotehelp.pp.ua Port 443</address>
</body></html>

--36a9ea69-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 129:obnaruzhen-novyj-generator-virusov-diy"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted S
QL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
Stopwatch: 1360031952686859 35016 (- - -)
Stopwatch2: 1360031952686859 35016; combined=3711, p1=185, p2=3149, p3=0, p4=314, p5=63, sr=74, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--36a9ea69-Z--

--6825be5e-A--
[05/Feb/2013:06:39:13 +0400] URBw0V2qgHIAADeiG@gAAAAB 66.249.78.24 41653 127.0.0.1 81
--6825be5e-B--
GET /pt/index.php?option=com_content&view=article&id=129%253Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118 HTTP/1.0
Host: remoteshaman.com
X-Real-IP: 66.249.78.24
Connection: close
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate

--6825be5e-F--
HTTP/1.1 404 Not Found
Content-Length: 276
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6825be5e-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pt/index.php was not found on this server.</p>
<hr>
<address>Apache Server at remoteshaman.com Port 80</address>
</body></html>

--6825be5e-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] Warning. Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 129:obnaruzhen-novyj-generator-virusov-diy"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 6, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.23/server/core.c"] [line 3708] [level 3] File does not exist: /var/www/wrs/public_html/pt
Stopwatch: 1360031953049913 8777 (- - -)
Stopwatch2: 1360031953049913 8777; combined=7021, p1=95, p2=6668, p3=0, p4=200, p5=58, sr=28, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--6825be5e-Z--


Almost all requests to the site's pages are mistaken by mod_security for an attack ;((

Where is the "System Command Injection" in ([data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"])? ;(

--ad06f25a-A--
[06/Feb/2013:14:33:32 +0400] URIxfF2qgHIAAGEldGQAAAAB 195.66.197.148 40963 127.0.0.1 81
--ad06f25a-B--
GET /index.php?option=com_content&amp;view=article&amp;id=67%3Austanovka-pear-na-php-54-pod-windows&amp;Itemid=66 HTTP/1.0
Host: remotehelp.pp.ua
X-Real-IP: 195.68.197.148
Connection: close
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

--ad06f25a-F--
HTTP/1.1 403 Forbidden
Content-Length: 277
Connection: close
Content-Type: text/html; charset=iso-8859-1

--ad06f25a-E--

--ad06f25a-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "209"] [id "950006"] [rev "2"] [msg "System Command Injection"] [data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] Access denied with code 403 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\ ..." at ARGS_NAMES:amp;id.
Action: Intercepted (phase 2)
Apache-Handler: php5-fcgi
Stopwatch: 1360146812114807 1305 (- - -)
Stopwatch2: 1360146812114807 1305; combined=600, p1=186, p2=396, p3=0, p4=0, p5=18, sr=56, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--ad06f25a-Z--
    

How to exclude from specific ARG?

If I send an article about programming (a POST with a text argument), the contents of the text ARG match rules in modsecurity_crs_40_generic_attacks.conf and modsecurity_crs_41_sql_injection_attacks.conf, IDs 950010 950018 950910 950911 950005 950901 981317 ("LDAP Injection Attack", "Execution error - PCRE limits exceeded (-8): (null)", "HTTP Response Splitting Attack", "Remote File Access Attempt", "SQL Injection Attack: SQL Tautology Detected.", "SQL SELECT Statement Anomaly Detection Alert") - and many, many other rules! ;(

How can I exclude a specific ARG, the way SecRuleRemoveById excludes a rule ID?

Some core rules files have not been upgraded to use the SecDefaultAction given in file 10

CORERULES-6: Earlier rules files had a SecDefaultAction in each file which set pass as the default action. In 1.6.1, the only SecDefaultAction is in _crs_10_config which (as in earlier rule sets) sets deny as the default action. Several rules still depend on the assumption that pass is the default although this is no longer the case.

This also effectively eliminates the difference between the main rule set and the "optional" rule set.

Although several rules in several files are affected, a specific example would be all the rules in _crs_55_marketing.conf, which without modification of the rules or addition of a SecDefaultAction to set pass, have the effect of denying the major search engine crawlers.

Several examples in the documentation also seem to implicitly assume that 'pass' is the default action even though this is no longer the case.

About prevent from SQL injection rules

CORERULES-14: Hi,
I am also new to mod_security2 and apache2.
My group is developing a kernel-level web protection system, and we want to use the mod_security2 module to prevent SQL injection and XSS attacks.
Well, are there more or less rules for SQL injection?
Just a few is OK.

modsecurity_crs_41_phpids_filters.conf

CORERULES-17: modsecurity_crs_41_phpids_filters.conf

SecRule REQUEST_URI|REQUEST_BODY|XML:/* "[^\:]//(.*)$" "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

This rule matches perfectly legal variables like "http%3A//website.com" created by the php urlencode() function.

The "%3a" value should be checked.

"Bad robots" rule blocks all Java applets on Windows XP machines

The "bad robots" rule (id 990012) contains a line that blocks all traffic with a user agent containing the string "Windows XP 5". However, each and every Java applet that runs on a Windows XP machine has a user agent string that looks like this: "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_13".

That means that this rule kicks out everyone connecting with a Java applet from a Windows XP machine. This is surely not the correct behaviour, so the rule should be fixed to either not block user agent strings that contain "Windows XP", or only block traffic where the user agent string contains exactly "Windows XP 5", i.e. not with a "." following it.

Download Errors

We are aware of download errors when attempting to download the ZIP/TAR files. The problem is associated with the nodeload.github.com domain. We have opened a ticket with GH Support.

In the interim, you can use -

$ git clone master

rule 959006 incorrectly matches id; in User-Agent headers

CORERULES-18: User agent with following identity "Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.1.3) Gecko/200908 24 YFF35 Firefox/3.5.3" will match to 959006 rule. I change the regexp from "... (?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?: ..." to "... (?:xte)?rm|ls(?:of)?|telnet|uname|echo)\b|id(?!;\srv:)\b|g(?: ...", but there is possibility if attacker add "; rv:" after id to bypass this rule.

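Why the three alerts in the audit log of the "mod_security false alarm" report above, and the 959006 User-Agent match in this last report, fire on benign input, as an added example that is not part of either report or of the CRS. The 981173 character class is copied from the audit log with its backslash escaping undone (the three multibyte quote characters of the original class are left out, an assumption that does not affect these inputs); COMMAND_AFTER_SEPARATOR is a reduced form of the `[;|]\W*?\b(...|id)\b` branch of the command-injection pattern, keeping only a handful of the command names (assumption); the argument values, query string and User-Agent are the ones quoted on this page:

```python
import re
from urllib.parse import unquote_plus

# 981173: the character class printed in the audit log above, with the log's
# backslash escaping undone. The three multibyte quote characters of the
# original class are omitted (assumption; none of the inputs here use them).
RESTRICTED_CHARS = "~!@#$%^&*()-+={}[]|:;\"'`<>"
SPECIAL_CHAR_RUN = re.compile(
    r"""([~!@#$%^&*()\-+={}\[\]|:;"'`<>].*?){4,}"""
)


def count_restricted_chars(value):
    """How many restricted characters a value carries (the rule's real metric)."""
    return sum(1 for ch in value if ch in RESTRICTED_CHARS)


def rule_981173_fires(value):
    """The rule fires once four restricted characters appear, in any order."""
    return SPECIAL_CHAR_RUN.search(value) is not None


# 950006 / 959006: reduced form of the page's command-injection pattern, the
# branch that wants a shell separator followed by a bare command name. The
# real rule lists many more names; this subset is an assumption.
COMMAND_AFTER_SEPARATOR = re.compile(r"[;|]\W*?\b(?:chmod|id|ls|telnet|uname|echo)\b")


def query_arg_names(query_string):
    """Argument names as the WAF sees them (ARGS_NAMES); split on '&' only."""
    names = []
    for pair in query_string.split("&"):
        if pair:
            names.append(unquote_plus(pair.split("=", 1)[0]))
    return names


def command_injection_hits(query_string):
    """Argument names on which the separator-plus-command branch matches."""
    return [n for n in query_arg_names(query_string)
            if COMMAND_AFTER_SEPARATOR.search(n)]


def user_agent_flagged(user_agent):
    """The same branch applied to a User-Agent header (the 959006 report)."""
    return COMMAND_AFTER_SEPARATOR.search(user_agent) is not None


if __name__ == "__main__":
    # ARGS:id values from the first two transactions in the audit log.
    for slug in ["139:bezvozvratnoe-udaleniezatiranieunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli",
                 "129:obnaruzhen-novyj-generator-virusov-diy"]:
        print(count_restricted_chars(slug), rule_981173_fires(slug), slug)
    # Query string of the fourth transaction, with its literal '&amp;'.
    qs = "option=com_content&amp;view=article&amp;id=67%3Austanovka-pear-na-php-54-pod-windows&amp;Itemid=66"
    print(query_arg_names(qs), command_injection_hits(qs))
    # User-Agent from the 959006 report ('id' is a locale tag there).
    ua = "Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.1.3) Gecko/200908 24 YFF35 Firefox/3.5.3"
    print(user_agent_flagged(ua))
```

The request line of the fourth transaction carries `&amp;` rather than `&`, so the argument names the WAF sees are `amp;view`, `amp;id` and `amp;Itemid`, and the `;id` inside `amp;id` is exactly a separator followed by the command name `id`; the same branch accepts `; id;` in a User-Agent, which is the 959006 report. The SEO slugs trip 981173 because a colon plus three or more hyphens already reaches the four-character threshold. Both are argument-specific false positives, the situation ModSecurity's SecRuleUpdateTargetById directive (removing one argument from one rule's targets) exists for, as opposed to switching the rule off with SecRuleRemoveById.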