ModSecurity | open source, cross-platform web application firewall | Firewall library
kandi X-RAY | ModSecurity Summary
Libmodsecurity is a complete rewrite of the ModSecurity platform. When it was first devised, the ModSecurity project was just an Apache module. Over time the project has been extended, due to popular demand, to support other platforms, including (but not limited to) Nginx and IIS. To meet the growing demand for additional platform support, it became necessary to remove the Apache dependencies underlying the project, making it more platform independent. As a result, Libmodsecurity has been re-architected so that it no longer depends on the Apache web server, either at compile time or at run time. One side effect is that users on all platforms can expect improved performance. The rewrite also lays the groundwork for features users have long asked for, such as native support for audit logs in JSON format, along with a host of other functionality in future versions.
Trending Discussions on ModSecurity
QUESTION
We are facing a problem where, in certain cases, ModSecurity is not recording the block in the audit log, despite our having set it as the default action and the rule not having any logging property set. In the error log we can see only the rule that was triggered because the anomaly score was reached, but nothing about the rules that actually contributed to the score. In some other cases this information is visible.
In modsecurity.conf we have logging of rules enabled.
...ANSWER
Answered 2022-Mar-14 at 08:56
It is a bug present in ModSecurity 3.0.6 when used together with Nginx.
The resolution is either not to use a custom error_page in the Nginx configuration, or to recompile the current solution with this fix: https://github.com/SpiderLabs/ModSecurity-nginx/pull/273
QUESTION
I have a project (it's an old project; it's actually only used as an archive since we moved on from this app) with ResourceSpace, that sometimes needs to be accessed to download some images.
We now have an issue where users are unable to download, as we're getting the following error:
...ANSWER
Answered 2022-Feb-16 at 19:05
Core Rule Set Developer on Duty here. To confirm: when a user takes a legitimate action (making a download, as you mentioned) then that is the error log entry that appears? And the URL in your error message:
https://jlam.com/rs/pages/download_progress.php?ref=18275
looks legitimate? If so, then your intuition is correct: that is indeed a false positive! Core Rule Set rule 932115 is matching in error.
False positives need to be tuned away to make a given web application fully usable through a WAF. We've written extensively about how to do this in our official documentation, which you can find here: https://coreruleset.org/docs/configuring/false_positives_tuning/
Let's look at the exact issue from your example:
QUESTION
I'm getting tripped up by my WHM ModSecurity using OWASP3 rules.
I'd like to create a custom rule in the Rules List in Home > Security Center > ModSecurity Tools > Rules List following these exclusions:
...ANSWER
Answered 2022-Jan-14 at 22:51
Core Rule Set Dev on Duty here. As the list of exclusions you gave comes from someone else's blog post, it's probably best to ignore them. They disable some key functionality of the Core Rule Set (the 9xxxxx rules you're using are from the OWASP Core Rule Set), so it's best not to apply those rule exclusions unless you're certain you know what you're doing and why those exclusions are required.
The three entries from the "HitList" that you quoted: are you certain those are the result of known good traffic? Are those definitely from when you were trying to update a page and you got 403 errors? If you're sure those are genuine false positives (and not attacks) then let's continue…
False positive #1
- The rule causing the false positive: 921110
- The location in question: /wp-admin/post.php
- The variable causing the false positive: ARGS:content
Applying a rule exclusion means poking a hole in your WAF's security. We want to try and be as specific as possible so that we make only the smallest hole necessary. We just want to let through the transactions that are being blocked in error and nothing more. We don't want to open a large hole and present an opportunity for attackers to get through.
With that in mind, let's try taking the following approach: let's exclude only the variable in question (ARGS:content) and exclude it only from the rule causing the issue (921110) and only for the location we've seen the problem occur at (/wp-admin/post.php).
Putting all that together looks like so:
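The exclusion described in this answer, written out as an added example (not the answer's own configuration, and not from the ModSecurity or CRS projects). It uses the runtime exclusion form the CRS documentation recommends: a rule that matches only the affected location and, on match, removes the one variable from the one rule. The rule id 10000 is a placeholder; the same three-part recipe (rule id, location, variable) also applies to the 932115 false positive in the earlier answer once its offending variable is identified. The coarser configure-time alternative is shown commented out for comparison.

```apache
# Added example, not part of the original answer.
# Load this file before the CRS rules (for CRS 3.x, the
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file), so the ctl action
# runs before rule 921110 is evaluated. Placeholder id: 10000.

# Narrow hole: only rule 921110, only ARGS:content, only under /wp-admin/post.php.
# REQUEST_URI includes the query string, so @beginsWith still matches ?post=123.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:10000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=921110;ARGS:content"

# Coarser alternative (configure-time, applies to every location on the site):
# it stops 921110 from ever inspecting ARGS:content, which is a larger hole
# than the problem requires.
# SecRuleUpdateTargetById 921110 "!ARGS:content"
```

Check the effect by repeating the original request that was blocked and confirming there is no 921110 entry in the error log, then send the same payload to a different path and confirm 921110 still fires there.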
QUESTION
An image on our site is flagging a modsec rule. I am trying to add a rule exception for only that occurrence. The number at the start of the flagged string is a session number, so I have added a regex to my rule.
I've tried various permutations but had no joy and would appreciate some advice.
Blocked URI: https://www.website.com/application/login?0--preLoginHeaderPanel-companyLogo
Modsec log snippet: [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS_NAME:0--preLoginHeaderPanel-companyLogo: 0--preLoginHeaderPanel-companyLogo"]
Attempted exceptions (within apache.conf):
SecRuleUpdateTargetById 942100 !ARGS_NAMES:'[0-9][0-9]?--preLoginHeaderPanel-companyLogo'
...ANSWER
Answered 2022-Jan-12 at 11:51
Core Rule Set Dev on Duty here. Rule 942100 is one of our 'LibInjection' rules. LibInjection is quite opaque (it's a third party library/operator), so you're correct that a rule exclusion is the way to fix this issue.
The use of regular expressions in this context follows a specific form. They need to be sandwiched inside forward slashes, like so:
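The regex target form the answer refers to, as an added example (not the answer's own directive). The regular expression from the attempted exclusion in the question is kept as is, wrapped in forward slashes and anchored at both ends so it only selects argument names of exactly this shape.

```apache
# Added example, not from the original answer.
# A regex-selected target is written /regex/ rather than quoted; quotes make
# ModSecurity look for an argument literally named [0-9][0-9]?--preLoginHeaderPanel-companyLogo.
# Anchors (^ and $) stop the exclusion from leaking to longer names that merely
# contain this text.
SecRuleUpdateTargetById 942100 "!ARGS_NAMES:/^[0-9][0-9]?--preLoginHeaderPanel-companyLogo$/"
```

This removes only the argument name from rule 942100's inspection; the argument's value is still checked by 942100 as ARGS, and every other rule still sees both.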
QUESTION
Note: Question has been updated:
What I am really trying to solve is:
Two types of requests: A and B.
B shall only be allowed if A has been called within the last 5 minutes (from the same ip-address).
My idea for trying to solve this is to have one SecRule, for A-requests, set a mod_sec variable with an expiry timeout, to say that the other type of request will be OK.
For B-requests I want to check whether this mod_sec variable is set or not. If it is not set I want to deny the request.
My problem with this is that I cannot make the second SecRule match when the variable is not yet set or has expired.
Original question, which is more of a description of how I tried to make the second match:
How do I make a mod_security (2.x) SecRule match on a (yet) undefined variable in Apache config?
I.e. I need the SecRule to be fulfilled if the variable is not yet defined. Some things I tested are matching with @eq 0, as anything else should be converted into a 0, but that did not work. I also tried using ! as a not operator inside the operator field of SecRule, but to no avail (or maybe incorrect use?). And I even tried using @unconditionalMatch, but it still does not match.
...ANSWER
Answered 2021-Nov-17 at 06:53
Unfortunately the documentation mentioned above doesn't describe the & "operator" in the case of SecRule's variables. This character has a special meaning:
- if the variable is a collection (e.g. ARGS), then using & gives back the length of the collection. E.g. &ARGS gives you how many arguments there are
- if the variable is a string (e.g. REQUEST_URI) then it gives the length of its value. You can use it for collection members, e.g. &REQUEST_HEADERS:Host
You can use this form against the operator @eq with a numeric argument, e.g. @eq 0.
So, based on your clarification, I think you can use something like this:
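A complete rule set for the A/B gating described in the question, written as an added example (not the answer's own rules) for ModSecurity 2.x under Apache. It assumes A requests hit the path /a and B requests hit /b; the rule ids and the SecDataDir path are placeholders. The key piece is the chained rule's &IP:a_seen test, which counts matching collection members and is therefore 0 both when the variable was never set and after expirevar has removed it.

```apache
# Added example, not part of the original answer. Placeholder ids 10010-10012,
# placeholder paths /a and /b, placeholder data directory.

# Persistent collections (ip, session, ...) are stored on disk in 2.x.
SecDataDir /var/cache/modsecurity

# Make a per-client collection named IP available to every later rule.
SecAction "id:10010,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Request A: remember that this client made it, for 300 seconds (5 minutes).
# REQUEST_FILENAME is the path without the query string, so @streq is exact.
SecRule REQUEST_FILENAME "@streq /a" \
    "id:10011,phase:1,pass,nolog,\
    setvar:ip.a_seen=1,\
    expirevar:ip.a_seen=300"

# Request B: deny unless ip.a_seen currently exists.
# '&IP:a_seen' is the number of members named a_seen in the IP collection:
# 0 when never set or already expired, 1 while a recent A request is on record.
# The disruptive action lives on the first rule of the chain; the chained
# rule only supplies the second condition.
SecRule REQUEST_FILENAME "@streq /b" \
    "id:10012,phase:1,deny,status:403,log,\
    msg:'B request without an A request from %{REMOTE_ADDR} in the last 5 minutes',chain"
    SecRule &IP:a_seen "@eq 0"
```

Two caveats a practitioner will want: keying on REMOTE_ADDR means clients behind the same NAT share one record, and behind a reverse proxy REMOTE_ADDR is the proxy itself, so the real client address has to be restored (for example with mod_remoteip) before ModSecurity sees it.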
QUESTION
We use ModSecurity 3.X for NGINX with the OWASP Core Rule Set.
We have a problem with an image in base64 and rule 941170.
The pattern of the rule is
...ANSWER
Answered 2021-Oct-27 at 12:53
The SecRuleUpdateTargetById rule exclusion you provided looks good to me.
To be clear, the effect of that rule exclusion is:
- Rule 941170 no longer applies to the screen argument
- Rule 941170 still applies to all other arguments as usual
- All other rules still apply to all arguments, including screen, as usual
Is there a reason you're not happy with this?
If you're running a super-high security setup which means that the SecRuleUpdateTargetById rule exclusion is too coarse, two suggestions I would make:
- If appropriate for your web application, limit the rule exclusion for rule 941170 to only apply to the screen argument and only for a given location (for example, only for requests to /login.php)
- Limit the rule exclusion for rule 941170 to only apply to the screen argument and only when screen begins with the string data:image/jpeg;base64
You could even combine both of those suggestions to be extremely specific.
If either, or both, of those sound applicable to your situation, let me know if you would like help to put those rule exclusions together.
Also, what paranoia level are you currently running in, out of interest?
Regarding your suggestion to modify rule 941170's regular expression, it's a bad idea to directly modify third-party rules, such as the Core Rule Set rules. You essentially end up creating your own fork of the rule set, and you're left with the responsibility for maintaining any modifications you make. Upgrading the rule set would become difficult: you would have to remember to keep re-applying, and possibly change, your modifications. In short: rule exclusions are the way to go!
Update: The second rule exclusion described above may look something like this:
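The combined form of the two suggestions in this answer, as an added example (not the answer's own rule). It chains the location condition and the value-prefix condition, so ARGS:screen is removed from rule 941170 only for /login.php and only when the value is a base64 JPEG data URI; every other request, argument and rule is untouched. The rule id is a placeholder, and /login.php is the example location from the answer.

```apache
# Added example, not part of the original answer. Placeholder id 10020.
# Phase 2 is required: ARGS includes POST body parameters, which are not
# available in phase 1. Because 941170 also runs in phase 2, this rule must be
# loaded before the CRS rules so the ctl action is applied first.
#
# The ctl action sits on the last rule of the chain on purpose: non-disruptive
# actions on the first rule of a chain execute as soon as that rule matches,
# before the rest of the chain has been evaluated.
SecRule REQUEST_FILENAME "@endsWith /login.php" \
    "id:10020,phase:2,pass,nolog,chain"
    SecRule ARGS:screen "@beginsWith data:image/jpeg;base64" \
        "ctl:ruleRemoveTargetById=941170;ARGS:screen"
```

To verify the hole is no wider than intended, submit the same data URI in a different argument name, or to a different path, and confirm 941170 still blocks it.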
QUESTION
I'm trying to write a modsecurity rule that will match several bad User-Agent strings. User agent string looks like this: "bad-agent name (+http://example.com/)"
But my rule doesn't seem to be working:
...ANSWER
Answered 2021-Oct-16 at 12:59
Your rule looks mostly correct.
Make sure that the SecRuleEngine directive is set to On and not DetectionOnly, otherwise your rule's drop action will never be executed, even if the rule matches.
Note: Check your error log file. If you see that your rule is matching (and being logged) but your tests aren't having the expected result (no dropped connections), that would suggest that your ModSecurity instance is in DetectionOnly mode.
You could also swap out drop for deny, which may be easier to test with (a 403 response would be a concrete indication that your rule was working!).
If you do need to anchor your regular expression, you could use:
QUESTION
Summary:
I have set up a basic WAF with mod_security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger CRS rule 920100:
Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]
Details regarding setup:
I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by CRS and only modified these two settings regarding the threshold and allowing the CONNECT HTTP method. (The CONNECT method is used in our setup for proxy purposes.)
ANSWER
Answered 2021-Oct-13 at 21:58
Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:
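An added example, not the answer's own configuration. The CONNECT branch of the regular expression quoted in the question, connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?, accepts only a dotted-quad IPv4 target, which is why the request line with a hostname target in the log data fails the rule. Since the regex is part of a third-party rule, the fix is a runtime exclusion scoped to CONNECT requests whose target is host:port, rather than an edit to the rule. The rule id is a placeholder.

```apache
# Added example, not part of the original answer. Placeholder id 10040.
# Rule 920100 runs in phase 1, so this exclusion must also be phase 1 and must
# be loaded before the CRS rules.
#
# Only CONNECT requests reach the chained rule; only request lines of the exact
# shape "CONNECT host:port HTTP/1.x" switch 920100 off. Everything else,
# including malformed CONNECT lines, is still checked by 920100.
SecRule REQUEST_METHOD "@streq CONNECT" \
    "id:10040,phase:1,pass,nolog,chain"
    SecRule REQUEST_LINE "@rx ^CONNECT [\w.-]+:\d+ HTTP/1\.[01]$" \
        "ctl:ruleRemoveById=920100"
```

After loading it, a CONNECT to a hostname should no longer produce the 920100 warning in modsec_audit.log, while a CONNECT with a garbage target (for example a missing port) should still do so.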
QUESTION
I have quite a simple system: an ASP.NET Core server which is hosted on domain.ru. In an API controller there I have 2 methods:
...ANSWER
Answered 2021-Oct-09 at 12:23
Well, it seems like I found an answer myself. I'll leave it here so it can help someone (maybe me in the future).
Code of the client's send method:
QUESTION
After deploying the website to shared hosting, sometimes all the website's routes become a white page, but at the same time and on the same system, in another browser, all the website's routes come up and work properly.
The white page occurs for 1 minute or a short time and then it's gone. I mean, if the whole website becomes a white page for me on my laptop, I can access it on my mobile at the same time. And after 1 minute the blank page is gone for me! This blank page is not permanent.
This condition may be reversed after a few minutes: it crashes in the browser that was working and is fixed in the other one.
There are no errors in Laravel or the server log, whether related to the memory limit or other things. Laravel can write errors, because normal errors are stored in the Laravel error log, but I did not see any error that explains this white page.
And this problem does not exist when one user is working with the site, but when there is more than one user, this error occurs for some of them and after some minutes it's gone!!!
This is my website details:
...ANSWER
Answered 2021-Oct-08 at 18:52
The first line from the server error logs you provided is a ModSecurity log line. We can see that the Comodo WAF is in use:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network