On 12/30/10 2:43 PM, "Dimitri Yioulos" <[email protected]> wrote:
>All,
>
>With the installation of the latest ruleset, I'm
>now getting the following alerts:
>
>Warning - Sticky SessionID Data Changed -
>User-Agent Mismatch. Access denied with code
>403 (phase 2). Match of "streq %{SESSION.UA}"
>against "TX:ua_hash" required.
>
>Hope I'm not being too stupid here, but what does
>that mean? Am I blocking legitimate traffic?
>
>Better still, is there a place (documents, etc.)
>that describes various alerts?

This ruleset will track the IP Address Block Range and User-Agent string
hash for each user and tie it to a SessionID. If those values change
during the course of a session, it will trigger. The goal is to identify
possible session hijacking attacks.

Dimitri - please download the latest release (CRS v2.1.1) that I just
released today. I made a change to the Session Hijacking conf file -

CHANGES file -
- Updated the session hijacking conf file to only enforce rules if a
  SessionID Cookie was submitted

http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_16_session_hijacking.conf?revision=1576

I added this line which will skip the check if the client doesn't submit a
SessionID Cookie -

SecRule &REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' "@eq 0" \
    "phase:1,t:none,nolog,pass,skipAfter:END_SESSION_STARTUP"

Hope this helps,
Ryan
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
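
The check described in the reply above, modelled in Python as an added example (not part of the original message and not the CRS code itself). The cookie-name pattern is the one from the posted SecRule; the /24 and /64 block sizes, the SHA-256 hash, case-insensitive name matching and the `SessionTracker` class are assumptions made for illustration.

```python
import hashlib
import ipaddress
import re

# Cookie-name pattern copied from the SecRule in the message above.
# Assumption: cookie names are matched case-insensitively.
SESSION_COOKIE_RE = re.compile(
    r"(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)",
    re.IGNORECASE,
)

def ip_block(addr):
    """Assumption: the 'IP address block range' is the /24 (IPv4) or /64 (IPv6) network."""
    prefix = 24 if ipaddress.ip_address(addr).version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def ua_hash(user_agent):
    """Assumption: SHA-256; the message only says that a hash of the User-Agent is stored."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

class SessionTracker:
    """Hypothetical stand-in for the per-session collection the ruleset keeps."""

    def __init__(self):
        self._seen = {}  # session id -> (ip block, User-Agent hash) from the first request

    def check(self, cookies, remote_addr, user_agent):
        sid = next((v for k, v in cookies.items() if SESSION_COOKIE_RE.search(k)), None)
        if sid is None:
            return "skip"  # no SessionID cookie submitted: the checks are not enforced
        current = (ip_block(remote_addr), ua_hash(user_agent))
        stored = self._seen.setdefault(sid, current)  # first sighting pins the values
        if stored == current:
            return "pass"
        reasons = []
        if stored[0] != current[0]:
            reasons.append("ip-block-mismatch")
        if stored[1] != current[1]:
            reasons.append("user-agent-mismatch")
        return "deny:" + ",".join(reasons)

if __name__ == "__main__":
    tracker = SessionTracker()
    # Constructed sample requests: (cookies, client address, User-Agent).
    for req in [({"theme": "dark"}, "203.0.113.10", "Mozilla/5.0 (X11) Firefox/3.6"),
                ({"PHPSESSID": "abc123"}, "203.0.113.10", "Mozilla/5.0 (X11) Firefox/3.6"),
                ({"PHPSESSID": "abc123"}, "203.0.113.77", "Mozilla/5.0 (X11) Firefox/3.6"),
                ({"PHPSESSID": "abc123"}, "198.51.100.5", "curl/7.21")]:
        print(req[1], "->", tracker.check(*req))
```

A User-Agent change within one session, for example after a browser update or behind a proxy that rewrites the header, gives the same mismatch as a replayed cookie, which is why the alert can also fire on legitimate traffic.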