I am not sure if this is the right mailing list for these questions.
What's the best tool to manage ModSecurity logs, keeping in mind that performance is a concern? Is there any good article on how to configure ModSecurity for better performance?

Thanks
Abdellah

From: [email protected] [mailto:[email protected]] On Behalf Of Mirabito, Massimo (Max) (CDC/OID/OD) (CTR)
Sent: Tuesday, March 08, 2011 1:59 PM
To: '[email protected]'
Cc: Wang, Silver (CDC/OID/OD) (CTR)
Subject: [Owasp-modsecurity-core-rule-set] Rule Set is being violated on modsecurity_crs_41_phpids_converter.conf line 70

Dear All,

We are having difficulty with one of our applications, as it appears that mod_security is blocking some of the content, thinking that it is a vulnerability. We are running Apache version 2.2 with mod_security version 2.05.

The URL that is giving us problems is as follows:

https://myserver.com/MYAPP/nt/chart/run.do?t=tcg&m=cot/trend&f=png&r=3&y=2005+to+2009&d=labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];tlabels_x:[2005,2006,2007,2008,2009];g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],[90,85,87,89,90,-8.88888888E8,null],[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],[null,null,null,null,null,-8.88888888E8,93]];t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]&c=0+0+0+0+1&rid=1

The peculiar thing is that a similar URL runs properly, see below:

https://myserver.com/MYAPP/nt/chart/run.do?t=pct&m=cot/outcomes&f=png&r=3&y=2009&d=p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]&&rid=1

The logs show the following rule being violated:

Message: Pattern match "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" at ARGS:d. [file "C:/Apache2.2/conf/mod_security/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "70"] [id "973016"] [msg "Basic Charcode Pattern Found"] [data "2005,2006,2007,2008,2009,-8.88888888e3"]

The rule in question is located in modsecurity_crs_41_phpids_converter.conf, line 70:

SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

My coworker discovered that if we modify a portion of the rule, then we are able to run the application properly. In particular, if we modify {4,} to {10,}, then things begin working:

SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" ...

TO ...

SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){10,}" ...

We are concerned that by making this change we either inadvertently make our security weaker or break other things. So we are wondering whether the rule has an inherent problem, and whether there is a way to either resolve it or bypass it, or any other best practice.

Any feedback is greatly appreciated.

Thanks,
Max
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
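The following is an added worked example, not part of the thread and not CRS or ModSecurity code. It reproduces rule 973016's transformation chain and regex in Python against the two d= values from Max's mail (re-joined across the mail-client line wraps and assumed to have been sent without percent-encoding, as they appear in the mail), so that one can see what the rule captures on the blocked URL, why the second URL is not affected, and what the {10,} change actually thresholds. The helper names (transform, first_match, max_commas_in_run) and the run-splitting shortcut are this example's own, not anything from the CRS.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

# Regex of CRS rule 973016 ("Basic Charcode Pattern Found") as quoted in the
# thread, with the repetition count left as a parameter so the original {4,}
# and the coworker's {10,} can be compared.  Note that "+-=" inside the class
# is a range from '+' (0x2B) to '=' (0x3D): besides digits, space, '*', '+',
# '-', '/' and '=' it also admits ',', '.', ':', ';' and '<'.
RULE_973016 = r"(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){%d,}"

# Maximal runs of characters the rule's class can consume.  A match can never
# cross a character outside the class (after compressWhiteSpace the only
# whitespace left is the space, which is itself in the class).
CLASS_RUN = re.compile(r"[\d+-=\/\* ]+")

# Constructed input: the d= argument of the two URLs in the mail, re-joined
# across the line wraps and taken as sent (no percent-encoding).
D_BLOCKED = (
    "labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];"
    "tlabels_x:[2005,2006,2007,2008,2009];"
    "g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],"
    "[90,85,87,89,90,-8.88888888E8,null],"
    "[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],"
    "[null,null,null,null,null,-8.88888888E8,93]];"
    "t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]"
)
D_ALLOWED = (
    "p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],"
    "[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]"
)


def transform(value: str) -> str:
    """Approximate the rule's t: chain: urlDecodeUni, htmlEntityDecode,
    compressWhiteSpace, lowercase (t:none only resets the chain).
    unquote_plus covers %XX and '+'; the %uXXXX form that urlDecodeUni also
    accepts is not needed for these inputs."""
    value = unquote_plus(value)
    value = unescape(value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def first_match(value: str, min_reps: int = 4):
    """Return the text rule 973016 would capture into TX.0, or None.
    Each class run is tested with re.match: a match anywhere inside a run
    can be extended leftwards to the run start (the leading [...]+ just
    absorbs the extra class characters), so matching at the start is
    equivalent to searching within the run, and it avoids re-running the
    nested-quantifier backtracking at every offset of the value."""
    pattern = re.compile(RULE_973016 % min_reps)
    for run in CLASS_RUN.findall(transform(value)):
        m = pattern.match(run)
        if m:
            return m.group(0)
    return None


def max_commas_in_run(value: str) -> int:
    """Every repetition of the outer group consumes exactly one literal ','
    via \\s?,\\s?, so a run with fewer than N commas can never satisfy {N,}.
    This comma count is what raising the repetition count really thresholds."""
    return max((run.count(",") for run in CLASS_RUN.findall(transform(value))), default=0)


if __name__ == "__main__":
    print("blocked URL, {4,}:", first_match(D_BLOCKED))
    print("allowed URL, {4,}:", first_match(D_ALLOWED))
    print("blocked URL, {10,}:", first_match(D_BLOCKED, 10))
    print("max commas per run:", max_commas_in_run(D_BLOCKED), max_commas_in_run(D_ALLOWED))
```

On the blocked URL the capture is the first numeric run of the labels_x list, while the second URL never has more than one comma per run, so it cannot reach four repetitions. The longest run in the blocked URL has five commas, which is why any count of six or more silences it and {10,} works; but the count applies to every argument of every request, so the edit weakens the evasion check globally. The usual way to handle a confirmed false positive is to disable the rule only where it fires, for example SecRuleRemoveById 973016 inside a <LocationMatch> block for /MYAPP/nt/chart/run.do (that directive exists throughout ModSecurity 2.x), or, in releases that provide SecRuleUpdateTargetById, to exclude just ARGS:d from this one rule's targets.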
