What does the debug log show when you run these checks?
Try this -
SecRule "TX:'/tx.900030-Detects\s(.*)-ARGS_NAMES:jform/'" "@contains ]["
"chain,phase:2,t:none,nolog,pass"
SecRule MATCHED_VAR_NAME "TX\:(.*)"
"capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
-Ryan
From: [email protected]
Date: Fri, 6 May 2011 08:29:53 -0500
To: [email protected]
Subject: [Owasp-modsecurity-core-rule-set] Joomla jforms issue
Good day,
I have a problem with a site that is currently running Joomla 1.6.0, when
working in the admin panel.
The site gives false positives on the below rule in
modsecurity_crs_41_phpids_filters.conf:
SecRule ARGS|ARGS_NAMES|XML:/*
"(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
"phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'900030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
The reason for the matching seems to be the posting of the data once the
particular article has been updated. Some snippets of the audit log for this
site:
Message: Pattern match
"(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
at ARGS_NAMES:jform[rules][core.edit][6]. [file
"/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns
1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match
"(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
at ARGS_NAMES:jform[rules][core.edit.state][6]. [file
"/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns
1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match
"(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
at ARGS_NAMES:jform[rules][core.delete][7]. [file
"/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns
1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match
"(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
at ARGS_NAMES:jform[rules][core.edit][7]. [file
"/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns
1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match
"(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
at ARGS_NAMES:jform[rules][core.edit.state][7]. [file
"/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns
1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match
"(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)"
at ARGS_NAMES:jform[rules][core.delete][2]. [file
"/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns
1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Seeing that the rule set the variable, I wanted to match based on that
variable:
[06/May/2011:14:18:50 +0200]
[/sid#809b82900][rid#81de4e0a8][/administrator/index.php][9] Set variable
"tx.900030-Detects common XSS concatenation patterns
1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_icons]" to "][s".
I used a combination of resources from the below sites to create the correct
rule structure:
https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2010-January/000257.html
http://www.modsecurity.org/blog/archives/2007/12/using_transacti.html
The file that I used for my rule is:
modsecurity_crs_48_local_exceptions.conf
The rules are as follows.
1) SecRule TX:"/tx.900030-Detects\s(.*)-ARGS_NAMES:jform/" "@contains ][" "chain,phase:2,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Fix false positive',pass"
   SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
2) SecRule TX:"/tx.900030-Detects\s(.*)-ARGS_NAMES:jform/" "@contains ][" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
3) SecRule TX:'/tx.900030-Detects(.*)-ARGS_NAMES:jform/' "@contains ][" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
   #### This rule did not want to work with the single quotes.
From what I have tested so far, the regex should work for all variants of the
variables set; however, the anomaly score does not decrease, and from what I
could see in both the audit and debug logs it does not look like it follows
the logic as I understand it. So either the regex is incorrect or I am placing
it in the incorrect file, but then why would it work when I remove the
rule in the same file using SecRuleRemoveById?
Some of the variants (there are currently 55):
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_item_navigation]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_icons]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_print_icon]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_email_icon]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_vote]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_hits]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_noauth]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][alternative_readmore]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][article_layout]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][robots]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][author]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][rights]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][xreference]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][1]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][1]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit.state][1]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][6]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][6]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit.state][6]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][7]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][7]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit.state][7]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][2]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][2]
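As an added illustration (not code from the post, from Ryan or from the CRS), here is a small Python model of how the two-rule exception chain discussed above walks the TX collection. It assumes, as with ARGS:/re/, that the selector regex is tested against each variable name without the "tx." collection prefix, that MATCHED_VAR_NAME carries only the last variable the first rule matched, and that the chained actions run once per chain match; the TX contents and the second, anchored selector are constructed here for comparison.

```python
import re

# Constructed TX collection as it would look after rule 900030 fired on four of the jform
# parameters listed in the post (cf. the debug-log line: Set variable "tx.900030-...
# -ARGS_NAMES:jform[attribs][show_icons]" to "][s"). Assumption: setvar:tx.NAME stores
# NAME, without the "tx." collection prefix, as the key.
PREFIX = ("900030-Detects common XSS concatenation patterns 1/2"
          "-WEB_ATTACK/INJECTION-ARGS_NAMES:")
FIRED_ON = ["jform[attribs][show_icons]", "jform[metadata][robots]",
            "jform[rules][core.edit][6]", "jform[rules][core.delete][7]"]

def sample_tx():
    tx = {"anomaly_score": 16}            # four hits x setvar:tx.anomaly_score=+4
    for arg in FIRED_ON:
        tx[PREFIX + arg] = "][c"          # value is %{tx.0}, the captured fragment
    return tx

def run_exception_chain(tx, selector):
    """Simulate the chain from the post:
         SecRule TX:/<selector>/ "@contains ][" "chain,phase:2,t:none,nolog,pass"
         SecRule MATCHED_VAR_NAME "TX\\:(.*)" "capture,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
    Assumptions: the selector regex is tested against each TX name without the "tx." prefix
    (as with ARGS:/re/); MATCHED_VAR_NAME is "TX:<name>" of the last variable rule 1 matched;
    the chained actions run once per chain match. Returns the unset name, or None."""
    sel = re.compile(selector)
    matched_var_name = None
    for name, value in tx.items():                 # rule 1: selector + @contains ][
        if sel.search(name) and "][" in str(value):
            matched_var_name = "TX:" + name
    if matched_var_name is None:
        return None
    captured = re.search(r"TX:(.*)", matched_var_name).group(1)   # rule 2: capture -> tx.1
    tx.pop(captured)                               # setvar:!tx.%{tx.1}
    tx["anomaly_score"] -= 4                       # setvar:tx.anomaly_score=-4
    return captured

POSTED_SELECTOR = r"tx.900030-Detects\s(.*)-ARGS_NAMES:jform"   # selector as posted
ANCHORED_SELECTOR = r"^900030-Detects\s(.*)-ARGS_NAMES:jform"   # hypothetical: no "tx." prefix

def compare_selectors():
    """For each selector: (name unset, anomaly_score after, 900030 variables still set)."""
    results = {}
    for label, selector in (("posted", POSTED_SELECTOR), ("anchored", ANCHORED_SELECTOR)):
        tx = sample_tx()
        unset = run_exception_chain(tx, selector)
        results[label] = (unset, tx["anomaly_score"], len(tx) - 1)
    return results

if __name__ == "__main__":
    for label, (unset, score, left) in compare_selectors().items():
        print(f"{label:8s} unset={unset!r} anomaly_score={score} vars_left={left}")
```

Under these assumptions the posted selector never matches a stored name, so the score stays at 16, while the anchored variant matches but, because the chain fires once, unsets only the last matched variable and subtracts 4 a single time.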
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set