Hey Mark,
You are correct about the severity.  It should NOT be listed as 2
"CRITICAL" - I will fix that.  It is at a NOTICE level.

As for Section K, it lists the rule lines that matched, however unlike the
actual Error or Audit log alert, macros are not expanded here.

-Ryan

On 3/19/12 9:33 AM, "Mark Boos (IntCom)" <m...@intcom.nl> wrote:

>Hi Ryan,
>
>But in section H of that audit log is:
>
>>> [id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"]
>
>I look for the word CRITICAL, so I thought that it would have score 5 so it
>would be above the max anomaly score.
>
>And in K isn't it strange that there are variables reported instead of
>numbers?:
>
>>> msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}'
>
>
>Regards
>Mark
>
>> -----Original Message-----
>> From: Ryan Barnett [mailto:rbarn...@trustwave.com]
>> Sent: Monday, 19 March 2012 14:15
>> To: m...@intcom.nl; owasp-modsecurity-core-rule-set@lists.owasp.org
>> Subject: Re: [Owasp-modsecurity-core-rule-set] anomaly score not
>> calculated ?
>>
>>
>> Mark,
>>
>> I would suggest that you use the latest CRS version as there are other
>> bugs that we have fixed.
>>
>> Looking at the example audit log entry you provided, that message "Host
>> header is a numeric IP address" only results in a NOTICE level anomaly
>> score increase - setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}
>>
>> Here is the complete rule -
>>
>> SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
>>   "phase:2,rev:'2.0.10',t:none,block,msg:'Host header is a numeric IP address',severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
>>
>> So, when this transaction gets to the 40 Inbound Blocking file this
>> ruleset is processed -
>>
>> # Alert and Block based on Anomaly Scores
>> #
>> SecRule TX:ANOMALY_SCORE "@gt 0" \
>>     "chain,phase:2,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
>>   SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain
>>     SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
>>       SecRule TX:/^\d/ "(.*)"
>>
>>
>> Section K of your audit log shows that the first SecRule matches -
>>
>> SecRule "TX:ANOMALY_SCORE" "@gt 0"
>> "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
>>
>>
>> But, then it gets to the second SecRule, which checks whether the anomaly
>> score is @ge your tx.inbound_anomaly_score_level, and it doesn't match.  This is
>> because only one rule, with the NOTICE level, matched.  The bottom line is
>> that this transaction's anomaly score was below your blocking threshold.
>>
>> Hope this helps,
>> Ryan
>>
>>
>>
>> On 3/19/12 8:16 AM, "Mark Boos (IntCom)" <m...@intcom.nl> wrote:
>>
>> >Hi,
>> >
>> >An introduction: I have been using ModSecurity for 5 weeks now, on a relatively
>> >quiet internet server. I am not a very experienced ModSecurity user, but the
>> >traditional score installation worked just fine. I hope you forgive me my
>> >shortcomings in knowledge.
>> >
>> >I have a problem with the anomaly method: there are warnings and critical
>> >errors in the log files, but it seems no action is being taken after the
>> >maximum score (5) is exceeded.
>> >
>> >Installation:
>> >- Debian stable with apache 2.2.16
>> >- libapache-mod-security 2.5.12-1
>> >- crs_2.0.10 rule files (downloaded because the latest and greatest
>> >crs_2.2.3 didn't work either)
>> >*modsecurity_crs_20_protocol_violations.conf
>> >*modsecurity_crs_21_protocol_anomalies.conf
>> >*modsecurity_crs_23_request_limits.conf
>> >*modsecurity_crs_35_bad_robots.conf
>> >*modsecurity_crs_40_generic_attacks.conf
>> >*modsecurity_crs_45_trojans.conf
>> >*modsecurity_crs_49_inbound_blocking.conf
>> >*modsecurity_crs_59_outbound_blocking.conf
>> >*modsecurity_crs_60_correlation.conf
>> >- latest slr
>> >*modsecurity_slr_10_ip_reputation.conf
>> >*modsecurity_slr_46_joomla_attacks.conf
>> >
>> >In modsecurity_crs_10_config.conf the anomaly configuration:
>> >----------------------------------------------------------------------
>> >SecDefaultAction "phase:2,pass,log"
>> >
>> >SecAction "phase:1,t:none,nolog,pass, \
>> >setvar:tx.critical_anomaly_score=5, \
>> >setvar:tx.error_anomaly_score=4, \
>> >setvar:tx.warning_anomaly_score=3, \
>> >setvar:tx.notice_anomaly_score=2"
>> >
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
>> >
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
>> >----------------------------------------------------------------------
>> >
>> >This results in mod-security audit log for example:
>> >----------------------------------------------------------------------
>> >--f3f66479-A--
>> >[15/Mar/2012:13:08:09 +0100] T2HbqX8AAAEAAEXDCtoAAAAG 93.94.***.** 43988 95.142.***.** 80
>> >--f3f66479-B--
>> >GET /translators.html HTTP/1.1
>> >TE: deflate,gzip;q=0.3
>> >Keep-Alive: 300
>> >Connection: Keep-Alive, TE
>> >Host: 95.142.165.25
>> >User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
>> >
>> >--f3f66479-F--
>> >HTTP/1.1 404 Not Found
>> >Vary: Accept-Encoding
>> >Content-Length: 214
>> >Keep-Alive: timeout=15, max=100
>> >Connection: Keep-Alive
>> >Content-Type: text/html; charset=iso-8859-1
>> >
>> >--f3f66479-H--
>> >Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
>> >Apache-Error: [file "/tmp/buildd/apache2-2.2.16/server/core.c"] [line 3648] [level 3] File does not exist: /var/www/vhosts/intcom.nl/httpdocs/translators.html
>> >Stopwatch: 1331813289736227 5847 (554 5505 -)
>> >Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.10.
>> >Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o
>> >
>> >--f3f66479-K--
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
>> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
>> >SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,chain,rev:2.0.10,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
>> >SecRule "REMOTE_ADDR" "@rx .*" "phase:1,chain,t:none,log,block,id:2200000,msg:'SLR: Client IP in Blacklist.',tag:AUTOMATION/MALICIOUS,setvar:tx.ip_blacklist=/%{matched_var}/"
>> >SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
>> >SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
>> >SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
>> >SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
>> >SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>> >
>> >--f3f66479-Z--
>> >
>> >----------------------------------------------------------------------
>> >
>> >It looks like the variables aren't being filled?
>> >
>> >Thank you for your time.
>> >
>> >Regards
>> >Mark
>> >
>> >_______________________________________________
>> >Owasp-modsecurity-core-rule-set mailing list
>> >Owasp-modsecurity-core-rule-set@lists.owasp.org
>> >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>> >
>>
>>
>> This transmission may contain information that is privileged,
>> confidential, and/or exempt from disclosure under applicable law.
>> If you are not the intended recipient, you are hereby notified
>> that any disclosure, copying, distribution, or use of the
>> information contained herein (including any reliance thereon) is
>> STRICTLY PROHIBITED. If you received this transmission in error,
>> please immediately contact the sender and destroy the material in
>> its entirety, whether in electronic or hard copy format.
>>
>



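The scoring walk-through Ryan gives in the thread, as an added example that is not part of the original thread, of the CRS itself, or of ModSecurity: a small Python model of the CRS 2.0.10 anomaly-scoring configuration quoted above (the SecAction score values and the chained rule from the 49 inbound-blocking file), plus a parser for the bracketed fields of a Section H alert line and an expander for the %{tx.…} macros that Section K leaves unexpanded. It shows why grepping the audit log for CRITICAL misleads: the `[severity "CRITICAL"]` label comes from the rule's severity number, while the score increment is whatever tx variable the rule's setvar names (for 960017 that is tx.notice_anomaly_score, i.e. 2), so one match leaves the total at 2, below the inbound_anomaly_score_level of 5, and the chain's deny never fires. The function names, the shortened sample log line and the hypothetical second transaction are my own constructions, not something from the page.

```python
import re

# Labels ModSecurity attaches to the numeric severity values in the audit log.
SEVERITY_LABELS = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
                   4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}


def init_tx():
    """Mirror the SecAction lines from modsecurity_crs_10_config.conf in the thread."""
    return {
        "critical_anomaly_score": 5,
        "error_anomaly_score": 4,
        "warning_anomaly_score": 3,
        "notice_anomaly_score": 2,
        "inbound_anomaly_score_level": 5,
        "anomaly_score_blocking": "on",
        "anomaly_score": 0,
        "sql_injection_score": 0,
        "xss_score": 0,
        "msg": "",
    }


MACRO_RE = re.compile(r"%\{tx\.([A-Za-z0-9_]+)\}", re.IGNORECASE)


def expand_macros(text, tx):
    """Expand %{tx.NAME} / %{TX.NAME} as the error/audit-log alert does
    (Section K lists the rule text with the macros still unexpanded).
    An unset variable expands to the empty string."""
    return MACRO_RE.sub(lambda m: str(tx.get(m.group(1).lower(), "")), text)


def apply_rule_match(tx, rule_id, msg, severity, score_var):
    """Record one matched rule the way its actions do: setvar:tx.msg=%{rule.msg}
    and setvar:tx.anomaly_score=+%{tx.<score_var>}. The severity number only
    decides the label shown in the log; the increment comes from score_var."""
    tx["msg"] = msg
    added = tx[score_var]
    tx["anomaly_score"] += added
    return {"id": rule_id, "label": SEVERITY_LABELS[severity], "added": added}


INBOUND_MSG = ("Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, "
               "SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): "
               "Last Matched Message: %{tx.msg}")


def inbound_blocking_decision(tx):
    """Model the chain from modsecurity_crs_49_inbound_blocking.conf: 'deny'
    sits on the first link but only fires when every link matches."""
    if not tx["anomaly_score"] > 0:                                # link 1: @gt 0
        return {"blocked": False, "message": None}
    message = expand_macros(INBOUND_MSG, tx)                       # link 1 matched: its msg is logged
    tx["inbound_tx_msg"] = tx["msg"]
    tx["inbound_anomaly_score"] = tx["anomaly_score"]
    if tx["anomaly_score"] < tx["inbound_anomaly_score_level"]:    # link 2: @ge level
        return {"blocked": False, "message": message}
    if tx["anomaly_score_blocking"] != "on":                       # link 3: @streq on
        return {"blocked": False, "message": message}
    # Link 4 (TX:/^\d/) captures the per-rule tx.<id>-... variable; not modelled here.
    return {"blocked": True, "message": message}


FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_alert_fields(line):
    """Pull the [key "value"] pairs out of a Section H Message line; tags repeat."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    fields["tags"] = tags
    return fields


# Constructed from the Section H entry in the thread (file path shortened).
SAMPLE_H_LINE = ('Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. '
                 '[file "modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] '
                 '[id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] '
                 '[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"]')


def walk_through():
    """Replay the thread's transaction, then a hypothetical one that does block."""
    alert = parse_alert_fields(SAMPLE_H_LINE)
    tx = init_tx()
    hit = apply_rule_match(tx, alert["id"], alert["msg"], 2, "notice_anomaly_score")
    only_notice = inbound_blocking_decision(tx)
    # Hypothetical second transaction: the same NOTICE hit plus one rule whose
    # setvar adds tx.critical_anomaly_score (constructed, not a real CRS rule).
    tx2 = init_tx()
    apply_rule_match(tx2, "960017", "Host header is a numeric IP address", 2, "notice_anomaly_score")
    apply_rule_match(tx2, "HYPOTHETICAL", "constructed critical match", 2, "critical_anomaly_score")
    with_critical = inbound_blocking_decision(tx2)
    return {"label": alert["severity"], "added": hit["added"],
            "only_notice": only_notice, "with_critical": with_critical}


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(key, value)
```

Running it prints the label CRITICAL next to an increment of 2 and a non-blocking decision whose expanded message reads "Total Score: 2, SQLi=0, XSS=0", which is what the error log would show for Mark's transaction; the constructed second transaction reaches 7 and blocks. When checking a deployment, compare the expanded Total Score in the error log against tx.inbound_anomaly_score_level rather than counting CRITICAL labels.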
