Hi Ryan,

But in section H of that audit log there is:

>> [id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"]

I look for the word CRITICAL, so I thought that it would have score 5 so it
would be above the max anomaly score.

And in K, isn't it strange that there are variables reported instead of
numbers?:

>> msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}'


Regards
Mark

> -----Original message-----
> From: Ryan Barnett [mailto:rbarn...@trustwave.com]
> Sent: Monday 19 March 2012 14:15
> To: m...@intcom.nl; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] anomaly score not
> calculated ?
>
>
> Mark,
>
> I would suggest that you use the latest CRS version as there are other
> bugs that we have fixed.
>
> Looking at the example audit log entry you provided, that message "Host
> header is a numeric IP address" only results in a NOTICE level anomaly
> score increase - setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}
>
> Here is the complete rule -
>
> SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.0.10',t:none,block,msg:'Host header is a numeric IP address',severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
>
> So, when this transaction gets to the 40 Inbound Blocking file this
> ruleset is processed -
>
> # Alert and Block based on Anomaly Scores
> #
> SecRule TX:ANOMALY_SCORE "@gt 0" \
>     "chain,phase:2,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
>   SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain
>     SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
>       SecRule TX:/^\d/ "(.*)"
>
>
> Section K of your audit log shows that the first SecRule matches -
>
> SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
>
>
> But, then it gets to the second SecRule, which checks whether the anomaly
> score is @ge your tx.inbound_anomaly_score_level, and it doesn't match.  This is
> because only one rule, with the NOTICE level, matched.  The bottom line is
> that this transaction's anomaly score was below your blocking threshold.
>
> Hope this helps,
> Ryan
>
>
>
> On 3/19/12 8:16 AM, "Mark Boos (IntCom)" <m...@intcom.nl> wrote:
>
> >Hi,
> >
> >An introduction: I have been using ModSecurity for 5 weeks now, on a relatively quiet
> >internet server. I am not a very experienced ModSecurity user, but the
> >traditional score installation worked just fine. I hope you will forgive my
> >shortcomings in knowledge.
> >
> >I have a problem with the anomaly method: there are warnings and critical
> >errors in the log files, but it seems no action is being taken after the
> >maximum score (5) is exceeded.
> >
> >Installation:
> >- Debian stable with apache 2.2.16
> >- libapache-mod-security 2.5.12-1
> >- crs_2.0.10 rule files (downloaded because the latest and greatest
> >crs_2.2.3 didn't work either)
> >*modsecurity_crs_20_protocol_violations.conf
> >*modsecurity_crs_21_protocol_anomalies.conf
> >*modsecurity_crs_23_request_limits.conf
> >*modsecurity_crs_35_bad_robots.conf
> >*modsecurity_crs_40_generic_attacks.conf
> >*modsecurity_crs_45_trojans.conf
> >*modsecurity_crs_49_inbound_blocking.conf
> >*modsecurity_crs_59_outbound_blocking.conf
> >*modsecurity_crs_60_correlation.conf
> >- latest slr
> >*modsecurity_slr_10_ip_reputation.conf
> >*modsecurity_slr_46_joomla_attacks.conf
> >
> >In modsecurity_crs_10_config.conf the anomaly configuration:
> >----------------------------------------------------------------------
> >SecDefaultAction "phase:2,pass,log"
> >
> >SecAction "phase:1,t:none,nolog,pass, \
> >setvar:tx.critical_anomaly_score=5, \
> >setvar:tx.error_anomaly_score=4, \
> >setvar:tx.warning_anomaly_score=3, \
> >setvar:tx.notice_anomaly_score=2"
> >
> >SecAction
> >"phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
> >SecAction
> >"phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
> >
> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
> >----------------------------------------------------------------------
> >
> >This results in mod-security audit log for example:
> >----------------------------------------------------------------------
> >--f3f66479-A--
> >[15/Mar/2012:13:08:09 +0100] T2HbqX8AAAEAAEXDCtoAAAAG 93.94.***.** 43988
> >95.142.***.** 80
> >--f3f66479-B--
> >GET /translators.html HTTP/1.1
> >TE: deflate,gzip;q=0.3
> >Keep-Alive: 300
> >Connection: Keep-Alive, TE
> >Host: 95.142.165.25
> >User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)
> >Opera 7.01 [en]
> >
> >--f3f66479-F--
> >HTTP/1.1 404 Not Found
> >Vary: Accept-Encoding
> >Content-Length: 214
> >Keep-Alive: timeout=15, max=100
> >Connection: Keep-Alive
> >Content-Type: text/html; charset=iso-8859-1
> >
> >--f3f66479-H--
> >Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
> >Apache-Error: [file "/tmp/buildd/apache2-2.2.16/server/core.c"] [line 3648] [level 3] File does not exist: /var/www/vhosts/intcom.nl/httpdocs/translators.html
> >Stopwatch: 1331813289736227 5847 (554 5505 -)
> >Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.10.
> >Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o
> >
> >--f3f66479-K--
> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
> >SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
> >SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,chain,rev:2.0.10,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
> >SecRule "REMOTE_ADDR" "@rx .*" "phase:1,chain,t:none,log,block,id:2200000,msg:'SLR: Client IP in Blacklist.',tag:AUTOMATION/MALICIOUS,setvar:tx.ip_blacklist=/%{matched_var}/"
> >SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
> >SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
> >SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
> >SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
> >SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> >
> >--f3f66479-Z--
> >
> >----------------------------------------------------------------------
> >
> >It looks like the variables aren't being filled ?
> >
> >Thank you for your time.
> >
> >Regards
> >Mark
> >
> >_______________________________________________
> >Owasp-modsecurity-core-rule-set mailing list
> >Owasp-modsecurity-core-rule-set@lists.owasp.org
> >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
>
>
>
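Ryan's walk-through above, worked as an added Python example (not code from the thread or from the CRS project): it replays the setvar actions in the order the audit log's K section records them, which is the rule text as written, so its %{tx.*} macros appear unexpanded there, and then applies the same test the 49_inbound_blocking chain does. The K-section excerpt is constructed from the rules quoted in the thread and trimmed to the score-related actions; the helper names are assumptions of this example.

```python
import re

# Constructed K-section excerpt (one rule per line), cut down from the thread's rules.
SECTION_K = r'''
SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',severity:2,id:960017,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score}"
SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}'"
'''

SETVAR = re.compile(r"setvar:'?tx\.(\w+)=(\+?)([^,'\"]+)")  # setvar:tx.NAME=[+]VALUE
MACRO = re.compile(r"%\{(?:tx|TX)\.(\w+)\}")               # %{tx.NAME} / %{TX.NAME}
MSG = re.compile(r"msg:'([^']*)'")

def expand(text, tx, rule_msg=""):
    """Expand %{rule.msg} and %{tx.*} as the H-section message would (unset -> '')."""
    text = text.replace("%{rule.msg}", rule_msg)
    return MACRO.sub(lambda m: str(tx.get(m.group(1).lower(), "")), text)

def replay(section_k):
    """Replay each setvar:tx.* in K-section order and return the resulting TX dict.
    '+' prefixed values are additive (score increments), others overwrite."""
    tx = {}
    for line in section_k.splitlines():
        m = MSG.search(line)
        rule_msg = m.group(1) if m else ""
        for name, plus, raw in SETVAR.findall(line):
            key, val = name.lower(), expand(raw, tx, rule_msg)
            if plus:
                tx[key] = int(tx.get(key, 0)) + int(val)
            else:
                tx[key] = int(val) if val.isdigit() else val
    return tx

def inbound_decision(tx):
    """The 49_inbound_blocking chain: score > 0, score >= level, blocking == on."""
    score = int(tx.get("anomaly_score", 0))
    level = int(tx.get("inbound_anomaly_score_level", 0))
    return score > 0 and score >= level and tx.get("anomaly_score_blocking") == "on"

def blocking_message(section_k, tx):
    """The chain starter's msg with its macros expanded (what H would show on a block)."""
    rule = next(l for l in section_k.splitlines() if l.startswith('SecRule "TX:ANOMALY_SCORE"'))
    return expand(MSG.search(rule).group(1), tx)

if __name__ == "__main__":
    tx = replay(SECTION_K)
    print(tx["anomaly_score"], inbound_decision(tx), blocking_message(SECTION_K, tx))
```

The one matched rule adds only +2 (notice) despite logging severity CRITICAL, so the total stays below the level of 5 and the deny in the chain starter never fires.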
