Mark, I would suggest that you use the latest CRS version as there are other bugs that we have fixed.
Looking at the example audit log entry you provided, that message "Host header is a numeric IP address" only results in a NOTICE level anomaly score increase -

    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}

Here is the complete rule -

    SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
        "phase:2,rev:'2.0.10',t:none,block,msg:'Host header is a numeric IP address',severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"

So, when this transaction gets to the 40 Inbound Blocking file this ruleset is processed -

    # Alert and Block based on Anomaly Scores
    #
    SecRule TX:ANOMALY_SCORE "@gt 0" \
        "chain,phase:2,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain
            SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
                SecRule TX:/^\d/ "(.*)"

Section K of your audit log shows that the first SecRule matches -

    SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"

But then it gets to the second SecRule, which checks whether the anomaly score is @ge your tx.inbound_anomaly_score_level, and it doesn't match.
This is because only one rule, at the NOTICE level, matched. The bottom line is that this transaction's anomaly score was below your blocking threshold.

Hope this helps,
Ryan

On 3/19/12 8:16 AM, "Mark Boos (IntCom)" <m...@intcom.nl> wrote:

>Hi,
>
>An introduction: I have been using ModSecurity for 5 weeks now, on a relatively quiet internet server. I am not a very experienced ModSecurity user, but the traditional score installation worked just fine. I hope you forgive my shortcomings in knowledge.
>
>I have a problem with the anomaly method: there are warnings and critical errors in the log files, but it seems no action is being taken after the maximum score (5) is exceeded.
>
>Installation:
>- Debian stable with apache 2.2.16
>- libapache-mod-security 2.5.12-1
>- crs_2.0.10 rule files (downloaded because the latest and greatest crs_2.2.3 didn't work either)
>*modsecurity_crs_20_protocol_violations.conf
>*modsecurity_crs_21_protocol_anomalies.conf
>*modsecurity_crs_23_request_limits.conf
>*modsecurity_crs_35_bad_robots.conf
>*modsecurity_crs_40_generic_attacks.conf
>*modsecurity_crs_45_trojans.conf
>*modsecurity_crs_49_inbound_blocking.conf
>*modsecurity_crs_59_outbound_blocking.conf
>*modsecurity_crs_60_correlation.conf
>- latest slr
>*modsecurity_slr_10_ip_reputation.conf
>*modsecurity_slr_46_joomla_attacks.conf
>
>In modsecurity_crs_10_config.conf the anomaly configuration:
>----------------------------------------------------------------------
>SecDefaultAction "phase:2,pass,log"
>
>SecAction "phase:1,t:none,nolog,pass, \
>setvar:tx.critical_anomaly_score=5, \
>setvar:tx.error_anomaly_score=4, \
>setvar:tx.warning_anomaly_score=3, \
>setvar:tx.notice_anomaly_score=2"
>
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
>
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
>----------------------------------------------------------------------
>
>This results in mod-security audit log for example:
>----------------------------------------------------------------------
>--f3f66479-A--
>[15/Mar/2012:13:08:09 +0100] T2HbqX8AAAEAAEXDCtoAAAAG 93.94.***.** 43988 95.142.***.** 80
>--f3f66479-B--
>GET /translators.html HTTP/1.1
>TE: deflate,gzip;q=0.3
>Keep-Alive: 300
>Connection: Keep-Alive, TE
>Host: 95.142.165.25
>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
>
>--f3f66479-F--
>HTTP/1.1 404 Not Found
>Vary: Accept-Encoding
>Content-Length: 214
>Keep-Alive: timeout=15, max=100
>Connection: Keep-Alive
>Content-Type: text/html; charset=iso-8859-1
>
>--f3f66479-H--
>Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
>Apache-Error: [file "/tmp/buildd/apache2-2.2.16/server/core.c"] [line 3648] [level 3] File does not exist: /var/www/vhosts/intcom.nl/httpdocs/translators.html
>Stopwatch: 1331813289736227 5847 (554 5505 -)
>Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.10.
>Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o
>
>--f3f66479-K--
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
>SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
>SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,chain,rev:2.0.10,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
>SecRule "REMOTE_ADDR" "@rx .*" "phase:1,chain,t:none,log,block,id:2200000,msg:'SLR: Client IP in Blacklist.',tag:AUTOMATION/MALICIOUS,setvar:tx.ip_blacklist=/%{matched_var}/"
>SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
>SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
>SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
>SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
>SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>
>--f3f66479-Z--
>
>----------------------------------------------------------------------
>
>It looks like the variables aren't being filled?
>
>Thank you for your time.
>
>Regards
>Mark
>
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set@lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
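The following Python model is an added example and is not code from this thread or from the CRS project. It replays the scoring Ryan describes: the SecAction lines set the per-severity score values and the blocking level, rule 960017 adds tx.notice_anomaly_score (2) even though its severity label is 2/CRITICAL in the log, and the chained rule from the inbound blocking file then denies only if every link matches. Assumptions: the action strings below are transcribed from the audit log's section K with tags dropped, the parser understands only setvar: actions and %{tx.*}/%{rule.*} macros, and the fourth chain link (TX:/^\d/) is not modelled; the function names are this example's own.

```python
import re

# Constructed sample input, transcribed from the thread: the SecAction lines
# from modsecurity_crs_10_config.conf as echoed in section K of the audit log.
CONFIG_ACTIONS = [
    "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,"
    "setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,"
    "setvar:tx.notice_anomaly_score=2",
    "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5",
    "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on",
]

# The action list of the one rule that matched this transaction (id 960017),
# tags omitted. Its severity is 2 (CRITICAL), but the score it adds is NOTICE.
MATCHED_RULE_ACTIONS = [
    "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',"
    "severity:2,id:960017,setvar:tx.msg=%{rule.msg},"
    "setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},"
    "setvar:tx.policy_score=+%{tx.notice_anomaly_score}",
]

MACRO_RE = re.compile(r"%\{(\w+)\.([^}]+)\}")


def split_actions(action_string):
    """Split a ModSecurity action list on commas, but not inside single quotes."""
    parts, buf, quoted = [], [], False
    for ch in action_string:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts


def expand_macros(text, tx, rule):
    """Resolve %{tx.name} and %{rule.name}; any other macro expands to empty."""
    def repl(m):
        collection, name = m.group(1).lower(), m.group(2).lower()
        if collection == "tx":
            return str(tx.get(name, ""))
        if collection == "rule":
            return str(rule.get(name, ""))
        return ""
    return MACRO_RE.sub(repl, text)


def apply_setvars(action_string, tx):
    """Execute the setvar: actions of one SecAction/SecRule against the TX collection."""
    actions = split_actions(action_string)
    rule = {}  # key:value actions (msg, id, severity, ...) feed the %{rule.*} macros
    for a in actions:
        if ":" in a:
            key, value = a.split(":", 1)
            rule[key.strip().lower()] = value.strip().strip("'")
    for a in actions:
        if not a.lower().startswith("setvar:"):
            continue
        spec = a[len("setvar:"):].strip("'")
        name, _, value = spec.partition("=")
        name = expand_macros(name.strip(), tx, rule).lower()
        if not name.startswith("tx."):
            continue
        name = name[len("tx."):]
        value = expand_macros(value.strip(), tx, rule)
        if value.startswith("+"):          # =+N increments, =-N decrements, =X assigns
            tx[name] = int(tx.get(name, 0)) + int(value[1:])
        elif value.startswith("-"):
            tx[name] = int(tx.get(name, 0)) - int(value[1:])
        else:
            tx[name] = value
    return tx


def inbound_blocking_decision(tx):
    """Walk the chained inbound blocking rule; every link must match for a deny."""
    score = int(tx.get("anomaly_score", 0))
    level = int(tx.get("inbound_anomaly_score_level", 0))
    blocking_on = str(tx.get("anomaly_score_blocking", "off")).lower() == "on"
    # Link 1: TX:ANOMALY_SCORE "@gt 0". Matching here is what writes the
    # 'Inbound Anomaly Score Exceeded' rule into section K; nothing is denied yet.
    if score <= 0:
        return "pass", "anomaly score is zero"
    # Link 2: TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}".
    if score < level:
        return "pass", f"anomaly score {score} is below the blocking level {level}"
    # Link 3: TX:ANOMALY_SCORE_BLOCKING "@streq on".
    if not blocking_on:
        return "pass", "anomaly score blocking is off"
    return "deny", f"anomaly score {score} reached the blocking level {level}"


def evaluate(config_actions, matched_rule_actions):
    """Run the SecActions, then each matched rule's setvars, then the blocking chain."""
    tx = {}
    for action_string in config_actions:
        apply_setvars(action_string, tx)
    for action_string in matched_rule_actions:
        apply_setvars(action_string, tx)
    return tx, inbound_blocking_decision(tx)


if __name__ == "__main__":
    tx, (verdict, reason) = evaluate(CONFIG_ACTIONS, MATCHED_RULE_ACTIONS)
    print(f"tx.anomaly_score={tx['anomaly_score']} -> {verdict}: {reason}")
```

Run as-is it reports a score of 2 and a pass, which is the transaction in the thread: the "Inbound Anomaly Score Exceeded" line in section K comes from the first chain link alone. Adding a second constructed hit that uses tx.error_anomaly_score (4) brings the total to 6, past the level of 5, and the same chain returns deny.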