Hi,

An introduction: I have been using ModSecurity for 5 weeks now, on a relatively quiet
internet server. I am not a very experienced ModSecurity user, but the
traditional score installation worked just fine. I hope you will forgive my
shortcomings in knowledge.

I have a problem with the anomaly method: there are warnings and critical
errors in the log files, but it seems no action is being taken after the
maximum score (5) is exceeded.

Installation:
- Debian stable with apache 2.2.16
- libapache-mod-security 2.5.12-1
- crs_2.0.10 rule files (downloaded because the latest and greatest
crs_2.2.3 didn't work either)
*modsecurity_crs_20_protocol_violations.conf
*modsecurity_crs_21_protocol_anomalies.conf
*modsecurity_crs_23_request_limits.conf
*modsecurity_crs_35_bad_robots.conf
*modsecurity_crs_40_generic_attacks.conf
*modsecurity_crs_45_trojans.conf
*modsecurity_crs_49_inbound_blocking.conf
*modsecurity_crs_59_outbound_blocking.conf
*modsecurity_crs_60_correlation.conf
- latest slr
*modsecurity_slr_10_ip_reputation.conf
*modsecurity_slr_46_joomla_attacks.conf

In modsecurity_crs_10_config.conf the anomaly configuration:
----------------------------------------------------------------------
SecDefaultAction "phase:2,pass,log"

SecAction "phase:1,t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=5, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2"

SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"

SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
----------------------------------------------------------------------

This results in, for example, the following mod-security audit log entry:
----------------------------------------------------------------------
--f3f66479-A--
[15/Mar/2012:13:08:09 +0100] T2HbqX8AAAEAAEXDCtoAAAAG 93.94.***.** 43988 95.142.***.** 80
--f3f66479-B--
GET /translators.html HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 95.142.165.25
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]

--f3f66479-F--
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Content-Length: 214
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--f3f66479-H--
Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.0.10"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Apache-Error: [file "/tmp/buildd/apache2-2.2.16/server/core.c"] [line 3648] [level 3] File does not exist: /var/www/vhosts/intcom.nl/httpdocs/translators.html
Stopwatch: 1331813289736227 5847 (554 5505 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.10.
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o

--f3f66479-K--
SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,chain,rev:2.0.10,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
SecRule "REMOTE_ADDR" "@rx .*" "phase:1,chain,t:none,log,block,id:2200000,msg:'SLR: Client IP in Blacklist.',tag:AUTOMATION/MALICIOUS,setvar:tx.ip_blacklist=/%{matched_var}/"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,log,chain,rev:2.0.10,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"

--f3f66479-Z--

----------------------------------------------------------------------

It looks like the variables aren't being filled?

Thank you for your time.

Regards
Mark

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

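To see how far the score from the posted request actually gets, here is an added example (my own code, not from the post, ModSecurity or the OWASP CRS) that takes the rules printed in the audit log's -K section and replays their setvar actions the way ModSecurity accumulates tx.anomaly_score in the transaction collection. It assumes the CRS 2.0.x inbound check fires when tx.anomaly_score_blocking is "on" and tx.anomaly_score has reached tx.inbound_anomaly_score_level; K_EXCERPT is a trimmed copy of the -K section from the post (tags shortened, one rule per line), and the rule with id 999999 is made up for the second run. Replayed over the posted rules, 960017 adds %{tx.notice_anomaly_score}, which this config sets to 2, against an inbound level of 5, so the deny in the 49 chain is never reached; the same request plus one hypothetical hit carrying the critical score goes past the level.

```python
"""Replay CRS 2.0.x anomaly scoring from the rules an audit log lists in -K.

Added example for this thread: not code from the post, ModSecurity or the
OWASP CRS. Assumption: the inbound check fires when tx.anomaly_score_blocking
is "on" and tx.anomaly_score >= tx.inbound_anomaly_score_level.
"""
import re

# One rule per line, as the -K section reads once the mail wrapping is undone.
RULE_RE = re.compile(
    r'^(?:SecRule\s+"[^"]*"\s+"[^"]*"|SecAction)\s+"([^"]*)"', re.MULTILINE)
# Plain assignments: setvar:tx.notice_anomaly_score=2, setvar:tx.anomaly_score_blocking=on
ASSIGN_RE = re.compile(r"setvar:tx\.(\w+)=(\w+)")
# Score increments: setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}
INCR_RE = re.compile(r"setvar:tx\.anomaly_score=\+%\{tx\.(\w+)\}")
ID_RE = re.compile(r"\bid:(\d+)")


def parse_k_section(text):
    """Return the action list of every rule printed in a -K section."""
    return RULE_RE.findall(text)


def replay(action_lists):
    """Apply the matched rules in order, keeping a tx collection like ModSecurity.

    Returns (tx, per_rule); per_rule is [(rule id, score added), ...].
    """
    tx = {"anomaly_score": 0}
    per_rule = []
    for actions in action_lists:
        for name, value in ASSIGN_RE.findall(actions):
            tx[name] = int(value) if value.isdigit() else value
        # Each +%{tx.X} increment resolves against the values set so far.
        added = sum(int(tx.get(src, 0)) for src in INCR_RE.findall(actions))
        tx["anomaly_score"] += added
        rule_id = ID_RE.search(actions)
        if rule_id:
            per_rule.append((rule_id.group(1), added))
    return tx, per_rule


def would_block(tx):
    """The 49_inbound_blocking decision (assumed: blocking on and score >= level)."""
    level = int(tx.get("inbound_anomaly_score_level", 0))
    return tx.get("anomaly_score_blocking") == "on" and tx["anomaly_score"] >= level


def analyse(k_text):
    """Total score, configured inbound level, block decision and per-rule increments."""
    tx, per_rule = replay(parse_k_section(k_text))
    level = int(tx.get("inbound_anomaly_score_level", 0))
    return tx["anomaly_score"], level, would_block(tx), per_rule


# Trimmed copy of the -K section from the post (tags shortened, one rule per line).
K_EXCERPT = r"""SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,chain,rev:2.0.10,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,rev:2.0.10,t:none,block,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score}"
SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}): Last Matched Message: %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
"""

# Constructed, hypothetical rule (id 999999 is made up) that adds the critical score.
HYPOTHETICAL_CRITICAL = r'''SecRule "ARGS" "@rx foo" "phase:2,log,block,msg:'hypothetical',severity:2,id:999999,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
'''

if __name__ == "__main__":
    runs = (("posted request", K_EXCERPT),
            ("posted request + hypothetical critical hit", K_EXCERPT + HYPOTHETICAL_CRITICAL))
    for label, text in runs:
        score, level, blocks, per_rule = analyse(text)
        print(label)
        for rule_id, added in per_rule:
            print(f"  rule {rule_id}: +{added}")
        print(f"  tx.anomaly_score={score} inbound_anomaly_score_level={level} block={blocks}")
```

Two further checks are worth making before touching the thresholds: SecRuleEngine must be On, since DetectionOnly logs the match and the score but never denies; and in CRS 2.0.x the scoring setvar of a chained rule sits on the chain's last link, so a chain starter listed in -K without a setvar (960011 above) has added nothing unless the whole chain matched, which the replay cannot see from the starter alone.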