Hey people, good afternoon!

I'm trying to add a new negative policy rule (http://www.modsecurity.org/blog/archives/2007/02/handling_false.html), because I am facing a false positive with rule 970901.

## log

[Fri Aug 24 13:44:57 2012] [error] [client 192.168.21.10] ModSecurity: Rule 2d8f030 [id "950901"][file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "10.1.125.204"] [uri "/sites/all/themes/fsa/img/icone-seta.jpg"] [unique_id "UDeviX8AAAEAAHXIAy0AAAAA"]
[Fri Aug 24 13:44:57 2012] [error] [client 192.168.21.10] ModSecurity: Rule 2d8f030 [id "950901"][file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "10.1.125.204"] [uri "/sites/all/themes/fsa/img/icone-seta.jpg"] [unique_id "UDeviX8AAAEAAHXIAy0AAAAA"]
[Fri Aug 24 13:44:57 2012] [error] [client 192.168.21.10] ModSecurity: Rule 2d8f030 [id "950901"][file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "10.1.125.204"] [uri "/sites/all/themes/fsa/img/onda-fsa.png"] [unique_id "UDeviX8AAAEAAHXPDFoAAAAF"]


## log in verbose mode:

[24/Aug/2012:13:24:52 --0300] [192.168.21.10/sid#1526d30][rid#27f7510][/][5] Rule 116d418: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" "phase:2,log,rev:2.2.5,capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,msg:'System Command Injection',id:950907,tag:WEB_ATTACK/COMMAND_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
[24/Aug/2012:13:24:52 --0300] [192.168.21.10/sid#1526d30][rid#27f7510][/][4] Expanded "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:SESSc2ec4f8fae0f9b49b1219031f3052c40|REQUEST_COOKIES:SESS988f6dde2396798ae2237ef1db71fdb8|REQUEST_COOKIES:SESS8677ac936d1934b4e08580e4b78c02d0|REQUEST_COOKIES:SESS4922cbb0a9f1bcd7dd450637560249a3|REQUEST_COOKIES:__utma|REQUEST_COOKIES:__utmz|REQUEST_COOKIES:SESSe8a50359f7869c256a51e29f93548645|REQUEST_COOKIES:pma_lang|REQUEST_COOKIES:SESS448430042d094f8dddea85b752fc6947|REQUEST_COOKIES:phpMyAdmin|REQUEST_COOKIES:__utmc|REQUEST_COOKIES:has_js|REQUEST_COOKIES_NAMES:SESSc2ec4f8fae0f9b49b1219031f3052c40|REQUEST_COOKIES_NAMES:SESS988f6dde2396798ae2237ef1db71fdb8|REQUEST_COOKIES_NAMES:SESS8677ac936d1934b4e08580e4b78c02d0|REQUEST_COOKIES_NAMES:SESS4922cbb0a9f1bcd7dd450637560249a3|REQUEST_COOKIES_NAMES:__utma|REQUEST_COOKIES_NAMES:__utmz|REQUEST_COOKIES_NAMES:SESSe8a50359f7869c256a51e29f93548645|REQUEST_COOKIES_NAMES:pma_lang|REQUEST_COOKIES_NAMES:SESS448430042d094f8dddea85b752fc6947|REQUEST_COOKIES_NAMES:php


***************************************


So, I created a file called modsecurity_crs_61_custom_rules.conf and inserted the rule (see below) in it:


SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^SESS$/:/* "(?i:([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*)?\2|([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*)?(?!\6)([\d\w]+))" \

    "phase:2,rev:'2.2.5',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'1',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"



####

[root@myserver httpd]# /etc/init.d/httpd start
Starting httpd: Syntax error on line 10 of /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_61_custom_rules.conf:
SecRule takes two or three arguments, rule target, operator and optional action list
                                                           [FAILED]

What am I doing wrong in this rule?

Many thanks!
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

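As an added example, not part of the post above and not code shipped with the CRS: a custom-rules file that does what the poster is after, namely keep CRS 2.2.5 rule 950901 but stop it from inspecting the Drupal SESS<hash> cookies that the debug log shows being expanded as targets. It assumes ModSecurity 2.6 or later (for SecRuleUpdateTargetById), the stock 950901 from base_rules/modsecurity_crs_41_sql_injection_attacks.conf, and that the file is Included after that one (a "61_" prefix sorts after "41_" in a wildcard Include, so the directives below refer to a rule that already exists). The local rule id 100901 and the PCRE limit values are arbitrary choices made for this example.

```apache
# modsecurity_crs_61_custom_rules.conf  (added example, not CRS code)
#
# The errors in the post are not rule matches: -8 is PCRE_ERROR_MATCHLIMIT.
# 950901's nested optional groups backtrack heavily on each long hex cookie
# value, and the debug log shows eight SESS<hash> cookies, each a separate
# target, so the per-target match budget runs out. Two ways to deal with it;
# pick one of A or B (do not use both).

# --- Option A: keep the stock rule, remove the session cookies from its
# targets. A /regex/ after the colon selects by name; a leading "!" excludes
# the selected variables. One target per directive keeps the syntax simple.
SecRuleUpdateTargetById 950901 "!REQUEST_COOKIES:/^SESS/"
SecRuleUpdateTargetById 950901 "!REQUEST_COOKIES_NAMES:/^SESS/"

# --- Option B: the copy-and-exclude "negative policy rule" from the linked
# 2007 post. Remove the stock rule, then re-add a copy whose variable list
# carries the exclusions, under a local id (100901 is arbitrary).
#
# Layout that httpd will parse: the whole variable list is ONE argument with
# no spaces and no "|" at either end (XML is written XML:/*, not XML|...);
# the operator and the action list are each ONE double-quoted string; a
# continuation "\" must be the very last character on its line and the next
# argument must begin on the very next line. "SecRule takes two or three
# arguments" means httpd saw a SecRule with one argument or with four or
# more, which is what a line break inside the variable list or an
# unbalanced quote in the operator string produces.
SecRuleRemoveById 950901
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/^SESS/|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^SESS/|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
    "(?i:([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*)?\2|([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*)?(?!\6)([\d\w]+))" \
    "phase:2,rev:'2.2.5',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'100901',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

# --- Optional, independent of A/B: give PCRE more room. These are global
# directives (outside any <VirtualHost>); the numbers are a guess for this
# site and trade CPU per request for fewer "PCRE limits exceeded" errors.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
```

Check the file with `httpd -t` before restarting, since that is the same parser that produced the "two or three arguments" error. Two caveats: the exclusion only touches 950901, so the same SESS cookies are still fed to every other cookie-inspecting rule (950907 in the debug log, for instance) and will need their own SecRuleUpdateTargetById lines if they misbehave; and a "PCRE limits exceeded" execution error means the rule did not evaluate at all for that target, so until it is fixed those requests pass through 950901 uninspected rather than being blocked.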