On Fri, Aug 24, 2012 at 8:12 PM, Leonardo Bacha Abrantes <leona...@lbasolutions.com> wrote:

> Hey people, good afternoon!
>
> I'm trying to add a new negative policy rule
> (http://www.modsecurity.org/blog/archives/2007/02/handling_false.html),
> because I am facing a false positive with the rule 970901.

Hi Leonardo,

Handling false positives has gotten much easier since that blog post was
written in 2007. If you're running a modern version of ModSecurity, the
SecRuleUpdateTargetById directive should do the trick. You may want to read
Ryan's updated post on the subject here:
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
- Josh

> ## log
>
> [Fri Aug 24 13:44:57 2012] [error] [client 192.168.21.10] ModSecurity: Rule 2d8f030 [id "950901"][file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "10.1.125.204"] [uri "/sites/all/themes/fsa/img/icone-seta.jpg"] [unique_id "UDeviX8AAAEAAHXIAy0AAAAA"]
> [Fri Aug 24 13:44:57 2012] [error] [client 192.168.21.10] ModSecurity: Rule 2d8f030 [id "950901"][file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "10.1.125.204"] [uri "/sites/all/themes/fsa/img/icone-seta.jpg"] [unique_id "UDeviX8AAAEAAHXIAy0AAAAA"]
> [Fri Aug 24 13:44:57 2012] [error] [client 192.168.21.10] ModSecurity: Rule 2d8f030 [id "950901"][file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "10.1.125.204"] [uri "/sites/all/themes/fsa/img/onda-fsa.png"] [unique_id "UDeviX8AAAEAAHXPDFoAAAAF"]
>
>
> ## log in verbose mode:
>
> [24/Aug/2012:13:24:52 --0300] [192.168.21.10/sid#1526d30][rid#27f7510][/][5] Rule 116d418: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" "phase:2,log,rev:2.2.5,capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,msg:'System Command Injection',id:950907,tag:WEB_ATTACK/COMMAND_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
> [24/Aug/2012:13:24:52 --0300] [192.168.21.10/sid#1526d30][rid#27f7510][/][4] Expanded "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:SESSc2ec4f8fae0f9b49b1219031f3052c40|REQUEST_COOKIES:SESS988f6dde2396798ae2237ef1db71fdb8|REQUEST_COOKIES:SESS8677ac936d1934b4e08580e4b78c02d0|REQUEST_COOKIES:SESS4922cbb0a9f1bcd7dd450637560249a3|REQUEST_COOKIES:__utma|REQUEST_COOKIES:__utmz|REQUEST_COOKIES:SESSe8a50359f7869c256a51e29f93548645|REQUEST_COOKIES:pma_lang|REQUEST_COOKIES:SESS448430042d094f8dddea85b752fc6947|REQUEST_COOKIES:phpMyAdmin|REQUEST_COOKIES:__utmc|REQUEST_COOKIES:has_js|REQUEST_COOKIES_NAMES:SESSc2ec4f8fae0f9b49b1219031f3052c40|REQUEST_COOKIES_NAMES:SESS988f6dde2396798ae2237ef1db71fdb8|REQUEST_COOKIES_NAMES:SESS8677ac936d1934b4e08580e4b78c02d0|REQUEST_COOKIES_NAMES:SESS4922cbb0a9f1bcd7dd450637560249a3|REQUEST_COOKIES_NAMES:__utma|REQUEST_COOKIES_NAMES:__utmz|REQUEST_COOKIES_NAMES:SESSe8a50359f7869c256a51e29f93548645|REQUEST_COOKIES_NAMES:pma_lang|REQUEST_COOKIES_NAMES:SESS448430042d094f8dddea85b752fc6947|REQUEST_COOKIES_NAMES:php
>
>
> ***************************************
>
>
> So, I created a file called modsecurity_crs_61_custom_rules.conf and I
> inserted the rule (see below) in it:
>
>
> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML|
>
> !REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^SESS$/:/*
> "(?i:([\s'\"`´â(\)]*)?([\d\w]+)([\s'\"`´â(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´â(\)]*)?([\s'\"`´â(\)]*)?([\d\w]+)([\s'\"`´â(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+likgexp)([\s'\"`´â(\)]*)?(?!\6)([\d\w]+))" \
>
> "phase:2,rev:'2.2.5',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'1',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>
>
>
> ####
>
> [root@myserver httpd]# /etc/init.d/httpd start
> Starting httpd: Syntax error on line 10 of /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_61_custom_rules.conf:
> SecRule takes two or three arguments, rule target, operator and optional action list
> [FAILED]
>
> What am I doing wrong in this rule?
>
> Many thanks!
>
>
>
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
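As an added illustration of Josh's suggestion (not code from this thread or from the CRS), here is the cookie exclusion Leonardo was trying to express as a separate negative rule, written instead with the SecRuleUpdateTargetById directive and, for a narrower scope, with the ctl:ruleRemoveTargetById action. The rule id 950901 and the SESS* cookie names come from the logs above; the file name, the rule id 1000 and the /sites/all/themes/ path prefix are assumptions.

```apache
# Assumed location: a file Apache includes *after* the CRS rule files
# (e.g. modsecurity_crs_60_customrules.conf). SecRuleUpdateTargetById can
# only modify a rule that has already been loaded, so order matters.

# 1) Global exception: rule 950901 stays active, but no longer inspects the
#    session cookies whose names start with SESS (the verbose log shows
#    every one of them being expanded into the rule's target list).
#    A regex target (/^SESS/) covers them all without listing each hash.
SecRuleUpdateTargetById 950901 "!REQUEST_COOKIES:/^SESS/"
SecRuleUpdateTargetById 950901 "!REQUEST_COOKIES_NAMES:/^SESS/"

# 2) Narrower exception: drop the same targets only for requests under a
#    static-asset path (the error-log entries above were for .jpg/.png files
#    under /sites/all/themes/). Phase 1 runs before the CRS phase 2 rule,
#    so the ctl action is applied in time. Rule id 1000 is a placeholder;
#    use an id from your own local range.
SecRule REQUEST_URI "@beginsWith /sites/all/themes/" \
    "phase:1,id:1000,nolog,pass,t:none,\
    ctl:ruleRemoveTargetById=950901;REQUEST_COOKIES:/^SESS/"

# Either form makes the hand-written SecRule with the '!' targets from the
# question unnecessary: the target list of 950901 itself is changed, and the
# rule keeps inspecting ARGS, ARGS_NAMES and the remaining cookies.
```

Reload Apache after the change and confirm in the debug log that the expanded target list for 950901 no longer contains the SESS* cookies.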