What CRS version are you running? In the current version (2.2.9) in the GitHub repo, there is this line -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/optional_rules/modsecurity_crs_16_session_hijacking.conf#L27

This checks the inbound request for the existence of popular SessionID cookie names. If they are NOT found, then it will skip the inbound session hijacking checks.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 3/3/14 1:18 PM, "Ramy Darwish" <jackbro.pluc...@gmail.com> wrote:

>Reposting as plain text for formatting...
>------------------------------------------------------------
>Hi everyone!
>
>I'm trying to fit the Session Hijacking rules (modsecurity_crs_16_session_hijacking.conf) to my web app.
>My problem was described by someone else (but apparently never solved) in that older post on the modsecurity-users list:
>http://sourceforge.net/p/mod-security/mailman/message/30069414/
>
>The Session Hijacking rules look at request and response cookies to find or create a new session.
>That works perfectly.
>However, the two rules after it will run in ANY case, even when no session has been initialized:
>-----------------------------------------
>SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:3,id:'981063',capture,t:none,nolog,pass"
>    SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>SecRule REQUEST_HEADERS:User-Agent ".*" "phase:3,id:'981064',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua_hash=%{matched_var}"
>-----------------------------------------
>
>Because the session collection wasn't initialized (e.g. for anonymous users or bots), the setvars fail and the log is filled with errors like:
>-----------------------------------------
>[example.com/sid#7fc5067fe380][rid#7fc4f43380a0][/path/to/file][3] Could not set variable "session.ip_hash" as the collection does not exist.
>[example.com/sid#7fc5067fe380][rid#7fc4f43380a0][/path/to/file][3] Could not set variable "session.ua_hash" as the collection does not exist.
>-----------------------------------------
>
>To avoid this problem, I would like to chain these rules with a collection existence check, to avoid non-existence errors.
>My two questions:
>
> 1/ I don't know how to test for the existence of the session collection.
>    I don't know if it makes a difference that the rule is parsed in phase 3 (response headers).
>
> 2/ More importantly, it seems like even chaining it to an impossible rule
>    (e.g. SecRule &ARGS:x58t4z5 "@gt 128") will not stop it from logging these errors!
>    Maybe I misunderstood chaining or variable collections, but I can't seem to comprehend this issue!
>
>If anyone can enlighten me on either or both, I'd be delighted to hear your advice. Thanks!
>
>Ramy
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set@lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
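As an added illustration of the guard pattern the reply describes (this is not the CRS's own rule text and not code from either poster), the following fragment counts the request cookies whose names look like session identifiers and skips the two hashing rules when none is present, so the setvar never runs against a SESSION collection that was never initialized. The cookie-name regex, the rule id 900900 and the marker name END_SESSION_HIJACKING are assumptions chosen for the example; the two hashing rules are the ones quoted in the thread.

```apache
# Added example; the regex, id 900900 and the marker name are placeholders.
# The guard must sit in the same phase (3) as the rules it skips, because
# skipAfter only jumps over rules within the current phase.
SecRule &REQUEST_COOKIES:'/(?i:j?sessionid|phpsessid|aspsessionid|sid)/' "@eq 0" \
    "phase:3,id:'900900',t:none,nolog,pass,skipAfter:END_SESSION_HIJACKING"

# Only reached when a recognised session cookie was present, i.e. when the
# earlier setsid rule had something to initialize the SESSION collection from.
SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" \
    "chain,phase:3,id:'981063',capture,t:none,nolog,pass"
    SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"

SecRule REQUEST_HEADERS:User-Agent ".*" \
    "phase:3,id:'981064',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua_hash=%{matched_var}"

# Requests without a session cookie land here, past both setvar rules.
SecMarker END_SESSION_HIJACKING
```

After loading this, a request with no session cookie should produce no "collection does not exist" entries in the error log, while a request carrying one of the listed cookies still gets session.ip_hash and session.ua_hash set.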