Thanks Tom. I actually used this tool when we originally added the ModSecurity defenses. ModSecurity blocked it, as the tool opens many concurrent connections and then sends the data slowly. This triggered the ModSec thresholds for the # of threads in either the READ/WRITE bucket states.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Tom Brennan - proactiveRISK <t...@proactiverisk.com>
Date: Thursday, May 8, 2014 6:49 PM
To: Rogerio Brito <rogerio.br...@intercode.com.br>
Cc: Ryan Barnett <rbarn...@trustwave.com>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] RES: Need help with Joomla websites rules and SlowHttp Attacks

Check it with this OWASP tool https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool

4.0 in development too, blog post about it here http://proactiverisk.blogspot.com/2014/05/blog-post.html

---
Tom Brennan | 973-298-1160 x799 | t...@proactiverisk.com

On May 8, 2014, at 4:48 PM, "Rogerio Brito" <rogerio.br...@intercode.com.br> wrote:

Hi Ryan,

Ok, I'll open tickets on GitHub.

To fix the Slow DoS attacks I've changed the rule as indicated on the Acunetix website, as follows:

    <IfModule reqtimeout_module>
        RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=500
    </IfModule>

After that they reported it as secure.

Thank you
[]s

From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: Tuesday, May 6, 2014 18:28
To: Rogerio Brito
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Need help with Joomla websites rules and SlowHttp Attacks

Rogerio,

A couple of comments -

1) Please open GitHub Issue tickets for your false positives so that we can fix them.
2) How is Acunetix actually testing the vuln?

Keep in mind that the ModSecurity defenses for slow DoS attacks (headers vs post body) are really based on a scenario where a client has too many connections open, vs actually doing any per-thread timing. If the scanner is only opening a single/small # of connections to test, then the SecConnReadStateLimit/SecConnWriteStateLimit directives won't trigger.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On May 6, 2014, at 5:12 PM, "Rogerio Brito" <rogerio.br...@intercode.com.br> wrote:

Hello all,

I have lots of Joomla websites and I've just installed mod_security with Owasp-modsecurity-core-rule-set. I had to disable the modsecurity_crs_41_xss_attacks.conf and modsecurity_crs_41_sql_injection_attacks.conf rules because I could not edit any article. Whenever I tried to save the article I would get a 403 Forbidden. I watched the audit log file and I've tried to comment out, rule by rule, those that fail, but as we are editing HTML content there are so many rules to comment out that I believe there must be some other way to do it.

On another case, I've enabled the modsecurity_crs_11_slow_dos_protection.conf rules, but I've tested the site with http://www.acunetix.com/ and it still reports the site as vulnerable to "Slow HTTP Denial of Service Attack".

Can someone please help?

Thank you
Rogerio Brito

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
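The two defenses discussed in the thread, modelled side by side as an added example that is not part of the original messages or of ModSecurity/Apache code: a per-client connection-count check in the spirit of SecConnReadStateLimit, and the per-connection read-rate timeout that Rogerio's RequestReadTimeout line configures. The client IPs, the scoreboard snapshot and the read-state limit of 50 are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    client: str      # client IP
    state: str       # "READ" (still receiving the request) or "WRITE" (sending response)
    elapsed: float   # seconds spent in this state so far
    received: int    # request bytes received so far


def state_limit_hits(conns, state, limit):
    """Model of SecConnReadStateLimit / SecConnWriteStateLimit: count connections
    per client IP sitting in the given state and return the IPs over the limit.
    Per-connection timing is deliberately ignored, which is the point made in
    the thread: one slow connection never trips this check."""
    per_ip = Counter(c.client for c in conns if c.state == state)
    return {ip for ip, n in per_ip.items() if n > limit}


def reqtimeout_expired(conn, initial, max_timeout, min_rate):
    """Model of mod_reqtimeout header=<initial>-<max>,MinRate=<rate>: the allowed
    read time starts at `initial` seconds and grows by one second per `min_rate`
    bytes received, capped at `max_timeout` (None = uncapped, like body=30)."""
    allowed = initial + conn.received // min_rate
    if max_timeout is not None:
        allowed = min(allowed, max_timeout)
    return conn.elapsed > allowed


# Constructed scoreboard snapshot: 10.0.0.5 is a scanner holding one slow
# connection; 10.0.0.9 behaves like a tool opening many slow connections;
# 10.0.0.7 is an ordinary client.
SNAPSHOT = (
    [Conn("10.0.0.5", "READ", 45.0, 300)]
    + [Conn("10.0.0.9", "READ", 45.0, 300) for _ in range(60)]
    + [Conn("10.0.0.7", "READ", 2.0, 4000), Conn("10.0.0.7", "WRITE", 1.0, 4000)]
)


def evaluate(conns, read_limit=50):
    """Return (IPs over the READ-state connection limit, IPs with a header read
    that exceeded header=20-40,MinRate=500)."""
    over_limit = state_limit_hits(conns, "READ", read_limit)
    timed_out = {c.client for c in conns
                 if c.state == "READ" and reqtimeout_expired(c, 20, 40, 500)}
    return over_limit, timed_out


if __name__ == "__main__":
    print(evaluate(SNAPSHOT))
```

The single-connection scanner is caught only by the per-connection timeout, while the many-connection client trips both checks.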