On Fri, Jun 27, 2014 at 5:41 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> Hi, thank you for your reply,
> but the problem is that the number in telfaxmailweb_1_171833 /
> telfaxmailweb_1_142609 .... changes (non-static).
> Do you have an idea?
>

Hi Ilyass,

Try using a regex in your exception, e.g.:

SecRuleUpdateTargetById 960024 !ARGS:/telfaxmailweb/

--
 - Josh

> Thank you.
>
> 2014-06-27 8:04 GMT+01:00 Josh Amishav-Zlatin <jam...@owasp.org>:
>
>> On Thu, Jun 26, 2014 at 5:43 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>>
>>> Hi Josh.
>>>
>>> It works very well, thank you :) :) :)
>>>
>>> I have another block :( Please help me.
>>>
>>
>> Hi Ilyass,
>>
>> In this case there is a hyphen in the telfaxmailweb_1_171833 parameter
>> value. Try using the SecRuleUpdateTargetById directive, e.g.
>> SecRuleUpdateTargetById 960024 !ARGS:telfaxmailweb_1_171833
>>
>> For details see:
>>
>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
>>
>> --
>> - Josh
>>
>>> log:
>>>
>>> --9b18757a-A--
>>> [26/Jun/2014:16:35:15 +0200] U6wvo38AAAEAAFCgA4AAAAAK
>>> --9b18757a-B--
>>> POST /beta/societe-contribEnt HTTP/1.1
>>> Host: www.xxxx.xxx
>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
>>> Accept: */*
>>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://www.xxxx.ma/beta/xxxxx?action=edit
>>> Content-Length: 1735
>>> Cookie: JSESSIONID=2A3D8D47FE45427E1AAFC69A2FA48F7B; __utma=111125463.1234468951.1403792976.1403792976.1403792976.1; __utmb=111125463.7.10.1403792976; __utmc=111125463; __utmz=111125463.1403792976.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>>
>>> --9b18757a-C--
>>> codeAction=1&entid=151549&bilid=148614&idMkt=1628&denomination=INFORISK&denomination_dirty=&entrc=135529&entrc_dirty=&tribunal=12&tribunal_dirty=&fmj=Soci%C3%A9t%C3%A9+Anonyme&fmj_dirty=&capital=12+650+000+Dirhams&capital_dirty=&adresse=43%2C+Boulevard+D'anfa&adresse_dirty=&ville=1488&ville_dirty=&activite=+Collecte%2C+traitement+et+vente+des+informations+financi%C3%A8res%2C+l%C3%A9gales+et+commerciales&activite_dirty=&effectif_dirty=&effectif=30&segmentEffectif_dirty=&segmentEffectif=2&effectifCadre_dirty=&effectifCadre=0&telfaxmailweb_1_171833_dirty=&telfaxmailweb_1_171833=05-22-27-64-10&telfaxmailweb_1_142609_dirty=&telfaxmailweb_1_142609=05-22-42-90-87&telfaxmailweb_1_0_2_dirty=&telfaxmailweb_1_0_2=__-__-__-__-__&telfaxmailweb_1_0_3_dirty=&telfaxmailweb_1_0_3=__-__-__-__-__&telfaxmailweb_2_142611_dirty=&telfaxmailweb_2_142611=05-22-27-64-16&telfaxmailweb_2_0_1_dirty=&telfaxmailweb_2_0_1=__-__-__-__-__&telfaxmailweb_2_0_2_dirty=&telfaxmailweb_2_0_2=__-__-__-__-__&telfaxmailweb_2_0_3_dirty=&telfaxmailweb_2_0_3=__-__-__-__-__&telfaxmailweb_3_142612_dirty=&telfaxmailweb_3_142612=info%40inforisk.ma&telfaxmailweb_3_0_1_dirty=&telfaxmailweb_3_0_1=&telfaxmailweb_3_0_2_dirty=&telfaxmailweb_3_0_2=&telfaxmailweb_3_0_3_dirty=&telfaxmailweb_3_0_3=&telfaxmailweb_4_142608_dirty=&telfaxmailweb_4_142608=www.inforisk.ma&telfaxmailweb_4_0_1_dirty=&telfaxmailweb_4_0_1=&telfaxmailweb_4_0_2_dirty=&telfaxmailweb_4_0_2=&telfaxmailweb_4_0_3_dirty=&telfaxmailweb_4_0_3=&idMktRefTypeContact_31241_dirty=&idMktRefTypeContact_31241=1&nom_31241=Ayouch&nom_31241_dirty=&prenom_31241=Khalid&prenom_31241_dirty=&tel_31241=__-__-__-__-__&tel_31241_dirty=&email_31241=test%40gmail.com&email_31241_dirty=1&contact_31241=1&contact_31241_dirty=1
>>> --9b18757a-F--
>>> HTTP/1.1 403 Forbidden
>>> Content-Length: 225
>>> Connection: close
>>> Content-Type: text/html; charset=iso-8859-1
>>>
>>> --9b18757a-E--
>>>
>>> --9b18757a-H--
>>> Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:telfaxmailweb_1_171833. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:telfaxmailweb_1_171833: 05-22-27-64-10"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>>> Action: Intercepted (phase 2)
>>> Apache-Handler: proxy-server
>>> Stopwatch: 1403793315275899 22265 (- - -)
>>> Stopwatch2: 1403793315275899 22265; combined=9584, p1=187, p2=9377, p3=0, p4=0, p5=20, sr=28, sw=0, l=0, gc=0
>>> Response-Body-Transformed: Dechunked
>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>>> Server: Apache
>>> Engine-Mode: "ENABLED"
>>>
>>> --9b18757a-Z--
>>>
>>> 2014-06-26 13:44 GMT+01:00 Josh Amishav-Zlatin <jam...@owasp.org>:
>>>
>>>> On Thu, Jun 26, 2014 at 3:19 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>>>>
>>>>> Hi guys.
>>>>>
>>>>> I don't understand why ModSecurity is blocking my request with the
>>>>> character "à" in French.
>>>>> log:
>>>>>
>>>>
>>>> Hi Ilyass,
>>>>
>>>> Take a look at the SecUnicodeCodePage and SecUnicodeMapFile directives.
>>>> For more information see:
>>>>
>>>> http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html
>>>>
>>>> --
>>>> - Josh
>>>>
>>>>> --169a1612-A--
>>>>> [26/Jun/2014:11:48:57 +0200] U6vsiX8AAAEAAEkNI7cAAAAQ
>>>>> --169a1612-B--
>>>>> POST /beta/societe-xxxxxr HTTP/1.1
>>>>> Host: www.xxxx.xx
>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
>>>>> Accept: */*
>>>>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>>>>> Accept-Encoding: gzip, deflate
>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>> X-Requested-With: XMLHttpRequest
>>>>> Referer: http://www.xxx.xxx/beta/societe-xxxx
>>>>> Content-Length: 760
>>>>> Cookie: JSESSIONID=DC9410B3998A7E973EDBA0ED638F5B40; __utma=111125463.1374472637.1403014671.1403719512.1403772965.34; __utmz=111125463.1403435014.17.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmb=111125463.24.10.1403772965; __utmc=111125463; JSESSIONID=EB7E51CFBA0B811E9335731DA6A26A08
>>>>> Connection: keep-alive
>>>>> Pragma: no-cache
>>>>> Cache-Control: no-cache
>>>>>
>>>>> --169a1612-C--
>>>>> codeAction=1&entid=367928&bilid=321761&idMkt=672&denomination=&capital=10+000+&activite=PRODUCTION+DES+FILMS+CINEMATOGRAPHIQUES+ET+AUDIOVISEUL&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=17%2F08%2F13+%C3%A0+15%3A41&loginUser=nabilchant%40hotmail.fr&emailUser=nabilchant%40hotmail.fr&id=672&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_734=on&telfaxmailweb_734_validator=1&data_734=0610357910&type_734=1&idMktTelfaxmailweb_734=0&telfaxmailweb_735=on&telfaxmailweb_735_validator=1&data_735=0633327850&type_735=1&idMktTelfaxmailweb_735=0&statut=1&remarque=
>>>>> --169a1612-F--
>>>>> HTTP/1.1 403 Forbidden
>>>>> Content-Length: 245
>>>>> Connection: close
>>>>> Content-Type: text/html; charset=iso-8859-1
>>>>>
>>>>> --169a1612-E--
>>>>>
>>>>> --169a1612-H--
>>>>> Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:dateContribution. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \xc3\xa0 found within ARGS:dateContribution: 17/08/13 \xc3\xa0 15:41"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
>>>>> Action: Intercepted (phase 2)
>>>>> Apache-Handler: proxy-server
>>>>> Stopwatch: 1403776137380257 11043 (- - -)
>>>>> Stopwatch2: 1403776137380257 11043; combined=642, p1=224, p2=399, p3=0, p4=0, p5=19, sr=37, sw=0, l=0, gc=0
>>>>> Response-Body-Transformed: Dechunked
>>>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>>>>> Server: Apache
>>>>> Engine-Mode: "ENABLED"
>>>>>
>>>>> --169a1612-Z--
>>>>>
>>>>> How can I allow these types of characters?
>>>>> Thank you.
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-modsecurity-core-rule-set mailing list
>>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>>>
>>>
>>> --
>>> Ilyass kaouam
>>> Systems administrator
>>> at Inforisk Group Finaccess
>>> European Masters in Information Technology
>>> Mobile: (212) 6 34 57 14 36
>>> http://www.inforisk.ma
>>>
>
> --
> Ilyass kaouam
> Systems administrator
> at Inforisk Group Finaccess
> European Masters in Information Technology
> Mobile: (212) 6 34 57 14 36
> http://www.inforisk.ma
>
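Added example, not part of the original thread and not code from the ModSecurity or CRS projects: a small Python helper that reads the rule id and target from an audit-log "Message:" line, builds an anchored regex exclusion for parameter names whose numeric part changes, and lists which parameter names an anchored versus an unanchored name regex would exempt. The function names are hypothetical, the sample line is shortened from the log quoted above, and Python's `re` is assumed to behave like ModSecurity's PCRE for these simple patterns.

```python
import re

# Constructed sample: the section-H "Message:" line from the audit log quoted
# in the thread, with the long pattern and file path shortened to "...".
MESSAGE = ('Message: Access denied with code 403 (phase 2). Pattern match "..." '
           'at ARGS:telfaxmailweb_1_171833. [file "..."] [line "159"] '
           '[id "981173"] [rev "2"]')

# Parameter names copied from section C of that log (a representative subset).
NAMES = ["telfaxmailweb_1_171833", "telfaxmailweb_1_142609",
         "telfaxmailweb_1_0_2", "telfaxmailweb_1_171833_dirty",
         "tel_31241", "denomination"]


def parse_message(line):
    """Return (rule_id, collection, name) from a ModSecurity 2.x Message line."""
    rule_id = re.search(r'\[id "(\d+)"\]', line).group(1)
    collection, name = re.search(r" at ([A-Z_]+):([^\s.]+)\.", line).groups()
    return rule_id, collection, name


def name_regex(name):
    """Replace each digit run with [0-9]+ and anchor both ends of the name."""
    return "^" + re.sub(r"\d+", "[0-9]+", re.escape(name)) + "$"


def directive(rule_id, collection, pattern):
    """Build the exclusion in the same form as the directive in the thread."""
    return 'SecRuleUpdateTargetById %s "!%s:/%s/"' % (rule_id, collection, pattern)


def exempted(pattern, names=NAMES):
    """Names the exclusion stops inspecting (Python re stands in for PCRE)."""
    return [n for n in names if re.search(pattern, n)]


if __name__ == "__main__":
    rule_id, collection, name = parse_message(MESSAGE)
    anchored = name_regex(name)
    print(directive(rule_id, collection, anchored))
    print("anchored exempts:  ", exempted(anchored))
    print("unanchored exempts:", exempted("telfaxmailweb"))
```

The generated directive has to be loaded after the CRS file that defines the rule it updates. Names with three numeric groups, such as telfaxmailweb_1_0_2, have a different shape and need their own Message line or pattern.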