Debug log review time. You need to verify that your setvar values in the 10 setup file are being read/set properly, and then see how those SecRules later on are processing with macro expansion.
Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

On Jul 25, 2014, at 7:32 PM, "Ove Hansen -X (ohansen - TEKSYSTEMS at Cisco)" <ohan...@cisco.com<mailto:ohan...@cisco.com>> wrote:

Hello all,

I’m using mod_security 2.7.7 on nginx, and I have a problem with the OWASP CRS/2.2.9: the rules in modsecurity_crs_30_http_policy.conf that should allow GET, HEAD, POST and OPTIONS always trigger, even for a GET. Similarly, the rule for the Content-Type header won’t allow “application/json”, even though that should be allowed.

These rules have not been edited from their default:

SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \

SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
  "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
  "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
  SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
  SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \
    "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

If I try:

curl -k https://nginx/v2.0

I get:

==> modsec_debug.log <==
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]

==> access.log <==
10.154.96.140 - - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 612 "-" "curl/7.33.0"

==> modsec_audit.log <==
10.154.96.140 - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 0 "-" "-" AcALAc5cA9ncAcAcucAcAcAc "-" /20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc 0 1231 md5:41b0733d42240146fc9df3f80ba8936d

# more audit/20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc
--b5d00648-A--
[25/Jul/2014:22:57:18 +0000] AcALAc5cA9ncAcAcucAcAcAc 10.154.96.140 63740 127.0.0.1 80
--b5d00648-B--
GET /v2.0 HTTP/1.1
Host: nginx
User-Agent: curl/7.33.0
Accept: */*

--b5d00648-F--
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 612
Connection: keep-alive

--b5d00648-E--

--b5d00648-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Apache-Handler: IIS
Stopwatch: 1406329038000190 555175 (- - -)
Stopwatch2: 1406329038000190 555175; combined=1179, p1=365, p2=592, p3=5, p4=144, p5=73, sr=18, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for nginx (STABLE)/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

--b5d00648-Z--

If I try to request a content-type of application/json (which *should* be allowed), I get the following:

[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][2] Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/json"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]

If anyone has any idea then I would be very grateful!!!

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set@lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
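Added illustration, not part of the thread: a small Python model of how ModSecurity macro expansion feeds the two rules Ove quoted (960032 with @within, and the 960010 chain with rx). It assumes the standard behaviour that an unset tx variable expands to an empty string and that @within never matches an empty haystack, and it constructs two tx collections: one holding the values rule 900012 sets, one empty as if the 10 setup file never ran. Running both shows that with the setup values missing, a plain GET and an application/json POST both trip the negated rules, which is why checking the setvar lines in the debug log is the first step.

```python
import re

# Constructed tx collections (not from the thread): the values rule 900012 sets
# when the CRS 10 setup file is loaded, and an empty collection modelling a
# setup file that never ran.
TX_FROM_SETUP = {
    "tx.allowed_methods": "GET HEAD POST OPTIONS",
    "tx.allowed_request_content_type": (
        "application/x-www-form-urlencoded|multipart/form-data|text/xml"
        "|application/xml|application/x-amf|application/json"
    ),
}
TX_UNSET = {}

MACRO = re.compile(r"%\{([^}]+)\}")


def expand_macros(text, tx):
    """Expand %{tx.name} the way ModSecurity does: an unset variable becomes ''."""
    return MACRO.sub(lambda m: tx.get(m.group(1), ""), text)


def op_within(needle, haystack):
    """@within: needle must occur inside the expanded haystack; '' never matches (assumed)."""
    return bool(haystack) and needle in haystack


def rule_960032_fires(method, tx):
    """SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" -> True when it matches."""
    haystack = expand_macros("%{tx.allowed_methods}", tx)
    return not op_within(method, haystack)


def rule_960010_fires(method, content_type, tx):
    """The 960010 chain: only non-GET/HEAD/PROPFIND/OPTIONS methods reach the Content-Type check."""
    if re.match(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$", method):
        return False  # first link fails, chain stops
    m = re.match(r"^([^;\s]+)", content_type)  # capture -> TX:0
    if not m:
        return False  # second link fails, chain stops
    pattern = expand_macros("^%{tx.allowed_request_content_type}$", tx)
    return not re.match(pattern, m.group(1))  # "!^...$" evaluated against TX:0


if __name__ == "__main__":
    for label, tx in (("setup loaded", TX_FROM_SETUP), ("setup missing", TX_UNSET)):
        print(label, "| 960032 fires on GET:", rule_960032_fires("GET", tx),
              "| 960010 fires on POST application/json:",
              rule_960010_fires("POST", "application/json", tx))
```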