Debug log review time.

You need to verify that your setvar values in the 10 setup file are being 
read/set properly and then see how those SecRules later on are processing with 
macro expansion.

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
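
To act on the suggestion above, here is an added example that is not part of the thread and not ModSecurity or CRS code. It assumes Python 3 and uses constructed sample input: a setup-file SecAction in the shape of CRS rule 900012, and debug-log lines whose shape approximates SecDebugLogLevel 9 output in ModSecurity 2.x (adjust the regexes to the exact wording of your own modsec_debug.log if it differs). It extracts the setvar names from the setup file, groups the debug log by transaction (rid), records which tx variables were set in each transaction, and reports any `%{tx.*}` macro that a rule used before anything had set it. That unresolved case is the condition that makes `!@within %{tx.allowed_methods}` fire for every method: an unset variable expands to an empty string, and "GET" is not within an empty list.

```python
import re
from collections import defaultdict

# Constructed sample of a setup-file SecAction in the shape of CRS rule 900012
# (not copied from the project; illustrative only).
SAMPLE_SETUP_CONF = """\
SecAction \\
  "id:'900012', \\
  phase:1, \\
  t:none, \\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \\
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \\
  nolog, \\
  pass"
"""

# Constructed debug-log lines. Their shape approximates SecDebugLogLevel 9 output
# in ModSecurity 2.x. The first transaction (rid 1b1acf8) runs the setup rule
# before the policy rule; the second (rid 24f3f38) never runs the setup rule.
SAMPLE_DEBUG_LOG = """\
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][4] Recipe: Invoking rule 0x1; [file "/usr/local/nginx/conf/modsec/modsecurity_crs_10_setup.conf"] [line "150"] [id "900012"].
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][9] Set variable "tx.allowed_methods" to "GET HEAD POST OPTIONS".
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][9] Set variable "tx.allowed_request_content_type" to "application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json".
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][4] Recipe: Invoking rule 0x2; [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"].
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][4] Executing operator "!within" with param "%{tx.allowed_methods}" against REQUEST_METHOD.
[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][4] Recipe: Invoking rule 0x2; [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"].
[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][4] Executing operator "!within" with param "%{tx.allowed_methods}" against REQUEST_METHOD.
[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [id "960032"] [data "GET"]
"""

LINE_RE = re.compile(
    r'^\[[^\]]+\] \[/sid#[^\]]+\]\[rid#(?P<rid>[^\]]+)\]\[[^\]]*\]\[(?P<level>\d)\] (?P<msg>.*)$')
RULE_ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
SET_VAR_RE = re.compile(r'^Set variable "(?P<name>[^"]+)" to "(?P<value>[^"]*)"\.')
OPERATOR_RE = re.compile(r'^Executing operator "(?P<op>[^"]+)" with param "(?P<param>[^"]*)"')
MACRO_RE = re.compile(r'%\{([^}]+)\}')
# setvar:'name=value' (quoted) or setvar:name=value (unquoted, ends at a comma)
CONF_SETVAR_RE = re.compile(r"setvar:(?:'([^=']+)=([^']*)'|([^=,'\s]+)=([^,\s\"]*))")


def config_setvars(conf_text):
    """Map of variable name -> value for every setvar: action in a config fragment."""
    found = {}
    for q_name, q_value, name, value in CONF_SETVAR_RE.findall(conf_text):
        found[(q_name or name).lower()] = q_value if q_name else value
    return found


def parse_debug_log(text):
    """Group a debug log by transaction id (rid).

    For each transaction, record the tx variables that were set and, for every
    operator whose parameter contains a %{...} macro, whether the referenced
    variable had already been set in that same transaction.
    """
    txs = defaultdict(lambda: {"vars": {}, "checks": [], "rule": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tx, msg = txs[m.group("rid")], m.group("msg")
        if msg.startswith("Recipe: Invoking rule"):
            rule = RULE_ID_RE.search(msg)
            tx["rule"] = rule.group("id") if rule else None
            continue
        sv = SET_VAR_RE.match(msg)
        if sv:
            tx["vars"][sv.group("name").lower()] = sv.group("value")
            continue
        op = OPERATOR_RE.match(msg)
        if op:
            for macro in MACRO_RE.findall(op.group("param")):
                name = macro.lower()
                tx["checks"].append((tx["rule"], op.group("op"), name, name in tx["vars"]))
    return dict(txs)


def find_unresolved(log_text):
    """(rid, rule id, macro) for every macro a rule used before anything set it.

    An unset tx variable expands to an empty string, so "!@within %{tx.allowed_methods}"
    then matches every request method, which is the symptom reported in the thread.
    """
    return [(rid, rule, name)
            for rid, tx in parse_debug_log(log_text).items()
            for rule, _op, name, resolved in tx["checks"] if not resolved]


def missing_setvars(conf_text, log_text, rid):
    """setvar names declared in the setup file that never appear as set for transaction rid."""
    expected = config_setvars(conf_text)
    seen = parse_debug_log(log_text).get(rid, {"vars": {}})["vars"]
    return sorted(name for name in expected if name not in seen)


if __name__ == "__main__":
    print("declared in setup file:", sorted(config_setvars(SAMPLE_SETUP_CONF)))
    for rid in ("1b1acf8", "24f3f38"):
        print(rid, "missing:", missing_setvars(SAMPLE_SETUP_CONF, SAMPLE_DEBUG_LOG, rid))
    print("unresolved macro references:", find_unresolved(SAMPLE_DEBUG_LOG))
```

Run it against a real log by replacing the two sample strings with the contents of modsecurity_crs_10_setup.conf and a SecDebugLogLevel 9 capture of one failing request; a transaction that lists tx.allowed_methods under "missing" while rule 960032 appears under "unresolved" shows that the setup rule's setvar never ran for that request, and the next question is why (file not included, included after the activated rules, or wrong phase).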

On Jul 25, 2014, at 7:32 PM, "Ove Hansen -X (ohansen - TEKSYSTEMS at Cisco)" 
<ohan...@cisco.com> wrote:

Hello all,

I’m using mod_security 2.7.7 on nginx, and I have a problem with the OWASP 
CRS/2.2.9:

The rules in modsecurity_crs_30_http_policy.conf that should allow GET, HEAD, 
POST and OPTIONS always trigger, even for a GET. Similarly, the rule for the 
Content-Type header won’t allow “application/json”, even though that should be 
allowed. These rules have not been edited from their defaults:

SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \

SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
  "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
  "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
        SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
                SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \
                  "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

If I try:

curl -k https://nginx/v2.0

I get:

==> modsec_debug.log <==
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][2] Warning. 
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. 
[file 
"/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"]
 [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] 
[data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] 
[accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag 
"WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag 
"PCI/12.1"]

==> access.log <==
10.154.96.140 - - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 612 "-" 
"curl/7.33.0"

==> modsec_audit.log <==
10.154.96.140 -  [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 0 "-" 
"-" AcALAc5cA9ncAcAcucAcAcAc "-" 
/20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc 0 1231 
md5:41b0733d42240146fc9df3f80ba8936d

# more audit/20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc
--b5d00648-A--
[25/Jul/2014:22:57:18 +0000] AcALAc5cA9ncAcAcucAcAcAc 10.154.96.140 63740 
127.0.0.1 80
--b5d00648-B--
GET /v2.0 HTTP/1.1
Host: nginx
User-Agent: curl/7.33.0
Accept: */*

--b5d00648-F--
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 612
Connection: keep-alive

--b5d00648-E--

--b5d00648-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Apache-Handler: IIS
Stopwatch: 1406329038000190 555175 (- - -)
Stopwatch2: 1406329038000190 555175; combined=1179, p1=365, p2=592, p3=5, 
p4=144, p5=73, sr=18, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for nginx (STABLE)/2.7.7 (http://www.modsecurity.org/); 
OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

--b5d00648-Z--


If I try a request with a content-type of application/json (which *should* be 
allowed), I get the following:

[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][2] Warning. 
Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. 
[file 
"/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"]
 [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed 
by policy"] [data "application/json"] [severity "CRITICAL"] [ver 
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag 
"OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]

If anyone has any idea then I would be very grateful!!!
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.