The audit log and the debug log don't seem to help much as they show the sent data (i.e. the pre-transformed data which has not been base64 decoded yet).

Can you write a rule to log the post-transform data which might give further clues as to why it's not matching? For example a rule like this would log any request with the REQUEST_HEADERS:Authorization and detail the post transform data (TX.0):

SecRule "REQUEST_HEADERS:Authorization" "." "phase:2,id:2,t:base64Decode,log,auditlog,allow,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}'"

Thanks,
Barry

----------------------------------------
> From: gary.mans...@ricardo.com
> To: barry_poll...@hotmail.com; csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> Date: Tue, 12 Apr 2016 07:25:22 +0000
>
> Guys, were you able to see why the admin filter was not working from the logs?
>
> -----Original Message-----
> From: Mansell, Gary
> Sent: 06 April 2016 15:18
> To: 'Barry Pollard' <barry_poll...@hotmail.com>; Chaim Sanders <csand...@trustwave.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>
> Hi,
>
> Apologies but I was out of the office yesterday and will be out again tomorrow, but here goes.
>
> I have turned on audit logging as suggested - and made a simple page request from the application again supplying the grmawcadmin username with the password test.
>
> I have to say, the audit log does not really make much sense to me, but I can see this line in many places which must be my basic auth:
>
> Authorization: Basic Z3JtYXdjYWRtaW46dGVzdA==
>
> "Z3JtYXdjYWRtaW46dGVzdA==" is base64 encoded from the string "grmawcadmin:test" so this looks as expected.
>
> The question is why does modsecurity not decode and detect this authorisation header using the rule Chaim kindly suggested?
>
> Can anyone advise what is wrong - I attach the debug and audit logs
>
> Note: the Web Application is behind an IP whitelist filter and I have since changed the account password...
>
> Rgds
>
> Gary
>
> -----Original Message-----
> From: Barry Pollard [mailto:barry_poll...@hotmail.com]
> Sent: 05 April 2016 09:47
> To: Mansell, Gary <gary.mans...@ricardo.com>; Chaim Sanders <csand...@trustwave.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>
> Christian not sure if you missed this as Gary had replied?
>
> Gary, the key issue is this:
>
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.
> <snip>
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Rule returned 0.
>
> So your rule is not matching for some reason. I would suggest you turn the audit engine on to capture all requests:
>
> SecAuditEngine On
>
> And then see if this Authorization header is included, with a value containing admin, by looking in the audit log.
>
> Alternatively write another rule that matches always:
>
> SecRule "REQUEST_URI" "." "phase:2,id:2,t:base64Decode,log,auditlog,allow"
>
> And again check the audit log to see if the Authorization header is included, with a value containing admin.
>
> By the way phase 2 (REQUEST_BODY) also includes phase 1 (REQUEST_HEADER) details. You could move your rule to phase 1 and it will execute earlier which might save you needlessly attempting other phase 2 rules if it fails, but this is not the reason for your failure here.
>
> Hope that helps.
>
> Thanks,
> Barry
>
> ----------------------------------------
>> From: gary.mans...@ricardo.com
>> To: csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
>> Date: Mon, 4 Apr 2016 14:28:26 +0000
>> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>
>> I have got some debug logs, but am not certain what they are telling me - I wonder if anyone can advise me on this?
>>
>> I have just the one rule in my config now:
>>
>> SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
>>
>> I started a fresh apache session with empty debug log, and accessed the web application from a fresh browser session (15:18:06) and was prompted to enter username and password. I entered the username grmawcadmin and the password and this shows at 15:18:07 in the log below.
>>
>> As far as I can see, it does not seem to run the rule in the REQUEST_HEADERS section, but rather at the REQUEST_BODY - is this the problem - ie it is checking for the admin string in the REQUEST_BODY rather than the REQUEST_HEADER?
>>
>> I would gladly appreciate some help on this, as I am rather stuck.
>>
>> Rgds
>>
>> Gary
>>
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Initialising transaction (txid VwJ3nsCoAUcAABgZAbQAAACX).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Adding request cookie: name "__utma", value "1.1672802757.1445242759.1445242759.1456313530.2"
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Adding request cookie: name "__utmz", value "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Transaction context created (dcfg 1039140).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase REQUEST_HEADERS.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Second phase starting (dcfg 1039140).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Input filter: This request does not have a body.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase REQUEST_BODY.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 1 rule(s).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Recipe: Invoking rule 109b5e8; [file "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"].
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Rule returned 0.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] No match, not chained -> mode NEXT_RULE.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Hook insert_filter: Adding output filter (r 7fc1ec0098b0).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase RESPONSE_HEADERS.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Content Injection: Not enabled.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 10 bytes.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 624 bytes.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 8 bytes.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type EOS contains 0 bytes.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Output filter: Completed receiving response body (buffered full - 642 bytes).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase RESPONSE_BODY.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Output filter: Output forwarding complete.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Initialising logging.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase LOGGING.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Recording persistent data took 0 microseconds.
>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Audit log: Not configured to run for this request.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Initialising transaction (txid VwJ3qcCoAUcAABgZAbUAAACX).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Adding request cookie: name "__utma", value "1.1672802757.1445242759.1445242759.1456313530.2"
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Adding request cookie: name "__utmz", value "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Transaction context created (dcfg 1039140).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase REQUEST_HEADERS.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Second phase starting (dcfg 1039140).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Input filter: This request does not have a body.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase REQUEST_BODY.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 1 rule(s).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Recipe: Invoking rule 109b5e8; [file "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"].
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] T (0) base64Decode: "\x05\xab""
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Transformation completed in 24 usec.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Target value: "\x05\xab""
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Operator completed in 7 usec.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Rule returned 0.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] No match, not chained -> mode NEXT_RULE.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Hook insert_filter: Adding output filter (r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase RESPONSE_HEADERS.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Content Injection: Not enabled.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 1591 bytes.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 1295 bytes.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type FLUSH contains 0 bytes.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 8184 bytes.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 129 bytes.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type EOS contains 0 bytes.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Output filter: Completed receiving response body (buffered full - 11199 bytes).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase RESPONSE_BODY.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Output filter: Output forwarding complete.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Initialising logging.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase LOGGING.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Recording persistent data took 0 microseconds.
>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Audit log: Not configured to run for this request.
>>
>> -----Original Message-----
>> From: Chaim Sanders [mailto:csand...@trustwave.com]
>> Sent: 31 March 2016 17:33
>> To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
>> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>
>> Hey Gary,
>> While I'm not sure what's going wrong with your rule I suggest you check out the debug log... it will usually contain valuable information to help you debug your issues :). Maybe someone else will be able to spot the issue.
>>
>> -----Original Message-----
>> From: Mansell, Gary [mailto:gary.mans...@ricardo.com]
>> Sent: Thursday, March 31, 2016 12:31 PM
>> To: Chaim Sanders <csand...@trustwave.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
>> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>
>> Is there no one who can help me further on this, as it seems exactly the sort of thing that modsecurity should be able to do (but I am struggling with)?
>>
>> All of my Web Application admin accounts end in the string "admin", and I would like to be able to use a modsecurity rule on the reverse proxy server in the DMZ to prevent any admin logins (as admins should only ever login directly via the internal apache server rather than the reverse proxy)?
>>
>> It is my understanding that even though this is a https request, as this application uses basic authentication, every request via the reverse apache server includes a base64 encoded username and password in the authorisation header - I can't understand why I can't block this with a simple modsecurity rule.
>>
>> The rule suggestion that I was sent by Chaim seems to make sense to me, but I just can't get it to work - it seems to be looking to deny any request with authorization Header containing the string "admin:"
>>
>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>>
>> Can anyone help me on this - is there just a simple typo in the rule perhaps? Do I have to choose a unique ID value other than 1 (as I had the Owasp core rule set configured too)?
>>
>> Rgds
>>
>> Gary
>>
>> I have had a good crack at trying to get this to work, but to no avail, unfortunately.
>>
>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>>
>> I tried changing the contains string to various things that may be relevant, but still no joy.
>>
>> Is it perhaps because both the reverse proxy and the internal apache server are configured for https?
>>
>> How do I tell whether my system is using base64 to encode the username in the header?
>>
>> I have to say I am completely lost with this now, it seems like something that modsecurity should be able to do, but I don't know where to start with debugging, or testing this to get it to work?
>>
>> Any ideas anyone?
>>
>> Rgds
>>
>> Gary
>>
>> -----Original Message-----
>> From: Chaim Sanders [mailto:csand...@trustwave.com]
>> Sent: 14 March 2016 15:58
>> To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
>> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>
>> Hey Gary,
>> This is actually a great question and should be very easily possible. Typically Basic Authentication uses base64.
>> So you could do something similar to the following (untested):
>>
>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>>
>> -----Original Message-----
>> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Mansell, Gary
>> Sent: Monday, March 14, 2016 11:13 AM
>> To: owasp-modsecurity-core-rule-set@lists.owasp.org
>> Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>
>> Hi,
>>
>> I have an internal Web application that uses Apache Basic Authentication, checking user account logins against an internal LDAP Server for authentication.
>>
>> I am now looking to present this Web Application to whitelisted IPs on the Internet, by means of a Reverse Proxy Apache Server in a DMZ with modsecurity enabled and one of the free rulesets to protect the application from being abused. Both the Reverse Proxy and the Internal Apache server are configured for https only.
>>
>> It occurs to me that Administrative users should never be able to login to the Web Application via the Reverse Proxy Apache server - I hence wonder if it is possible to use modsecurity on the Reverse Apache server to prevent specific Admin user accounts from logging in to the Web Application?
>>
>> If so, please can someone point me in the direction of how I might achieve this?
>>
>> Thanks
>>
>> Gary
>>
>> ------------------------------------------------------------------------------------------------------------
>> This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately and delete this e-mail from your system.
>> Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Ricardo (save for reports and other documentation formally approved and signed for release to the intended recipient). Only Directors are authorised to enter into legally binding obligations on behalf of Ricardo. Ricardo may monitor outgoing and incoming e-mails and other telecommunications systems. By replying to this e-mail you give consent to such monitoring. The recipient should check e-mail and any attachments for the presence of viruses. Ricardo accepts no liability for any damage caused by any virus transmitted by this e-mail.
>> "Ricardo" means Ricardo plc and its subsidiary companies.
>> Ricardo plc is a public limited company registered in England with registered number 00222915.
>> The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by Sea, West Sussex, BN43 5FG.
>> ------------------------------------------------------------------------------------------------------------
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> http://scanmail.trustwave.com/?c=4062&d=wND91tX1TZq0UB15loWcH4RfFlxJe-IvfXYgFS8s2g&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
>>
>> ________________________________
>>
>> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited.
>> If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
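The debug log quoted in the thread already records the post-transform value Barry's logdata rule would print: `T (0) base64Decode: "\x05\xab""`. The transformation runs over the whole header value, `Basic ` prefix included, so the decoder only gets `Basi` before the space stops it, and `@contains admin:` never sees the decoded credentials. The Python below is an added example, not code from the thread or from ModSecurity: `lenient_b64decode` is an assumption-labelled model of that decoder behaviour which reproduces the logged bytes, and `basic_auth_credentials`/`is_admin_login` show the check that actually does what the thread wants, decoding only the token after the scheme word.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Authorization header value quoted from the thread's audit log
# (base64 of "grmawcadmin:test").
THREAD_HEADER = "Basic Z3JtYXdjYWRtaW46dGVzdA=="


def lenient_b64decode(value: str) -> bytes:
    """Model of a base64 transformation applied to a whole header value.

    Assumption, modelled on the debug log line
    'T (0) base64Decode: "\\x05\\xab""': the decoder consumes characters up to
    the first one outside the base64 alphabet, decodes what it has collected,
    and silently drops a lone trailing character. It never raises.
    """
    run = re.match(r"[A-Za-z0-9+/]*", value).group(0)
    if len(run) % 4 == 1:          # one leftover sextet carries no full byte
        run = run[:-1]
    if not run:
        return b""
    return base64.b64decode(run + "=" * (-len(run) % 4))


def rule_as_written_matches(header: str, needle: str = "admin:") -> bool:
    """What the thread's rule effectively tests:
    SecRule REQUEST_HEADERS:Authorization "@contains admin:" "t:base64Decode"
    decodes the entire value, scheme word included, then substring-searches.
    For "Basic Z3Jt..." only "Basi" is decoded (to b'\\x05\\xab"') before the
    space stops the decoder, so "admin:" can never be found: "Rule returned 0".
    """
    return needle.encode() in lenient_b64decode(header)


def basic_auth_credentials(header: str) -> Optional[Tuple[str, str]]:
    """Parse an HTTP Basic Authorization value into (user, password).

    Only the token after the scheme word is base64 (RFC 7617; the scheme word
    is case-insensitive). Returns None for any other scheme, for a token that
    is not valid base64, and for decoded text without the "user:password"
    separator, so a malformed header is never mistaken for a non-admin login.
    """
    m = re.fullmatch(r"\s*basic\s+([A-Za-z0-9+/]+=*)\s*", header, re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_admin_login(header: str, suffix: str = "admin") -> bool:
    """The check the thread wants at the reverse proxy: does the Basic-auth
    user name end in "admin"? In ModSecurity terms this means capturing the
    token after "Basic " first and applying t:base64Decode to that capture
    rather than to the whole header (an assumption about the fix, not a rule
    from the thread)."""
    creds = basic_auth_credentials(header)
    return creds is not None and creds[0].endswith(suffix)


if __name__ == "__main__":
    print(lenient_b64decode(THREAD_HEADER))        # b'\x05\xab"'
    print(rule_as_written_matches(THREAD_HEADER))   # False
    print(basic_auth_credentials(THREAD_HEADER))    # ('grmawcadmin', 'test')
    print(is_admin_login(THREAD_HEADER))            # True
```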