On Tue, Nov 15, 2016 at 07:53:52PM +0000, Jose Pablo Valcárcel Lázaro wrote:
> Sorry, Christian. I didn't look in your CRS3 tutorial:
>
> 152 x 942260 Detects basic SQL authentication bypass attempts 2/3
> -----------------------------------------------------------------
> # ModSec Rule Exclusion: 942260 : Detects basic SQL authentication
> bypass attempts 2/3
> SecRule REQUEST_URI "@beginsWith /drupal/index.php/search/node"
> "phase:2,nolog,pass,id:10003,ctl:ruleRemoveTargetById=942260;ARGS:keys"

Nevermind. ;)

And the fact that my tutorial works with the same rule is pure coincidence.

Ahoj,

Christian

>
> Regards
>
> On Tue, 15 November 2016 at 20:44, Christian Folini <
> christian.fol...@netnea.com> wrote:
>
> > Kamil,
> >
> > Thanks for reporting.
> >
> > You are facing the following alerts:
> >
> > 920300 REQUEST_HEADERS:User-Agent Request Missing an Accept Header
> > 920300 REQUEST_HEADERS:User-Agent Request Missing an Accept Header
> > 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> > 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> >
> > 920300 is usually legitimate and likely points to a client not sending
> > the Accept header like it should. This is a widespread misbehaviour.
> > That is why we pushed the rule to paranoia level 2. You are apparently
> > running PL2 or higher. You should thus tune this alert away via a rule
> > exclusion.
> >
> > The 942260 is likely also legitimate. It's just that your poor client
> > has a session cookie smelling of SQL authentication bypass. You
> > should exclude the said cookie from the list of parameters examined
> > by 942260.
> >
> > My tutorials at https://www.netnea.com/cms/apache-tutorials give
> > you detailed step-by-step instructions on how to do this.
> >
> > Best,
> >
> > Christian
> >
> >
> >
> > On Tue, Nov 15, 2016 at 05:54:52PM +0100, kamil kapturkiewicz wrote:
> > > Hi,
> > > I have had this issue with the previous 2.2.9 version, but I am not really
> > > sure whether it is related to mod_security itself or to CRS. The problem is
> > > with some Windows machines; below is an example from one of our corporate
> > > users, who is working on a Windows 7 machine. I am pretty sure the machine
> > > is not infected by malware or something, and this problem occurs on FF,
> > > Chrome, Opera and IE. But in combination with fail2ban, this cuts him off
> > > from the web server every time he tries to access the company website. Do
> > > you guys have any idea what is causing this?
> > >
> > > [Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client 213.81.82.201]
> > > ModSecurity: Warning. Match of "pm AppleWebKit Android" against
> > > "REQUEST_HEADERS:User-Agent" required.
> > > [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> > > [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"]
> > > [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"]
> > > [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> > > [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"]
> > > [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> > > [tag "paranoia-level/2"] [hostname "domain.com"]
> > > [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> > >
> > > [Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client 213.81.82.201]
> > > ModSecurity: Access denied with code 403 (phase 2). Pattern match
> > > "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..."
> > > at REQUEST_COOKIES:OutlookSession.
> > > [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> > > [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"]
> > > [data "Matched Data: \\x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"]
> > > [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"]
> > > [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> > > [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
> > > [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> > > [tag "paranoia-level/2"] [hostname "domain.com"]
> > > [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> > >
> > > [Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client 213.81.82.201]
> > > ModSecurity: Warning. Match of "pm AppleWebKit Android" against
> > > "REQUEST_HEADERS:User-Agent" required.
> > > [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> > > [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"]
> > > [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"]
> > > [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> > > [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"]
> > > [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> > > [tag "paranoia-level/2"] [hostname "domain.com"]
> > > [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> > >
> > > [Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client 213.81.82.201]
> > > ModSecurity: Access denied with code 403 (phase 2). Pattern match
> > > "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..."
> > > at REQUEST_COOKIES:OutlookSession.
> > > [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> > > [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"]
> > > [data "Matched Data: \\x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"]
> > > [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"]
> > > [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> > > [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
> > > [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> > > [tag "paranoia-level/2"] [hostname "domain.com"]
> > > [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
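As an added illustration of the tuning Christian describes (this is not code from the thread, from the netnea tutorial or from the CRS project): a small Python helper that parses ModSecurity 2.x error-log entries like the ones Kamil posted, groups them by rule id, matched variable and URI, and prints rule exclusions in the same shape as the one Jose quoted. The embedded log entries are constructed, shortened copies of the four in the thread; the exclusion ids starting at 10000 and the phase:1 placement are assumptions, not CRS conventions.

```python
import re
from collections import Counter

# Constructed sample entries, shortened from the four quoted in the thread (the long
# regex and most [tag] fields dropped); field layout is ModSecurity 2.x error-log format.
SAMPLE_LOG = r'''
[Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
[Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\s*?(?:all|distinct ..." at REQUEST_COOKIES:OutlookSession. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\x22"] [severity "CRITICAL"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
[Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
[Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\s*?(?:all|distinct ..." at REQUEST_COOKIES:OutlookSession. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\x22"] [severity "CRITICAL"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
TARGET_RE = re.compile(r'" at (\S+?)\. \[file ')          # variable the pattern hit

def parse_alert(line):
    """Return the bracketed fields of one alert plus the matched variable, or None."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    m = TARGET_RE.search(line)
    fields["target"] = m.group(1) if m else None  # None for the chained 920300 warning
    return fields

def propose_exclusions(log_text, first_id=10000):
    """Group alerts by (rule, variable, URI) and emit one CRS rule exclusion per group."""
    counts, msgs = Counter(), {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a:
            key = (a["id"], a["target"] or "", a.get("uri", "/"))
            counts[key] += 1
            msgs[key] = a.get("msg", "")
    out = []
    for n, ((rid, target, uri), hits) in enumerate(sorted(counts.items())):
        out.append(f"# {hits} x {rid} {msgs[(rid, target, uri)]}")
        if target:
            # Keep the rule but stop it inspecting this one variable on this URI.
            action = f"ctl:ruleRemoveTargetById={rid};{target}"
        else:
            # No single variable to drop, so switch the rule off for this URI only.
            action = f"ctl:ruleRemoveById={rid}"
        # phase:1 runs before every CRS request rule, so the ctl action is in place in time.
        out.append(f'SecRule REQUEST_URI "@beginsWith {uri}" '
                   f'"phase:1,nolog,pass,id:{first_id + n},{action}"')
    return out

if __name__ == "__main__":
    print("\n".join(propose_exclusions(SAMPLE_LOG)))
```

The generated lines go into a ModSecurity config file that is included before the CRS rules; a 942260 exclusion that drops only REQUEST_COOKIES:OutlookSession keeps the rule active for every other parameter on that URI.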