Hi Christian and Michael,

Christian, I did what you suggested. See the relevant lines from the log
below.

[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Recipe: Invoking rule 7fb156958950; [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"].
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][5] Rule 7fb156958950: SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_threshold}" "phase:request, auditlog,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',severity:CRITICAL,id:949110,t:none,deny,log,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-generic,setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Transformation completed in 0 usec.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Executing operator "ge" with param "%{tx.inbound_anomaly_score_threshold}" against TX:anomaly_score.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: "0"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.inbound_anomaly_score_threshold} to: 5
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Operator completed in 8 usec.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Rule returned 0.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] No match, not chained -> mode NEXT_RULE.

From this it looks like the anomaly score is zero.
Because the audit log reported XSS detection, I searched the log for the
corresponding rule (941100), and it looks like this:

[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) Utf8toUnicode: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) urlDecodeUni: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) htmlEntityDecode: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) jsDecode: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) cssDecode: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) removeNulls: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Transformation completed in 36 usec.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Executing operator "detectXSS" with param "" against ARGS:param.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: ""><script>alert(1);</script>"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] IS_XSS: libinjection detected XSS.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Operator completed in 6 usec.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Ctl: Set auditLogParts to ABIJDEFHZE.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.msg=%{rule.msg}
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{rule.msg} to: XSS Attack Detected via libinjection
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.msg" to "XSS Attack Detected via libinjection".
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.xss_score=+%{tx.critical_anomaly_score}
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Recorded original collection variable: tx.xss_score = "0"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Relative change: xss_score=0+5
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.xss_score" to "5".
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score}
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Recorded original collection variable: tx.anomaly_score = "0"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Relative change: anomaly_score=0+5
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.anomaly_score" to "5".
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{rule.id} to: 941100
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{matched_var_name} to: ARGS:param
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.941100-OWASP_CRS/WEB_ATTACK/XSS-ARGS:param" to "".
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{MATCHED_VAR_NAME} to: ARGS:param
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{MATCHED_VAR} to: "><script>alert(1);</script>
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][2] Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Rule returned 1.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Match -> mode NEXT_RULE.

As I see it, it states that the anomaly score is 5 at that point.
It looks like REQUEST-949-BLOCKING-EVALUATION is evaluated before
REQUEST-941-APPLICATION-ATTACK-XSS; at least it appears earlier in the log.


Michael, I'm using this Docker based installation:
https://github.com/theonemule/docker-waf
Could you take a look at the configuration files located at
https://github.com/theonemule/docker-waf/tree/master/waf? You may spot a
mistake there.

Regards,
Geza


Muenz, Michael <m...@partycrew-united.de> wrote (on 16 Jan 2017, Mon, 9:09):

> On 15.01.2017 at 19:11, Géza Búza wrote:
> > Hi all,
> >
> > I'm new to ModSecurity and wanted to try it out by installing Nginx
> > 1.10.2, latest ModSecurity (master branch), with latest CRS
> > (v3.0/master branch).
> >
> > With the default settings on, I tried to send an attack request and
> > expected to see it blocked.
> > So I sent the request below to the demo application
> > GET http://172.17.0.1/?param="><script>alert(1);</script>
> > and it responded with 200 OK (which is okay since it's in detection
> > only mode by default),
> > but I expected to see the error "Inbound Anomaly Score Exceeded (Total
> > Score: 5)" in the audit log. There is no such message, but other rules
> > have triggered as I expected.
> > I attached the complete log of the HTTP GET request.
> >
> > Could you give me guidance what am I missing?
> Hi,
>
> I've tested it on my installation with
> ?param="><script>alert(1);</script> and I'm hitting 19 rules, so there's
> an error somewhere in your configuration.
>
> Michael
>
> --
> www.routerperformance.net
> - Cisco, Linux, Networks
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
-- 
Regards,
Búza Géza
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
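The ordering problem Geza describes (rule 949110 comparing tx.anomaly_score while it is still 0, and rule 941100 raising it to 5 only afterwards) can be confirmed mechanically from a ModSecurity debug log, and the same check can be applied to the order in which the rule files are included. The script below is an added example written for this thread; it is not code from the thread, from the docker-waf repository or from the CRS project. It assumes only the debug-log line formats visible above ("Recipe: Invoking rule ...; [file ...] [line ...] [id ...]" and 'Set variable "tx.anomaly_score" to "N"'). The sample log is a constructed, condensed version of the excerpt in the mail; the rule pointer 7fb156a0b2c0 for rule 941100 is made up for the example.

```python
import re

# Constructed sample: a condensed ModSecurity debug log in the format the thread
# shows, one entry per line. The rule pointer 7fb156a0b2c0 is invented.
SAMPLE_DEBUG_LOG = """\
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Recipe: Invoking rule 7fb156958950; [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"].
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: "0"
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Rule returned 0.
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Recipe: Invoking rule 7fb156a0b2c0; [file "/usr/local/nginx/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"].
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.xss_score" to "5".
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.anomaly_score" to "5".
[16/Jan/2017:19:49:15 +0000] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Rule returned 1.
"""

# Line shapes taken from the debug log excerpt in the thread.
INVOKE_RE = re.compile(r'Invoking rule \w+; \[file "([^"]+)"\] \[line "(\d+)"\] \[id "(\d+)"\]')
SCORE_RE = re.compile(r'Set variable "tx\.anomaly_score" to "(\d+)"')

BLOCKING_FILE = "REQUEST-949-BLOCKING-EVALUATION.conf"
BLOCKING_RULE_ID = "949110"


def rule_timeline(log_text):
    """Walk the debug log in order and record, for every rule invocation, the
    value of tx.anomaly_score when the rule started and when it finished."""
    timeline = []
    score = 0  # tx.anomaly_score starts at 0 for each transaction
    for line in log_text.splitlines():
        m = INVOKE_RE.search(line)
        if m:
            timeline.append({
                "id": m.group(3),
                "file": m.group(1).rsplit("/", 1)[-1],
                "line": int(m.group(2)),
                "score_before": score,
                "score_after": score,
            })
            continue
        m = SCORE_RE.search(line)
        if m:
            score = int(m.group(1))
            if timeline:
                timeline[-1]["score_after"] = score
    return timeline


def late_scoring_rules(timeline, blocking_id=BLOCKING_RULE_ID):
    """Rule ids that raised tx.anomaly_score only after the blocking evaluation
    rule had already run. A non-empty list is the symptom from the thread:
    949110 compared a score of 0, then 941100 added 5 to it."""
    after_blocking = False
    late = []
    for entry in timeline:
        if entry["id"] == blocking_id:
            after_blocking = True
        elif after_blocking and entry["score_after"] > entry["score_before"]:
            late.append(entry["id"])
    return late


def misordered_request_files(include_order):
    """Given rule files in the order they are Included, return the REQUEST-9xx
    files loaded after the blocking evaluation file. Rules in those files can
    never contribute to the score that 949110 evaluates."""
    names = [p.rsplit("/", 1)[-1] for p in include_order]
    if BLOCKING_FILE not in names:
        raise ValueError(f"{BLOCKING_FILE} is not included at all")
    idx = names.index(BLOCKING_FILE)
    return [n for n in names[idx + 1:] if n.startswith("REQUEST-9") and n < BLOCKING_FILE]


if __name__ == "__main__":
    tl = rule_timeline(SAMPLE_DEBUG_LOG)
    for e in tl:
        print(f'{e["id"]} ({e["file"]}): score {e["score_before"]} -> {e["score_after"]}')
    print("scoring rules that ran after 949110:", late_scoring_rules(tl))
```

Run against a real debug log (`rule_timeline(open(path).read())`), a non-empty `late_scoring_rules` result means the blocking rule evaluated a stale score; `misordered_request_files` does the same check on the include list before any traffic is sent, which is the quicker way to review a configuration such as the one in the docker-waf repository.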
