Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger

Christian Folini Mon, 16 Jan 2017 12:26:59 -0800

On Mon, Jan 16, 2017 at 08:15:22PM +0000, Géza Búza wrote:
> As I see it states that the anomaly score is 5 at that point.
> It looks like REQUEST-949-BLOCKING-EVALUATION is evaluated before
> REQUEST-941-APPLICATION-ATTACK-XSS, at least it appears earlier in the log.


Bingo.

The install file says you need to install on NginX by naming the
rules files one by one:

    include modsecurity.conf
    include owasp-modsecurity-crs/crs-setup.conf
    include 
owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
    include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
    include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    include 
owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
    include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
    include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
    include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
    include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
    include 
owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Is this what you did?

Your logfiles looks like you did include rules/*.conf.

Ahoj,

Christian



> 
> 
> Michael, I'm using this Docker based installation:
> https://github.com/theonemule/docker-waf
> Could you take a look at the configuration files located at
> https://github.com/theonemule/docker-waf/tree/master/waf? You may spot a
> mistake there.
> 
> Regards,
> Geza
> 
> 
> Muenz, Michael <m...@partycrew-united.de> ezt írta (időpont: 2017. jan.
> 16., H, 9:09):
> 
> > Am 15.01.2017 um 19:11 schrieb Géza Búza:
> > > Hi all,
> > >
> > > I'm new to ModSecurity and wanted to try it out by installing Nginx
> > > 1.10.2, latest ModSecurity (master branch), with latest CRS
> > > (v3.0/master branch).
> > >
> > > With the default settings on, I tried to send an attack request and
> > > expected to see it blocked.
> > > So I sent the request below to the demo application
> > > GET http://172.17.0.1/?param=";><script>alert(1);</script>
> > > and it responded with 200 OK (which is okay since it's in detection
> > > only mode by default),
> > > but I expected to see the error "Inbound Anomaly Score Exceeded (Total
> > > Score: 5)" in the audit log. There is no such message, but other rules
> > > have triggered as I expected.
> > > I attached the complete log of the HTTP GET request.
> > >
> > > Could you give me guidance what am I missing?
> > Hi,
> >
> > I've tested in on my installation with
> > ?param="><script>alert(1);</script> and I'm hitting 19 rules, so there's
> > and error somewhere in your configuration.
> >
> > Michael
> >
> > --
> > www.routerperformance.net
> > - Cisco, Linux, Networks
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
> -- 
> Üdvözlettel,
> Búza Géza

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger

Reply via email to