Sheldon,

The default action does not really matter much in this regard. You
can oversteer it in your rules. I really do not see the issue.

Does somebody else understand the problem correctly?

Ahoj,

Christian

On Mon, Mar 27, 2017 at 02:28:33PM +0000, Briand, Sheldon (NRC/CNRC) wrote:
> Hi,
> 
> Still playing with this one.  I can set my status in a rule (based on the 
> backup tomcat status) but ultimately the user sees a 403 no matter what I do.
> 
> I'm guessing it is because of the default disruptive action when a deny action 
> is in effect.  The default action is to send a 403.  I see in 
> RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf there are ways to change the 
> default action.
> 
> Is there a way of saying: if backend_status is XXX then set the 
> SetRuleUpdateActionById to a relevant rule? (Is that the best way to handle 
> what I want to do?) I assume I would do that in the RESPONSE-999-EXCLUSION 
> conf file.
> 
> Thanks,
> -Sheldon
> 
> -----Original Message-----
> From: fol...@netnea.com [mailto:fol...@netnea.com] 
> Sent: Wednesday, March 01, 2017 5:28 PM
> To: Briand, Sheldon (NRC/CNRC) <sheldon.bri...@canada.ca>
> Cc: Christian Folini <christian.fol...@netnea.com>
> Subject: RE: [Owasp-modsecurity-core-rule-set] Send back the correct response 
> code
> 
> Hey Sheldon,
> 
> Your rule works in phase 4. But in phase 4, the status header is already sent 
> out. If you want to manipulate it, you need to do this in phase 3.
> 
> Ahoj,
> 
> Christian
> 
> > Hi,
> >
> > Thanks for the suggestions so far.  I haven't managed to make it work 
> > and just wanted to see if what I did makes sense.  (BTW backend server 
> > is tomcat)
> >
> > I put the following rule in a local.conf in the rules directory:
> > SecRule RESPONSE_HEADERS:status "^(.*?)$"
> > "phase:3,pass,id:1,setvar:tx.backend_status=%{MATCHED_VAR}"
> >
> > I changed RESPONSE-959-BLOCKING-EVALUATION.conf:
> > SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
> >   "phase:4,\
> >   id:959100,\
> >   tag:'anomaly-evaluation',\
> >   t:none,\
> >   deny,\
> >   status:%{TX.backend_status}"
> >
> > RESPONSE-952-DATA-LEAKAGES-JAVA.conf:
> > SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
> >         "phase:4,\
> >         rev:'3',\
> >         ver:'OWASP_CRS/3.0.0',\
> >         maturity:'9',\
> >         accuracy:'9',\
> >         t:none,\
> >         capture,\
> >         ctl:auditLogParts=+E,\
> >         block,\
> >         msg:'Java Source Code Leakage',\
> >         logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
> >         id:952100,\
> >         tag:'application-multi',\
> >         tag:'language-java',\
> >         tag:'platform-multi',\
> >         tag:'attack-disclosure',\
> >         tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
> >         tag:'WASCTC/WASC-13',\
> >         tag:'OWASP_TOP_10/A6',\
> >         tag:'PCI/6.5.6',\
> >         severity:'ERROR',\
> >         setvar:'tx.msg=Access denied with code %{tx.backend_status}',\
> >         setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
> >         setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
> >         setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
> >
> > I'm seeing errors like this where the status isn't passed:
> > Message: Access denied with code 403 (phase 4). Matched phrase "javax.servlet" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"] [line "50"] [id "952100"] [rev "3"] [msg "Java Source Code Leakage"] [data "Matched Data: javax.servlet found within RESPONSE_BODY: <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.41 - Error report</title><style type=\x22text/css\x22>H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-..."] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-java"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA"] [tag "WASCTC/WASC-13"] [tag "OWA
> > Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "82"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): Access denied with code "] [tag "event-correlation"]
> >
> > Thanks!
> > -Sheldon
> >
> > -----Original Message-----
> > From: Christian Folini [mailto:christian.fol...@netnea.com]
> > Sent: Tuesday, February 21, 2017 4:40 PM
> > To: Briand, Sheldon (NRC/CNRC) <sheldon.bri...@canada.ca>
> > Subject: Re: [Owasp-modsecurity-core-rule-set] Send back the correct 
> > response code
> >
> > Hi there,
> >
> > I see. Now I get you.
> >
> > Assuming that the status action accepts dynamic variables as 
> > parameters, you could save the status code at the beginning of phase 3 
> > and then replace 959100 with a rule with "deny,status:%{TX.backend_status}"
> >
> > This might work, but I have not tested this.
> >
> > Ahoj,
> >
> > Christian
> >
> > On Tue, Feb 21, 2017 at 08:33:12PM +0000, Briand, Sheldon (NRC/CNRC)
> > wrote:
> >> Hi Christian,
> >>
> >> Sorry for not being clear.  I'm fairly new to modsecurity.  I have a 
> >> reverse proxy setup.  Let's say that a legitimate request comes in.
> >> That request generates an error on the backend server.  I'd like to 
> >> return whatever code the backend server would have returned instead 
> >> of the modsecurity 403.
> >>
> >> Thanks,
> >> -Sheldon
> >>
> >> -----Original Message-----
> >> From: Christian Folini [mailto:christian.fol...@netnea.com]
> >> Sent: Tuesday, February 21, 2017 4:24 PM
> >> To: Briand, Sheldon (NRC/CNRC) <sheldon.bri...@canada.ca>
> >> Subject: Re: [Owasp-modsecurity-core-rule-set] Send back the correct 
> >> response code
> >>
> >> Hi Sheldon,
> >>
> >> Not sure I understand you. What is the "correct" error code in your 
> >> question?
> >>
> >> The incoming requests are blocked in rule 949110. That rule does a 
> >> "deny" which defaults to 403. You can update that rule to include a 
> >> different status code. If I remember correctly, it is possible to 
> >> assign a variable as status code. If not, you would have to juggle a 
> >> bit writing rules for individual status codes and control them via 
> >> variables or something.
> >>
> >> Doable, but a bit of work.
> >>
> >> Ahoj,
> >>
> >> Christian
> >>
> >>
> >> On Tue, Feb 21, 2017 at 07:55:09PM +0000, Briand, Sheldon (NRC/CNRC)
> >> wrote:
> >> > Hi,
> >> >
> >> > I'm wondering how best to set up the CRS 3 rules to allow modsecurity
> >> > to return the correct error code in the response.  I don't need the
> >> > error message, just the error code that was triggered instead of a 403
> >> > every time.  I am running in self-contained mode.  Is this possible?
> >> >
> >> > Thanks,
> >> > -Sheldon
> >> >
> >> >
> >> > Sheldon Briand
> >> > Computer Systems and Applications Analyst
> >> > National Research Council/Government of Canada
> >> > sheldon.bri...@canada.ca/<mailto:sheldon.bri...@canada.ca/>
> >> > Tel: (902) 426-1677
> >> >
> >>
> >> > _______________________________________________
> >> > Owasp-modsecurity-core-rule-set mailing list
> >> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> >> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >>
> >
> 
> 

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
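One way to do what Sheldon asks, as an added example that is not from the thread or from the CRS project: capture the backend code in phase 3 as Christian advises, take the stock 959100 blocking rule out, and replace it with one chained rule per status code that should be passed through, all in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file Sheldon mentions. It assumes ModSecurity 2.x, where the status action takes a literal code and is not macro-expanded (hence one rule per code rather than `status:%{tx.backend_status}`), reads the code from RESPONSE_STATUS rather than RESPONSE_HEADERS:status since the status line is not a header, and the rule ids 1000-1003, the variable name tx.backend_status and the codes 500 and 404 are choices made for this example.

```apache
# Added example (not from the thread or the CRS project). Intended for
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, which loads after the CRS rules.
# Rule ids 1000-1003 and the name tx.backend_status are chosen for this example.
# 1. Capture the backend's code in phase 3, while headers are known but not
#    yet sent. RESPONSE_STATUS (not RESPONSE_HEADERS) carries the status code.
SecRule RESPONSE_STATUS "@rx ^[0-9]{3}$" \
    "id:1000,\
    phase:3,\
    pass,\
    nolog,\
    t:none,\
    setvar:tx.backend_status=%{MATCHED_VAR}"

# 2. Remove the stock outbound blocking rule; its deny would otherwise still
#    answer with the default 403 regardless of what was captured above.
SecRuleRemoveById 959100

# 3. status: takes a literal code (assumption: ModSecurity 2.x, no macro
#    expansion), so one chained rule per code to pass through. The deny on the
#    first rule of a chain runs only if the second rule also matches. Phase 4
#    is kept, like 959100, because body rules such as 952100 score there.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:1001,\
    phase:4,\
    deny,\
    status:500,\
    log,\
    msg:'Outbound Anomaly Score Exceeded, returning backend status 500',\
    chain"
    SecRule TX:BACKEND_STATUS "@eq 500"

SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:1002,\
    phase:4,\
    deny,\
    status:404,\
    log,\
    msg:'Outbound Anomaly Score Exceeded, returning backend status 404',\
    chain"
    SecRule TX:BACKEND_STATUS "@eq 404"

# 4. Catch-all: any other backend code keeps the CRS default of 403.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:1003,\
    phase:4,\
    deny,\
    status:403,\
    log,\
    msg:'Outbound Anomaly Score Exceeded'"
```

Ordering matters: the per-code rules must precede the catch-all, because the first deny that fires ends rule processing for the transaction.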