Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger

2017-01-16 Thread Christian Folini
On Mon, Jan 16, 2017 at 08:15:22PM +, Géza Búza wrote:
> As I see it states that the anomaly score is 5 at that point.
> It looks like REQUEST-949-BLOCKING-EVALUATION is evaluated before
> REQUEST-941-APPLICATION-ATTACK-XSS, at least it appears earlier in the log.

Bingo.

The install file says that on NginX you need to name the rule
files one by one:

include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Is this what you did?

Your logfile looks like you did include rules/*.conf.

Ahoj,

Christian



> 
> 
> Michael, I'm using this Docker based installation:
> https://github.com/theonemule/docker-waf
> Could you take a look at the configuration files located at
> https://github.com/theonemule/docker-waf/tree/master/waf? You may spot a
> mistake there.
> 
> Regards,
> Geza
> 
> 
> Muenz, Michael wrote (on 2017. jan. 16., Mon, 9:09):
> 
> > On 15.01.2017 at 19:11, Géza Búza wrote:
> > > Hi all,
> > >
> > > I'm new to ModSecurity and wanted to try it out by installing Nginx
> > > 1.10.2, latest ModSecurity (master branch), with latest CRS
> > > (v3.0/master branch).
> > >
> > > With the default settings on, I tried to send an attack request and
> > > expected to see it blocked.
> > > So I sent the request below to the demo application
> > > GET http://172.17.0.1/?param=;>alert(1);
> > > and it responded with 200 OK (which is okay since it's in detection
> > > only mode by default),
> > > but I expected to see the error "Inbound Anomaly Score Exceeded (Total
> > > Score: 5)" in the audit log. There is no such message, but other rules
> > > have triggered as I expected.
> > > I attached the complete log of the HTTP GET request.
> > >
> > > Could you give me guidance on what I am missing?
> > Hi,
> >
> > I've tested it on my installation with
> > ?param=">alert(1); and I'm hitting 19 rules, so there's
> > an error somewhere in your configuration.
> >
> > Michael
> >
> > --
> > www.routerperformance.net
> > - Cisco, Linux, Networks
> > ___
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
> -- 
> Best regards,
> Búza Géza



-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
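A small checker for the include order Christian lists above, added here as an example that is not from the thread or from the CRS project. It assumes the include lines have been read into a string; the sample config below is constructed, with the 949 and 941 lines swapped so the checker has something to report.

```python
import re

# Constructed sample, not from the thread: Christian's list shortened, with
# the 949 and 941 lines swapped so the checker has something to report.
SAMPLE_CONF = """
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
"""

CRS_FILE = re.compile(r"(REQUEST|RESPONSE)-(\d{3})-[A-Z0-9-]+\.conf")
BLOCKING = {"REQUEST": 949, "RESPONSE": 959}  # anomaly-evaluation files

def check_order(conf_text):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    glob_seen = False
    highest = {"REQUEST": None, "RESPONSE": None}  # (number, name) seen so far
    seen = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("include"):
            continue
        if "*" in line:  # rules/*.conf: the thread says to name each file
            glob_seen = True
            problems.append(f"glob include '{line}': list the rule files one by one")
            continue
        m = CRS_FILE.search(line)
        if not m:
            continue  # modsecurity.conf, crs-setup.conf: not numbered rule files
        phase, num, name = m.group(1), int(m.group(2)), m.group(0)
        seen.add((phase, num))
        prev = highest[phase]
        if prev is not None and num < prev[0]:
            # Lower-numbered file after a higher one, e.g. the XSS rules after
            # the blocking evaluation: rule 949110 then sees anomaly_score 0.
            problems.append(f"{name} is loaded after {prev[1]}")
        else:
            highest[phase] = (num, name)
    if not glob_seen:
        for phase, num in BLOCKING.items():
            if (phase, num) not in seen:
                problems.append(f"no {phase}-{num} blocking evaluation file included")
    return problems
```

Running check_order on the text of your own nginx config prints the out-of-order or missing CRS files; an empty list means the order matches the install file.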


Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger

2017-01-16 Thread Géza Búza
Hi Christian and Michael,

Christian, I did what you suggested. See the relevant lines from the log
below.

[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Recipe: Invoking rule 7fb156958950; [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"].
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][5] Rule 7fb156958950: SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_threshold}" "phase:request, auditlog,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',severity:CRITICAL,id:949110,t:none,deny,log,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-generic,setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Transformation completed in 0 usec.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Executing operator "ge" with param "%{tx.inbound_anomaly_score_threshold}" against TX:anomaly_score.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: "0"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.inbound_anomaly_score_threshold} to: 5
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Operator completed in 8 usec.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Rule returned 0.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] No match, not chained -> mode NEXT_RULE.

From this it looks like the anomaly score is zero.
Because audit log reported XSS detection, I searched the log for the
corresponding rule (941100), and it looks like this:

[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) Utf8toUnicode: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) urlDecodeUni: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) htmlEntityDecode: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) jsDecode: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) cssDecode: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) removeNulls: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Transformation completed in 36 usec.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Executing operator "detectXSS" with param "" against ARGS:param.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: "">alert(1);"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] IS_XSS: libinjection detected XSS.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Operator completed in 6 usec.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Ctl: Set auditLogParts to ABIJDEFHZE.
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.msg=%{rule.msg}
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{rule.msg} to: XSS Attack Detected via libinjection
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.msg" to "XSS Attack Detected via libinjection".
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.xss_score=+%{tx.critical_anomaly_score}
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Recorded original collection variable: tx.xss_score = "0"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Relative change: xss_score=0+5
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.xss_score" to "5".
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score}
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Recorded original collection variable: tx.anomaly_score = "0"
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Relative change: anomaly_score=0+5

Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger

2017-01-15 Thread Christian Folini
Hi there,

This is odd, I agree. I am personally not much into NginX, but I
take it rule 949110 should be present.

Could you please set the debug log level to 9 and repeat the
request. Then look for 949110 in the debug log and maybe send us that
piece of the log (remember to return to a reasonable loglevel
afterwards, or the file will grow like mad quickly).

Ahoj,

Christian


On Sun, Jan 15, 2017 at 06:11:51PM +, Géza Búza wrote:
> Hi all,
> 
> I'm new to ModSecurity and wanted to try it out by installing Nginx 1.10.2,
> latest ModSecurity (master branch), with latest CRS (v3.0/master branch).
> 
> With the default settings on, I tried to send an attack request and
> expected to see it blocked.
> So I sent the request below to the demo application
> GET http://172.17.0.1/?param=;>alert(1);
> and it responded with 200 OK (which is okay since it's in detection only
> mode by default),
> but I expected to see the error "Inbound Anomaly Score Exceeded (Total
> Score: 5)" in the audit log. There is no such message, but other rules have
> triggered as I expected.
> I attached the complete log of the HTTP GET request.
> 
> Could you give me guidance on what I am missing?
> -- 
> Best regards,
> Búza Géza



