Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger
On Mon, Jan 16, 2017 at 08:15:22PM +, Géza Búza wrote: > As I see it states that the anomaly score is 5 at that point. > It looks like REQUEST-949-BLOCKING-EVALUATION is evaluated before > REQUEST-941-APPLICATION-ATTACK-XSS, at least it appears earlier in the log. Bingo. The install file says you need to install on NginX by naming the rules files one by one: include modsecurity.conf include owasp-modsecurity-crs/crs-setup.conf include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf Is this what you did? Your logfiles looks like you did include rules/*.conf. Ahoj, Christian > > > Michael, I'm using this Docker based installation: > https://github.com/theonemule/docker-waf > Could you take a look at the configuration files located at > https://github.com/theonemule/docker-waf/tree/master/waf? You may spot a > mistake there. > > Regards, > Geza > > > Muenz, Michaelezt írta (időpont: 2017. jan. > 16., H, 9:09): > > > Am 15.01.2017 um 19:11 schrieb Géza Búza: > > > Hi all, > > > > > > I'm new to ModSecurity and wanted to try it out by installing Nginx > > > 1.10.2, latest ModSecurity (master branch), with latest CRS > > > (v3.0/master branch). > > > > > > With the default settings on, I tried to send an attack request and > > > expected to see it blocked. > > > So I sent the request below to the demo application > > > GET http://172.17.0.1/?param=;>alert(1); > > > and it responded with 200 OK (which is okay since it's in detection > > > only mode by default), > > > but I expected to see the error "Inbound Anomaly Score Exceeded (Total > > > Score: 5)" in the audit log. There is no such message, but other rules > > > have triggered as I expected. > > > I attached the complete log of the HTTP GET request. > > > > > > Could you give me guidance what am I missing? > > Hi, > > > > I've tested in on my installation with > > ?param=">alert(1); and I'm hitting 19 rules, so there's > > and error somewhere in your configuration. > > > > Michael > > > > -- > > www.routerperformance.net > > - Cisco, Linux, Networks > > ___ > > Owasp-modsecurity-core-rule-set mailing list > > Owasp-modsecurity-core-rule-set@lists.owasp.org > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > > > -- > Üdvözlettel, > Búza Géza > ___ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set -- https://www.feistyduck.com/training/modsecurity-training-course mailto:christian.fol...@netnea.com twitter: @ChrFolini ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger
Hi Christian and Michael, Christian, I did what you suggested. See the relevant lines from the log below. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Recipe: Invoking rule 7fb156958950; [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.co nf"] [line "57"] [id "949110"]. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][5] Rule 7fb156958950: SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_threshold}" "phase:request, auditlog,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',severity:CRITICAL,id:949110,t:none,deny,log,tag:application-multi,tag:language-multi,tag:platform-multi,tag:a ttack-generic,setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Transformation completed in 0 usec. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Executing operator "ge" with param "%{tx.inbound_anomaly_score_threshold}" against TX:anomaly_score. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: "0" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.inbound_anomaly_score_threshold} to: 5 [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Operator completed in 8 usec. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Rule returned 0. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] No match, not chained -> mode NEXT_RULE. >From this it looks like the anomaly score is zero. Because audit log reported XSS detection, I searched the log for the corresponding rule (941100), and it looks like this: [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) Utf8toUnicode: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) urlDecodeUni: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) htmlEntityDecode: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) jsDecode: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) cssDecode: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] T (0) removeNulls: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Transformation completed in 36 usec. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Executing operator "detectXSS" with param "" against ARGS:param. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Target value: "">alert(1);" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] IS_XSS: libinjection detected XSS. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Operator completed in 6 usec. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][4] Ctl: Set auditLogParts to ABIJDEFHZE. [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.msg=%{rule.msg} [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{rule.msg} to: XSS Attack Detected via libinjection [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.msg" to "XSS Attack Detected via libinjection". [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.xss_score=+%{tx.critical_anomaly_score} [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Recorded original collection variable: tx.xss_score = "0" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5 [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Relative change: xss_score=0+5 [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Set variable "tx.xss_score" to "5". [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score} [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Recorded original collection variable: tx.anomaly_score = "0" [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Resolved macro %{tx.critical_anomaly_score} to: 5 [16/Jan/2017:19:49:15 +] [25f09e180b51/sid#7fb16296a0a0][rid#7fb155a990a0][/][9] Relative change: anomaly_score=0+5
Re: [Owasp-modsecurity-core-rule-set] [CRS 3.0, Nginx] Anomaly detection rule does not trigger
Hi there, This is odd, I agree. I am personally not much into NginX, but I take it, rule 949110 should be present. Could you please set the debug log level to 9 and repeat the request. Then look for 949110 in the debug log maybe send you that piece of the log (remember to return to a reasonable loglevel afterwards, or the file will grow like mad quickly. Ahoj, Christian On Sun, Jan 15, 2017 at 06:11:51PM +, Géza Búza wrote: > Hi all, > > I'm new to ModSecurity and wanted to try it out by installing Nginx 1.10.2, > latest ModSecurity (master branch), with latest CRS (v3.0/master branch). > > With the default settings on, I tried to send an attack request and > expected to see it blocked. > So I sent the request below to the demo application > GET http://172.17.0.1/?param=;>alert(1); > and it responded with 200 OK (which is okay since it's in detection only > mode by default), > but I expected to see the error "Inbound Anomaly Score Exceeded (Total > Score: 5)" in the audit log. There is no such message, but other rules have > triggered as I expected. > I attached the complete log of the HTTP GET request. > > Could you give me guidance what am I missing? > -- > Üdvözlettel, > Búza Géza > -- > Üdvözlettel, > Búza Géza > ___ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set -- https://www.feistyduck.com/training/modsecurity-training-course mailto:christian.fol...@netnea.com twitter: @ChrFolini ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set