Is it possible to exclude modsecurity_crs_11_dos_protection.conf rules only for
certain IP ranges?
Our internal test suites are being flagged with this (as expected as they run a
lot of tests in a short period of time) so I would like them excluded. However
I want the other CRS tests to be incl
Figured out this myself if anyone's interested.
You don't seem to have access to any variables or headers not specified in the
rule arguments, so not as simple as adding a new rule filter (especially if you
want to use other fields such as X-Forwarded-For header).
The best way I found was to pu
I've a few questions about modsecurity_crs_11_dos_protection.conf
Question 1. The first set of rules are these:
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute.
Thanks for those answers Chaim. Make sense to me.
I do think the use of SDBM for storage for large scale tracking like for IP
addresses is a problem (with ModSecurity rather than with the core rule set but
not that that matters). Unfortunately it just doesn't work for even relatively
small amou
Date: Wed, 11 Mar 2015 12:13:06 +
>
> It should be noted for the purposes of this discussion that there is an
> experimental build of mod security with memcache support
> (https://github.com/SpiderLabs/ModSecurity/tree/memcache_collections).
>
> From: Josh Amishav-Zlatin mailto:
I agree with Joshua that it's better to do this from within ModSecurity. This
is because LocationMatch runs AFTER the phase 1 ModSecurity rules so that's the
only option for adjusting phase 1 rules. Now this particular example is a phase
2 rule, however so LocationMatch should work but nice to b
That would work though I personally prefer to use @ipMatch which also allows
you to match multiple IPs:
SecRule REMOTE_ADDR "@ipMatch XXX.YYY.Z.WWW XXX.YYY.Z."
"id:1000,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960009"
A few other things to note:
1) 960009 is a phase 2 rule and you hav
I've no idea how your set up works to be honest.
I presume something in your main httpd.conf apache file is loading
modsecurity_crs_10_setup.conf file (either directly or by importing another
file which imports this)?
I also presume something else is loading your individual rules files. Perhaps
rule-set] Rule 960009 generates false
> positives from my own server IP
> Date: Fri, 15 May 2015 16:48:07 +
>
> ctl:ruleRemoveById must appear BEFORE the rule in question. Where as
> SecRuleRemoveByID must appear after. See the excerpt from this issue
> (https://g
yId=960009"
> You´re telling me to use this:
>
> "ctl:ruleRemoveById=960009,id:1000,phase:2,t:none,pass" SecRule REMOTE_ADDR
> "@ipMatch 999.99.99.99"
> YIs this right?
> I probably got it all wrong
> Tks a lot!
> Best regards!
> Luiz
>
>
Should we add a "ctl:ruleEngine=On" to all the "allow" rules (900042, 900043,
999005 and 999006) in modsecurity_crs_10_ignore_static.conf?
The reason being that when running in DetectionOnly mode, these rules are
effectively ignore and so performance is WORSE in detection only mode.
DetectionOn
In my opinion there are few real world examples of people intentionally using
IP address over hostname and the website owner should know them all (e.g. Load
balancers, health checkers and internal system scanners). It's easy to
whitelist those specific systems.
So anything else using IP address
oesn't take too many IP address
attempts ;-)
Thanks,
Barry
> On 7 Feb 2016, at 21:53, Christian Folini wrote:
>
> Barry,
>
> Thanks for chiming in. The more people, the better decisions we will
> make.
>
>> On Sun, Feb 07, 2016 at 09:40:20PM +, Barry Pol
Christian not sure if you missed this as Gary had replied?
Gary, the key issue is this:
> [04/Apr/2016:15:18:17 +0100]
> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4]
> Executing operator "contains" with param "admin:" against
> REQUEST_HEADERS:Authorization.
Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use
> modsecurity rules to prevent logins by specific user accounts?
>
> Indeed, I missed this. Probably clicked it away.
>
> Thank you Barry.
>
> Ahoj,
>
> Christian
>
> On Tue, Apr 05, 2016 at 09:46
to use
> modsecurity rules to prevent logins by specific user accounts?
> Date: Tue, 12 Apr 2016 07:25:22 +
>
> Guys, were you able to see why the admin filter was not working from the logs?
>
> -Original Message-
> From: Mansell, Gary
> Sent: 06 April
OK so the audit log shows shows this in your header:
Authorization: Basic Z3JtYXdjYWRtaW46dGVzdA==
The value of the Authorization header is therefore "Basic
Z3JtYXdjYWRtaW46dGVzdA==" which cannot be base64 decoded due to that initial
"Basic " part which is not Base 64 encoded. This is what
You are whitelisting the cookie name and not its value.
Try this:
SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin"
Thanks,
Barry
> On 26 Apr 2016, at 19:47, Colin MacAllister wrote:
>
> SecRuleUpdateTargetById 981318
> "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfad
them when the cookie name is as
> above.
>
> from my phone
>
> On Apr 26, 2016 3:10 PM, Barry Pollard wrote:
> You are whitelisting the cookie name and not its value.
>
> Try this:
>
> SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES:CFAUTHORIZATI
wever, it’s still not working. Now I have
>
> SecRuleUpdateTargetById 981318
> "!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin"
>
> The logs show everything starting up fine, and only one block – the first
> time it runs into that cookie.
>
> Sent from Mail
Any reasons these rules are phase 2 rules?
960034 checks http protocol version (available in phase 1)960035 checks
requested filename (available in phase 1)960038 checks http headers (available
in phase 1)
Surely we should check all rules are earliest possible phase as a matter or
principal and
Hi Christian,
Thanks for your reply.
While I agree the distinction at an Apache level is now meaningless (without
changing compile options), there is still a usefulness at a ModSecurity level
for ordering of rules (e.g. I want to whitelist after phase1 for example,
primarily to reduce setting up
Correct.
Thanks,
Barry
> On 28 Apr 2016, at 08:31, Christian Folini
> wrote:
>
> Barry,
>
>> On Thu, Apr 28, 2016 at 08:19:33AM +0100, Barry Pollard wrote:
>> While I agree the distinction at an Apache level is now meaningless
>> (without changing c
Dauto (and Christian),
I had a look at this rule before and am not a fan.
CSRF_TOKEN's should come from the app in my mind and not the WAF. However
ModSecurity does have a method of using them, which is an interesting proof of
concept, but I think it's flaky for a number of reasons.
The way it wo
I would say first thing is to turn blocking off and run in DetectionOnly mode
to help you fine tune your rules. To do that update your SecRuleEngine config
like so:
SecRuleEngine DetectionOnly
This will of course mean you are not protected but us a necessary step to
getting your set up right. N
Christian I think you missed possibly the two main reasons for lack of comments:
1. People haven't had a chance to try it yet. It's been out 3 days! While you
guys have spent a lot of time on this, and I honestly appreciate that,
ModSecurity is not my full time job and while I personally do inte
Put quotes around it so it doesn't think the spaces are separate arguments?
SecGeoLookupDb "C:\Program Files\ModSecurity
IIS\owasp_crs\base_rules\GeoLiteCity.dat"
Thanks,
Barry
On 29 Aug 2016, at 07:40, Gary Tam
mailto:gary@ges.com.hk>> wrote:
Dear Bill,
Thanks for your reply and informa
Been thinking about this and you've got me intrigued as to whether this was an
intentional decision or not...
As far as I can see, you are right these could have been written using
REQUEST_FILENAME and ARGS rather than REQUEST_URI and REQUEST_BODY.
ModSecurity is quite flexible and there are a
I use Splunk (https://www.splunk.com) to collect log files. I can then set up
alerts based on those. Don't alert on everything (agree with Cosimo on that!)
but have a dashboard of web server healthiness (of which ModSecurity alerts is
one measure) and individual alerts for some rules/URLs that a
This is a VERY subjective topic, but my opinions are below.
On 16 Apr 2017, at 20:26, Ervin Hegedus <
...and I
could demonstrate the advantages of WAF to my collegues. But
there were only two basic attack, what I could show them: XSS and
SQL injection.
My 2 cents question is: how can I demonstra
I thought through that before, but I thought Modsecurity stores
it in memory... I've found few e-mails on mailing lists, where
users discusses about hash tables for session/ip, session/UA, but
I didn't dound any other information about that.
These are "collections" that I mentioned. They are stor
Rule 920440 looks to be in two parts but basically is this:
SecRule REQUEST_BASENAME "\.(.*)$" "id:920440,chain,block...etc."
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "..."
This basically says is there a dot in the request basename?
And, if so, is the Extension of that requ
32 matches
Mail list logo
