So they do, sorry. I don't see anything else with that ID except the
SecAction line. Here's the whole section in case it clarifies.

# Command injection
SecRule ARGS "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:950006
SecRule ARGS \
        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
        "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction pass,nolog,skipAfter:959006
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule ARGS \
        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"


On Wed, Sep 22, 2010 at 5:18 PM, Ryan Barnett <[email protected]> wrote:

> Those have different rule IDs vs the alert you showed -  [id "959006"]
>
> Sent from my iPhone
>
> On Sep 22, 2010, at 8:12 PM, "Russell Clemings" <[email protected]> wrote:
>
> It's whatever cPanel supplies by default. Maybe that's part of the problem.
>
> On the ARGS, I just stopped copying too soon. I think this is it:
>
> SecRule ARGS \
>         "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
>         "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
>         "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
>         "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
>
> On Wed, Sep 22, 2010 at 5:06 PM, Ryan Barnett <[email protected]> wrote:
> Rus,
> What CRS version are you using?  This looks old as the newer versions are
> listed in the alert using the rev action.  Also I believe the variable
> listing/targets for this rule were updated as it is missing ARGS.
>
> Sent from my iPhone
>
> On Sep 22, 2010, at 7:56 PM, "Russell Clemings" <[email protected]> wrote:
>
> > I could use some help dealing with the following false positive (some
> identifying details masked):
> >
> > 116818:[Tue Sep 21 22:52:43 2010] [error] [client XX.XX.XX.XX]
> ModSecurity: Access denied with code 501 (phase 2). Pattern match
> "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?
> ..." at REQUEST_COOKIES:__utmz. [file
> "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg
> "System Command Injection"] [data "/mail"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/COMMAND_INJECTION"] [hostname "xxx.xxx.xxx"] [uri
> "/xxxx-xxxxx-xxxxxxxx"] [unique_id "TJlve0CDUIUAAHyD6SMAAAAL"]
> >
> > A couple of previous posts suggest that this is hitting on a Google
> Analytics cookie (REQUEST_COOKIES:__utmz) that tracks where the user came
> from. It only seems to affect a few users. I've commented out the rule, and
> that fixed the immediate problem, but of course I would rather create a
> narrow exemption and leave the rule intact otherwise.
> >
> > How would I do that? FWIW, this is a cPanel VPS so the exceptions have to
> go in an unusual place (e.g.
> /usr/local/apache/conf/userdata/std/2/etc/etc/etc) but I can handle that
> part. It's how to write the rule that confuses me.
> >
> > Here's the rule as it stands now:
> >
> > SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
> >         "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
> >         "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
> >
> > I probably should add that I'm functionally regex-illiterate, so please
> speak slowly :)
> >
> > rac
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > [email protected]
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
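The narrow exception the original question asks for, written out as an added example. This is not code from the thread or from the Core Rule Set, and it makes two assumptions: that the ModSecurity build is 2.5.12 or newer for SecRuleUpdateTargetById (the version is printed in the Apache error log at startup), and that the offending cookie value is a normal Google Analytics __utmz whose campaign-content field (a constructed sample, utmcct=/mail) ends in "/mail" and so hits the regex branch "\/(?:...|(?:kil|mai)l|...)(?:[\'\"\|\;\`\-\s]|$)". The rule id 10001 in the second option is an arbitrary local pick.

```apache
# Added example, not from the thread or the CRS: keep rule 959006 active but
# stop it from inspecting the Google Analytics __utmz cookie. A value such as
# 12345.1285189963.1.1.utmcsr=example.org|utmccn=(referral)|utmcmd=referral|utmcct=/mail
# (constructed sample) ends in "/mail" and matches the "/command" branch of
# the regex, which produced [data "/mail"] in the alert.

# Option 1 (assumes ModSecurity 2.5.12 or newer): drop one target from the
# existing rule. The directive edits the rule in place, so it must be read
# AFTER the file that defines id 959006 (modsec2.user.conf in the alert); if
# Apache reads it first, ModSecurity refuses to start because the id is not
# defined yet. The Cookie header is already excluded by the rule's own
# target list, so after this change the __utmz value is not seen by 959006
# in any form, while every other header and cookie is still inspected.
SecRuleUpdateTargetById 959006 "!REQUEST_COOKIES:__utmz"

# Option 2 (older 2.5.x without SecRuleUpdateTargetById): a whitelist rule
# placed BEFORE 959006. It switches the rule off for this request only, and
# only when __utmz has the GA layout "<hash>.<time>.<sessions>.<campaigns>.utm..."
# (constructed pattern), so a cookie that merely borrows the name is still
# inspected. This is coarser than option 1: for a matching request the whole
# rule is off, not just one cookie. Cookies are parsed from headers, so the
# check can run in phase 1. The id 10001 is an arbitrary choice from the
# 1-99999 range reserved for local rules; ids became mandatory in 2.7.
SecRule REQUEST_COOKIES:__utmz "^\d+\.\d+\.\d+\.\d+\.utm" \
        "phase:1,t:none,pass,nolog,id:'10001',ctl:ruleRemoveById=959006"
```

Use one option, not both. After reloading Apache, replay the request with the cookie (for example curl -b '__utmz=...' against the URI from the alert) and confirm the 501 is gone from the error log while a request with a command string in a query argument is still denied by 950006. Rule 959907 (the wget/cc variant) inspects the same cookie targets, so if a campaign path of "/cc" ever shows up it needs the same exclusion.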
