Hi Ryan, Here is the output of the command:
330 Cross-site Scripting (XSS) Attack
256 XSS Attack Detected
208 Detects basic directory traversal
206 Request content type is not allowed by policy
197 IE XSS Filters - Attack Detected
177 Remote File Access Attempt
174 Detects specific directory and path traversal
169 Detects etc/passwd inclusion attempts
162 SQL Injection Attack
147 Possible XSS Attack Detected - HTML Tag Handler
145 Detects very basic XSS probings
140 Detects possibly malicious html elements including some attributes
136 Detects obfuscated script tags and XML wrapped HTML
132 Host header is a numeric IP address
98 Detects basic SQL authentication bypass attempts 2/3
97 The application is not available
93 Detects concatenated basic SQL injection and SQLLFI attempts
85 finds html breaking injections including whitespace attacks
77 Detects classic SQL injection probings 2/2
75 Invalid character in request
66 Protocol Violations Detected (score 5): 900012-Detects etc/passwd inclusion attempts
65 XSS Detected (score 120): IE XSS Filters - Attack Detected
59 Detects common comment types
51 XSS Detected (score 140): IE XSS Filters - Attack Detected
45 Anomaly Score Exceeded (score 55): 900012-Detects etc/passwd inclusion attempts
44 Outbound Anomaly Score Exceeded (score 15): The application is not available
43 Anomaly Score Exceeded (score 35): 900012-Detects etc/passwd inclusion attempts
42 Phreebooks Local file inclusion vulnerability
38 Anomaly Score Exceeded (score 141): IE XSS Filters - Attack Detected
35 Detects chained SQL injection attempts 2/2
34 MyNews CMS XSS Vulnerability
34 Anomaly Score Exceeded (score 81): SQL Injection Attack
34 Anomaly Score Exceeded (score 60): 900012-Detects etc/passwd inclusion attempts
32 MyNews CMS Local File Inclusion Vulnerability
26 phpckSec file inclusion vulnerability
24 RFI Detected (score 20): 900012-Detects etc/passwd inclusion attempts
23 Anomaly Score Exceeded (score 40): 900012-Detects etc/passwd inclusion attempts
21 Comment Evasion Attempt
21 Anomaly Score Exceeded (score 25): 900010-Detects basic directory traversal
20 XSS Detected (score 20): 900012-Detects etc/passwd inclusion attempts
20 uigaproxy remote file inclusion vulnerability
19 ccTiddly Remote File Inclusion Vulnerability
18 MACS-CMS XSS vulnerability
18 Anomaly Score Exceeded (score 55): SQL Injection Attack
16 XSS Detected (score 100): IE XSS Filters - Attack Detected
16 Anomaly Score Exceeded (score 151): IE XSS Filters - Attack Detected
15 Detects JavaScript object properties and methods
15 Correlated Attack Attempt Identified: (Total Score: 35, SQLi=, XSS=) Inbound Attack (900012-Detects etc/passwd inclusion attempts Inbound Anomaly Score: 35) + Outbound Application Error (The application is not available - Outbound Anomaly Score: 15)
15 Anomaly Score Exceeded (score 156): IE XSS Filters - Attack Detected
14 Anomaly Score Exceeded (score 161): IE XSS Filters - Attack Detected
12 Anomaly Score Exceeded (score 80): 900012-Detects etc/passwd inclusion attempts
12 Anomaly Score Exceeded (score 121): IE XSS Filters - Attack Detected
10 RFI Detected (score 20): 900010-Detects basic directory traversal
10 phpckSec XSS vulnerability
9 XSS Detected (score 160): IE XSS Filters - Attack Detected
9 MegaFileManager prone to file inclusion vulnerability
9 Anomaly Score Exceeded (score 75): 900012-Detects etc/passwd inclusion attempts
8 RFI Detected (score 20):
8 Anomaly Score Exceeded (score 20):
7 XSS Detected (score 20): Cross-site Scripting (XSS) Attack
7 Izumi local file inclusion vulnerability
7 eliteCMS XSS Attack
7 Anomaly Score Exceeded (score 60): SQL Injection Attack
7 Anomaly Score Exceeded (score 20): Cross-site Scripting (XSS) Attack
7 Anomaly Score Exceeded (score 171): IE XSS Filters - Attack Detected
6 XSS Detected (score 60): XSS Attack Detected
6 uigaproxy prone to file inclusion vulnerability
6 phportal Remote File Inclusion Vulnerability
6 phpMyAdmin XSS vulnerability
6 nuBuilder File Inclusion Vulnerability
6 Detects url-, name-, JSON, and referrer-contained payload attacks
6 collaborative File Inclusion Vulnerability
6 Anomaly Score Exceeded (score 175): IE XSS Filters - Attack Detected
5 Tiki XSS Vulnerability
5 Anomaly Score Exceeded (score 146): IE XSS Filters - Attack Detected
4 XSS Detected (score 80): IE XSS Filters - Attack Detected
4 Tiki Wiki CMS Groupware XSS Vulnerability
4 Storyteller CMS (var) Local File Inclusion Vulnerability
4 Possible RegEx DoS Payload
4 finds unquoted attribute breaking injections
4 clearBudget Remote File Inclusion Vulnerability
4 Anomaly Score Exceeded (score 73): XSS Attack Detected
3 webmail local file inclusion vulnerability
3 Tiki Wiki CMS XSS Vulnerability
3 Anomaly Score Exceeded (score 88): IE XSS Filters - Attack Detected
2 System Command Injection
2 hobcms / hertzCMS File Inclusion Vulnerability
2 Gaestebuch remote file inclusion vulnerability
2 flatpress prone to local file inclusion vulnerability
2 Detects self contained xss via with(), common loops and regex to string conversion
2 Detects attributes in closing tags and conditional compilation tokens
2 CF Image Hosting Script v1.3.8 Remote File Inclusion
2 CF Image Hosting Script Remote File Inclusion
2 Anomaly Score Exceeded (score 68): XSS Attack Detected
2 Anomaly Score Exceeded (score 20): System Command Injection
2 Anomaly Score Exceeded (score 176): IE XSS Filters - Attack Detected
1 XSS Detected (score 40): XSS Attack Detected
1 XSS Detected (score 20):
1 Visitor Logger Remote file inclusion vulnerability
1 Protocol Violations Detected (score 5): 900011-Detects specific directory and path traversal
1 php-fusion local file inclusion vulnerability
1 Detects nullbytes and other dangerous characters
1 Anomaly Score Exceeded (score 76): SQL Injection Attack
1 Anomaly Score Exceeded (score 65): 900012-Detects etc/passwd inclusion attempts
1 Anomaly Score Exceeded (score 53): XSS Attack Detected
1 Anomaly Score Exceeded (score 52): SQL Injection Attack
1 Anomaly Score Exceeded (score 40):
1 Anomaly Score Exceeded (score 35): 900011-Detects specific directory and path traversal
1 Anomaly Score Exceeded (score 131): IE XSS Filters - Attack Detected

Jay.

I wanted to say thanks to those of you who have sent in some stats! I see that some users are already using Christian Bockermann's updated jwall-tools.jar file to gather stats, which is cool. We still need more stats sent in though, so if you have a minute, please send them in. Thanks again for your help.

-Ryan

On 10/4/10 4:49 PM, "Ryan Barnett" <[email protected]> wrote:

Greetings everyone,

I am asking for some assistance from the ModSecurity user-base. I am working on a project and need to gather some high level statistics of ModSecurity event data. Our long-term goal is to eventually have a statistical reporting utility that ModSec users can run through cron or something to report data in semi-realtime batches. We can then post this data onto the ModSecurity.org website. This data would only be an anonymous count of the ModSecurity/CRS Event message data (SQL Injection Attack, Invalid character in request, etc.). It will not include any sensitive data identifying web sites, users or their data.

In the short-term, what I am asking you all to do to help with this initial effort is to simply run the following command pipeline against your saved ModSecurity audit log data. The audit log can be either serial or concurrent. All you need to do is to traverse into your logs directory (example - /usr/local/apache/logs). This directory needs to be the directory that holds either the serial modsec_audit.log file or where the concurrent SecDataDir directory is located. Next, execute the following command (you may need to use sudo or something if you do not have the correct permissions to view the file) -

$ egrep -R '^Message\:' . | awk -F' \\[msg ' '{ print $2 }' | awk -F'"' '{ print $2 }' | egrep -v '^(Inbound Anomaly Score|$)' | sort | uniq -c | sort -nr

This command will extract the ModSecurity Message lines from the audit_log data and then sort and unique the ModSecurity event message "msg" data from all of the events. The output format should be similar to this -

3809 Rogue web site crawler
3809 Request Indicates a Security Scanner Scanned the Site
3808 Request Missing an Accept Header
795 Cross-site Scripting (XSS) Attack
538 Detects very basic XSS probings
478 Detects possibly malicious html elements including some attributes
474 Detects obfuscated script tags and XML wrapped HTML
434 Detects specific directory and path traversal
421 XSS Attack Detected
396 IE XSS Filters - Attack Detected
359 Remote File Access Attempt
324 Possible XSS Attack Detected - HTML Tag Handler
318 Detects basic directory traversal
274 Detects etc/passwd inclusion attempts
155 Host header is a numeric IP address
155 finds html breaking injections including whitespace attacks
145 Detects JavaScript object properties and methods
116 Detects basic SQL authentication bypass attempts 2/3
112 Detects common XSS concatenation patterns 1/2
96 Detects classic SQL injection probings 2/2
94 Detects self-executing JavaScript functions
84 Detects possible includes and typical script methods
83 Invalid character in request
69 Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters
54 System Command Injection
32 Detects common comment types
31 Detects possible includes, VBSCript/JScript encodeed and packed functions
30 Comment Evasion Attempt
27 System Command Access
25 More than 3 times special encode Error
25 Detects JavaScript location/document property access and window access obfuscation
18 GET or HEAD requests with bodies
18 Detects basic SQL authentication bypass attempts 3/3
14 Restricted Character Anomaly Detection Alert - Total # of special characters exceeded
13 Detects JavaScript language constructs
12 HTTP protocol version is not allowed by policy
10 Detects data: URL injections, VBS injections and common URI schemes
9 Detects classic SQL injection probings 1/2
8 Input Validation Error
8 Detects code injection attempts 3/3
7 Detects chained SQL injection attempts 1/2
6 Invalid HTTP Request Line
6 finds attribute breaking injections including whitespace attacks
5 Method is not allowed by policy
4 SQL Injection Attack
4 Detects obfuscated JavaScript script injections
4 Detects halfwidth/fullwidth encoded unicode HTML breaking attempts
4 Detects common function declarations and special JS operators
4 Detects code injection attempts 2/3
3 Request Missing a Host Header
3 Detects MySQL comment-/space-obfuscated injections
3 Detects basic obfuscated JavaScript script injections
2 Unicode Full/Half Width Abuse Attack Attempt
2 Remote File Inclusion Attack
2 Hexadecimal Charcode Pattern Found
2 finds unquoted attribute breaking injections
2 Detects the IE octal, hex and unicode entities
2 Detects nullbytes and other dangerous characters
2 Detects JavaScript string properties and methods
2 Detects basic SQL authentication bypass attempts 1/3
1 URL Encoding Abuse Attack Attempt
1 Request Missing a User Agent Header
1 Possible RegEx DoS Payload
1 Detects basic XSS DoS attempts
1 Blind SQL Injection Attack
1 Backdoor access

Once you have run this against your saved logs, please send them to me in email to the following email address - [email protected]. If you could, also please specify the following in the email body -

1. How many websites ModSecurity is monitoring, and
2. The date range of the data included in the stats report (we are looking for all data from 2010).

Thanks for your help in this research effort.
Ryan Barnett
ModSecurity Community Manager
OWASP ModSecurity Core Rule Set Project Lead

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
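The stats pipeline Ryan asks for in the thread above, run against a constructed serial-format audit log so the result can be checked before pointing it at real data. This is an added example, not code from the original thread or from the CRS project: the sample audit log, its rule ids (999001, 999002, 999900), hostnames and addresses are placeholders, and the second function, which counts by rule id rather than by msg text, is an extension the post does not describe.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread. It reproduces the
# msg-counting pipeline from the post against a constructed audit log and adds a
# variant keyed on rule id. Rule ids, hostnames and addresses are placeholders.
set -eu

# Write a small serial-format audit log (constructed sample data) into a fresh
# temporary directory and print that directory's path. Three requests trip the
# same file-access rule, two of them also trip a traversal rule, and every
# request ends with an "Inbound Anomaly Score" summary the pipeline must ignore.
make_sample_log() {
    dir=$(mktemp -d)
    cat > "$dir/modsec_audit.log" <<'EOF'
--0a1b2c3d-A--
[04/Oct/2010:16:49:01 --0400] Sample0001 192.0.2.10 51234 192.0.2.1 80
--0a1b2c3d-B--
GET /index.php?page=../../../../etc/passwd HTTP/1.1
Host: www.example.com
--0a1b2c3d-H--
Message: Warning. Pattern match "etc/passwd" at ARGS:page. [id "999001"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
Message: Warning. Pattern match "(?:\.\./){2,}" at ARGS:page. [id "999002"] [msg "Detects basic directory traversal"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "999900"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=, XSS=): Remote File Access Attempt"]
--0a1b2c3d-Z--
--0a1b2c3e-A--
[04/Oct/2010:16:49:02 --0400] Sample0002 192.0.2.11 51235 192.0.2.1 80
--0a1b2c3e-B--
GET /index.php?page=/etc/passwd HTTP/1.1
Host: www.example.com
--0a1b2c3e-H--
Message: Warning. Pattern match "etc/passwd" at ARGS:page. [id "999001"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "999900"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Remote File Access Attempt"]
--0a1b2c3e-Z--
--0a1b2c3f-A--
[04/Oct/2010:16:49:03 --0400] Sample0003 192.0.2.12 51236 192.0.2.1 80
--0a1b2c3f-B--
GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: www.example.com
--0a1b2c3f-H--
Message: Warning. Pattern match "etc/passwd" at ARGS:page. [id "999001"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
Message: Warning. Pattern match "(?:\.\./){2,}" at ARGS:page. [id "999002"] [msg "Detects basic directory traversal"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "999900"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=, XSS=): Remote File Access Attempt"]
--0a1b2c3f-Z--
EOF
    printf '%s\n' "$dir"
}

# modsec_msg_stats DIR
# The pipeline from the post: pull every "Message:" line out of the files under
# DIR, keep the text inside [msg "..."], drop the per-request "Inbound Anomaly
# Score" summaries and empty results, then count and sort most-frequent first.
# Only changes: grep -E instead of the obsolescent egrep, and the leading spaces
# uniq -c emits are trimmed so every line reads "COUNT MESSAGE".
modsec_msg_stats() {
    grep -R -E '^Message:' "$1" \
        | awk -F' \\[msg ' '{ print $2 }' \
        | awk -F'"' '{ print $2 }' \
        | grep -E -v '^(Inbound Anomaly Score|$)' \
        | sort | uniq -c | sort -nr \
        | sed 's/^[[:space:]]*//'
}

# modsec_id_stats DIR
# Extension not in the post: count by rule id, keeping the msg for readability.
# Output lines read "COUNT ID MESSAGE"; anomaly-score summaries are dropped.
modsec_id_stats() {
    grep -R -E '^Message:' "$1" \
        | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
        | grep -E -v ' Inbound Anomaly Score' \
        | sort | uniq -c | sort -nr \
        | sed 's/^[[:space:]]*//'
}

# Usage on real data: modsec_msg_stats /usr/local/apache/logs
# Demonstration on the constructed sample log:
sample=$(make_sample_log)
modsec_msg_stats "$sample"
modsec_id_stats "$sample"
rm -rf "$sample"
```

Point either function at the directory the post describes: the one holding the serial modsec_audit.log, or, for a concurrent audit log, the storage directory ModSecurity writes to (configured with SecAuditLogStorageDir). Counting by id is worth having alongside the msg counts because the msg text of a rule can change between CRS releases, so id-keyed counts merge across hosts more reliably; the filter on "Inbound Anomaly Score" matters in both variants, since otherwise every blocked request is counted twice, once per matching rule and once for the summary.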
