On Thursday 30 December 2010 2:52:29 pm Ryan Barnett wrote:
> On 12/30/10 2:43 PM, "Dimitri Yioulos" <[email protected]> wrote:
> >All,
> >
> >With the installation of the latest ruleset, I'm now getting the following alerts:
> >
> >Warning - Sticky SessionID Data Changed - User-Agent Mismatch. Access denied with code 403 (phase 2). Match of "streq %{SESSION.UA}" against "TX:ua_hash" required.
> >
> >Hope I'm not being too stupid here, but what does that mean? Am I blocking legitimate traffic?
> >
> >Better still, is there a place (documents, etc.) that describes various alerts?
>
> This ruleset will track the IP Address Block Range and User-Agent string hash for each user and tie it to a SessionID. If those values change during the course of a session, it will trigger. The goal is to identify possible session hijacking attacks.
>
> Dimitri - please download the latest release (CRS v2.1.1) that I just released today. I made a change to the Session Hijacking conf file - CHANGES file -
>
> - Updated the session hijacking conf file to only enforce rules if a SessionID Cookie was submitted
>
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_16_session_hijacking.conf?revision=1576
>
> I added this line which will skip the check if the client doesn't submit a SessionID Cookie -
>
> SecRule &REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' "@eq 0" "phase:1,t:none,nolog,pass,skipAfter:END_SESSION_STARTUP"
>
> Hope this helps,
> Ryan
Ryan,

Thanks very much for your help. I did install the changed session_hijacking.conf file, along with any other updated files (but not the entire ruleset). Just to be on the safe side, I had someone test reaching our Web site from outside, and she landed on the Apache test page. Yikes! So, I disabled session_hijacking.conf, and she was then able to get to our site. Is it an issue with session_hijacking.conf or with our site?

Regards,

Dimitri

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
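To make the behaviour Ryan describes concrete, here is a small Python model of the check (added here as an illustration, not CRS code): it records the client's IP block and a User-Agent hash the first time a SessionID cookie is seen, compares them on later requests with that cookie, and, following the v2.1.1 change, skips the check entirely when no cookie name matches the pattern quoted in the thread. The /24 block size, the SHA-1 hash, the verdict strings and the sample requests are assumptions of this model, not CRS's own.

```python
import hashlib
import ipaddress
import re

# Cookie-name pattern from the skip rule quoted in the thread; the CRS selector is an
# unanchored regex match on the cookie name, so re.search is used here.
SESSION_COOKIE_RE = re.compile(
    r"(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)",
    re.IGNORECASE,
)


def session_cookie(cookies):
    """Return the value of the first cookie whose name looks like a SessionID, else None."""
    for name, value in cookies.items():
        if SESSION_COOKIE_RE.search(name):
            return value
    return None


def fingerprint(client_ip, user_agent):
    """IP block plus User-Agent hash. /24 and SHA-1 are assumptions of this model."""
    block = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
    ua_hash = hashlib.sha1(user_agent.encode("utf-8")).hexdigest()
    return block, ua_hash


def check_request(store, request):
    """Model of the session-hijacking check; store maps SessionID -> sticky data."""
    sid = session_cookie(request["cookies"])
    if sid is None:
        return "skip"  # v2.1.1 behaviour: no SessionID cookie, no check
    block, ua_hash = fingerprint(request["ip"], request["user_agent"])
    saved = store.setdefault(sid, {"ip_block": block, "ua_hash": ua_hash})  # first sight: record
    if saved["ua_hash"] != ua_hash:
        return "block: user-agent mismatch"  # the 403 reported in the thread
    if saved["ip_block"] != block:
        return "block: ip-block mismatch"
    return "pass"


def demo():
    """Constructed requests for one PHP session; returns the verdict for each."""
    store = {}
    ua = "Mozilla/5.0 (constructed)"
    requests = [
        {"ip": "198.51.100.10", "user_agent": ua, "cookies": {}},                       # no session yet
        {"ip": "198.51.100.10", "user_agent": ua, "cookies": {"PHPSESSID": "s1"}},      # first sight
        {"ip": "198.51.100.77", "user_agent": ua, "cookies": {"PHPSESSID": "s1"}},      # same /24
        {"ip": "198.51.100.10", "user_agent": "curl/7.x", "cookies": {"PHPSESSID": "s1"}},
        {"ip": "203.0.113.5", "user_agent": ua, "cookies": {"PHPSESSID": "s1"}},
        {"ip": "203.0.113.5", "user_agent": ua, "cookies": {"theme": "dark"}},          # not a SessionID
    ]
    return [check_request(store, r) for r in requests]
```

Note that the last request is skipped even though its IP differs, which is exactly the case the v2.1.1 skip rule was added for: a client that never presented a SessionID cookie has nothing sticky to compare against.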
