The mod-security-users list would be the best place for this question -

http://lists.sourceforge.net/lists/listinfo/mod-security-users

That being said - Chris Bockermann's AuditConsole is probably the best free 
tool out there right now - http://jwall.org/web/audit/console/index.jsp


On Mar 8, 2011, at 12:18 PM, "Abdellah Tantan" <[email protected]> wrote:

I am not sure if this is the right mailing list for these questions.

What’s the best tool to manage modsecurity logs? Keeping in mind that 
performance is a concern.

Is there any good article on how to configure modsecurity for better 
performance?

Thanks

Abdellah


From: [email protected] [mailto:[email protected]] On Behalf Of Mirabito, Massimo (Max) (CDC/OID/OD) (CTR)
Sent: Tuesday, March 08, 2011 1:59 PM
To: '[email protected]'
Cc: Wang, Silver (CDC/OID/OD) (CTR)
Subject: [Owasp-modsecurity-core-rule-set] Rule Set is being violated on modsecurity_crs_41_phpids_converter.conf line 70

Dear All

We are having difficulty with one of our applications as it appears that 
mod_security is blocking some of the content thinking that it is a 
vulnerability.
We are running Apache version 2.2 with mod_security version 2.05


The url that is giving us problems is as follows:
https://myserver.com/MYAPP/nt/chart/run.do?t=tcg&m=cot/trend&f=png&r=3&y=2005+to+2009&d=labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];tlabels_x:[2005,2006,2007,2008,2009];g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],[90,85,87,89,90,-8.88888888E8,null],[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],[null,null,null,null,null,-8.88888888E8,93]];t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]&c=0+0+0+0+1&rid=1

The peculiar thing is that a similar url runs properly, see below:
https://myserver.com/MYAPP/nt/chart/run.do?t=pct&m=cot/outcomes&f=png&r=3&y=2009&d=p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]&&rid=1

The logs show the following rule being violated:
Message: Pattern match "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" at ARGS:d.
[file "C:/Apache2.2/conf/mod_security/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "70"] [id "973016"] [msg "Basic Charcode Pattern Found"] [data "2005,2006,2007,2008,2009,-8.88888888e3"]

The rule in question is located in modsecurity_crs_41_phpids_converter.conf, line 70:
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

My coworker discovered that if we modify a portion of the rule then we are able 
to run the application properly. In particular, if we modify {4} to {10} then 
things begin working:
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}"
   ... TO ...
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){10,}"

We are concerned that by making this change we either inadvertently make our 
security weaker or break other things. So we are wondering if the rule has an 
inherent problem and whether there is a way to either resolve it or bypass it, or any 
other best practice.


Any feedback is greatly appreciated

Thanks,

Max

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]<mailto:[email protected]>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
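An added example (not part of the thread, and not CRS or ModSecurity code) to show why rule 973016 fires on the first URL and not the second, and what the {4,} to {10,} change actually costs. It approximates the rule's transformation chain with Python stand-ins and runs the quoted regex over the two ARGS:d values from the thread plus two constructed String.fromCharCode payloads of the kind the rule exists to catch. The regex body is copied from the rule as quoted above; everything else is mine. One detail worth noticing: "+-=" inside the character class is a range (0x2B..0x3D), so the class also admits ',', '.', '/', ':' and ';', which is why a long JSON-ish list of numbers looks like a charcode sequence to it.

```python
import html
import re
from urllib.parse import unquote_plus

# Regex body of CRS rule 973016 as quoted in the thread. %d is the {n,} quantifier
# so the same pattern can be tried with the original 4 and the coworker's 10.
CHARCODE_PATTERN = r"(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){%d,}"


def crs_transform(value: str) -> str:
    """Approximate the rule's chain t:urlDecodeUni, t:htmlEntityDecode,
    t:compressWhiteSpace, t:lowercase with Python stand-ins (assumption:
    close enough for these inputs; not ModSecurity's own implementation)."""
    value = re.sub(r"%u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)  # %uXXXX part of urlDecodeUni
    value = unquote_plus(value)          # urlDecodeUni: %xx and '+' -> ' '
    value = html.unescape(value)         # htmlEntityDecode
    value = re.sub(r"\s+", " ", value)   # compressWhiteSpace
    return value.lower()                 # lowercase


def match_973016(value: str, min_groups: int = 4):
    """Return what the rule would capture as TX.0 (or None) for a given {n,}."""
    pattern = re.compile(CHARCODE_PATTERN % min_groups)
    m = pattern.search(crs_transform(value))
    return m.group(0) if m else None


# Constructed inputs: the opening portion of ARGS:d from the blocked request (as sent
# on the wire), ARGS:d from the working request, and two invented charcode payloads.
SAMPLES = {
    "blocked chart request": (
        "labels_x:%5b2005,2006,2007,2008,2009,-8.88888888E8,2015%5d;"
        "tlabels_x:%5b2005,2006,2007,2008,2009%5d;"
        "g:%5b%5b89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null%5d,"
        "%5b90,85,87,89,90,-8.88888888E8,null%5d%5d"
    ),
    "working chart request": (
        "p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],"
        "[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]"
    ),
    # alert(1): eight code points, so seven commas in one run.
    "charcode alert(1)": "String.fromCharCode(97,108,101,114,116,40,49,41)",
    # document.cookie: fifteen code points, fourteen commas.
    "charcode document.cookie": (
        "String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101)"
    ),
}


def compare_quantifiers(samples=SAMPLES, quantifiers=(4, 10)):
    """For every sample, what each {n,} setting would capture: {name: {n: TX.0 or None}}."""
    return {name: {n: match_973016(v, n) for n in quantifiers}
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, results in compare_quantifiers().items():
        print(name)
        for n, hit in results.items():
            print(f"  {{{n},}}: {'MATCH ' + hit if hit else 'no match'}")
```

The working request never matches because every run of class characters is cut by '[' and ']' after a single comma, while the blocked request has runs with five commas. Raising the quantifier to {10,} does make the chart URL pass, but it also lets the eight-number alert(1) payload through untouched, which is the weakening the poster was worried about. The usual CRS answer is not to edit the regex but to exclude the one parameter on the one path: a SecRuleRemoveById 973016 inside an Apache LocationMatch for /MYAPP/nt/chart/run.do works on any 2.x release, and on releases that support it SecRuleUpdateTargetById 973016 !ARGS:d is narrower still (check your version's reference manual for availability). As a side note on the performance question in the thread, a class that overlaps its own separator like this one backtracks heavily on long numeric lists, which is another reason to keep such parameters out of its scope rather than loosen it.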