Hi, Although I have read the ModSecurity book by Ivan Ristic, I feel I am still very new to ModSecurity. I am wondering why sending a simple request triggered all these rules (see raw data below). If the request was marked as critical, why was it not blocked? Any help to understand this is appreciated,
This is my main configuration file: SecComponentSignature "core ruleset/2.1.1" SecRuleEngine On SecDefaultAction "phase:2,pass,nolog,auditlog" SecAction "phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on" SecAction "phase:1,t:none,nolog,pass, \ setvar:tx.critical_anomaly_score=5, \ setvar:tx.error_anomaly_score=4, \ setvar:tx.warning_anomaly_score=3, \ setvar:tx.notice_anomaly_score=2" SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5" SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4" Raw data below: --342fe054-A-- [15/Mar/2011:13:23:56 --0500] iAJfIgoAygIAAGstEDsAAAAC 66.37.224.199 52567 10.0.202.2 80 --342fe054-B-- GET /lpandl/images/buttons/login.gif HTTP/1.1 Host: 98.142.93.2 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Referer: https://98.142.93.2/lpandl/Logon.do;jsessionid=2D2A0F2EC20B323DEFE7901DB4800 52E Cookie: JSESSIONID=2D2A0F2EC20B323DEFE7901DB480052E X-Forwarded-For: 66.37.224.199 Front-End-Https: On --342fe054-E-- --342fe054-F-- HTTP/1.1 200 OK ETag: W/"929-1272484876000" Last-Modified: Wed, 28 Apr 2010 20:01:16 GMT Content-Length: 929 Connection: close Content-Type: image/gif --342fe054-H-- Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/conf/modsecurity/rules/base_rules/modsecurity_crs_30_http_policy .conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. 
[file "/etc/httpd/conf/modsecurity/rules/base_rules/modsecurity_crs_30_http_policy .conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] Apache-Handler: jakarta-servlet Stopwatch: 1300213436407586 8794 (450 5600 -) Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/). Server: Apache/2.2.3 (CentOS) --342fe054-K-- SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,auditlog,chain,rev:2.1.1,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC- 21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc261 6/rfc2616-sec4.html#sec4.3" SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,chain,rev:2.1.1,t:none,block,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,ta g:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10" SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,log,auditlog,chain,rev:2.1.1,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5" SecRule "REQUEST_METHOD" "!@within %{tx.allowed_methods}" "phase:2,log,auditlog,t:none,block,msg:'Method is not allowed by policy',severity:2,id:960032,tag:POLICY/METHOD_NOT_ALLOWED,tag:WASCTC/WASC-1 5,tag:OWASP_TOP_10/A6,tag:OWASP_AppSensor/RE1,tag:PCI/12.1,logdata:%{matched _var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomal y_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rul e.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}" "phase:2,log,auditlog,t:none,block,msg:'HTTP protocol version is not allowed by 
policy',severity:2,id:960034,tag:POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC -21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg= %{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.p olicy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/PROTOCO L_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:2,log,auditlog,chain,capture,setvar:tx.extension=.%{tx.1}/,t:none,t:u rlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:2,id:960035,tag:POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,ta g:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by 
policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, 
tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED, tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:O WASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar :tx.header_name='/%{tx.0}/'" SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,auditlog,rev:2.1.1,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode ,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK" SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,auditlog,rev:2.1.1,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode ,nolog,skipAfter:END_OUTBOUND_CHECK" --342fe054-Z-- _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
