Good day,
I have a problem with a site that is currently running Joomla 1.6.0, when
working in the admin panel.
The site gives false positives on the rule below, from
modsecurity_crs_41_phpids_filters.conf:
SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" \
    "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'900030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
The reason for the match seems to be the posting of the data once the
particular article has been updated. Some snippets of the audit log for
this site:
Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[rules][core.edit][6]. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[rules][core.edit.state][6]. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[rules][core.delete][7]. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[rules][core.edit][7]. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[rules][core.edit.state][7]. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[rules][core.delete][2]. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "205"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Seeing that the rule sets the variable, I wanted to match based on that
variable:
[06/May/2011:14:18:50 +0200] [/sid#809b82900][rid#81de4e0a8][/administrator/index.php][9] Set variable "tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_icons]" to "][s".
I used a combination of resources from the below sites to create the
correct rule structure:
https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2010-January/000257.html
http://www.modsecurity.org/blog/archives/2007/12/using_transacti.html
The file that I used for my rule is:
modsecurity_crs_48_local_exceptions.conf
The rules are as follows.
1) SecRule TX:"/tx.900030-Detects\s(.*)-ARGS_NAMES:jform/" "@contains ][" "chain,phase:2,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Fix false positive',pass"
       SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"

2) SecRule TX:"/tx.900030-Detects\s(.*)-ARGS_NAMES:jform/" "@contains ][" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"

3) SecRule TX:'/tx.900030-Detects(.*)-ARGS_NAMES:jform/' "@contains ][" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
   This rule did not want to work with the single quotes.
From what I have tested so far, the regex should work for all variants of
the variables set; however, the anomaly score does not decrease, and from
what I could see in both the audit and debug logs it does not look like it
follows the logic as I understand it. So either the regex is incorrect or I
am placing it in the incorrect file, but then why would it work when I
remove the rule in the same file using SecRuleRemoveById?
Some of the variants (there are currently 55):
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_item_navigation]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_icons]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_print_icon]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_email_icon]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_vote]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_hits]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_noauth]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][alternative_readmore]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][article_layout]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][robots]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][author]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][rights]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[metadata][xreference]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][1]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][1]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit.state][1]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][6]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][6]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit.state][6]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][7]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][7]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit.state][7]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.delete][2]
tx.900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[rules][core.edit][2]
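Editor's note, with an added example. The exception rules in the post fail for reasons the logs above already show, and the block below is that exception written against them; it is added here and is not code from the original post or from the CRS project. The debug log line prints the collection and the key separately: rule 900030 stores its variable in the TX collection under the key 900030-Detects common XSS concatenation patterns 1/2-WEB_ATTACK/INJECTION-ARGS_NAMES:jform[attribs][show_icons], with no tx. prefix, and a TX:/.../ selector regex is applied to that key. A regex beginning with tx.900030 can therefore never select anything, while the CRS's own selector for these variables, TX:/^\d/, starts at the rule id; that is why the score never moves although SecRuleRemoveById, which removes rule 900030 altogether, works. The quoting matters as well: ModSecurity's target parser treats only single quotes as quoting a selector parameter, and Apache strips double quotes only when they open a whole token, so TX:"/.../" reaches ModSecurity with the quotes still attached and is compared as a literal variable name, not as a regex. Inside single quotes a backslash has to be doubled, which is a good reason to leave the selector unquoted and let .* cover the spaces in the message text. Two further points the example takes into account. The [data "][c"] and "][s" values show that it is the alternation (?:]\s*\[\W*\w) of rule 900030 firing on the ][ between the nested Joomla form field names in ARGS_NAMES, so the false positive comes from the parameter names, not their values, and there are as many matches per request as there are such names (55 at the time of the post). Rule 900030 adds 4 to tx.anomaly_score for each of them, because setvar is a non-disruptive action executed once per matched variable, whereas the second rule of a chain runs only once per request, on a single variable (the one matched last), so the chain form from the post can unset one variable and subtract 4 once. The example assumes the CRS 2.x variable naming and the score weight of 4 seen in rule 900030 above; the field name jform[attribs][show_icons] in option B is taken from the debug log.

```apache
# Added example for modsecurity_crs_48_local_exceptions.conf; not code from the
# original post or from the CRS project. It assumes the CRS 2.x naming shown in
# the debug log above: rule 900030 sets
#   tx.900030-<msg>-WEB_ATTACK/INJECTION-<matched_var_name> = <matched data>
# and adds 4 to tx.anomaly_score once per matching ARGS_NAMES entry.

# Option A: undo the score for every jform[...] field name rule 900030 hit.
# The selector is unquoted, like the CRS's own TX:/^\d/, and anchored at the
# rule id because the key in the TX collection has no "tx." prefix; ".*"
# covers the spaces in the rule's message text. setvar is a non-disruptive
# action and runs once for every TX variable the selector picks, so each +4
# is answered by a -4.
SecRule TX:/^900030-Detects.*-ARGS_NAMES:jform\[/ ".*" \
    "phase:2,t:none,nolog,pass,setvar:tx.anomaly_score=-4"

# Option B: the chain from the post with the selector fixed, for ONE field.
# MATCHED_VAR_NAME is "TX:<key>", so the capture strips the prefix before
# the unset. The chained rule runs once per request, on the key matched
# last, so it removes exactly one variable; keep the selector that specific.
# Deploy A or B for a given field, not both, or the score is corrected twice.
SecRule TX:/^900030-Detects.*-ARGS_NAMES:jform\[attribs\]\[show_icons\]$/ ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "^TX:(.*)$" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-4"
```

Both rules belong where the post already put them, in modsecurity_crs_48_local_exceptions.conf: it is read after the 41 file that sets the variables and before the CRS rule that compares tx.anomaly_score with the blocking threshold, in the same phase. This presumes anomaly scoring mode, where the block action of rule 900030 resolves to pass through SecDefaultAction; in traditional mode that rule denies the request in the 41 file before anything in the 48 file runs, and only SecRuleRemoveById or a target exclusion can help. Option A leaves the tx.900030-... variables in place, which only changes what the later CRS reporting rules list; the blocking decision in CRS 2.x is taken on tx.anomaly_score. Do not combine block and pass in one action list as rule 1 of the post does; pass is the intent here. On ModSecurity 2.7 or later add an id: action to the first rule of each chain, since ids are mandatory there. If the build in use has SecRuleUpdateTargetById, the same false positive is handled more directly, without any score arithmetic, by taking the Joomla field names out of the rule's target list: SecRuleUpdateTargetById 900030 "!ARGS_NAMES:/^jform\[/". After a reload, the debug log at level 9 should show the selector matching and tx.anomaly_score being decremented once per jform field.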
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set