On 8/31/11 7:11 PM, "Majed B." <[email protected]> wrote:

> Hello,
>
> I have just configured mod_security (2.6) with rule set 2.2.1. My
> website runs wordpress 3.2.1. mod-sec is running in detection only
> mode.

You may also be interested in the "WordPress" specific virtual patches in the slr_rules directory:

http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf

These are rules that were created from converted Emerging Threats (ET) rules for WordPress vulns. The advantage of running these rules is that they are very specific as to *where* they are looking for attacks vs. the generic rules in the rest of the CRS which are looking everywhere.

> As soon as I restarted apache, I saw many warnings in the error log as
> visitors come to the site. First, visitors were denied access because
> of a false positive on cookie session hijacking, then when I disabled
> optional_rules altogether, I started getting warnings about SQLi
> attacks when I tried to login to the admin panel of wordpress.
>
> Here's a sample of the error of the SQLi warning:
>
> [Thu Sep 01 01:57:35 2011] [error] [client 98.158.123.158]
> ModSecurity: Warning. Operator GE matched 5 at
> TX:restricted_sqli_char_count. [file
> "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL
> Character Anomaly Detection Alert - Total # of special characters
> exceeded"] [data "9"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"]
> [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
> [Thu Sep 01 01:57:36 2011] [error] [client 98.158.123.158]
> ModSecurity: Warning. Operator LT matched 5 at
> TX:inbound_anomaly_score. [file
> "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_60_correlation.conf"]
> [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound
> Score: 3, SQLi=10, XSS=): Restricted SQL Character Anomaly Detection
> Alert - Total # of special characters exceeded"] [hostname "xyz.com"]
> [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
>
> (Note: I renamed the domain name to xyz.com)
>
> I tried increasing the @ge value from 4 to 5, and it stopped the
> warnings from showing when only browsing the login page, but after I
> login, the warnings keep pouring. I don't know what is a suitable
> value to be put there.

You need to look at the audit log data for the transaction that has the UniqueID - Tl68X04vrrwAAEeUFbUAAAAF.

You might also want to download the latest SVN version of the sql injection file as those rules have been updated:

http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf?revision=1835

-Ryan

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
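Ryan's advice is to go from the error-log warning to the audit-log transaction via its unique_id, and Majed's problem is deciding whether a threshold change is the right fix. The helper below is an added example, not code from this thread or from the CRS project: it parses ModSecurity 2.x alerts in Apache error-log format, groups them by unique_id, and tallies which rule ids fire most often. The embedded sample log is constructed: the first two entries are the ones quoted above (with the wrapped file paths rejoined), the remaining entries for a second transaction are made up for illustration (the unique_id is an obvious placeholder, and the 981176 "Inbound Anomaly Score Exceeded" line mimics the CRS 2.2.x inbound blocking rule). The function names are my own.

```python
"""Group ModSecurity 2.x error-log alerts by transaction (example helper, not part of the CRS)."""
import re

# Constructed sample: two entries quoted in the thread, one unrelated Apache
# notice, and a constructed second transaction that was actually blocked.
SAMPLE_LOG = '''
[Thu Sep 01 01:57:35 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "9"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
[Thu Sep 01 01:57:36 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=10, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
[Thu Sep 01 01:58:00 2011] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations
[Thu Sep 01 02:03:10 2011] [error] [client 10.0.0.5] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "7"] [hostname "xyz.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTEDUID0000000002"]
[Thu Sep 01 02:03:10 2011] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xyz.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTEDUID0000000002"]
'''

# The [key "value"] pairs ModSecurity appends to every alert line.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')
# "Warning." for detection-only hits, "Access denied with code ..." for blocks,
# optionally followed by the operator/value/target that matched.
MATCH_RE = re.compile(
    r'ModSecurity: (?P<action>Warning|Access denied[^.]*)\. '
    r'(?:Operator (?P<op>\S+) matched (?P<value>\S+) at (?P<target>.+?)\.(?=\s|$))?'
)
# Score as written by the correlation (981203) and inbound blocking (981176) rules.
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')


def parse_line(line):
    """Return the alert's fields as a dict, or None for a non-ModSecurity line."""
    m = MATCH_RE.search(line)
    if not m:
        return None
    event = dict(FIELD_RE.findall(line))
    event['action'] = m.group('action')
    if m.group('op'):
        event['operator'] = m.group('op')
        event['matched'] = m.group('value')
        event['target'] = m.group('target')
    client = CLIENT_RE.search(line)
    if client:
        event['client'] = client.group(1)
    score = SCORE_RE.search(event.get('msg', ''))
    if score:
        event['inbound_score'] = int(score.group(1))
    return event


def group_by_transaction(text):
    """Map unique_id -> list of alerts, in first-seen order."""
    txns = {}
    for line in text.splitlines():
        event = parse_line(line)
        if event is not None:
            txns.setdefault(event.get('unique_id', '?'), []).append(event)
    return txns


def summarize(text):
    """One row per transaction: the unique_id to look up in the audit log,
    which rules fired on which URI, the final score, and whether it was blocked."""
    rows = []
    for uid, events in group_by_transaction(text).items():
        scores = [e['inbound_score'] for e in events if 'inbound_score' in e]
        rows.append({
            'unique_id': uid,
            'client': events[0].get('client'),
            'uri': events[0].get('uri'),
            'rule_ids': [e['id'] for e in events if 'id' in e],
            'inbound_score': max(scores) if scores else None,
            'blocked': any(e['action'].startswith('Access denied') for e in events),
        })
    return rows


def rule_frequency(text):
    """Number of distinct transactions each rule id fired in, noisiest first."""
    counts = {}
    for events in group_by_transaction(text).values():
        for rid in {e['id'] for e in events if 'id' in e}:
            counts[rid] = counts.get(rid, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOG):
        print(row)
    print(rule_frequency(SAMPLE_LOG))
```

Run it against the real error log (`summarize(open('/var/log/apache2/error.log').read())`) and the `unique_id` column is what to search for in the audit log; `rule_frequency` shows whether one rule such as 981173 is responsible for most of the noise on a given URI, which is a better basis for a targeted exclusion than raising the @ge threshold for every request.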
