FYI for the same reason I just upgraded to the 2.2.2 modsecurity_crs_41_sql_injection_attacks.conf ruleset, however it doesn't appear to have made any difference.
e.g. the following Cookie triggers 981248: LtpaToken2=x5Orq (it didn't like "50r"?????)

Jason

On 02/09/11 01:21, Ryan Barnett wrote:
>
> On 8/31/11 7:11 PM, "Majed B." <[email protected]> wrote:
>
> >Hello,
> >
> >I have just configured mod_security (2.6) with rule set 2.2.1. My
> >website runs wordpress 3.2.1. mod-sec is running in detection only
> >mode.
>
> You may also be interested in the "WordPress" specific virtual patches in
> the slr_rules directory.
>
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
>
> These are rules that were created from converted Emerging Threats (ET)
> rules for WordPress vulns. The advantage of running these rules is that
> they are very specific as to *where* they are looking for attacks vs. the
> generic rules in the rest of the CRS which are looking everywhere.
>
> >As soon as I restarted apache, I saw many warnings in the error log as
> >visitors come to the site. First, visitors were denied access because
> >of a false positive on cookie session hijacking, then when I disabled
> >optional_rules altogether, I started getting warnings about SQLi
> >attacks when I tried to log in to the admin panel of wordpress.
> >
> >Here's a sample of the error of the SQLi warning:
> >
> >[Thu Sep 01 01:57:35 2011] [error] [client 98.158.123.158]
> >ModSecurity: Warning. Operator GE matched 5 at
> >TX:restricted_sqli_char_count. [file
> >"/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> >[line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL
> >Character Anomaly Detection Alert - Total # of special characters
> >exceeded"] [data "9"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"]
> >[unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
> >[Thu Sep 01 01:57:36 2011] [error] [client 98.158.123.158]
> >ModSecurity: Warning. Operator LT matched 5 at
> >TX:inbound_anomaly_score.
> >[file
> >"/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_60_correlation.conf"]
> >[line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound
> >Score: 3, SQLi=10, XSS=): Restricted SQL Character Anomaly Detection
> >Alert - Total # of special characters exceeded"] [hostname "xyz.com"]
> >[uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
> >
> >(Note: I renamed the domain name to xyz.com)
> >
> >I tried increasing the @ge value from 4 to 5, and it stopped the
> >warnings from showing when only browsing the login page, but after I
> >log in, the warnings keep pouring. I don't know what is a suitable
> >value to be put there.
>
> You need to look at the audit log data for the transaction that has the
> UniqueID - Tl68X04vrrwAAEeUFbUAAAAF. You might also want to download the
> latest SVN version of the sql injection file as those rules have been
> updated -
>
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf?revision=1835
>
> -Ryan
>
> >_______________________________________________
> >Owasp-modsecurity-core-rule-set mailing list
> >[email protected]
> >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
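Ryan's advice above is to pivot on the unique_id and find out which target actually matched before touching a threshold. The script below is an added example written for this thread (it is not code from the thread, from ModSecurity or from the CRS project). It parses Apache error-log lines in the ModSecurity 2.x format Majed quoted, groups them by unique_id, separates the detection hits from the 60_correlation anomaly-score summary, and, where the log names a concrete target such as a cookie, proposes a SecRuleUpdateTargetById exception scoped to that one target. The first two sample lines are the ones quoted in the thread (wrapped paths joined); the third line, with its rule message, pattern text, line number and unique_id, is constructed for the LtpaToken2 cookie case Jason describes and is an assumption, as is the ModSecurity 2.6 exception syntax.

```python
"""Triage ModSecurity 2.x error-log warnings per transaction (unique_id).

Added example for this thread; not code from ModSecurity or the CRS project.
"""
import re
from collections import Counter, defaultdict

# Constructed sample. Lines 1-2 are the ones Majed quoted (domain already
# renamed to xyz.com by him, wrapped paths joined). Line 3 is constructed for
# the LtpaToken2 cookie Jason mentions: its pattern text, rule message, line
# number and unique_id are assumptions, not taken from the thread.
SAMPLE_LOG = r'''
[Thu Sep 01 01:57:35 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "9"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
[Thu Sep 01 01:57:36 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=10, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
[Fri Sep 02 10:00:00 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:\b(?:x?or|div|like|between|and)\b\s*?\d+)" at REQUEST_COOKIES:LtpaToken2. [file "/etc/modsecurity/modsecurity-crs/2.2.2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981248"] [rev "2.2.2"] [msg "Detects chained SQL injection attempts 1/2"] [data "50r"] [hostname "xyz.com"] [uri "/"] [unique_id "CONSTRUCTED0000000000001"]
'''

HEAD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>Warning|Access denied with code \d+)'
    r'(?: \(phase \d\))?\. (?P<detail>.*)$')
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')

# Targets an exception can sensibly name. A TX: match (981173's character
# counter, for instance) is a collection-level result: the error log does not
# say which parameter contributed, which is why the audit log is needed.
EXCEPTABLE = ('ARGS:', 'ARGS_NAMES:', 'REQUEST_COOKIES:', 'REQUEST_HEADERS:')


def parse_line(line):
    """Return a dict of fields for one error-log line, or None if it is not one."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ev = {'ts': m.group('ts'), 'client': m.group('client'), 'action': m.group('action')}
    # detail looks like: 'Operator GE matched 5 at TX:foo. [file "..."] [id "..."] ...'
    head, _, tags = m.group('detail').partition(' [file ')
    ev['var'] = head.rsplit(' at ', 1)[1].rstrip('.') if ' at ' in head else ''
    for key, val in TAG_RE.findall('[file ' + tags):
        ev.setdefault(key, val)  # keep only the first of repeated [tag "..."] entries
    return ev


def group_transactions(lines):
    """Map unique_id -> list of events, in log order."""
    tx = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and 'unique_id' in ev:
            tx[ev['unique_id']].append(ev)
    return dict(tx)


def summarize(events):
    """Split one transaction into detection hits and its anomaly-score summary (60_correlation)."""
    summary = next((e for e in events if '60_correlation' in e.get('file', '')), None)
    return {
        'client': events[0]['client'],
        'uri': events[0].get('uri', ''),
        'rules': [(e.get('id', '?'), e['var']) for e in events if e is not summary],
        'score_msg': summary['msg'] if summary else None,
    }


def suggest_exception(rule_id, var):
    """A SecRuleUpdateTargetById line (ModSecurity 2.6 syntax, assumed) removing one
    target from one rule, or None when the match was on a TX: counter."""
    if not var.startswith(EXCEPTABLE):
        return None
    return 'SecRuleUpdateTargetById %s "!%s"' % (rule_id, var)


def candidates(tx):
    """Count (rule id, target, uri) triples across transactions; repeat offenders are false-positive suspects."""
    c = Counter()
    for events in tx.values():
        s = summarize(events)
        for rule_id, var in s['rules']:
            c[(rule_id, var, s['uri'])] += 1
    return c


if __name__ == '__main__':
    tx = group_transactions(SAMPLE_LOG.splitlines())
    for uid, events in tx.items():
        s = summarize(events)
        print(uid, s['client'], s['uri'], s['score_msg'] or '(no score summary)')
        for rule_id, var in s['rules']:
            print('   ', rule_id, var, suggest_exception(rule_id, var) or '-> check audit log for this unique_id')
    for (rule_id, var, uri), n in candidates(tx).most_common():
        print('%dx rule %s on %s at %s' % (n, rule_id, var, uri))
```

The distinction the script draws is the practical one: for the LtpaToken2 hit the log already names the target, so a single-target exception for 981248 is the narrowest fix; for 981173 the log only shows the TX: counter, so raising the @ge threshold (as tried above) loosens the rule for every request on the site, whereas the audit log entry for Tl68X04vrrwAAEeUFbUAAAAF would show which parameter carried the special characters.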
