Hi,

Still playing with this one.  I can set my status in a rule (based on the 
backend tomcat status) but ultimately the user sees a 403 no matter what I do.

I'm guessing it is because of the default disruptive action when a deny action 
is in effect.  The default action is to send a 403.  I see in 
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf there are ways to change the 
default action.

Is there a way of saying: if backend_status is XXX then set the 
SecRuleUpdateActionById to a relevant rule? (Is that the best way to handle 
what I want to do?) I assume I would do that in the RESPONSE-999-EXCLUSION conf 
file.

Thanks,
-Sheldon
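Added example (not part of the thread, and not CRS code): a rule set that
records the backend's status code in phase 3 and then, when the outbound
anomaly score crosses the threshold, denies in phase 4 with that same code.
It targets ModSecurity 2.x with CRS 3.0 as quoted in this thread and is meant
to live in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, so that the
SecRuleRemoveById comes after the CRS definition of 959100 (the edited copy of
RESPONSE-959-BLOCKING-EVALUATION.conf quoted further down should be reverted
to stock). Two choices follow from the log excerpt quoted in the thread: the
980140 message ends in "Access denied with code " with nothing after it, so
tx.backend_status was empty by phase 4, and the example therefore reads
RESPONSE_STATUS, the ModSecurity variable that carries the response status
code, rather than a RESPONSE_HEADERS entry; and since 959100 still denied with
403 when given status:%{TX.backend_status}, the example hardcodes a numeric
code in each rule and selects the rule with a chained check on
tx.backend_status, which is the per-status-code juggling Christian describes
at the end of the thread. The deny stays in phase 4 because the outbound
anomaly score only exists after the RESPONSE_BODY rules (952100 and friends,
all phase 4) have run. A SecRuleUpdateActionById cannot be switched per
request, since directives are applied when the configuration loads, which is
why the selection is done with rules instead. The rule IDs 10001-10004 and the
set of pass-through codes (404 and 500) are assumptions; add one rule per
extra code.

```apache
# Added example, not CRS code. Place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# so that the SecRuleRemoveById below is processed after CRS has defined 959100.
# Rule IDs 10001-10004 and the pass-through codes 404/500 are assumptions.

# Phase 3 (response headers): RESPONSE_STATUS carries the backend's status code.
# Store it in a transaction variable so the phase 4 rules can select on it.
SecRule RESPONSE_STATUS "^\d{3}$" \
    "id:10001,\
    phase:3,\
    pass,\
    nolog,\
    t:none,\
    setvar:tx.backend_status=%{MATCHED_VAR}"

# Drop the stock CRS outbound blocking rule (phase 4, deny with 403); the
# per-status rules below take over the decision. The outbound anomaly score is
# only complete in phase 4, after RESPONSE_BODY rules such as 952100 have run,
# so the deny has to stay in phase 4.
SecRuleRemoveById 959100

# One rule per status code to pass through. The status action takes a literal
# code, so each code needs its own rule. The chained rule checks that the
# backend actually returned that code; deny only fires when both rules match.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:10002,\
    phase:4,\
    t:none,\
    deny,\
    status:500,\
    log,\
    msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}), returning backend status 500',\
    chain"
    SecRule TX:BACKEND_STATUS "@streq 500" "t:none"

SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:10003,\
    phase:4,\
    t:none,\
    deny,\
    status:404,\
    log,\
    msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}), returning backend status 404',\
    chain"
    SecRule TX:BACKEND_STATUS "@streq 404" "t:none"

# Catch-all: any other backend status (including a 200 whose body leaks
# source code) is still blocked with the default 403.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:10004,\
    phase:4,\
    t:none,\
    deny,\
    status:403,\
    log,\
    msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE})'"
```

Note that the deny still replaces the Tomcat error page with the proxy's own
error document, so the leaking body never reaches the client; only the status
code is preserved. Check that with `curl -i` against a URL that makes Tomcat
return a 500 and confirm the audit log shows rule 10002 rather than 959100.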

-----Original Message-----
From: fol...@netnea.com [mailto:fol...@netnea.com] 
Sent: Wednesday, March 01, 2017 5:28 PM
To: Briand, Sheldon (NRC/CNRC) <sheldon.bri...@canada.ca>
Cc: Christian Folini <christian.fol...@netnea.com>
Subject: RE: [Owasp-modsecurity-core-rule-set] Send back the correct response code

Hey Sheldon,

Your rule works in phase 4. But in phase 4, the status header is already sent 
out. If you want to manipulate it, you need to do this in phase 3.

Ahoj,

Christian

> Hi,
>
> Thanks for the suggestions so far.  I haven't managed to make it work 
> and just wanted to see if what I did makes sense.  (BTW backend server 
> is tomcat)
>
> I put the following rule in a local.conf in the rules directory:
> SecRule RESPONSE_HEADERS:status "^(.*?)$" \
>   "phase:3,pass,id:1,setvar:tx.backend_status=%{MATCHED_VAR}"
>
> I changed RESPONSE-959-BLOCKING-EVALUATION.conf:
> SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge 
> %{tx.outbound_anomaly_score_threshold}" \
>   "phase:4,\
>   id:959100,\
>   tag:'anomaly-evaluation',\
>   t:none,\
>   deny,\
>   status:%{TX.backend_status}"
>
> RESPONSE-952-DATA-LEAKAGES-JAVA.conf:
> SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
>         "phase:4,\
>         rev:'3',\
>         ver:'OWASP_CRS/3.0.0',\
>         maturity:'9',\
>         accuracy:'9',\
>         t:none,\
>         capture,\
>         ctl:auditLogParts=+E,\
>         block,\
>         msg:'Java Source Code Leakage',\
>         logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
>         id:952100,\
>         tag:'application-multi',\
>         tag:'language-java',\
>         tag:'platform-multi',\
>         tag:'attack-disclosure',\
>         tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
>         tag:'WASCTC/WASC-13',\
>         tag:'OWASP_TOP_10/A6',\
>         tag:'PCI/6.5.6',\
>         severity:'ERROR',\
>         setvar:'tx.msg=Access denied with code %{tx.backend_status}',\
>         setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
>         setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
>         setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
>
> I'm seeing errors like this where the status isn't passed:
> Message: Access denied with code 403 (phase 4). Matched phrase "javax.servlet" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"] [line "50"] [id "952100"] [rev "3"] [msg "Java Source Code Leakage"] [data "Matched Data: javax.servlet found within RESPONSE_BODY: <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.41 - Error report</title><style type=\x22text/css\x22>H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-..."] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-java"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA"] [tag "WASCTC/WASC-13"] [tag "OWA
> Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "82"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): Access denied with code "] [tag "event-correlation"]
>
> Thanks!
> -Sheldon
>
> -----Original Message-----
> From: Christian Folini [mailto:christian.fol...@netnea.com]
> Sent: Tuesday, February 21, 2017 4:40 PM
> To: Briand, Sheldon (NRC/CNRC) <sheldon.bri...@canada.ca>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Send back the correct response code
>
> Hi there,
>
> I see. Now I get you.
>
> Assuming, that the status action accepts dynamic variables as 
> parameters, you could save the status code at the beginning of phase 3 
> and then replace 959100 with a rule with "deny,status:%{TX.backend_status}"
>
> This might work, but I have not tested this.
>
> Ahoj,
>
> Christian
>
> On Tue, Feb 21, 2017 at 08:33:12PM +0000, Briand, Sheldon (NRC/CNRC)
> wrote:
>> Hi Christian,
>>
>> Sorry for not being clear.  I'm fairly new to modsecurity.  I have a 
>> reverse proxy setup.  Let's say that a legitimate request comes in.
>> That request generates an error on the backend server.  I'd like to 
>> return whatever code the backend server would have returned instead 
>> of the modsecurity 403.
>>
>> Thanks,
>> -Sheldon
>>
>> -----Original Message-----
>> From: Christian Folini [mailto:christian.fol...@netnea.com]
>> Sent: Tuesday, February 21, 2017 4:24 PM
>> To: Briand, Sheldon (NRC/CNRC) <sheldon.bri...@canada.ca>
>> Subject: Re: [Owasp-modsecurity-core-rule-set] Send back the correct response code
>>
>> Hi Sheldon,
>>
>> Not sure I understand you. What is the "correct" error code in your 
>> question?
>>
>> The incoming requests are blocked in rule 949110. That rule does a 
>> "deny" which defaults to 403. You can update that rule to include a 
>> different status code. If I remember correctly, it is possible to 
>> assign a variable as status code. If not, you would have to juggle a 
>> bit writing rules for individual status codes and control them via 
>> variables or something.
>>
>> Doable, but a bit of work.
>>
>> Ahoj,
>>
>> Christian
>>
>>
>> On Tue, Feb 21, 2017 at 07:55:09PM +0000, Briand, Sheldon (NRC/CNRC)
>> wrote:
>> > Hi,
>> >
>> > I'm wondering how to best set up the CRS 3 rules to allow modsecurity 
>> > to return the correct error code in the response.  I don't need the 
>> > error message, just the error code that was triggered instead of a 403 
>> > every time.  I am running in self-contained mode.  Is this possible?
>> >
>> > Thanks,
>> > -Sheldon
>> >
>> >
>> > Sheldon Briand
>> > Computer Systems and Applications Analyst
>> > National Research Council/Government of Canada
>> > sheldon.bri...@canada.ca
>> > Tel: (902) 426-1677
>> >
>


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
