Re: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?
@verifyCC is provided by ModSecurity for detecting credit card patterns:

    SecRule ARGS @verifyCC phase:5,nolog,pass,\
        sanitiseMatched

This might address your issue.
http://thinksabin.blogspot.com/2014/01/hiding-sensitive-data-in-apache.html

Regards,

On Wed, Jun 3, 2015 at 8:19 PM, Thayyilekandy, Subin : Barclaycard US <sthayyile...@barclaycardus.com> wrote:

Did you try sanitiseArg in your custom rules After file? You can also specify a pattern here, I believe; otherwise you will have to keep adding new/updated fields here that can possibly have sensitive data.

    SecAction phase:5,id:200,nolog,pass,\
        sanitiseArg:password,\
        sanitiseArg:confirmPassword,\

Thanks
Subin

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org On Behalf Of Charles Farinella
Sent: Wednesday, June 03, 2015 10:22 AM
To: Joshua Roback
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?

Thanks for the suggestions, but I don't think either of these will solve our problem permanently. The 'nolog' option is rule or status code dependent and we want to make sure that *no* request bodies are ever printed to the Nginx log. The 'SecAuditLogParts' option seems to only affect what gets sent to the audit logs; we've tried this.

Mod_security docs say that messages at levels 1-3 are *always* copied to the Apache error log. We are assuming that this applies equally to Nginx logs, and this is what we need to address. We have clients sending credit card numbers in request bodies and they are triggering mod_security SQL injection rules, which then write these bodies to the Nginx logs, exposing the CC number. We know that we can disable these specific rules, but are afraid that at some future time, or after an upgrade, these or some other rules will be triggered again, exposing sensitive information.

Does OWASP have a best practices procedure for protecting this kind of data in a PCI environment? How can we prevent *all* level 1-3 messages from being sent to the Nginx log?

Thanks again for your help.
--charlie

On Tue, Jun 2, 2015 at 4:08 PM, Joshua Roback <jrob...@gmail.com> wrote:

Inside your base modsecurity.conf file, I believe the following directive will allow you to choose which parts are logged based on the assigned letter values. The example below will remove REQUEST and RESPONSE body:

    SecAuditLogParts ABIFEHZ

On Tue, Jun 2, 2015 at 11:39 AM Chaim Sanders <csand...@trustwave.com> wrote:

Hey Charles,
You can use the nolog action to prevent ModSecurity from adding entries. For instance:

    SecRule ARGS:test Test block,status:403,nolog,id:1

Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org On Behalf Of Charles Farinella
Sent: Tuesday, June 2, 2015 10:38 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?

We are seeing request bodies logged to our nginx logs. mod_security documentation says that messages at levels 1-3 are always copied to the Apache error log. Does anyone know how we can prevent this behavior?

--
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

___
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Barclaycard
www.barclaycardus.com
This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
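Added example, not code from the thread or from ModSecurity: a Python model of what the two suggestions above do to a request's arguments before they reach a log. `luhn_valid` is the checksum that @verifyCC applies after its regex matches, `sanitise_value` masks Luhn-valid matches the way sanitiseMatched masks the matched variable, and `sanitise_args` also masks named fields unconditionally, as sanitiseArg:password does. The candidate pattern, function names and the sample arguments are my own assumptions.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes (constructed
# pattern; deliberately broad, the Luhn check below removes the false positives).
CC_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Argument names masked unconditionally, mirroring sanitiseArg:password,confirmPassword.
ALWAYS_MASK = frozenset({"password", "confirmPassword"})


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9),
    the digit sum must be a multiple of 10. This is the test @verifyCC adds on top of its regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(value: str) -> list:
    """Return the substrings of `value` that look like a card number and pass Luhn."""
    hits = []
    for m in CC_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def sanitise_value(value: str) -> str:
    """Replace every Luhn-valid card number in `value` with asterisks of the same length,
    which is what sanitiseMatched does to the matched variable before the audit log is written."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * len(m.group(0)) if luhn_valid(digits) else m.group(0)
    return CC_CANDIDATE.sub(mask, value)


def sanitise_args(args: dict) -> dict:
    """Sanitise a whole argument set: named secrets are always masked, everything else is scanned."""
    return {k: ("*" * len(v) if k in ALWAYS_MASK else sanitise_value(v)) for k, v in args.items()}


if __name__ == "__main__":
    # Constructed sample request arguments; 4111 1111 1111 1111 is the usual Visa test number.
    sample = {"card": "4111 1111 1111 1111", "password": "hunter2",
              "note": "order 12345, ref 1234567890123"}
    print(sanitise_args(sample))
```

Masking in the log pipeline only helps for the log streams it runs before; it does nothing about a rule that already wrote the raw body to the server error log, which is the part of Charlie's question that neither suggestion answers.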
Re: [Owasp-modsecurity-core-rule-set] problem executing external bash script
Issue has been fixed. The problem was that I put that bash script in the /root/ directory. Keeping it inside /usr/share/modsecurity-crs/ it worked.

On Wed, Jan 28, 2015 at 1:54 PM, Sabin Ranjit <think.sa...@gmail.com> wrote:

email is not being sent.

On Wed, Jan 28, 2015 at 1:27 PM, Sabin Ranjit <think.sa...@gmail.com> wrote:

hi,

I'm trying to send email when a specific rule gets matched in ModSecurity, but ModSecurity gives an execution error in the mod_audit.log. I have written my own test rule like this:

    SecRule REQUEST_HEADERS:User-Agent "FAKE-USER" "chain,deny,log,exec:/root/send_alert_email_fake-user.sh,id:1234123455"
        SecRule REMOTE_ADDR "^192\.168\.203\.141"

and my script looks like this:

    #!/bin/sh
    echo "Fake user tried to access the web application" | mail -s "local server under attack" u...@user.com
    echo Done.

The mod_audit.log is giving this message and email is being sent.

    Message: Exec: Execution failed while reading output: /root/send_alert_email_fake-user.sh (End of file found)
    Message: Failed to execute: /root/send_alert_email_fake-user.sh
    Message: Warning. Pattern match ^192\\.168\\.203\\.141 at REMOTE_ADDR. [file /usr/share/modsecurity-crs/activated_rules/check_user_agent_email.conf] [line 1] [id 1234123455]

Please help me to fix this? I'm also referencing ModSecurity 2.5 by Magnus Mischel.

thanks.
[Owasp-modsecurity-core-rule-set] problem executing external bash script
hi,

I'm trying to send email when a specific rule gets matched in ModSecurity, but ModSecurity gives an execution error in the mod_audit.log. I have written my own test rule like this:

    SecRule REQUEST_HEADERS:User-Agent "FAKE-USER" "chain,deny,log,exec:/root/send_alert_email_fake-user.sh,id:1234123455"
        SecRule REMOTE_ADDR "^192\.168\.203\.141"

and my script looks like this:

    #!/bin/sh
    echo "Fake user tried to access the web application" | mail -s "local server under attack" u...@user.com
    echo Done.

The mod_audit.log is giving this message and email is being sent.

    Message: Exec: Execution failed while reading output: /root/send_alert_email_fake-user.sh (End of file found)
    Message: Failed to execute: /root/send_alert_email_fake-user.sh
    Message: Warning. Pattern match ^192\\.168\\.203\\.141 at REMOTE_ADDR. [file /usr/share/modsecurity-crs/activated_rules/check_user_agent_email.conf] [line 1] [id 1234123455]

Please help me to fix this? I'm also referencing ModSecurity 2.5 by Magnus Mischel.

thanks.
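Added example for this thread and its resolution (the script worked once it was moved out of /root/ into /usr/share/modsecurity-crs/); it is my own code, not part of the thread or of ModSecurity. The exec action runs the script as the web server user, so every directory on the path must be searchable by that user, the file must be readable and executable, and ModSecurity expects at least one line on stdout (an empty stdout is reported as the "End of file found" failure seen above). The pre-flight check below decides that from the mode bits alone for a chosen uid/gid, and `demo` rebuilds the two layouts from the thread under a temporary directory; the function names and the stand-in uid/gid are assumptions.

```python
import os
import stat
import tempfile


def _allowed(st: os.stat_result, uid: int, gid: int,
             owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Classic Unix mode-bit decision for a given uid/gid. Root is deliberately not
    special-cased: the exec action runs as the web server user, never as root."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def exec_script_problems(path: str, uid: int, gid: int, start: str = os.sep) -> list:
    """List the reasons why the web server user (uid/gid) could not run `path` via exec:.
    Directories at or above `start` are assumed traversable; everything below it is checked."""
    problems = []
    if not os.path.isabs(path):
        return ["exec: path must be absolute"]
    if not os.path.isfile(path):
        return [f"{path} does not exist or is not a regular file"]
    rel = os.path.relpath(path, start)
    if rel.startswith(".."):
        return [f"{path} is not below {start}"]
    cur = start
    for component in rel.split(os.sep)[:-1]:        # every directory on the way needs 'x'
        cur = os.path.join(cur, component)
        if not _allowed(os.stat(cur), uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"directory {cur} is not searchable by uid {uid}")
    st = os.stat(path)
    if not _allowed(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{path} is not readable by uid {uid}")
    if not _allowed(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
        problems.append(f"{path} is not executable by uid {uid}")
    with open(path, "rb") as fh:
        if fh.read(2) != b"#!":
            problems.append(f"{path} has no #! interpreter line")
    return problems


def demo() -> dict:
    """Rebuild the two layouts from the thread under a temp dir: a 0700 home directory
    (like /root) and a world-searchable one (like /usr/share/modsecurity-crs)."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    uid, gid = os.getuid() + 1, os.getgid() + 1     # some other account, standing in for www-data
    results = {}
    for name, mode in (("root", 0o700), ("usr-share-modsecurity-crs", 0o755)):
        d = os.path.join(base, name)
        os.mkdir(d)
        os.chmod(d, mode)
        script = os.path.join(d, "send_alert_email_fake-user.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho Done.\n")      # exec expects at least one line on stdout
        os.chmod(script, 0o755)
        results[name] = exec_script_problems(script, uid, gid, start=base)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

Running `demo()` reports the 0700 directory as not searchable by the stand-in user and the 0755 one as clean, which is the difference between the two locations in the thread.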
[Owasp-modsecurity-core-rule-set] malicious file not getting blocked while uploading
hi,

I'm using modsecurity_crs_46_av_scanning to scan a file with ClamAV when a user uploads a file. When I tested, I did get the log entry from ModSecurity saying it is malicious, but it did not block the upload to the server. ModSecurity was running in active mode. How can it be configured to block malicious file uploads? I got the following log:

    Message: Warning. File /tmp//20141208-005725-VIVn9H8AAQEAADlz2AAG-file-pDG9cN rejected by the approver script /usr/share/modsecurity-crs/util/av-scanning/runav.pl: 0 clamscan: Suspect.PDF.EmbeddedExecutable-2 [file /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_46_av_scanning.conf] [line 17] [id 950115] [msg Virus found in uploaded file] [severity CRITICAL] [tag MALICIOUS_SOFTWARE/VIRUS] [tag PCI/5.1]
    Apache-Handler: application/x-httpd-php
    Stopwatch: 1418029044999223 91983157 (- - -)
    Stopwatch2: 1418029044999223 91983157; combined=90317213, p1=68, p2=90317138, p3=3, p4=0, p5=4, sr=0, sw=0, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
    Server: Apache/2.4.7 (Ubuntu)
    Engine-Mode: ENABLED

    --87cb1800-J--
    3,755390,evil.pdf,Unknown ContentType
    Total,755390

thanks
[Owasp-modsecurity-core-rule-set] crs against brute force not working
hi,

I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce from the experimental rules. But it's not working for me. I created a symlink to it in the activated rules directory, restarted Apache, and when I brute force my web application's login page the ModSecurity audit log doesn't give me any brute force warnings. What could be the problem? I'm using Burp Suite Pro's Intruder for brute forcing. Can anyone point to a helpful resource that I can follow?

thanks.
regards
sabin
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
naah!! I tried it, it's not working for me. I used the value like that but when I do a brute force attempt in the web application with random username and password it gives me nothing in the mod audit log. I'm using Burp Suite Pro Intruder for testing. Have you tried it besides WordPress? Wonder what I'm doing wrong. Thanks anyway.

cheers

On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render <wren...@otherdata.com> wrote:

I believe you would just set yours like this (just include the URL after the domain name):

    #
    # -- [[ Brute Force Protection ]] -
    #
    # If you are using the Brute Force Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    SecAction \
      id:'900014', \
      phase:1, \
      t:none, \
      setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \
      setvar:'tx.brute_force_burst_time_slice=60', \
      setvar:'tx.brute_force_counter_threshold=10', \
      setvar:'tx.brute_force_block_timeout=300', \
      nolog, \
      pass

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
http://www.facebook.com/otherdata

From: Sabin Ranjit [mailto:think.sa...@gmail.com]
Sent: August-21-14 10:39 AM
To: Wesley Render
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working

hi Wesley,

I'm not using WordPress, I'm trying to protect my application made in the Yii framework and its login URL looks like this: https://domainname.net/user/user/login/

How can I set the brute_force_protected_urls value for this kind of URL? I tried a few ways but it gave me a syntax error.

thanks,
regards

On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render <wren...@otherdata.com> wrote:

In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart Apache. Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts:

    #
    # -- [[ Brute Force Protection ]] -
    #
    # If you are using the Brute Force Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    SecAction \
      id:'900014', \
      phase:1, \
      t:none, \
      setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
      setvar:'tx.brute_force_burst_time_slice=60', \
      setvar:'tx.brute_force_counter_threshold=10', \
      setvar:'tx.brute_force_block_timeout=300', \
      nolog, \
      pass

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
http://www.facebook.com/otherdata

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org On Behalf Of Sabin Ranjit
Sent: August-21-14 4:17 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working

hi,

I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce from the experimental rules. But it's not working for me. I created a symlink to it in the activated rules directory, restarted Apache, and when I brute force my web application's login page the ModSecurity audit log doesn't give me any brute force warnings. What could be the problem? I'm using Burp Suite Pro's Intruder for brute forcing. Can anyone point to a helpful resource that I can follow?

thanks.
regards
sabin
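Added example, my own code rather than the CRS rules or anything posted in this thread: a simplified model of the burst counter that the four tx.brute_force_* settings above configure, so the effect of the time slice, threshold and block timeout can be seen on a constructed sequence of login requests. The `#`-delimited URL matching (so that "#/user#" matches "/user" and not "/users") and the exact block condition are my assumptions about the rule; the real crs_11 rules track bursts and responses in more detail.

```python
from collections import defaultdict, deque


class BruteForceGuard:
    """Per-client burst counter modelled on tx.brute_force_protected_urls,
    tx.brute_force_burst_time_slice, tx.brute_force_counter_threshold and
    tx.brute_force_block_timeout from modsecurity_crs_10_setup.conf (simplified model)."""

    def __init__(self, protected_urls: str, burst_time_slice: int = 60,
                 counter_threshold: int = 10, block_timeout: int = 300):
        # Same '#'-delimited list as the setup file, e.g. "#/wp-login.php# #/user#".
        self.protected_urls = protected_urls
        self.burst_time_slice = burst_time_slice
        self.counter_threshold = counter_threshold
        self.block_timeout = block_timeout
        self.hits = defaultdict(deque)      # client ip -> timestamps of protected-URL requests
        self.blocked_until = {}             # client ip -> time the block expires

    def is_protected(self, request_filename: str) -> bool:
        # Assumption: wrapping the path in '#' makes the match exact, not a substring match.
        return f"#{request_filename}#" in self.protected_urls

    def check(self, client_ip: str, request_filename: str, now: float) -> str:
        """Return 'block' or 'pass' for one request from `client_ip` observed at time `now` (seconds)."""
        if self.blocked_until.get(client_ip, 0) > now:
            return "block"                  # still inside the block period, whatever the URL
        if not self.is_protected(request_filename):
            return "pass"                   # only protected URLs are counted
        window = self.hits[client_ip]
        window.append(now)
        while window and window[0] <= now - self.burst_time_slice:
            window.popleft()                # forget requests that fell out of the time slice
        if len(window) >= self.counter_threshold:
            self.blocked_until[client_ip] = now + self.block_timeout
            window.clear()
            return "block"
        return "pass"


def simulate_login_burst(guard: BruteForceGuard, client_ip: str, attempts: int,
                         start: float = 0.0) -> list:
    """Fire `attempts` login requests one second apart and return the verdicts in order."""
    return [guard.check(client_ip, "/user/user/login/", start + i) for i in range(attempts)]


if __name__ == "__main__":
    g = BruteForceGuard("#/user/user/login/#")
    print(simulate_login_burst(g, "203.0.113.7", 12))   # constructed client address
```

With the thread's values, the tenth request inside a 60 second window trips the block and every request from that client is refused for the next 300 seconds; a client that only hits unprotected URLs is never counted. A test run that produces no audit log entries at all therefore points at the URL not matching the protected list (path, trailing slash, or the rule file not being loaded) rather than at the thresholds.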
Re: [Owasp-modsecurity-core-rule-set] changing default page
thank, yersinia, i will go through both of those resources. :)

regards

On Thu, Jul 17, 2014 at 4:15 PM, yersinia <yersinia.spi...@gmail.com> wrote:

On 17 Jul 2014 10:16 Sabin Ranjit <think.sa...@gmail.com> wrote:

hi, i want to change the default page that gets displayed when ModSecurity detects an SQL injection attack or any other attacks like XSS. How can I do that?

regards,
sabin

If you use the OWASP CRS this book can tell you a possible configuration: http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html (aside: worth reading anyway). Ivan's ModSecurity Handbook also speaks about this. In short, define in ModSecurity an HTTP redirect to some page or application. I have used this configuration many times.

Hth