I would like to apply ModSecurity CRS in my project.
However, I have few questions related to this.
Can anybody explain, why the rule:
SecRule REQUEST_FILENAME "#pm nessustest appscan_fingerprint" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
contains these actions:
setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}
Why do we need to put the message in transaction collection? Why do we need to set the anomaly score?
Why do we need to this:
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}
Any info would be highly appreciated.
Thank you in advance.
Best Regards,
Maksim
Ok, got it.
There are two modes:
Self-contained mode: when rules just block the request
collaborative mode: rules block the request, which have big anomaly score
Related
I am using mod-security V3 on a centos machine with Openlitespeed.
My php file access.php create cookie: honey_bot_trap with value : 16 character [0-9a-zA-z]. - dynamic: ex: au4abbgjk190Bl
in modsecurity create rules:
SecRule REQUEST_HEADERS:Cookie "#contains honey_bot_trap" "chain,id:'990014',phase:1,t=none,block,msg:'fake cookie'"
i want create rules :
All request to my domain will redirect to access.php (the cookie create by file: honey_bot_trap: au4abbgjk190Bl)
Modsecurity check if no cookie honey_bot_trap: au4abbgjk190Bl is block.
if request has honey_bot_trap: au4abbgjk190Bl add to check rate.
if rate of IP over 2 click /s is block (or redirect to https://m ydomain.com/verify.php)
Please help me. Thank for all.
OpenLiteSpeed is not a creator of rules, but a consumer of them. We generally recommend the use of pre-created rules like OWASP or Comodo. If you wish to create rules you should check out the rules guide: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)
The rule you are attempting to create is very, very complicated. It may sound simple, but I've written the 2nd edition of the ModSecurity Handbook and trust me, I would take me 2-3 hours to get this working.
With that being said, ModSec is probably not the best tool for what you have in mind. If you want to push through, try to put your hands on a copy of the ModSecurity Handbook (instead of the reference linked above) and use mod_qos or something along those lines for rate limiting and not ModSec.
#CRSDevOnDuty
P.S. Hat tip to Robert Perper.
I have installed modsecurity on Nginx and as well as the owasp rules,
i have check SecRequestBodyAccess to on,
but when i send a request with a malicious post data, it pass ok with no problem
Can anyone help me?
Modsecurity by default has parameter "SecRuleEngine" set to "DetectionOnly" and work in monitor mode. Must be set to "On".
Modsecurity must have enabled a rule that discovers malicious code - audit_log will tell you if the malicious post data was found. Most of CRS rules find malicious using regex expressions. More fancy attacks require special configuration or new rules, some of them would never be discovered.
Blocking or not later depends on the settings if your're using Anomaly Scoring mode or Self-Contained mode.
For Self-Contained (older way) it is enough to have configuration line like (for POST data = phase 2):
SecDefaultAction "phase:2,log,auditlog,deny,status=403
And that's all, if post data violates any rule - attacker gets 403.
For AnomalyScore mode (newer way, more flexible) line looks like:
SecDefaultAction "phase:2,log,auditlog,pass"
Then all rules for which anomalies were found are countend and their scores are summed up. Depends on the rule it can be "critical_anomaly_score", "error_anomaly_score", "warning_anomaly_score" and "notice_anomaly_score". By default their counts as 5,4,3,2.
If the counted score equals or is greater than "inbound_anomaly_score_threshold" (default 5) then request is blocked.
Thats why by default a one rule with critical_anomaly_score (counted as 5) can block traffic. A single rule with "error_anomaly_score" (counted as 4) is not enough to stop the request.
Im currently working on a more or less RESTful webservice, a type of content api for my companys articles. We currently have a resource for getting all the content of a specific article
http://api.com/content/articles/{id}
will return a full set of article data of the given article id.
Currently we control alot of the article's business logic becasue we only serve a native-app from the webservice. This means we convert tags, links, images and so on in the body text of the article, into a protocol the native-app can understand. Same with alot of different attributes and data on the article, we will transform and modify its original (web) state into a state that the native-app will understand.
fx. img tags will be converted from a normal <img src="http://source.com"/> into a <img src="inline-image//{imageId}"/> tag, samt goes for anchor tags etc.
Now i have to implement a resource that can return the articles data in a new representation
I'm puzzled over how best to do this.
I could just implement a completely new resource, on a different url like: content/articles/web/{id} and move the old one to content/article/app/{id}
I could also specify in my documentation of the resource, that a client should always specify a specific request header maybe the Accept header for the webservice to determine which representation of the article to return.
I could also just use the original url, and use a url parameter like .../{id}/?version=app or .../{id}/?version=web
What would you guys reckon would be the best option? My personal preference lean towards option 1, simply because i think its easier to understand for clients of the webservice.
Regards, Martin.
EDIT:
I have chosen to go with option 1. Thanks for helping out and giving pros and cons. :)
I would choose #1. If you need to preserve the existing URLS you could add a new one content/articles/{id}/native or content/native-articles/{id}/. Both are REST enough.
Working with paths make content more easily cacheable than both header or param options. Using Content-Type overcomplicates the service especially when both are returning JSON.
Use the HTTP concept of Content Negotiation. Use the Accept header with vendor types.
Get the articles in the native representation:
GET /api.com/content/articles/1234
Accept: application/vnd.com.exmaple.article.native+json
Get the articles in the original representation:
GET /api.com/content/articles/1234
Accept: application/vnd.com.exmaple.article.orig+json
Option 1 and Option 3
Both are perfectly good solutions. I like the way Option 1 looks better, but that is just aesthetics. It doesn't really matter. If you choose one of these options, you should have requests to the old URL redirect to the new location using a 301.
Option 2
This could work as well, but only if the two responses have a different Content-Type. From the description, I couldn't really tell if this was the case. I would not define a custom Content-Type in this case just so you could use Content Negotiation. If the media type is not different, I would not use this option.
Perhaps option 2 - with the header being a Content-Type?
That seems to be the way resources are served in differing formats; e.g. XML, JSON, some custom format
I am starting to learn GATE. I created an annotation with features but I would like to put it in a new annotation set.
Can someone please tell me how to do it with JAPE?
Thanks
I found the answer to my question in http://sourceforge.net/p/gate/mailman/message/5348688/ and http://osdir.com/ml/ai.gate.general/2005-04/msg00052.html.
They said that a JAPE rule can't refer to more than one annotation set. These annotation sets are defined in the PR runtime parameters (outputASName, inputASName).
--> So I guess that if I want my annotation to belong to a "Key" annotation set, I should put "Key" in outputASName of my Jape transducer.
Thanks for your help Ian =)
We are facing issues of javascript getting embedded into message body,
following is the code snippet of the javascript,
} {*\htmltag241 var
DanaShimData="var DSJsFuncs =
,null,,,,[{nm:\"Refresh\",lcnm:\"refresh\",flg:0xb},{nm:\
\"Install\",flg:0xf},{nm:\"writeln\",flg:0x3f},{nm:\
"GotoURL\
\",flg:0xe},{nm:\"AddRoot\",lcnm:\"addroot\",flg:0xb},{nm:\
\"LoadURL\",lcnm:\"loadurl\",flg:0xb},{nm:\"addRule\
",flg:0xf},
{nm:\"postURL\",lcnm:\"posturl\",flg:0x12},{nm:\
"replace\ \",flg:0x12f},],[{
Could anyone please let us know if you have observed such occurances /
findings.
Any helps appreciated.
Thanks,
Sudipta Ghosh
Try to use HTMLCodeFormat() or HTMLEditFormat().
See docs.
There is a project called 'AntiSammy' (http://www.antisamy.net/) which uses files to combat XSS attacks that are provided by big sites like Slashdot and eBay. You may want to look at extracting the AntiSammy code to help you.
Here is a post by Peter Freitag on using AntiSammy without ColdBox.
http://www.petefreitag.com/item/760.cfm
Here are the docs for the ColdBox Framework:
http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm
Also make sure you use cfqueryparams, captchas or some sort of session authentication form posts.