Closed quenenni closed 8 years ago
Have you made sure your SecRuleEngine is 'On' and that your default action is disruptive to block? Additionally, if you're using anomaly mode, did you enable that explicitly in the setup.conf?
@csanders-git I think this might be just the same problem from #373 and #364. It looks definitely like the setup variables are not set in time.
@quenenni As in your other report, please replace all phase:request with phase:1 in your setup.conf and let us know if this helps!
@lifeforms : I'll do that asap and report back here (tomorrow hopefully).
@csanders-git : My modsecurity.conf:
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:text|application)/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 1124288
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:412,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:412, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,status:412,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 2000
SecPcreMatchLimitRecursion 2000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,status:412,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 2248288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadDir /var/lib/mod_security/
SecUploadKeepFiles RelevantOnly
SecUploadFileLimit 10
SecUploadFileMode 0644
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogDirMode 0777
SecAuditLogFileMode 0666
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsec/data
SecAuditLog /var/log/modsec/modsec-index
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127
SecStatusEngine On
SecDefaultAction "phase:2,deny,status:412,log,auditlog"
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
My modsecurity_crs_10_setup.conf:
SecComponentSignature "OWASP_CRS/3.0.0"
SecDefaultAction "phase:1,status:412,deny,log"
SecDefaultAction "phase:2,status:412,deny,log"
SecAction \
"id:'900001',\
phase:request,\
nolog,\
pass,\
t:none,\
setvar:tx.critical_anomaly_score=5,\
setvar:tx.error_anomaly_score=4,\
setvar:tx.warning_anomaly_score=3,\
setvar:tx.notice_anomaly_score=2,\
setvar:tx.block_duration=300"
SecAction \
"id:'900002',\
phase:request,\
nolog,\
pass,\
t:none,\
setvar:tx.anomaly_score=0,\
setvar:tx.sql_injection_score=0,\
setvar:tx.xss_score=0,\
setvar:tx.rfi_score=0,\
setvar:tx.lfi_score=0,\
setvar:tx.rce_score=0,\
setvar:tx.php_injection_score=0,\
setvar:tx.http_violation_score=0,\
setvar:tx.session_fixation_score=0,\
setvar:tx.inbound_anomaly_score=0,\
setvar:tx.outbound_anomaly_score=0"
SecAction \
"id:'900003',\
phase:request,\
nolog,\
pass,\
t:none,\
setvar:tx.sql_injection_score_threshold=15,\
setvar:tx.xss_score_threshold=15,\
setvar:tx.rfi_score_threshold=5,\
setvar:tx.lfi_score_threshold=5,\
setvar:tx.rce_score_threshold=5,\
setvar:tx.command_injection_score_threshold=5,\
setvar:tx.php_injection_score_threshold=5,\
setvar:tx.http_violation_score_threshold=5,\
setvar:tx.trojan_score_threshold=5,\
setvar:tx.session_fixation_score_threshold=5,\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"
SecAction \
"id:'900023',\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.paranoia_level=4"
SecAction \
"id:'900024', \
phase:1, \
t:none, \
setvar:tx.sql_error_match=0, \
setvar:tx.msaccess=1, \
setvar:tx.db2=1, \
setvar:tx.emc=1, \
setvar:tx.firebird=1, \
setvar:tx.frontbase=1, \
setvar:tx.hsqldb=1, \
setvar:tx.informix=1, \
setvar:tx.ingres=1, \
setvar:tx.interbase=1, \
setvar:tx.maxdb=1, \
setvar:tx.mssql=1, \
setvar:tx.mysql=1, \
setvar:tx.oracle=1, \
setvar:tx.pgsql=1, \
setvar:tx.sqlite=1, \
setvar:tx.sybase=1, \
nolog, \
pass"
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
SecAction \
"id:'900022',\
phase:request,\
nolog,\
pass,\
t:none,\
setvar:'tx.high_risk_country_codes=UA RU CN MD BY KZ KR TR ID YU LT EG RO BG PK MY'"
SecHttpBlKey xxxxxxxxxx
SecAction "id:'900025', \
phase:1, \
nolog,\
pass,\
t:none,\
setvar:tx.block_search_ip=1, \
setvar:tx.block_suspicious_ip=1, \
setvar:tx.block_harvester_ip=1, \
setvar:tx.block_spammer_ip=1"
SecAction \
"id:'900006',\
phase:request,\
nolog,\
pass,\
t:none,\
setvar:tx.max_num_args=255"
SecAction \
"id:'900012',\
phase:request,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.static_resources=jpg|jpeg|png|gif|js|css|ico|tiff|ods|fods|odt|fodt|odp|fodp|odg|docx|xlsx|rtf|csv|ppt|pptx|pps|ppsx|ogg|ogm|mp4|flac|ape|wav|mkv|mpg|mpeg|avi|flv|swf|wma', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
"id:'900018', \
phase:1, \
t:none,t:sha1,t:hexEncode, \
setvar:tx.ua_hash=%{matched_var}, \
nolog, \
pass"
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
"id:'900019', \
phase:1, \
t:none, \
capture, \
setvar:tx.real_ip=%{tx.1}, \
nolog, \
pass"
SecRule &TX:REAL_IP "!@eq 0" \
"id:'900020', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
nolog, \
pass"
SecRule &TX:REAL_IP "@eq 0" \
"id:'900021', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
setvar:tx.real_ip=%{remote_addr}, \
nolog, \
pass"
SecCollectionTimeout 600
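The two things asked about in this thread, whether the engine and default action are actually set to block and whether the CRS initialisation SecActions run in phase 1 rather than phase:request (which ModSecurity 2.x treats as phase 2, so the anomaly-score variables are still unset when phase 1 rules evaluate them), can be checked mechanically. The script below is an added example written for this page, not code from the CRS project or from anyone in the thread. The embedded config is a constructed, abridged sample in the same shape as the setup.conf posted above, and the lint heuristics (regexes, the list of disruptive actions) are this example's own assumptions rather than an official ModSecurity parser.

```python
import re

# Constructed sample, abridged from the pattern of setup.conf posted in the thread:
# one initialisation SecAction is still in phase:request, the others are in phase:1.
SAMPLE_SETUP_CONF = r'''
SecRuleEngine On
SecDefaultAction "phase:1,status:412,deny,log"
SecDefaultAction "phase:2,status:412,deny,log"
SecAction \
    "id:'900001',\
    phase:request,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.critical_anomaly_score=5,\
    setvar:tx.inbound_anomaly_score_threshold=5"
SecAction \
    "id:'900023',\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.paranoia_level=4"
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
    "id:'900018', \
    phase:1, \
    t:none,t:sha1,t:hexEncode, \
    setvar:tx.ua_hash=%{matched_var}, \
    nolog, \
    pass"
'''

# Heuristic patterns (assumptions of this example, not an official grammar).
ID_RE = re.compile(r"id:'?(\d+)'?")
PHASE_RE = re.compile(r"phase:(\w+)")
SETVAR_RE = re.compile(r"setvar:'?(tx\.[a-z0-9_]+)=", re.I)
DISRUPTIVE = ("deny", "block", "drop", "redirect")


def join_continuations(text):
    """Merge backslash-continued lines so every directive becomes one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]      # keep the space that precedes the backslash
            continue
        buf += stripped
        if buf:
            lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_directives(text):
    """Yield (directive name, argument string) pairs, skipping comments."""
    out = []
    for line in join_continuations(text):
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        out.append((name, rest.strip()))
    return out


def engine_checks(text):
    """The prerequisites from the first reply: engine On and a disruptive default action."""
    engine_on = False
    disruptive_default = False
    for name, rest in parse_directives(text):
        if name == "SecRuleEngine":
            engine_on = rest.strip('"').lower() == "on"
        elif name == "SecDefaultAction":
            actions = rest.strip('"').lower().split(",")
            if any(a.strip() in DISRUPTIVE for a in actions):
                disruptive_default = True
    return engine_on, disruptive_default


def late_setvar_rules(text):
    """Rules that set tx.* variables in any phase other than 1.

    Returns a list of (rule id, phase as written, [tx variables]). A rule with no
    explicit phase is reported as 'default' because it inherits SecDefaultAction's phase.
    """
    findings = []
    for name, rest in parse_directives(text):
        if name not in ("SecAction", "SecRule"):
            continue
        m_id = ID_RE.search(rest)
        vars_set = SETVAR_RE.findall(rest)
        if not (m_id and vars_set):
            continue
        m_phase = PHASE_RE.search(rest)
        phase = m_phase.group(1) if m_phase else "default"
        if phase not in ("1", "request_headers"):
            findings.append((m_id.group(1), phase, vars_set))
    return findings


def apply_phase_fix(text):
    """The fix suggested in the thread: rewrite phase:request as phase:1."""
    return re.sub(r"phase:request\b", "phase:1", text)


if __name__ == "__main__":
    on, disruptive = engine_checks(SAMPLE_SETUP_CONF)
    print(f"SecRuleEngine On: {on}; disruptive SecDefaultAction: {disruptive}")
    for rule_id, phase, names in late_setvar_rules(SAMPLE_SETUP_CONF):
        print(f"rule {rule_id} sets {', '.join(names)} in phase:{phase}; move it to phase:1")
    print("after fix:", late_setvar_rules(apply_phase_fix(SAMPLE_SETUP_CONF)))
```

Run it against a real setup.conf by replacing SAMPLE_SETUP_CONF with the file's contents; any rule it lists is one whose tx variables are initialised after phase 1 rules that depend on them have already run, which matches the "warnings but no block" symptom described in the issue.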
The changes I've made for #373 seem to have also been the solution for the problem reported here. I can see blocked requests from modsec rules and not only from my custom rules.
Thanks to both of you for having taken the time to help me.
@quenenni I'm glad we got it in the end :)
Server: Debian Wheezy, PHP Version 5.4.45-0+deb7u3, Apache-npm-itk v2.2.22, libapache2-mod-security2 v2.8.0-2~bpo70+1, Modsec CRS v3.0.0-rc1
It's very strange. Modsec seems to work fine. I have plenty of warnings on attacks in my logs, but even if the rule triggered has 'block' as a param, the request isn't blocked, only warnings. The custom rules I created block the requests when asked.
I.e.: +- 25 requests like this one [data "Matched Data: /etc/passwd found within ARGS:id: cat /etc/passwd"] triggered rule id:930120, a rule that should block the request, but no, just a warning.
My paranoia level is at 4 (setvar:tx.paranoia_level=4).
What did I miss? Is there another option to set? How can I have modsec block the requests it should block?
I attached the log of a request to the ticket: event_29140.txt