
Re: mod sec 2 only able to turn off rules for a location in vhost conf and : msg#00148

apache.mod-security.user

Subject: Re: mod sec 2 only able to turn off rules for a location in vhost conf and audit log

No, that's incorrect. Even adding phase:2, a location cannot turn off filtering. Removing IDs should be easy now I've written them all down. I've also integrated the gotroot set of rules for modsec2, after shaving a stack of rules I don't need as we don't run most of the exploited apps.

There are probably some duplicate rules and ID clashes I'll have to go through; it's a huge task :\

Mod Security 2 Default Rules - /default/

marketing.conf

10005 - Marketing Default Action
10006 - Google robot activity
10007 - Yahoo robot activity
10008 - MSN robot activity


http_policy.conf

60031 - HTTP Policy Default Action
60032 - Allow only POST,GET,HEAD Requests
60033 - Block CONNECT / TRACE Requests
60010 - Restrict Content Types For Posts
60034 - Restrict HTTP Protocol Versions
60035 - File extension request restrictions
60036 - Allow Only Certain Extensions

generic_attacks.conf

50002 - Generic Attacks Default Action
50009 - Session Fixation Cookie Mangling ?
50007 - Blind SQL Injection Attack
50903 - Blind SQL Injection Attack
50904 - Blind SQL Injection Attack
50001 - SQL Injection Attack
50905 - SQL Injection Attack
50906 - SQL Injection Attack
50004 - Cross-site Scripting (XSS) Attack
50005 - Remote File Access Attempt
50002 - System Command Access
50006 - System Command Injection
50008 - Injection of Undocumented ColdFusion Tags
50010 - LDAP Injection Attack
50011 - SSI injection Attack
50013 - PHP Injection Attack

bad_robots.conf

90900 - Bad Robots Default Action
90002 - Block Known Bot Scanners
90901 - Block Known Bot Scanners
90902 - Block Known Bot Scanners
90012 - Rogue Site Crawlers
90011 - Automated Site Crawler

outbound.conf

70001 - Outbound Filter Default Action
70002 - Statistic Software Information Leak
70003 - SQL Information Leakage
70004 - IIS Information Leakage
70007 - Zope Information Leakage
70008 - Cold Fusion Information Leakage
70009 - PHP Information Leakage
70010 - ISA server existence revealed
70012 - Microsoft Word document properties leakage
70013 - Directory Listings Turned OFF !!
70011 - File or Directory Names Leakage
70014 - ASP/JSP source code leakage
70903 - ASP/JSP source code leakage
70015 - PHP source code leakage
70016 - Cold Fusion source code leakage
70901 - IIS Application Not Available
70118 - IIS Application Not Available

protocol_violations.conf

60007 - Protocol Violations Default Action
60008 - Request Missing a Host Header
60009 - Request Missing a User Agent Header
60015 - Request Missing an Accept Header
60016 - Non Numeric Content-Length Header
60017 - Host header is a numeric IP address
60011 - Block GET or HEAD requests with bodies
60012 - POST request must have a Content-Length header
60013 - ModSecurity does not support transfer encodings
50107 - URL Encoding Abuse Attack
50801 - UTF8 Encoding Abuse Attack
60014 - Proxy access attempt
60015 - Request Missing an Accept Header Byte Range
60901 - Localized Byte Range Check

trojans.conf

50920 - Trojans Default Action
50111 - Possible malicious file upload
50921 - Possible malicious file upload
50922 - Possible malicious file upload


Got root rule ids

Got Root Mod Security 2 Rules - /gotroot/

apache2-rules.conf

400050 - Apache 2 Rules Default Action

jitp.conf

300051 - Just In Time Patches Default Action
390000 - Awstats.pl probe
390080 - Tests For Valid X-Forwarded Header


jitp2.conf

300051 - Just In Time Patches Default Action
390000 - Awstats.pl probe
390070 - Generic phpbb_root_path exploit
390075 - Generic mosConfig_absolute_path File Inclusion Vulnerability
390076 - Generic mosConfig_absolute_path File Inclusion Vulnerability
390083 - tikiwiki XSS Vulnerability
390082 - tikiwiki Remote File Inclusion Vulnerability
390039 - vwar_root remote/local file inclusion
390001 - aWebBB XSS attack on post.php
390002 - aWebBB XSS attack on editac.php
390003 - aWebBB XSS attack on register.php
390004 - aWebBB XSS attack / aWebBB SQL attack
390005 - aWebBB SQL attack
390006 - phpBB cur_password XSS attack
390007 - PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
390008 - Claroline <= 1.7.4 scormExport.inc.php remote command vuln
390009 - Claroline <= 1.7.4 scormExport.inc.php remote command vuln
390010 - Claroline <= 1.7.4 XSS attack
390011 - aWebNews XSS attack
390012 - aWebBBNewsSQL attack
390013 - aWebBBNewsSQL attack
390014 - aWebAPP XSS attack
390015 - qliteNEws SQL injection attack
390016 - RedCMS SQL Injection
390017 - RedCMS SQL Injection
390018 - RedCMS XSS attack
390019 - Oxygen SQL Injection
390020 - Mantis XSS attack
390021 - Oxygen SQL Injection
390022 - Mantis XSS attack
390023 - PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
390024 - Sourceworkshop newsletter SQL Injection Vulnerability
390025 - X-Changer SQL Injection Vulnerability
390025 - X-Changer SQL Injection Vulnerability
390026 - X-Changer XSS Vulnerability
390027 - Null news Multiple SQL Injection Vulnerabilities
390028 - Null news Multiple SQL Injection Vulnerabilities
390029 - Null news Multiple SQL Injection Vulnerabilities
390030 - PHPLiveHelper 1.8 remote command execution Xploit
390031 - Pixel Motion Blog SQL Injection Vulnerabilities
390032 - Pixel Motion Blog SQL Injection Vulnerabilities
390033 - Nuked-Klan SQL Injection Vulnerability
390035 - TFT Gallery passwd Exposure of User Credentials
390036 - Nuked-Klan SQL Injection Vulnerability
390037 - WEBalbum Local File Inclusion Vulnerability
390038 - G-Book g_message Script Insertion Vulnerability
390039 - PHPMyChat exploit
390040 - Horde Help Module Remote Execution
390041 - Internet PhotoShow Remote File Inclusion Exploit
390042 - Censtore.cgi exploit
390043 - quizz.pl exploit
390044 - phpinfo.cgi command execution
390045 - phpRaid phpbb_root_path File Inclusion Vulnerability
390046 - openEngine template Parameter Local File Inclusion Vulnerability
390047 - ISPConfig go_info[server][classes_root] File Inclusion
390048 - ManageEngine OpManager searchTerm Cross-Site Scripting
390049 - AliPAGER ubild Cross-Site Scripting and SQL Injection
390050 - MxBB Portal pafileDB Module module_root_path File Inclusion
390051 - Jadu CMS register.php Cross-Site Scripting Vulnerabilities
390052 - OpenFAQ q Parameter Script Insertion Vulnerability
390053 - phpBB foing Module phpbb_root_path File Inclusion
390054 - Sugar Suite sugarEntry Parameter Security Bypass
390055 - Sugar Suite sugarEntry Parameter Security Bypass
390056 - Sugar Suite sugarEntry Parameter Security Bypass
390057 - Sugar Suite exploit
390058 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390059 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390060 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390061 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390062 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390063 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390095 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390064 - Wordpress shell injection Vulnerability
390065 - Nucleus arbitrary remote inclusion exploit
390066 - Horde passthru exploit
390067 - CMS-Bandits spaw_root File Inclusion Vulnerability
390068 - phpBB Blend Portal System Module phpbb_root_path File Inclusion
390069 - Admanager Pro exploit
390071 - Bible Portal Project destination File Inclusion Vulnerability
390072 - Flipper Poll root_path File Inclusion Vulnerability
390073 - PictureDis Products lang Parameter File Inclusion Vulnerability
390074 - Joomla/Mambo Weblinks blind SQL injection
390076 - Generic m2f_root_path File Inclusion Vulnerability
390077 - Generic PHP download incddir File Inclusion Vulnerability
390078 - SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability
390079 - PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability
390080 - Tests For Valid X-Forwarded Header


recons.conf

350001 - Recons Default Action
350000 - Gravity Board Google Recon attempt
350001 - SilverNews Google Recon attempt
350002 - PHPBB 2.0 Google Recon attempt
350003 - PHPFreeNews Google Recon attempt
350004 - /cgi-bin/guery Google Recon attempt
350005 - tiki-edit Google Recon attempt
350006 - wps_shop.cgi Google Recon attempt
350007 - edit_blog.php Google Recon attempt
350008 - passwd.txt Google Recon attempt
350008 - admin.mdb Google Recon attempt

rootkits.conf

390143 - Root Kits Default Action
390144 - Generic Attempt to install rootkit in Horde
390145 - Generic Attempt to install rootkit

rules.conf

340001 - Got Root Rules Default Action
340000 - Enforce proper HTTP requests
340002 - Generic rule for allowed characters
340004 - Dis-allowed Transfer Encoding
340007 - deny TRACE method
300002 - XSS insertion into headers
300003 - Don't accept chunked encodings
330003 - Code injection via content length
300004 - generic recursion signatures
300005 - generic recursion signatures
300006 - generic bogus path sigs
330001 - Generic PHP exploit signatures
330002 - Generic PHP exploit signatures
300008 - Generic PHP exploit pattern
300010 - generic XSS PHP attack types
300011 - Prevent SQL injection in cookies
300012 - Prevent SQL injection in UA
300013 - Generic filter to prevent SQL injection attacks
300014 - Generic SQL sigs
300015 - Generic SQL sigs
300016 - Generic SQL sigs
380015 - Meta character SQL injection
300017 - Generic command line attack filter
300018 - Generic PHP code injection protection via ARGS
300040 - Generic PHP code injection protection in URI

useragents.conf

380001 - User Agents Default Action
380000 - Addresses With No HTTP_Accept
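
As an added example (not code from this post or from the gotroot/ModSecurity projects), a small Python script that pulls the `id:` action out of SecRule/SecAction directives and reports any ID declared more than once, within one file or across files, which is the clash check the list above calls for before handing IDs to SecRuleRemoveById. The rule text it runs on is constructed here; only the ID numbers are taken from the list.

```python
import re
from collections import defaultdict

# Added example, not from the post or the gotroot rule set.
# The id action inside an action list, quoted or not: id:60017 or id:'60017'.
ID_RE = re.compile(r"(?<![A-Za-z_])id:'?(\d+)'?")  # lookbehind rejects e.g. setuid:

def join_continuations(text):
    """Fold backslash-continued lines into one logical directive per line."""
    return re.sub(r"\\\n\s*", " ", text)

def rule_ids(conf_text):
    """IDs declared by SecRule/SecAction, in file order; comments and other
    directives (SecRuleRemoveById, SecDefaultAction) are skipped."""
    ids = []
    for line in join_continuations(conf_text).splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0] not in ("SecRule", "SecAction"):
            continue
        m = ID_RE.search(parts[1]) if len(parts) > 1 else None
        if m:
            ids.append(int(m.group(1)))
    return ids

def find_id_clashes(files):
    """files: {filename: conf_text}. Return {id: [filename per declaration]}
    for every ID declared more than once, within one file or across files."""
    seen = defaultdict(list)
    for name, text in files.items():
        for rid in rule_ids(text):
            seen[rid].append(name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}

# Constructed sample configs (not the real rule files); the IDs reuse numbers
# from the list in the post, where 60015 and 390080 each appear twice.
SAMPLE_FILES = {
    "protocol_violations.conf": (
        'SecRule REQUEST_HEADERS:Host "^[0-9.]+$" \\\n'
        '    "phase:1,deny,log,id:60017,msg:\'Host header is a numeric IP address\'"\n'
        'SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:2,deny,id:60015,msg:\'Missing Accept\'"\n'
        'SecRule REQUEST_HEADERS:Range "^bytes=0-" "phase:2,deny,id:60015,msg:\'Byte Range\'"\n'
        'SecRuleRemoveById 60017\n'
    ),
    "jitp.conf": 'SecRule REQUEST_HEADERS:X-Forwarded-For "!^[0-9.]+$" "phase:2,deny,id:390080"\n',
    "jitp2.conf": 'SecRule REQUEST_HEADERS:X-Forwarded-For "!^[0-9.]+$" "phase:2,deny,id:390080"\n',
}

if __name__ == "__main__":
    for rid, names in sorted(find_id_clashes(SAMPLE_FILES).items()):
        print(f"id {rid} declared {len(names)} times: {', '.join(names)}")
```

Point it at the real directory by reading each .conf into the dict; a clash across two files (as with the jitp.conf/jitp2.conf pair) means one SecRuleRemoveById line silently affects both rules.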



Ofer Shezaf wrote:

Another note: I still did not read in detail the e-mails you sent yesterday (I will get to that), but vhost is the only location selection directive that works in phase 1, so it still seems like an issue with phases.

~ Ofer


From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dan Rossi
Sent: Tuesday, November 28, 2006 6:35 AM
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [mod-security-users] mod sec 2 only able to turn off rules for a location in vhost conf and audit log

Ok, it seems the only rule that works for a location in vhost configs is to turn off rules by ID. This is going to take a lot of messing around with, as there are obviously hundreds of rules and IDs.

I am still noticing 404s being logged into the audit log, which has nothing to do with trapping URLs. I was trying to trap one of the rules but got a 404 instead; it doesn't seem like it's running.

--0efc837a-A--
[28/Nov/2006:15:26:05 +1100] DHk6Q8CoAGcAAQ9PBRwAAAAA
--0efc837a-B--
GET /directory.php HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3
Host:

X-Forwarded-For:
Cache-Control: max-age=259200
Connection: keep-alive

--0efc837a-F--
HTTP/1.1 404 Not Found
Content-Length: 298
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--0efc837a-H--
Apache-Error: [file "/usr/home/danielr/php-4.4.4/sapi/apache2handler/sapi_apache2.c"] [line 282] [level 3] script '/www/directory.php' not found or unable to stat
Stopwatch:(579 21364 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.4 DAV/2 hiperf_auth_mysql_module/1.0.3

--0efc837a-Z--


