Re: REQUEST_COOKIES_NAMES (msg #00128, apache.mod-security.user)
Thanks, Ryan. I included the #950004 reference so you would know what rule I was customizing. My file is actually named modsecurity_crs_41_xss. Changing the ID is a good suggestion for the custom rules (will do); so is having 'custom' in the name (or we considered a different directory). !REQUEST_HEADERS:Cookie works, but I didn't want to exclude all cookies. Unfortunately we have a cookie whose name ends with '.cookie'; it is triggering a false positive. I had hoped I could use REQUEST_COOKIES_NAMES to exclude just cookies whose names end with .cookie. How would you use REQUEST_COOKIES_NAMES?

----- Original Message ----
From: Ryan Barnett <Ryan.Barnett@xxxxxxxxxx>
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Friday, January 26, 2007 10:26:39 AM
Subject: Re: [mod-security-users] REQUEST_COOKIES_NAMES

Nicholas,

Core Rule ID # 950004 searches the REQUEST_HEADERS variable, which includes all request headers including Cookies. If you wanted to make an exclusion to not inspect Cookies at all for this XSS rule, then add the following to the rule variable line - !REQUEST_HEADERS:Cookie. While this would work, I would recommend that you try not to alter the Core Rules themselves but rather contain your custom/local updates to a separate config file. The best solution is to create a custom rules file called "modsecurity_crs_15_customrules.conf" and place it in the same directory as the other Core rules. The name of this file is important as you want it to be read just after the modsecurity_crs_10_config.conf file. Having your custom rules read next allows you to override other Core Rules sigs that are causing false positives in your environment. Here is an ls listing of the Core Rules directory -

```
# ls
CHANGELOG
LICENSE
modsecurity-core-rules_2.0-1.2.tar
README
modsecurity_crs_10_config.conf
modsecurity_crs_15_customrules.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_55_marketing.conf
```

Next, let's look at the custom rules file -
```
# cat modsecurity_crs_15_customrules.conf
# XSS
# Same targets as Core Rule 950004, minus the raw Cookie header.
# Phase, transformations and the disruptive action are inherited from
# SecDefaultAction in modsecurity_crs_10_config.conf.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:|@import)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b)" \
    "log,id:1,severity:2,msg:'Cross-site Scripting (XSS) Attack'"

# Retire the stock rule.  The <LocationMatch /> wrapper is what lets this
# work from a file that is read before modsecurity_crs_40_generic_attacks.conf:
# the removal is applied when the per-location config is merged with the
# server config, by which time 950004 has been defined.
<LocationMatch />
SecRuleRemoveByID 950004
</LocationMatch>
```
We are doing 2 things here -

With this type of methodology, you can create custom exclusions that get executed prior to the Core Rules and it allows for easy updating of the Core Rules themselves. What we don't want to have happen is that people have altered the Core Rules files themselves so much for their environment that they do not want to upgrade in the future because they would have to re-implement all of their custom configs. With this scenario, you can download new Core Rules versions as they are released and then just copy over your modsecurity_crs_customrules.conf file and you are ready to go :)

Ryan C. Barnett

From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Nicholas Vulgrinski

Can I use REQUEST_COOKIES_NAMES to exclude cookie names from being included in an XSS rule match (950004)? Adding !REQUEST_COOKIES_NAMES does not seem to work.
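One way to get the narrower exclusion Nicholas asks for, as an added example that is not part of the thread and is neither Ryan's nor the Core Rules' own code: the stock 950004 rule never lists REQUEST_COOKIES_NAMES among its targets, so `!REQUEST_COOKIES_NAMES` has nothing to subtract from; the Cookie header reaches the regex only through REQUEST_HEADERS, as one raw string, and an exclusion can only remove members of a collection the rule actually inspects. The custom file below keeps Ryan's structure (a custom copy of the rule in modsecurity_crs_15_customrules.conf, the stock rule retired inside `<LocationMatch />`) but drops the raw Cookie header and instead inspects the parsed REQUEST_COOKIES and REQUEST_COOKIES_NAMES collections, where a regex selector can exclude every cookie whose name ends in `.cookie` while all other cookies stay covered. It assumes a ModSecurity 2.x build that accepts regex collection selectors (`COLLECTION:/regex/`), also in negated form; the rule ID 900001 is an arbitrary placeholder, and the XSS pattern is the one quoted in the thread.

```apache
# modsecurity_crs_15_customrules.conf  (added example, not from the thread)
#
# Custom XSS rule replacing Core Rule 950004.
#
# Targets, compared with the stock rule:
#   - REQUEST_HEADERS minus the raw Cookie header (!REQUEST_HEADERS:Cookie),
#     so the whole cookie string is no longer matched as one blob;
#   - REQUEST_COOKIES (values) and REQUEST_COOKIES_NAMES (names) instead,
#     each with a regex exclusion that skips any cookie whose name ends in
#     ".cookie" (the name that triggered the false positive, because the
#     pattern's "\.(?:...|cooki)e" alternative matches ".cookie").
#
# Assumption: this ModSecurity 2.x build supports COLLECTION:/regex/ selectors,
# including negated ones (!COLLECTION:/regex/).
# Phase, transformations and the disruptive action are inherited from
# SecDefaultAction in modsecurity_crs_10_config.conf, exactly as in the
# thread's rule.  id:900001 is a placeholder; pick an ID outside the Core
# Rules' range in your own deployment.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|!REQUEST_COOKIES:/\.cookie$/|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/\.cookie$/ "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:|@import)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b)" \
    "log,id:900001,severity:2,msg:'Cross-site Scripting (XSS) Attack (custom copy of 950004, cookie-aware)'"

# Retire the stock rule.  Kept inside <LocationMatch /> as in the thread: the
# removal takes effect when the location config is merged with the server
# config, after modsecurity_crs_40_generic_attacks.conf has defined 950004.
<LocationMatch />
    SecRuleRemoveById 950004
</LocationMatch>
```

The trade-off to be aware of: a cookie whose name ends in `.cookie` is now not inspected at all by this rule, value included, so the exclusion should be kept as narrow as the application allows (anchoring on the exact cookie name rather than the suffix, if there is only one). Because the Core Rules files themselves are untouched, a new Core Rules release can be dropped in and only this one custom file needs to be carried over, which is the point of Ryan's layout.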
_______________________________________________
mod-security-users mailing list
mod-security-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/mod-security-users