开发者

mod_sec trigger on CSR rule _23

开发者 https://www.devze.com 2023-01-07 22:55 出处:网络
I\'m using mod_security with the latest core rules. It triggers on all my pages whenever I use a querystring.. ie.

I'm using mod_security with the latest core rules.

It triggers on all my pages whenever I use a querystring.. ie.

www.mypage.com/index.php?querystring=1

I get a warning that it exceeds maximum allowed number of arguements, however the base config defines max_numb_args to = 255 which of course it doesn't exceed.

Any ideas why?

Base conf:

SecRuleEngine On

SecAuditEngine RelevantOnly

SecAuditLog /var/log/apache2/modsec_audit.log

SecDebugLog /var/log/apache2/modsec_debug_log

SecDebugLogLevel 3

SecDefaultAction "phase:2,pass,log,status:500"

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow

SecRequestBodyAccess On

SecResponseBodyAccess On

SecResponseBodyMimeType (null) text/html text/plain text/xml

SecResponseBodyLimit 2621440

SecServerSignature Apache

SecUploadDir /tmp

SecUploadKeepFiles Off

SecAuditLogParts ABIFHZ

SecArgumentSeparator "&"

SecCookieFormat 0

SecRequestBodyInMemoryLimit 131072

SecDataDir /tmp

SecTmpDir /tmp

SecAuditLogStorageDir /var/log/apache2/audit

SecResponseBodyLimitAction ProcessPartial

SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"

Rule that triggers:

# Maximum number of arguments in request limited  
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Maximum number of arguments in request reached',id:'960335',severity:'4',rev:'2.0.7'"
    SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

And the log ouput:

--ad5dc005-C-- queryString=2 --ad5dc005-F-- HTTP/1.1 200 OK

X-Powered-By: PHP/5.3

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

开发者_如何学运维Set-Cookie: SESSION=ak19oq36gpi94rco2qbi6j2k20; path=/

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1272

Keep-Alive: timeout=15, max=99

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

--ad5dc005-H--

Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf/modsecurity_crs/base_rules/modsecurity_crs_23_request_limits.conf"] [line "30"] [id "960335"] [rev "2.0.7"] [msg "Maximum number of arguments in request reached"] [severity "WARNING"]

Message: Operator GE matched 0 at TX:anomaly_score. [file "/etc/apache2/conf/modsecurity_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Maximum number of arguments in request reached"]

Message: Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file "/etc/apache2/conf/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Maximum number of arguments in request reached"]

Apache-Handler: application/x-httpd-php

Stopwatch: 1279667800315092 76979 (1546* 7522 72931)

Producer: ModSeurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.7. Server: Apache


I was using the lib from Ubuntu.. which had the .11 version. I uninstalled it, compiled from source .12 version and now it's alive, kicking and screaming!

Latest CSR rules needs the .12 version. Cheers.

0

精彩评论

暂无评论...
验证码 换一张
取 消