Atomic Secure Linux
Post subject: Rules missing IDs
Posted: Fri Aug 20, 2010 11:27 am
New Forum User
Joined: Fri Aug 20, 2010 11:13 am
Posts: 3
It appears that several rules in the 99_asl_jitp.conf file are missing unique ID numbers. We are testing the real-time rules in a shared hosting environment, and it's very important that we are able to disable specific rules when they cause trouble for an individual's site. Here is an example of a rule that's causing a problem that we can't disable:

=====
# Rule 310019: PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
SecRule REQUEST_URI "/admin/" chain
SecRule ARGS:username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from|or user_id=2)" "t:replaceComments"
=====
[Fri Aug 20 09:39:05 2010] [error] [client [REDACTED]] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\\*| |\\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\\*| |\\,]|\\'|union.*select.*from|or user_id=2)" at ARGS:username. [file "/var/asl/rules/99_asl_jitp.conf"] [line "6203"] [hostname "[REDACTED]"] [uri "/admin/admin_users.php"] [unique_id "TG6TiUo1A8sAAH@GW0cAAADX"]
=====
--0ba83576-A--
[20/Aug/2010:09:39:05 --0500] TG6TiUo1A8sAAH@GW0cAAADX [REDACTED] 49892 [REDACTED] 80
--0ba83576-B--
POST /admin/admin_users.php?sid=[REDACTED] HTTP/1.1
Host: [REDACTED]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr-ca,fr;q=0.8,fr-fr;q=0.7,en-ca;q=0.5,en-us;q=0.3,en;q=0.2
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://[REDACTED]/admin/admin_users.php?sid=[REDACTED]
Cookie: PHPSESSID=[REDACTED];
[REDACTED]
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

--0ba83576-C--
username=Dreamz%27&mode=edit&submituser=Rechercher+l%27utilisateur
--0ba83576-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.2.14
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--0ba83576-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from|or user_id=2)" at ARGS:username. [file "/var/asl/rules/99_asl_jitp.conf"] [line "6203"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php5
Stopwatch: 1282315145549225 78527 (1540* 6750 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); 201001051959.
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a

--0ba83576-Z--
=====

While the comment claims the ID is "310019", disabling that rule does nothing. Any information is appreciated.


Post subject: Re: Rules missing IDs
Posted: Fri Aug 20, 2010 6:01 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
You appear to be running rules from January; just upgrade to the latest real-time rule release.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Rules missing IDs
Posted: Fri Aug 20, 2010 6:42 pm
New Forum User
Joined: Fri Aug 20, 2010 11:13 am
Posts: 3
The rules were last updated yesterday. I just updated to the ones from today, and it appears that while the particular one I was quoting is fixed, there are still many without IDs. Just as an example, these are all from the same 99_asl_jitp.conf file:

===========================
# Rule 310019: Orca Blog SQL inj. vuln.
SecRule REQUEST_URI "/blog\?msg=(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:replaceComments"

# Rule 310019: wormsign
SecRule REQUEST_URI "hacked.*by.*member.*of.*scc"

# Rule 310019: phpMyAdmin Cross-Site Scripting Vulnerabilities
SecRule REQUEST_HEADERS:Host "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

# Rule 310019: Nortel SSL VPN Web Interface XSS
SecRule REQUEST_URI "/tunnelform\.yaws" chain
SecRule ARGS:a "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

# Rule 310019: SyntaxCMS XSS vuln.
SecRule REQUEST_URI "/search/\?search_query=*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
===========================


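A small checker for the problem the first and third posts describe: a rule whose "# Rule NNN:" comment names an id but which carries no id: action, so SecRuleRemoveById has nothing to match, plus ids reused by more than one rule. This is an added example, not code from the thread or from Atomicorp; the sample rules file is constructed from the excerpts quoted above, and it assumes one directive per line (backslash continuations are not joined).

```python
import re
from collections import Counter, namedtuple

# Constructed sample modelled on the 99_asl_jitp.conf excerpts quoted in this thread.
SAMPLE_CONF = r'''
# Rule 310019: PhpX <= 3.5.9 SQL Injection (comment names an id, the rule carries none)
SecRule REQUEST_URI "/admin/" chain
SecRule ARGS:username "(?:union.*select.*from|or user_id=2)" "t:replaceComments"
# Rule 310020: chain starter that does carry its id
SecRule REQUEST_URI "/tunnelform\.yaws" "id:310020,chain,deny,status:403"
SecRule ARGS:a "onmouseover=\'javascript" "t:lowercase"
# Rule 310021: reuses an id that is already taken
SecRule REQUEST_HEADERS:Host "javascript\:" "id:310020,deny"
'''

TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # double-quoted token (with \" escapes) or bare word
COMMENT_ID_RE = re.compile(r'^#\s*Rule\s+(\d+)')      # the "# Rule NNN:" comment convention
ID_ACTION_RE = re.compile(r"^id:'?(\d+)'?$")         # id:NNN or id:'NNN' action
Finding = namedtuple('Finding', 'line claimed_id actual_id problem')

def audit_rules(text):
    """Return chain-starting SecRules that lack an id: action or reuse one (one directive per line)."""
    findings, seen, claimed, in_chain = [], Counter(), None, False
    for n, line in enumerate(text.splitlines(), 1):
        m = COMMENT_ID_RE.match(line)
        if m:
            claimed = m.group(1)        # id the comment claims for the rule that follows
            continue
        toks = [t.group(1) if t.group(1) is not None else t.group(2) for t in TOKEN_RE.finditer(line)]
        if not toks or toks[0] != 'SecRule':
            continue
        # SecRule VARIABLES "OPERATOR" ["ACTIONS"]; a bare trailing word such as chain is an action too
        actions = [a.strip() for a in ','.join(toks[3:]).split(',') if a.strip()]
        starter, in_chain = not in_chain, 'chain' in actions
        if not starter:                 # continuation rule: the id lives on the chain starter
            continue
        actual = next((ID_ACTION_RE.match(a).group(1) for a in actions if ID_ACTION_RE.match(a)), None)
        if actual is None:              # SecRuleRemoveById cannot reach this rule
            findings.append(Finding(n, claimed, None, 'missing-id'))
        else:
            if seen[actual]:            # second chain starter with the same id
                findings.append(Finding(n, claimed, actual, 'duplicate-id'))
            seen[actual] += 1
        claimed = None
    return findings

if __name__ == '__main__':
    for f in audit_rules(SAMPLE_CONF):
        print(f"line {f.line}: {f.problem} (comment claims {f.claimed_id}, rule has {f.actual_id})")
```

Run it against a copy of 99_asl_jitp.conf by passing the file contents to audit_rules(); every "missing-id" finding is a rule that no SecRuleRemoveById can switch off.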
Post subject: Re: Rules missing IDs
Posted: Fri Aug 20, 2010 6:50 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
The log entry you provided shows that you are running rules from January; here's the line to look at:

Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); 201001051959.

That last bit is the date of the rule release, which is January 5th, 2010. Are you using the real time rules, or the free unsupported rules?



Post subject: Re: Rules missing IDs
Posted: Fri Aug 20, 2010 7:27 pm
New Forum User
Joined: Fri Aug 20, 2010 11:13 am
Posts: 3
That is actually present due to this line in our mod_security config:

=========================
SecComponentSignature 201001051959
=========================

The files do appear to be the most recent ones, which are obtained using the following script to download the latest from your site:

=========================
#!/bin/bash

USERNAME="[REDACTED]"
PASSWORD="[REDACTED]"

# Read the current rule version from the channel's VERSION file (URLs are truncated as posted)
version=$(curl -sku "$USERNAME:$PASSWORD" https://www.atomicorp.com/channels/rule ... on/VERSION | awk -F'=' '/MODSEC_VERSION/ { print $2 }')

# Fetch the rule tarball and unpack it into the current directory
curl -sku "$USERNAME:$PASSWORD" https://www.atomicorp.com/channels/rule ... ion.tar.gz | tar -zxf -
=========================


Post subject: Re: Rules missing IDs
Posted: Fri Aug 20, 2010 7:36 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
In that case, if you have a real-time subscription, just update to the latest rules. We put out updates all day long. Also, if you need support you will get a much faster response than by posting to the forums if you email support@atomicorp.com, or log into the support portal:

https://www.atomicorp.com/portal/

Also, it's a good idea to change this line:

Code:
SecComponentSignature 201001051959


To the current version of the rules you have installed (ASL does this automatically). That helps us to know what version you have installed when troubleshooting.


