From 75e1cd2ed5a1a0bc2c255745a06096e2ed5d4c41 Mon Sep 17 00:00:00 2001 From: Chaim Sanders Date: Tue, 19 Sep 2017 22:21:59 -0400 Subject: [PATCH 01/20] Update .travis.yml Update to support v3.1 --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 7f1627887..f4449ecb9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,3 +9,4 @@ branches: only: - v3.0/dev - v3.0/master + - v3.1/dev From 519d67d72257afb9bccdff63197d7ff9cbab91ad Mon Sep 17 00:00:00 2001 From: Chaim Sanders Date: Wed, 15 Nov 2017 10:20:13 -0500 Subject: [PATCH 02/20] updating crs site location --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1661e657e..5c123b31d 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection r ## CRS Resources -Please see the [OWASP ModSecurity Core Rule Set page](https://modsecurity.org/crs/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. +Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. ## Contributing to the CRS From 66b338a95440d5b6944bf6b9bb71ea45549b5187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= Date: Fri, 1 Dec 2017 14:37:04 -0300 Subject: [PATCH 03/20] Update date and add badges --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5c123b31d..033ccf5d8 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) +[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)[![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)[![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)[![Travis build v3.0/master](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/master&label=CRS%20v3.0/master) # OWASP ModSecurity Core Rule Set (CRS) @@ -20,7 +20,7 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg ## License -Copyright 2006-2016 Trustwave and contributors. +Copyright 2006-2017 Trustwave and contributors. The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details. From f11241cb643300f3185ee46e7d6de90ac697893e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= Date: Mon, 4 Dec 2017 17:56:48 -0300 Subject: [PATCH 04/20] Fix typo with extra bracket. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 033ccf5d8..6e7f67fc9 100644 --- a/README.md +++ b/README.md 
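Review bot: the three Travis badges added to the first README line in PATCH 03 are malformed markdown; each begins `[![Travis build v3.1/dev](https://badges.herokuapp.com/...)` with an opening `[` that is never closed by a `](target)`, so the line renders with literal brackets instead of badge images. Either drop the leading `[` on each of the three badges or close each one with a link target. Note also that the badge images are fetched from a third-party proxy (badges.herokuapp.com) rather than from Travis itself, so their availability and content are outside the project's control.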
@@ -1,4 +1,4 @@ -[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)[![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)[![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)[![Travis build v3.0/master](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/master&label=CRS%20v3.0/master) +[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)![Travis build v3.0/master](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/master&label=CRS%20v3.0/master) # OWASP ModSecurity Core Rule Set (CRS) From 6a2b20c2fab8550e93cda88dd8d5cb4955de0c04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= Date: Mon, 4 Dec 2017 18:15:36 -0300 Subject: [PATCH 05/20] Merge badges with v3.1/dev --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6e7f67fc9..7af891d54 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)![Travis build v3.0/master](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/master&label=CRS%20v3.0/master) +[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)![Travis build v3.0/master](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/master&label=CRS%20v3.0/master)[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects) # OWASP ModSecurity Core Rule Set (CRS) From 6a42d99ef114e7916944726586aade6a2c823c96 Mon Sep 17 00:00:00 2001 From: ihacku Date: Tue, 5 Dec 2017 11:06:22 +0800 Subject: [PATCH 06/20] Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf Fix typo my->may --- rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf index 24126bae3..55ca4db1b 100644 --- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf 
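Review bot: the subject line "Merge badges with v3.1/dev" in PATCH 05 does not describe the diff, which only appends the OWASP Flagship badge (`[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](...)`) to the README badge line; a subject such as "Add OWASP Flagship badge" would keep the history searchable for this change.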
@@ -481,7 +481,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ # -# Disallow use of full-width unicode as decoding evasions my be possible. +# Disallow use of full-width unicode as decoding evasions may be possible. # # -=[ Rule Logic ]=- # This rule looks for full-width encoding by looking for %u followed by 2 'f' From a216353c97dd6ef767a6db4dbf9b724627811c9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= Date: Tue, 2 Jan 2018 10:35:32 -0300 Subject: [PATCH 07/20] Updated year. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7af891d54..db1a6463d 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg ## License -Copyright 2006-2017 Trustwave and contributors. +Copyright 2006-2018 Trustwave and contributors. The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details. From 76661d5c43a31d0d4970cc225b9b64bc8c514f80 Mon Sep 17 00:00:00 2001 From: Chaim Sanders Date: Wed, 4 Jul 2018 12:19:48 +0100 Subject: [PATCH 08/20] init v3.2 commit --- crs-setup.conf.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 153d938d3..ecb767ff8 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.0.2 +# OWASP ModSecurity Core Rule Set ver.3.2.0 # Copyright (c) 2006-2017 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under From 37aca209cd7a68ccbeb43748f2c955ddc5f0c54c Mon Sep 17 00:00:00 2001 
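Review bot: the version header in crs-setup.conf.example jumps from ver.3.0.2 to ver.3.2.0 in PATCH 08 while everything else in this series targets v3.1 (.travis.yml gains v3.1/dev in PATCH 01 and the README badges in PATCH 03 are labelled CRS v3.1/dev), and the subject "init v3.2 commit" gives no reason for the skipped minor version. State which branch and release this commit is meant for, and keep the header in step with the rule files' `ver:` tags and the `tx.crs_setup_version` value, so the installed setup file and the rules cannot report different versions.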
From: spartantri Date: Wed, 25 Jul 2018 19:15:24 -0500 Subject: [PATCH 09/20] Missing java classes --- rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 6 +++--- rules/java-classes.data | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index 3a2424f31..d5a83317a 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf @@ -86,7 +86,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES # Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected # anomaly score set to critical as all conditions indicate the request try to perform RCE. SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure)" \ + "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ "id:944120,\ phase:2,\ block,\ 
@@ -235,7 +235,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain" - SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure)" \ + SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ "t:base64Decode,t:lowercase,\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ @@ -244,7 +244,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES # Renamed 944340 to 944240 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure)" \ + "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ "id:944240,\ phase:2,\ block,\ diff --git a/rules/java-classes.data b/rules/java-classes.data index eeb7cdbad..aa6bf325a 100644 --- a/rules/java-classes.data +++ b/rules/java-classes.data @@ -8,6 +8,8 @@ java.io.CharArrayReader java.io.DataInputStream java.io.File java.io.FileOutputStream +java.io.FilePermission +java.io.FileWriter java.io.FilterInputStream java.io.FilterOutputStream java.io.FilterReader @@ -36,3 +38,4 @@ java.lang.System javax.script.ScriptEngineManager org.apache.commons org.omg.CORBA +java.beans.XMLDecoder From 8945641caa0eb46d4f4590c99c2f01d6ca28ab21 Mon Sep 17 00:00:00 2001 
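Review bot: `getproperty`, added to the keyword alternation of rule 944120, the 944220 chain and rule 944240 in PATCH 09, is a very generic token; since the comparison happens after lowercase transformation (see `t:base64Decode,t:lowercase` in the 944220 chain), it will also match benign request data such as a JavaScript or configuration snippet that calls getProperty, so expect false positives unless the token is anchored to a Java context (as rule 944250 does with `java\b.+(?:runtime|processbuilder)`) or moved to a higher paranoia level. The same keyword list is now copied verbatim into three rules, so every future addition has to be made three times; putting the list in a .data file matched with `@pmf`, as rule 944130 already does with java-classes.data, would remove the duplication. Regression tests covering the three new keywords are also missing from this patch.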
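Review bot: `java.beans.XMLDecoder` is appended after `org.omg.CORBA` at the very end of java-classes.data, while the file keeps its java.* entries grouped and sorted above (the other two additions, java.io.FilePermission and java.io.FileWriter, are correctly slotted between java.io.FileOutputStream and java.io.FilterInputStream); move it next to the other java.* entries so the list stays sorted and duplicates remain easy to spot. The commit message "Missing java classes" should also mention that java.io.FilePermission is added to the data file only, with no matching keyword in the regex changes of the same patch.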
From: Manuel Spartan Date: Mon, 7 Jan 2019 14:26:21 +0000 Subject: [PATCH 10/20] Conflict resolution Replaced with origin --- .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 165 ++++++++---------- 1 file changed, 74 insertions(+), 91 deletions(-) diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index d5a83317a..05641dc77 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf 
@@ -12,19 +12,29 @@ # # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file. -SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# +# This rule is also triggered by an Apache Struts exploit: +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # -# Renamed 944200 to 944100 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx java\.lang\.(?:runtime|processbuilder)" \ "id:944100,\ phase:2,\ block,\ log,\ - auditlog,\ msg:'Remote Command Execution: Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within 
%{MATCHED_VAR_NAME}',\ t:none,t:lowercase,\ @@ -37,22 +47,25 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] # [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ] # [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains # java. unmarshaller or base64data to trigger a potential payload execution # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/ -# Renamed 944210 to 944110 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:runtime|processbuilder)" \ "id:944110,\ 
@@ -71,18 +84,15 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain" - SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ - "setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -# Renamed 944220 to 944120 -# Moved 944340 to 944220 # Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected # anomaly score set to critical as all conditions indicate the request try to perform RCE. SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ 
@@ -103,25 +113,35 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ "t:none,t:lowercase,\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -# Renamed 944230 to 944130 +# This rule is also triggered by an Apache Struts exploit: +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ] +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] +# SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@pmf java-classes.data" \ "id:944130,\ phase:2,\ block,\ log,\ - auditlog,\ msg:'Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ t:none,t:lowercase,\ 
@@ -134,19 +154,18 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # # [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ] # 
@@ -159,7 +178,6 @@ SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-RE # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ # https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet # -# Renamed 944300 to 944200 # Potential false positives with random fields, the anomaly level is set low to avoid blocking request SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx \xac\xed\x00\x05" \ @@ -178,15 +196,13 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -# Renamed 944310 to 944210 # Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \ 
@@ -205,44 +221,13 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" - -# Renamed 944320 to 944220 -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx [a-zA-Z0-9\-_]{45}(?:[a-zA-Z0-9\-_]{3})*(?:[a-zA-Z0-9\-_]{1}==|[a-zA-Z0-9\-_]{2}=)?" \ - "id:944220,\ - phase:2,\ - block,\ - log,\ - msg:'Probable vulnerable java class in use',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - rev:'1',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ - "t:base64Decode,t:lowercase,\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -# Renamed 944340 to 944240 SecRule 
ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ "id:944240,\ @@ -261,15 +246,16 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -# Renamed 944350 to 944250 +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx java\b.+(?:runtime|processbuilder)" \ "id:944250,\ 
@@ -288,22 +274,20 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # -# Renamed 944400 to 944300 # Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded # Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure'] #for item in keywords: 
@@ -329,19 +313,18 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - rev:'1',\ ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ - setvar:tx.rce_score=+%{tx.critical_anomaly_score},\ - setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" -SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # From 072d6dae13b7f04d19f2aad524098731ad9163cd Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Mon, 7 Jan 2019 14:27:48 +0000 Subject: [PATCH 11/20] Conflict resolution Replaced with Origin --- crs-setup.conf.example | 72 +++++++++++++++++++++++++++++++++++------- 1 file changed, 61 insertions(+), 11 deletions(-) diff --git a/crs-setup.conf.example b/crs-setup.conf.example index ecb767ff8..60ad9b47f 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example 
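Review bot: the exploit attribution comments in the first two hunks of REQUEST-944-APPLICATION-ATTACK-JAVA.conf now overlap: the block above rule 944100 lists CVE-2017-5638, CVE-2017-9791, CVE-2017-9805 and CVE-2017-10271, and the block inserted after that rule (above 944110) repeats CVE-2017-5638, CVE-2017-9791 and CVE-2017-9805 under "This rule is also triggered by the following exploit(s):" while keeping the older context line "[ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]", so CVE-2017-9805 appears twice in one block. Keep a single list per rule and drop the duplicated line; the "Renamed 944200 to 944100" style history comments removed throughout the file are fine to lose, but that removal belongs in the commit message rather than being hidden under "Conflict resolution".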
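Review bot: the hunk starting at `@@ -205,44 +221,13 @@` deletes rule 944220 outright (the `@rx [a-zA-Z0-9\-_]{45}(?:[a-zA-Z0-9\-_]{3})*...` base64 blob match chained to a `t:base64Decode` keyword check), which was the only rule in this file that decoded base64 before looking for the class names, and it also discards the getproperty|filewriter|xmldecoder additions PATCH 09 made to that chain. The commit message "Conflict resolution / Replaced with origin" does not say whether the missing rule is the upstream state or a side effect of taking one side of the conflict wholesale; if the removal is intended, say so and record that id 944220 is now unused, otherwise restore the rule with the per-level `tx.anomaly_score_pl2` scoring its neighbours use.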
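Review bot: every scoring action in this file moves from `tx.anomaly_score` to `tx.anomaly_score_pl1` through `tx.anomaly_score_pl3`, and the gating rules 944011 to 944018 switch from TX:PARANOIA_LEVEL to TX:EXECUTING_PARANOIA_LEVEL, but no hunk in this series touches the rules that read those variables; a file that only writes `tx.anomaly_score_plN` will never raise the inbound score unless the blocking-evaluation rules in this branch already sum the per-level variables, so confirm that before merging. Dropping `auditlog` from rules 944100 and 944130 is safe given the `SecDefaultAction "phase:2,log,auditlog,pass"` visible in crs-setup.conf.example, but the lowercase `%{matched_var_name}`/`%{matched_var}` to `%{MATCHED_VAR_NAME}`/`%{MATCHED_VAR}` rename in the setvar lines is a behaviour-preserving cleanup that deserves its own sentence in the commit message.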
@@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2017 Trustwave and contributors. All rights reserved. +# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -17,7 +17,7 @@ # ModSecurity Web Application Firewall. # # See also: -# https://modsecurity.org/crs/ +# https://coreruleset.org/ # https://github.com/SpiderLabs/owasp-modsecurity-crs # https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project # @@ -34,9 +34,10 @@ # ModSecurity settings (modsecurity.conf) such as SecRuleEngine, # SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. # -# The CRS assumes that modsecurity.conf has been loaded. If you don't have this -# file, you can get it from: -# https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended +# The CRS assumes that modsecurity.conf has been loaded. It is bundled with +# ModSecurity. If you don't have it, you can get it from: +# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended +# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended # # The order of file inclusion in your webserver configuration should always be: # 1. modsecurity.conf @@ -130,7 +131,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # -- [[ Paranoia Level Initialization ]] --------------------------------------- # # The Paranoia Level (PL) setting allows you to choose the desired level -# of rule checks. +# of rule checks that will add to your anomaly scores. # # With each paranoia level increase, the CRS enables additional rules # giving you a higher level of security. However, higher paranoia levels 
@@ -166,8 +167,8 @@ SecDefaultAction "phase:2,log,auditlog,pass" # example: [tag "paranoia-level/2"]. This allows you to deduct from the # audit log how the WAF behavior is affected by paranoia level. # -# It is important to also look into the variable -# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) +# It is important to also look into the variable +# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) # defined below. Enabling it closes a possible bypass of CRS. # # Uncomment this rule to change the default: @@ -181,6 +182,32 @@ SecDefaultAction "phase:2,log,auditlog,pass" # setvar:tx.paranoia_level=1" +# It is possible to execute rules from a higher paranoia level but not include +# them in the anomaly scoring. This allows you to take a well-tuned system on +# paranoia level 1 and add rules from paranoia level 2 without having to fear +# the new rules would lead to false positives that raise your score above the +# threshold. +# This optional feature is enabled by uncommenting the following rule and +# setting the tx.executing_paranoia_level. +# Technically, rules up to the level defined in tx.executing_paranoia_level +# will be executed, but only the rules up to tx.paranoia_level affect the +# anomaly scores. +# By default, tx.executing_paranoia_level is set to tx.paranoia_level. +# tx.executing_paranoia_level must not be lower than tx.paranoia_level. +# +# Please notice that setting tx.executing_paranoia_level to a higher paranoia +# level results in a performance impact that is equally high as setting +# tx.paranoia_level to said level. +# +#SecAction \ +# "id:900001,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.executing_paranoia_level=1" + + # # -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- # 
@@ -330,7 +357,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # setvar:tx.crs_exclusions_drupal=1,\ # setvar:tx.crs_exclusions_wordpress=1,\ # setvar:tx.crs_exclusions_nextcloud=1,\ -# setvar:tx.crs_exclusions_dokuwik=1,\ +# setvar:tx.crs_exclusions_dokuwiki=1,\ # setvar:tx.crs_exclusions_cpanel=1" # @@ -370,7 +397,20 @@ SecDefaultAction "phase:2,log,auditlog,pass" # nolog,\ # pass,\ # t:none,\ -# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'" +# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'" + +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. +#SecAction \ +# "id:900270,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" # Allowed HTTP versions. # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 
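Review bot: the SecAction added here for tx.allowed_request_content_type_charset uses `id:900270`, and the SecAction added for tx.protected_uploads in the next hunk of this same file also uses `id:900270`; ModSecurity refuses to load a configuration with duplicate rule ids, so anyone who uncomments both will get a startup error. Give one of them an unused id in the 9002xx range. Minor wording: "Content-Types charsets that a client is allowed to send" reads better as "Content-Type charsets that a client is allowed to send".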
@@ -425,6 +465,16 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" +# Locations that will be inspected to enforce only images and documents uploads. +# Default: /wp-admin/upload.php /wp-admin/media-new.php +# Uncomment this rule to change the default set in 901180 +#SecAction \ +# "id:900270,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.protected_uploads=#/wp-admin/upload.php# #/wp-admin/media-new.php#'" # # -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- @@ -802,4 +852,4 @@ SecAction \ nolog,\ pass,\ t:none,\ - setvar:tx.crs_setup_version=302" + setvar:tx.crs_setup_version=310" From 0bef084f0d619cbe6606e7a31fc58291feb74112 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Mon, 7 Jan 2019 15:24:09 -0500 Subject: [PATCH 12/20] conflict resolution --- .travis.yml | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/.travis.yml b/.travis.yml index be2a3c1b1..22894c31c 100644 --- a/.travis.yml +++ b/.travis.yml 
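Review bot: the last hunk bumps `setvar:tx.crs_setup_version=310`, but the file header shown as context in the first hunk of this diff reads "OWASP ModSecurity Core Rule Set ver.3.2.0" and the branch being built is v3.2/dev; the setup version is what the CRS initialization rules compare against to detect a stale crs-setup.conf, so the header and this value must agree (320 if the header is right). In the tx.protected_uploads hunk just above it, the value is written with `#` delimiters (`#/wp-admin/upload.php#`) while the neighbouring tx.static_extensions example uses `/` delimiters (`/.jpg/`); that is fine only if the consuming rule (the comment points at 901180) expects `#`, so please confirm and mention it in the comment, and fix "images and documents uploads" to "image and document uploads".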
@@ -5,27 +5,33 @@ language: python python: - 2.7 before_install: - - docker build --build-arg REPO=$TRAVIS_PULL_REQUEST_SLUG --build-arg COMMIT=$TRAVIS_PULL_REQUEST_SHA -t modsecurity-crs ./util/ - - docker run -ti -e PARANOIA=5 -d --rm -p 80:80 -v /var/log/apache2:/var/log/apache2/ modsecurity-crs + - | + if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then + docker build --build-arg REPO=$TRAVIS_PULL_REQUEST_SLUG --build-arg COMMIT=$TRAVIS_PULL_REQUEST_SHA -t modsecurity-crs ./util/docker/ + else + docker build -t modsecurity-crs ./util/docker/ + fi + - docker run -ti -e PARANOIA=5 -d -p 80:80 -v /var/log/apache2:/var/log/apache2/ --name "$TRAVIS_BUILD_ID" modsecurity-crs install: - pip install -r ./util/integration/requirements.txt - pip install -r ./util/regression-tests/requirements.txt script: - - docker ps | grep -q modsecurity-crs || exit 1 + - | + docker ps | grep -q modsecurity-crs + if [[ $? -ne 0 ]]; then + docker logs "$TRAVIS_BUILD_ID" + docker rm -f "$TRAVIS_BUILD_ID" + exit 1 + fi - py.test -vs ./util/integration/format_tests.py - - py.test -vs util/regression-tests/CRS_Tests.py --rule=util/regression-tests/tests/test.yaml - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-911-METHOD-ENFORCEMENT - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-913-SCANNER-DETECTION - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-930-APPLICATION-ATTACK-LFI - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-942-APPLICATION-ATTACK-SQLI - - py.test -vs util/regression-tests/CRS_Tests.py 
--ruledir=util/regression-tests/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION + - py.test -vs util/regression-tests/CRS_Tests.py --ruledir_recurse=util/regression-tests/tests/ + - docker rm -f "$TRAVIS_BUILD_ID" # safelist branches: only: - v3.0/dev - v3.0/master - v3.1/dev + - v3.2/dev notifications: - irc: "chat.freenode.net#modsecurity" \ No newline at end of file + irc: "chat.freenode.net#modsecurity" From 2426fae5f1460a4f79b689cfaf7197dd4d785fc5 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 10:39:47 -0400 Subject: [PATCH 13/20] conflict resolution --- .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 377 ++---------------- 1 file changed, 43 insertions(+), 334 deletions(-) diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index 05641dc77..d13a339ac 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf 
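Review bot: in the script block, `docker ps | grep -q modsecurity-crs` matches the image name anywhere in the `docker ps` output rather than the container this job started, and testing `$?` on the following line is fragile if anything is later inserted between the pipeline and the check; since the container is now started with `--name "$TRAVIS_BUILD_ID"`, test for that name directly, for example `if ! docker ps --filter "name=$TRAVIS_BUILD_ID" | grep -q "$TRAVIS_BUILD_ID"; then`. Dropping `--rm` and relying on a trailing `docker rm -f "$TRAVIS_BUILD_ID"` means a failing py.test line leaves the container running; harmless on a throwaway Travis VM, but an `after_script` cleanup would make it deterministic. Also note that replacing the eight explicit `--ruledir=` invocations with `--ruledir_recurse=util/regression-tests/tests/` runs every test directory under tests/, not just the ones listed before, so this change can surface previously unexecuted test failures and deserves a mention in the commit message.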
@@ -1,334 +1,43 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# -# -= Paranoia Level 0 (empty) =- (apply unconditionally) -# -# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file. - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -# -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) -# -# This rule is also triggered by an Apache Struts exploit: -# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] -# -# This rule is also triggered by an Apache Struts Remote Code Execution exploit: -# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] -# -# This rule is also triggered by an Apache Struts Remote Code Execution exploit: -# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] -# -# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: -# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] -# -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx java\.lang\.(?:runtime|processbuilder)" \ - "id:944100,\ - phase:2,\ - block,\ - 
log,\ - msg:'Remote Command Execution: Suspicious Java class detected',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - t:none,t:lowercase,\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - -# This rule is also triggered by the following exploit(s): -# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] -# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] -# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] -# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ] -# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ] -# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] -# -# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains -# java. 
unmarshaller or base64data to trigger a potential payload execution -# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/ - -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:runtime|processbuilder)" \ - "id:944110,\ - phase:2,\ - block,\ - t:none,t:lowercase,\ - log,\ - msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - chain" - SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ - "setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - -# Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected -# anomaly score set to critical as all conditions indicate the request try to perform RCE. 
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ - "id:944120,\ - phase:2,\ - block,\ - t:none,t:lowercase,\ - log,\ - msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ - "t:none,t:lowercase,\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - -# This rule is also triggered by an Apache Struts exploit: -# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ] -# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] -# -# This rule is also triggered by an Apache Struts Remote Code Execution exploit: -# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] -# -# This rule is also triggered by an Apache Struts Remote Code Execution exploit: -# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] -# -# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: -# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: 
https://www.exploit-db.com/exploits/43458 ] -# -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@pmf java-classes.data" \ - "id:944130,\ - phase:2,\ - block,\ - log,\ - msg:'Suspicious Java class detected',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - t:none,t:lowercase,\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -# -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) -# -# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ] -# -# Detect exploitation of "Java deserialization" Apache Commons. -# -# Based on rules by @spartantri. 
-# https://spartantri.com/ModSecurity/?p=44 -# -# Interesting references about the vulnerability -# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ -# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet -# -# Potential false positives with random fields, the anomaly level is set low to avoid blocking request -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx \xac\xed\x00\x05" \ - "id:944200,\ - phase:2,\ - block,\ - log,\ - msg:'Magic bytes Detected, probable java serialization in use',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - -# Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \ - "id:944210,\ - phase:2,\ - block,\ - log,\ - msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - 
tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ - "id:944240,\ - phase:2,\ - block,\ - t:none,t:lowercase,\ - log,\ - msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - -# This rule is also triggered by the following exploit(s): -# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] -# -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx java\b.+(?:runtime|processbuilder)" \ - "id:944250,\ - phase:2,\ - block,\ - log,\ - msg:'Remote Command Execution: Suspicious Java method detected',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - 
t:lowercase,\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -# -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) -# -# Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded -# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure'] -#for item in keywords: -# pad='\x00' -# for padding in xrange(3): -# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:], -#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk 
HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \ - "id:944300,\ - phase:2,\ - block,\ - t:none,\ - log,\ - msg:'Base64 encoded string matched suspicious keyword',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ - tag:'WASCTC/WASC-31',\ - tag:'OWASP_TOP_10/A1',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ - severity:'CRITICAL',\ - setvar:'tx.msg=%{rule.msg}',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ - setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -# -# -= Paranoia 
Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) -# - - -# -# -= Paranoia Levels Finished =- -# -SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA" +com.opensymphony.xwork2 +com.sun.org.apache +java.io.BufferedInputStream +java.io.BufferedReader +java.io.ByteArrayInputStream +java.io.ByteArrayOutputStream +java.io.CharArrayReader +java.io.DataInputStream +java.io.File +java.io.FileOutputStream +java.io.FilePermission +java.io.FileWriter +java.io.FilterInputStream +java.io.FilterOutputStream +java.io.FilterReader +java.io.InputStream +java.io.InputStreamReader +java.io.LineNumberReader +java.io.ObjectOutputStream +java.io.OutputStream +java.io.PipedOutputStream +java.io.PipedReader +java.io.PrintStream +java.io.PushbackInputStream +java.io.Reader +java.io.StringReader +java.lang.Class +java.lang.Integer +java.lang.Number +java.lang.Object +java.lang.Process +java.lang.ProcessBuilder +java.lang.reflect +java.lang.Runtime +java.lang.String +java.lang.StringBuilder +java.lang.System +javax.script.ScriptEngineManager +org.apache.commons +org.apache.struts +org.apache.struts2 +org.omg.CORBA +java.beans.XMLDecode From 625d5bc88ac1a9294ad73452650ff79b6601e5d8 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 10:40:59 -0400 Subject: [PATCH 14/20] conflict resolution --- .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 364 +++++++++++++++--- 1 file changed, 321 insertions(+), 43 deletions(-) diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index d13a339ac..81b19f8ec 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf 
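Review bot: this hunk deletes every rule in REQUEST-944-APPLICATION-ATTACK-JAVA.conf and replaces the file with a bare list of Java class and package names, which is the format of the java-classes.data file that rule 944130 loads through `@pmf java-classes.data`, not valid ModSecurity configuration; the following patch in the series puts the rules back, so this looks like a merge mistake that should be squashed away so no commit in the series leaves the rules file unloadable. If the list was meant for java-classes.data, its last entry `java.beans.XMLDecode` appears truncated: the deleted rules 944120 and 944240 match on the keyword `xmldecoder`.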
@@ -1,43 +1,321 @@ -com.opensymphony.xwork2 -com.sun.org.apache -java.io.BufferedInputStream -java.io.BufferedReader -java.io.ByteArrayInputStream -java.io.ByteArrayOutputStream -java.io.CharArrayReader -java.io.DataInputStream -java.io.File -java.io.FileOutputStream -java.io.FilePermission -java.io.FileWriter -java.io.FilterInputStream -java.io.FilterOutputStream -java.io.FilterReader -java.io.InputStream -java.io.InputStreamReader -java.io.LineNumberReader -java.io.ObjectOutputStream -java.io.OutputStream -java.io.PipedOutputStream -java.io.PipedReader -java.io.PrintStream -java.io.PushbackInputStream -java.io.Reader -java.io.StringReader -java.lang.Class -java.lang.Integer -java.lang.Number -java.lang.Object -java.lang.Process -java.lang.ProcessBuilder -java.lang.reflect -java.lang.Runtime -java.lang.String -java.lang.StringBuilder -java.lang.System -javax.script.ScriptEngineManager -org.apache.commons -org.apache.struts -org.apache.struts2 -org.omg.CORBA -java.beans.XMLDecode +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.0 +# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# +# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file. 
+ +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# +# This rule is also triggered by an Apache Struts exploit: +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] +# +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx java\.lang\.(?:runtime|processbuilder)" \ + "id:944100,\ + phase:2,\ + block,\ + log,\ + msg:'Remote Command Execution: Suspicious Java class detected',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + t:none,t:lowercase,\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# This rule is also triggered by 
the following exploit(s): +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] +# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ] +# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains +# java. unmarshaller or base64data to trigger a potential payload execution +# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/ + +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx (?:runtime|processbuilder)" \ + "id:944110,\ + phase:2,\ + block,\ + t:none,t:lowercase,\ + log,\ + msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + chain" + SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ + "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Magic bytes detected and payload included possibly RCE vulnerable classess 
detected and process execution methods detected +# anomaly score set to critical as all conditions indicate the request try to perform RCE. +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ + "id:944120,\ + phase:2,\ + block,\ + t:none,t:lowercase,\ + log,\ + msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ + "t:none,t:lowercase,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ] +# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: 
https://www.exploit-db.com/exploits/45260 ] +# +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \ + "@pmFromFile java-classes.data" \ + "id:944130,\ + phase:2,\ + block,\ + log,\ + msg:'Suspicious Java class detected',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + t:none,t:lowercase,\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# +# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ] +# +# Detect exploitation of "Java deserialization" Apache Commons. +# +# Based on rules by @spartantri. 
+# https://spartantri.com/ModSecurity/?p=44 +# +# Interesting references about the vulnerability +# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ +# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet +# +# Potential false positives with random fields, the anomaly level is set low to avoid blocking request +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx \xac\xed\x00\x05" \ + "id:944200,\ + phase:2,\ + block,\ + log,\ + msg:'Magic bytes Detected, probable java serialization in use',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \ + "id:944210,\ + phase:2,\ + block,\ + log,\ + msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + 
ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ + "id:944240,\ + phase:2,\ + block,\ + t:none,t:lowercase,\ + log,\ + msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx java\b.+(?:runtime|processbuilder)" \ + "id:944250,\ + phase:2,\ + block,\ + log,\ + msg:'Remote Command Execution: Suspicious Java method detected',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + t:lowercase,\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + 
ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# +# Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded +# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure'] +#for item in keywords: +# pad='\x00' +# for padding in xrange(3): +# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:], +#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx 
(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \ + "id:944300,\ + phase:2,\ + block,\ + t:none,\ + log,\ + msg:'Base64 encoded string matched suspicious keyword',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/3.1.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA" From ba3f28804af610cb2fb10278fa7ce53747eca327 Mon Sep 17 00:00:00 2001 
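Review bot: rule 944250 in the REQUEST-944 hunk above opens its transformation list with `t:lowercase` alone, while every neighbouring rule (944120, 944130, 944240, 944300) starts with `t:none`; without `t:none` the transformations inherited from `SecDefaultAction` are applied first, so `java\b.+(?:runtime|processbuilder)` is evaluated against differently transformed input than its siblings. Suggest `t:none,t:lowercase,\`. A second point in the same hunk: 944240 (PL2) reuses the 944120 class-name regex verbatim but drops the chained `SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)"` condition, so at PL2 a request carrying both a class name and `runtime`/`processbuilder` scores critical twice, and one carrying only `getproperty` or `filewriter` (common English substrings) scores critical once. A comment stating that this broadening is the intended PL2 behaviour would save the next reviewer the same question.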
From: Manuel Spartan Date: Tue, 27 Aug 2019 10:41:30 -0400 Subject: [PATCH 15/20] conflict resolution --- rules/java-classes.data | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/java-classes.data b/rules/java-classes.data index aa6bf325a..d13a339ac 100644 --- a/rules/java-classes.data +++ b/rules/java-classes.data @@ -37,5 +37,7 @@ java.lang.StringBuilder java.lang.System javax.script.ScriptEngineManager org.apache.commons +org.apache.struts +org.apache.struts2 org.omg.CORBA -java.beans.XMLDecoder +java.beans.XMLDecode From 7c422d7f109d8431bb781c99f6a3aea6722fbda2 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 10:42:02 -0400 Subject: [PATCH 16/20] conflict resolution --- .travis.yml | 82 +++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 57 insertions(+), 25 deletions(-) diff --git a/.travis.yml b/.travis.yml index 22894c31c..cc1520286 100644 --- a/.travis.yml +++ b/.travis.yml 
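Review bot: the last line of `rules/java-classes.data` changes `java.beans.XMLDecoder` to `java.beans.XMLDecode` in a commit titled "conflict resolution", which reads as an accidental truncation rather than a resolution, since no other part of the line changes. Because 944130 loads this file with `@pmFromFile`, which does substring matching, the shortened entry still matches `java.beans.XMLDecoder`, but it would also match any other token that begins with `java.beans.XMLDecode`; restore the full class name unless the wider match is deliberate, and say so in the file if it is.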
@@ -1,31 +1,62 @@ -sudo: required -services: -- docker language: python + python: - 2.7 -before_install: - - | - if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then - docker build --build-arg REPO=$TRAVIS_PULL_REQUEST_SLUG --build-arg COMMIT=$TRAVIS_PULL_REQUEST_SHA -t modsecurity-crs ./util/docker/ - else - docker build -t modsecurity-crs ./util/docker/ - fi - - docker run -ti -e PARANOIA=5 -d -p 80:80 -v /var/log/apache2:/var/log/apache2/ --name "$TRAVIS_BUILD_ID" modsecurity-crs -install: - - pip install -r ./util/integration/requirements.txt - - pip install -r ./util/regression-tests/requirements.txt -script: - - | - docker ps | grep -q modsecurity-crs - if [[ $? -ne 0 ]]; then - docker logs "$TRAVIS_BUILD_ID" - docker rm -f "$TRAVIS_BUILD_ID" - exit 1 - fi - - py.test -vs ./util/integration/format_tests.py - - py.test -vs util/regression-tests/CRS_Tests.py --ruledir_recurse=util/regression-tests/tests/ - - docker rm -f "$TRAVIS_BUILD_ID" + +sudo: required + +services: + - docker + +jobs: + allow_failures: + - env: CONFIG=3.0-apache LOGDIR=/var/log/apache2 + - env: CONFIG=3.0-nginx LOGDIR=/var/log/nginx + fast_finish: true + include: + - &test-common + env: CONFIG=2.9-apache LOGDIR=/var/log/apache2 + before_install: + - | + if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then + docker build --build-arg REPO=$TRAVIS_PULL_REQUEST_SLUG \ + --build-arg BRANCH=$TRAVIS_PULL_REQUEST_BRANCH \ + --build-arg COMMIT=$TRAVIS_PULL_REQUEST_SHA \ + -f ./util/docker/Dockerfile-$CONFIG \ + -t modsecurity-crs-$CONFIG ./util/docker/ + else + docker build -f ./util/docker/Dockerfile-$CONFIG \ + -t modsecurity-crs-$CONFIG ./util/docker/ + fi + - | + docker run -ti -e PARANOIA=5 -d -p 80:80 \ + --volume $LOGDIR:$LOGDIR \ + --name "$TRAVIS_BUILD_ID" modsecurity-crs-$CONFIG + - | + docker ps | grep -q modsecurity-crs + if [[ $? 
-ne 0 ]]; then + docker logs "$TRAVIS_BUILD_ID" + docker rm -f "$TRAVIS_BUILD_ID" + exit 1 + fi + install: + - pip install -r util/integration/requirements.txt + - pip install -r util/regression-tests/requirements.txt + before_script: + - git clone https://github.com/CRS-support/secrules_parsing + - pip install -r secrules_parsing/requirements.txt + - python secrules_parsing/secrules_parser.py -c -f rules/*.conf + script: + - py.test -vs util/integration/format_tests.py + - | + py.test -vs util/regression-tests/CRS_Tests.py \ + --config=$CONFIG --ruledir_recurse=util/regression-tests/tests + - docker rm -f "$TRAVIS_BUILD_ID" + - <<: *test-common + env: CONFIG=3.0-apache LOGDIR=/var/log/apache2 + - <<: *test-common + env: CONFIG=3.0-nginx LOGDIR=/var/log/nginx + # safelist branches: only: @@ -33,5 +64,6 @@ branches: - v3.0/master - v3.1/dev - v3.2/dev + notifications: irc: "chat.freenode.net#modsecurity" From 4baf3446fc8ccc2dc0106c2a4f98b63f877efc28 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 10:42:38 -0400 Subject: [PATCH 17/20] conflict resolution --- crs-setup.conf.example | 87 ++++++++---------------------------------- 1 file changed, 16 insertions(+), 71 deletions(-) diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 60ad9b47f..4ebf343b4 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example @@ -354,11 +354,12 @@ SecDefaultAction "phase:2,log,auditlog,pass" # nolog,\ # pass,\ # t:none,\ +# setvar:tx.crs_exclusions_cpanel=1,\ # setvar:tx.crs_exclusions_drupal=1,\ -# setvar:tx.crs_exclusions_wordpress=1,\ -# setvar:tx.crs_exclusions_nextcloud=1,\ # setvar:tx.crs_exclusions_dokuwiki=1,\ -# setvar:tx.crs_exclusions_cpanel=1" +# setvar:tx.crs_exclusions_nextcloud=1,\ +# setvar:tx.crs_exclusions_wordpress=1,\ +# setvar:tx.crs_exclusions_xenforo=1" # # -- [[ HTTP Policy Settings ]] ------------------------------------------------ 
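Review bot: the new `before_script` in `.travis.yml` (PATCH 16/20) runs `git clone https://github.com/CRS-support/secrules_parsing` with no tag or commit, then `pip install -r secrules_parsing/requirements.txt` and `python secrules_parsing/secrules_parser.py -c -f rules/*.conf` inside this repository's CI. Whatever that repository's default branch points to at build time is executed with the build's credentials, so pin it (`git clone --branch <tag>` or a `git checkout <commit>` step, placeholders) so the syntax check cannot change under the build and an upstream compromise cannot run code here. Also, `allow_failures` now covers the `CONFIG=3.0-apache` and `CONFIG=3.0-nginx` jobs, so a regression-test failure on either configuration no longer fails the build; if that is intentional, a YAML comment next to `allow_failures` should say why.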
@@ -389,7 +390,8 @@ SecDefaultAction "phase:2,log,auditlog,pass" # Content-Types that a client is allowed to send in a request. # Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\ # application/xml|application/soap+xml|application/x-amf|application/json|\ -# application/octet-stream|text/plain +# application/octet-stream|application/csp-report|\ +# application/xss-auditor-report|text/plain # Uncomment this rule to change the default. #SecAction \ # "id:900220,\ @@ -399,19 +401,6 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'" -# Content-Types charsets that a client is allowed to send in a request. -# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 -# Uncomment this rule to change the default. -# Use "|" to separate multiple charsets like in the rule defining -# tx.allowed_request_content_type. -#SecAction \ -# "id:900270,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" - # Allowed HTTP versions. # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 # Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 
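Review bot: the hunk at 399-401 of `crs-setup.conf.example` deletes the `tx.allowed_request_content_type_charset` block (id 900270) from this position; the same block reappears further down in the patch under id 900280, so this is a move plus renumbering rather than a removal, but nothing in the patch says so and the commit message is only "conflict resolution". Any documentation that points operators at 900270 for the charset setting now points at a different rule; a sentence in the commit message naming the move and the new id would help.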
@@ -428,8 +417,8 @@ SecDefaultAction "phase:2,log,auditlog,pass" # Forbidden file extensions. # Guards against unintended exposure of development/configuration files. -# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ -# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/ +# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ +# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ # Uncomment this rule to change the default. #SecAction \ # "id:900240,\ 
@@ -437,7 +426,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # nolog,\ # pass,\ # t:none,\ -# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" +# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" # Forbidden request headers. # Header names should be lowercase, enclosed by /slashes/ as delimiters. @@ -465,16 +454,18 @@ SecDefaultAction "phase:2,log,auditlog,pass" # t:none,\ # setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" -# Locations that will be inspected to enforce only images and documents uploads. -# Default: /wp-admin/upload.php /wp-admin/media-new.php -# Uncomment this rule to change the default set in 901180 +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. #SecAction \ -# "id:900270,\ +# "id:900280,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ -# setvar:'tx.protected_uploads=#/wp-admin/upload.php# #/wp-admin/media-new.php#'" +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" # # -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- 
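Review bot: the hunk at 454-468 replaces the `tx.protected_uploads` example (id 900270, "Uncomment this rule to change the default set in 901180") with the charset block as id 900280, which removes the only place in the setup file where the protected upload locations can be overridden. Confirm that 901180 and every rule that reads `tx.protected_uploads` are dropped or rewritten elsewhere in this series; otherwise the default set in 901180 becomes non-configurable without the operator knowing. The new id 900280 also needs checking against ids documented elsewhere in the 900xxx range.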
@@ -789,52 +780,6 @@ SecDefaultAction "phase:2,log,auditlog,pass" SecCollectionTimeout 600 -# -# -- [[ Debug Mode ]] ---------------------------------------------------------- -# -# To enable rule development and debugging, CRS has an optional debug mode -# that does not block a request, but instead sends detection information -# back to the HTTP client. -# -# This functionality is currently only supported with the Apache web server. -# The Apache mod_headers module is required. -# -# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score" -# response headers whenever a debug client makes a request. Example: -# -# # curl -v 'http://192.168.1.100/?foo=../etc/passwd' -# X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI, -# TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo, -# TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo -# X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0 -# -# To enable debug mode, include the RESPONSE-981-DEBUG.conf file. -# This file resides in a separate folder, as it is not compatible with -# nginx and IIS. -# -# You must specify the source IP address/network where you will be running the -# tests from. The source IP will BYPASS all CRS blocking, and will be sent the -# response headers as specified above. Be careful to only list your private -# IP addresses/networks here. -# -# Tip: for regression testing of CRS or your own ModSecurity rules, you may -# be interested in using the OWASP CRS regression testing suite instead. -# View the file util/regression-tests/README for more information. 
-# -# Uncomment these rules, filling in your CRS path and the source IP address, -# to enable debug mode: -# -#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf -#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ -# "id:900980,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# ctl:ruleEngine=DetectionOnly,\ -# setvar:tx.crs_debug_mode=1" - - # # -- [[ End of setup ]] -------------------------------------------------------- # From 8d6100579afc39c4139ab0851950e89c4352ce2c Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 11:40:06 -0400 Subject: [PATCH 18/20] Matching rules per PL send payload script --- util/send-payload-pls.sh | 55 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 util/send-payload-pls.sh diff --git a/util/send-payload-pls.sh b/util/send-payload-pls.sh new file mode 100644 index 000000000..5f16fde6c --- /dev/null +++ b/util/send-payload-pls.sh 
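Review bot: removing the whole `-- [[ Debug Mode ]] --` section drops the setup file's only references to `util/debug/RESPONSE-981-DEBUG.conf`, `tx.crs_debug_mode` and rule id 900980. Make sure the debug rule file and any rule that tests `tx.crs_debug_mode` go in the same series, otherwise the tree ships a feature that can no longer be enabled from the documented place. Since this mode set `ctl:ruleEngine=DetectionOnly` for a matched `REMOTE_ADDR`, that is, a full blocking bypass for one address, its removal is also worth a changelog line so operators know the knob is gone and can delete any stale `Include` of the debug file.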
@@ -0,0 +1,55 @@ +#!/bin/bash +# +# Script to post a payload against a local webserver at each paranoia level +# +# Note: Webserver has to be prepared to take desired PL as Request Header "PL" +# +#Path to CRS rule set and local files +CRS="/usr/share/modsecurity-crs/rules/" +accesslog="/apache/logs/access.log" +errorlog="/apache/logs/error.log" + +#URL of web server +URL="localhost:40080" + +#Rules per Paranoia level +#Paranoia level 1 rules, rule 012 is the phase 2 rule delimiter of the start of PL1 +#Paranoia level 1 rules, rule 013 is the phase 1 rule delimiter of the finish of PL1 +PL1=$(awk "/012,phase:2/,/013,phase:1/" $CRS/*.conf |egrep -v "(012|013),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +#Paranoia level 2 rules, rule 014 is the phase 2 rule delimiter of the start of PL2 +#Paranoia level 2 rules, rule 015 is the phase 1 rule delimiter of the finish of PL2 +PL2=$(awk "/014,phase:2/,/015,phase:1/" $CRS/*.conf |egrep -v "(014|015),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +#Paranoia level 3 rules, rule 016 is the phase 2 rule delimiter of the start of PL3 +#Paranoia level 3 rules, rule 017 is the phase 1 rule delimiter of the finish of PL3 +PL3=$(awk "/016,phase:2/,/017,phase:1/" $CRS/*.conf |egrep -v "(016|017),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +#Paranoia level 4 rules, rule 018 is the phase 2 rule delimiter of the start of PL4 +#Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the finish of PL4 +PL4=$(awk "/018,phase:2/,/Paranoia Levels Finished/" $CRS/*.conf |egrep -v "018,phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +if [ ! -z "$1" ]; then + PAYLOAD="$1" +else + echo "Please submit payload as parameter. This is fatal. Aborting." 
+ exit 1 +fi + +echo "Sending the following payload at multiple paranoia levels: $PAYLOAD" +echo + +for PL in 1 2 3 4; do + echo "--- Paranoia Level $PL ---" + echo + if [ -f "$PAYLOAD" ]; then + curl $URL --data-binary "@$PAYLOAD" -H "PL: $PL" -o /dev/null -s + else + curl $URL -d "$PAYLOAD" -H "PL: $PL" -o /dev/null -s + fi + grep $(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26) $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL4/& PL4/" | sort -k2 + echo + echo -n "Total Incoming Score: " + tail -1 $accesslog | cut -d\" -f11 | cut -d\ -f14 | tr "-" "0" + echo +done From 8eb87c13d596a97c178ca9a141618efd4dc163d1 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 12:21:32 -0400 Subject: [PATCH 19/20] Added mising PL3 expression --- util/send-payload-pls.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/send-payload-pls.sh b/util/send-payload-pls.sh index 5f16fde6c..3d9bdfeef 100644 --- a/util/send-payload-pls.sh +++ b/util/send-payload-pls.sh 
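Review bot: in `util/send-payload-pls.sh`, the `grep $(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26) $errorlog` line has no guard for an empty substitution: if the access log's eleventh quoted field is absent (different `LogFormat`, empty log), `grep` takes `$errorlog` as its pattern and blocks reading stdin, and the script hangs silently. Capture the id first, e.g. `uid=$(tail -1 "$accesslog" | cut -d\" -f11 | cut -b2-26)` followed by `[ -n "$uid" ] || exit 1`, and quote it in the `grep`. Related: when an `awk` range finds nothing, `$PL1`..`$PL4` are empty and `sed -e "s//& PL1/"` reuses the previous regex, so lines get mislabelled rather than skipped; the final `sed` also tags PL1, PL2 and PL4 but never PL3. Minor: `tr -t` and the `\|` alternation are GNU-only, and `egrep` is deprecated in favour of `grep -E`.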
@@ -47,7 +47,7 @@ for PL in 1 2 3 4; do else curl $URL -d "$PAYLOAD" -H "PL: $PL" -o /dev/null -s fi - grep $(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26) $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL4/& PL4/" | sort -k2 + grep $(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26) $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ "-e "s/$PL4/& PL4/" | sort -k2 echo echo -n "Total Incoming Score: " tail -1 $accesslog | cut -d\" -f11 | cut -d\ -f14 | tr "-" "0" From 8e0681d6e185851fddb7dbf85697ab148fc70ca8 Mon Sep 17 00:00:00 2001 From: Manuel Spartan Date: Tue, 27 Aug 2019 12:24:26 -0400 Subject: [PATCH 20/20] Added link to log format --- util/send-payload-pls.sh | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/util/send-payload-pls.sh b/util/send-payload-pls.sh index 3d9bdfeef..def264158 100644 --- a/util/send-payload-pls.sh +++ b/util/send-payload-pls.sh 
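Review bot: the fix for the missing PL3 expression misplaces a quote: `-e "s/$PL3/& PL3/ "-e "s/$PL4/& PL4/"` makes the third `-e` argument the single word `s/.../& PL3/ -e` (quoted text concatenated with an unquoted `-e`), which `sed` rejects as an unknown option to `s`, and the following `"s/$PL4/& PL4/"` is then read as a file name instead of a script. The line should read `-e "s/$PL3/& PL3/" -e "s/$PL4/& PL4/"`; running the script once after the change would have shown the error.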
@@ -3,30 +3,31 @@ # Script to post a payload against a local webserver at each paranoia level # # Note: Webserver has to be prepared to take desired PL as Request Header "PL" +# Check the access log format at https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/ # -#Path to CRS rule set and local files +# Path to CRS rule set and local files CRS="/usr/share/modsecurity-crs/rules/" accesslog="/apache/logs/access.log" errorlog="/apache/logs/error.log" -#URL of web server +# URL of web server URL="localhost:40080" -#Rules per Paranoia level -#Paranoia level 1 rules, rule 012 is the phase 2 rule delimiter of the start of PL1 -#Paranoia level 1 rules, rule 013 is the phase 1 rule delimiter of the finish of PL1 +# Rules per Paranoia level +# Paranoia level 1 rules, rule 012 is the phase 2 rule delimiter of the start of PL1 +# Paranoia level 1 rules, rule 013 is the phase 1 rule delimiter of the finish of PL1 PL1=$(awk "/012,phase:2/,/013,phase:1/" $CRS/*.conf |egrep -v "(012|013),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') -#Paranoia level 2 rules, rule 014 is the phase 2 rule delimiter of the start of PL2 -#Paranoia level 2 rules, rule 015 is the phase 1 rule delimiter of the finish of PL2 +# Paranoia level 2 rules, rule 014 is the phase 2 rule delimiter of the start of PL2 +# Paranoia level 2 rules, rule 015 is the phase 1 rule delimiter of the finish of PL2 PL2=$(awk "/014,phase:2/,/015,phase:1/" $CRS/*.conf |egrep -v "(014|015),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') -#Paranoia level 3 rules, rule 016 is the phase 2 rule delimiter of the start of PL3 -#Paranoia level 3 rules, rule 017 is the phase 1 rule delimiter of the finish of PL3 +# Paranoia level 3 rules, rule 016 is the phase 2 rule delimiter of the start of PL3 +# Paranoia level 3 rules, rule 017 is the phase 1 rule delimiter of the finish of PL3 PL3=$(awk "/016,phase:2/,/017,phase:1/" 
$CRS/*.conf |egrep -v "(016|017),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') -#Paranoia level 4 rules, rule 018 is the phase 2 rule delimiter of the start of PL4 -#Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the finish of PL4 +# Paranoia level 4 rules, rule 018 is the phase 2 rule delimiter of the start of PL4 +# Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the finish of PL4 PL4=$(awk "/018,phase:2/,/Paranoia Levels Finished/" $CRS/*.conf |egrep -v "018,phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') if [ ! -z "$1" ]; then
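Review bot: with the header comments normalised and the log-format link added, the remaining usability gap in this hunk is that `CRS`, `accesslog`, `errorlog` and `URL` are still hard-coded to one layout (`/usr/share/modsecurity-crs/rules/`, `/apache/logs/...`, `localhost:40080`). Allowing environment overrides, e.g. `CRS="${CRS:-/usr/share/modsecurity-crs/rules/}"`, lets the script run against other installs without editing it, and a `[ -d "$CRS" ] || { echo "no rules dir"; exit 1; }` check right after the assignments would fail fast instead of producing empty `PL` expressions.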