Question about mod_security
I saw that some rules require a .data file to make the rules work!
Where should I upload the .data file on my server? What path?
Hello :) Could you provide us with more information about the specific rule you are adding, and how you are configuring it? Is it part of a rules package? Thank you.
Hello! Yes, I took the rules from the OWASP website! Yes, the rules are two files, like: GenericAttack.data and GenericAttack.conf

GenericAttack.data:

set-cookie
.cookie
expires
sys.user_objects
sys.user_triggers
@@spid
msysaces
instr
sys.user_views
mysql.
sys.tab
charindex
locate
sys.user_catalog
constraint_type
msysobjects
attnotnull
select
sys.user_tables
sys.user_constraints
sys.user_tab_columns
waitfor
sys.all_tables
msysrelationships
msyscolumns
msysqueries
substr
xtype
textpos
all_objects
rownum
sysfilegroups
sysprocesses
user_group
sysobjects
systables
user_tables
pg_attribute
column_id
user_password
user_users
attrelid
user_tab_columns
table_name
pg_class
user_constraints
user_objects
object_type
sysconstraints
mb_users
column_name
atttypid
substring
object_id
syscat
sysibm
user_ind_columns
syscolumns
sysdba
object_name
sqrt
insert
date
instr
floor
autonomous_transaction
print
encode
coalesce
if
degrees
release_lock
procedure_analyse
password
least
cr32
subdate
xp_filelist
owa_util
trim
xp_regenumkeys
charset
ciel
bit_or
delete
time
month
xp_execresultset
round
dba_users
is
master_pos_wait
decode
unhex
char_length
strcmp
rtrim
'sa'
version
ord
xp_makecab
truncate
last
concat
coercibility
right
length
ascii
var_samp
char
extract
get_
bit_length
xp_regread
export_set
aes_decrypt
name_const
left
conv
bin
not_in
infile
substr
uuid
is_srvrolemember
var_pop
ln
aes_encrypt
outfile
current_date
quote
in
user
locate
@@version
exp
current_timestamp
sql_longvarchar
values
subtime
xp_loginconfig
sin
xp_regaddmultistring
replace
tan
xmltype
character_length
cast
current_time
varchar
position
to_number
addtime
mid
found_rows
stddev
xp_availablemedia
substring
dumpfile
isnull
cot
select
concat_ws
convert
uncompress
radians
uncompressed_length
acos
'sqloledb'
dbms_pipe.receive_message
utl_http
cieling
row_count
benchmark
sec_to_time
sysdate
hour
current_user
utc_
curdate
nvarchar
schema
data_type
lcase
inner
make_set
day
tbcreator
sum
sign
adddate
ltrim
variance
weight_string
second
microsecond
system_user
abs
ifnull
minute
unix_timestamp
collation
curtime
lower
repeat
sp_oacreate
group_concat
sp_execute
xp_ntsec
xp_regdeletekey
drop
quarter
local
str_to_date
nullif
from_
old_password
xp_regdeletevalue
asin
oct
load_file
sp_password
bit_xor
xp_regremovemultistring
chr
avg
std
openquery
makedate
database
updatexml
datediff
now
year
mod
bit_and
lpad
xp_enumdsn
max
period_
soundex
shutdown
bit_count
field
connection_id
sha
default
interval
xp_dirtree
reverse
ucase
compress
xp_terminate_process
md5
rpad
session_user
find_in_set
dump
convert_tz
having
des_
greatest
xp_regenumvalues
utl_file
cos
log
pi
sql_variant
encrypt
upper
rand
week
min
xp_cmdshell
'msdasql'
space
sp_executesql
elt
pow
'dbo'
sp_makewebtask
dbms_java
to_
format
xp_regwrite
sp_helpjscript
onsubmit
copyparentfolder
document
javascript
meta
onchange
onmove
onkeydown
onkeyup
activexobject
onerror
onmouseup
ecmascript
bexpression
onmouseover
vbscript:

GenericAttack.conf:

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.9
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# OS Command Injection Attacks
#
# -=[ Rule Logic ]=-
# These rules look for attempts to access OS commands such as curl, wget and cc
# These commands are often used in injection attacks to force the victim web
# application to initiate a connection out to a hacker site to download, compile
# and install malicious toolkits such as those to participate in Botnets.
#
# -=[ References ]=-
# http://projects.webappsec.org/OS-Commanding
# http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"

SecMarker END_COMMAND_INJECTION1

#
# -=[ Heuristic Checks ]=-
#
# [ Repeatative Non-Word Chars ]
#
# This rule attempts to identify when multiple (4 or more) non-word characters are repeated in sequence
#
SecRule ARGS "\W{4,}" \
        "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

#
# Coldfusion Injection
#
# -=[ Rule Logic ]=-
# These rules look for the existence of undocumented ColdFusion Admin functions on input
#
# -=[ References ]=-
# http://www.adobe.com/devnet/security/security_zone/asb99-10.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"

SecMarker END_CF_INJECTION

#
# LDAP Injection
#
# -=[ Rule Logic ]=-
# These rules look for common LDAP data constructions.
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"

SecMarker END_LDAP_INJECTION

#
# SSI injection
#
# -=[ Rule Logic ]=-
# These rules look for common Server-Site Include format data on input.
#
# -=[ References ]=-
# http://projects.webappsec.org/SSI-Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "
You would typically upload the .data file to the same location that you upload the .conf file. Thank you.
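A quick way to confirm on the server that the .data files really sit where the rules will look for them, as an added example that is not part of this thread and not code from the CRS or from ModSecurity: the script below parses a .conf, pulls out every operand handed to a file-based operator (@pmFromFile, @pmf, @ipMatchFromFile, @ipMatchF), resolves relative names against the directory of the .conf itself, and reports which files are missing. It also reads a .data file the way @pmFromFile does, one phrase per line with '#' comment lines and blank lines ignored. The sample rules, the rule ids 9000001 to 9000003 and the file names are constructed for the example; that relative paths are resolved against the directory containing the .conf is the assumption the answer above relies on, so treat a "missing" result as a reason to check your own paths rather than as proof.

```python
"""Check that the .data files a ModSecurity .conf refers to are where the
engine will look for them: next to the .conf itself, unless an absolute
path is given. Constructed example; the rule ids, file names and sample
rules below are assumptions, not taken from any real CRS file."""
import re
import tempfile
from pathlib import Path

# ModSecurity 2.x operators whose operand is one or more file names.
FILE_OPERATORS = {"@pmFromFile", "@pmf", "@ipMatchFromFile", "@ipMatchF"}

# The quoted operator/operand pair of a SecRule, e.g. "@pmFromFile x.data";
# a leading "!" negates the operator and is allowed.
OPERAND_RE = re.compile(r'"!?\s*(@\w+)\s+([^"]+)"')


def referenced_data_files(conf_text):
    """Return every file name handed to a file-based operator in conf_text.
    Backslash line continuations are joined first so each rule is one line."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)
    names = []
    for line in joined.splitlines():
        stripped = line.strip()
        if not stripped.startswith("SecRule"):
            continue  # comments, blank lines, SecMarker, SecAction, ...
        for operator, operand in OPERAND_RE.findall(stripped):
            if operator in FILE_OPERATORS:
                names.extend(operand.split())  # several files may be listed
    return names


def check_conf(conf_path):
    """Resolve each referenced file against the directory of the .conf
    (assumed here to be how ModSecurity resolves relative @pmFromFile paths;
    absolute paths are used unchanged) and report which exist."""
    conf_path = Path(conf_path)
    found, missing = [], []
    for name in referenced_data_files(conf_path.read_text()):
        path = Path(name)
        if not path.is_absolute():
            path = conf_path.parent / path
        (found if path.is_file() else missing).append(str(path))
    return found, missing


def load_phrases(data_path):
    """Read a .data file the way @pmFromFile does: one phrase per line,
    with empty lines and lines starting with '#' ignored."""
    phrases = []
    for line in Path(data_path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line)
    return phrases


# Constructed .conf: two file-based rules and one @rx rule that needs no file.
SAMPLE_CONF = r"""
# constructed sample, not a CRS file
SecRule REQUEST_COOKIES|ARGS_NAMES|ARGS "@pmFromFile GenericAttack.data" \
    "phase:2,id:9000001,t:none,t:lowercase,block,msg:'constructed pm rule'"
SecRule ARGS "@rx (?i:select)" "phase:2,id:9000002,t:none,pass"
SecRule REMOTE_ADDR "@ipMatchFromFile Missing.data" "phase:1,id:9000003,pass"
"""

# Constructed .data with a comment and a blank line to show what is ignored.
SAMPLE_DATA = "xp_cmdshell\nload_file\n# comment line\n\nutl_http\n"


def demo():
    """Write the sample .conf and only one of the two .data files it names
    into a throw-away directory, then run the check. Returns
    (number found, missing file names, phrases loaded from the present file)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "GenericAttack.conf"
        conf.write_text(SAMPLE_CONF)
        data = Path(tmp) / "GenericAttack.data"
        data.write_text(SAMPLE_DATA)
        found, missing = check_conf(conf)
        return len(found), [Path(m).name for m in missing], load_phrases(data)


if __name__ == "__main__":
    print(demo())  # (1, ['Missing.data'], ['xp_cmdshell', 'load_file', 'utl_http'])
```

To use it against a real install, call `check_conf("/path/to/GenericAttack.conf")` and look at the second list it returns: anything listed there is a file the rule names but that does not exist next to the .conf, which is exactly the situation where Apache refuses to start with a ModSecurity error about the data file. If you want the .data to live elsewhere, give the rule an absolute path instead of moving the .conf.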
I upload the .conf to mod_security, so should they be on the mod_security path?
Robertosky wrote: "I upload the .conf to mod_security, so should they be on the mod_security path?"

Could you provide the specific paths you are referring to? Thank you.