Enhance 3 remaining rules (942521, 943110, 943120) where affected parameter is not visible in alert message · Issue #3428 · coreruleset/coreruleset · GitHub
Enhance 3 remaining rules (942521, 943110, 943120) where affected parameter is not visible in alert message #3428


Closed
dune73 opened this issue Dec 15, 2023 · 5 comments · Fixed by #3543

@dune73
Member
dune73 commented Dec 15, 2023

@airween has improved quite a few of these rules. See #3409 for a pattern how to do this.

Here are example alert messages of the 3 rules in question:

## 942521

```
[2023-12-15 09:39:53.898812] [security2:error] 127.0.0.1:37032 ZXwQ2fUpwlBSgEDtAzsRagAAABE [client 127.0.0.1] ModSecurity: Warning. Pattern match "^(?:and|or)$" at TX:1. [file "/home/dune73/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1536"] [id "942521"] [msg "Detects basic SQL authentication bypass attempts 4.1/4"] [data "Matched Data: -1839' or found within TX:1: or"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "localhost"] [uri "/"] [unique_id "ZXwQ2fUpwlBSgEDtAzsRagAAABE"]
```

## 943110

```
[2023-12-15 09:39:58.868778] [security2:error] 127.0.0.1:58950 ZXwQ3vUpwlBSgEDtAzsa3AAAABA [client 127.0.0.1] ModSecurity: Warning. Match of "endsWith %{request_headers.host}" against "TX:1" required. [file "/home/dune73/crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "69"] [id "943110"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer"] [data "Matched Data: http://www.attackersite.com/ found within TX:1: www.attackersite.com"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/225/21/593/61"] [hostname "localhost"] [uri "/login.php"] [unique_id "ZXwQ3vUpwlBSgEDtAzsa3AAAABA"]
```

## 943120

```
[2023-12-15 09:39:58.890206] [security2:error] 127.0.0.1:59046 ZXwQ3vUpwlBSgEDtAzsa6AAAABQ [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/home/dune73/crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "95"] [id "943120"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: jsessionid found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/225/21/593/61"] [hostname "localhost"] [uri "/login.php"] [unique_id "ZXwQ3vUpwlBSgEDtAzsa6AAAABQ"]
```

This is a problem that only affects chained rules. With the 92x rules, it's usually clear what's at stake even if the log message does not reveal the original parameter hit. (-> because the rule inspects only the Accept header for example). But with the application rules, you are left in the dark. So the log messages of these rules should be enhanced.

I went through all the chained rules systematically and checked the log message. These seem to be the only remaining ones where we need to update the rule.

I do not think this is mandatory for a v4 release, but it would be sweet.

Also: I did this to make sure my C-Rex software is able to pick the correct parameter for every CRS rule alert, always. Catching up on a few of the rules now.

@airween
Contributor
airween commented Dec 15, 2023

Thanks, I'm going to take a look at this soon.

Btw. I think more and more that the mentioned check should be integrated into our pipeline.

@dune73
Member Author
dune73 commented Dec 15, 2023

Thank you

airween changed the title from "Enhance 3 remaining rules (942521, 943110, 932120) where affected parameter is not visible in alert message" to "Enhance 3 remaining rules (942521, 943110, 943120) where affected parameter is not visible in alert message" on Dec 15, 2023
@airween
Contributor
airween commented Dec 15, 2023

I'm wondering why 942440 does not follow this behavior:

```
[id "942440"] [msg "SQL Comment Sequence Detected"] [data "Matched Data: ;-- found within ARGS:var: DROP sampletable;--"]
```

This rule uses MATCHED_VARS (there is an S at the end) and not MATCHED_VAR.

Maybe we can use this solution for each case?
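To make the difference between the two kinds of alert concrete (the `TX:1` messages in the issue description versus the `ARGS:var` message from 942440 above), here is an added Python example, not part of this issue, CRS or C-Rex, that parses the `[data ...]` field of ModSecurity 2.x alert lines and flags rules whose alert does not reveal the affected parameter. The sample lines are constructed from the ones quoted in this thread, and the classification of which variables count as "visible" is my assumption.

```python
import re

# Constructed sample alert fragments, modelled on the lines quoted in this issue:
# the chained rules 942521 and 943120 report TX:1 / a bare REQUEST_HEADERS count,
# while 942440 (MATCHED_VARS) names the real parameter ARGS:var.
SAMPLE_ALERTS = [
    '[id "942521"] [msg "Detects basic SQL authentication bypass attempts 4.1/4"] '
    '[data "Matched Data: -1839\' or found within TX:1: or"] [severity "CRITICAL"]',
    '[id "942440"] [msg "SQL Comment Sequence Detected"] '
    '[data "Matched Data: ;-- found within ARGS:var: DROP sampletable;--"] [severity "CRITICAL"]',
    '[id "943120"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] '
    '[data "Matched Data: jsessionid found within REQUEST_HEADERS: 0"] [severity "CRITICAL"]',
]

# [key "value"] fields of a ModSecurity 2.x error-log alert; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "Matched Data: <match> found within <VARIABLE[:key]>: <value>"
DATA_RE = re.compile(r"^Matched Data: (?P<match>.*?) found within "
                     r"(?P<var>[A-Z_]+(?::[^ ]+?)?): (?P<value>.*)$", re.S)

# Assumed set of single-valued request variables that identify the inspected location alone.
SCALAR_REQUEST_VARS = {"REQUEST_URI", "REQUEST_URI_RAW", "REQUEST_LINE", "REQUEST_BODY",
                       "REQUEST_FILENAME", "REQUEST_BASENAME", "QUERY_STRING", "REQUEST_METHOD"}

def parameter_visible(var):
    """True if the [data] variable points at a concrete request parameter.

    TX:* is a transaction-scoped capture (the chained-rule case from this issue), and a
    collection name without a key (e.g. a bare REQUEST_HEADERS count) names no parameter.
    """
    if var is None:
        return False
    collection, _, key = var.partition(":")
    if collection == "TX":
        return False
    return bool(key) or collection in SCALAR_REQUEST_VARS

def parse_alert(line):
    """Extract rule id, matched data, variable and whether the parameter is visible."""
    fields = dict(FIELD_RE.findall(line))
    m = DATA_RE.match(fields.get("data", ""))
    var = m.group("var") if m else None
    return {"id": fields.get("id"), "variable": var,
            "matched": m.group("match") if m else None,
            "parameter_visible": parameter_visible(var)}

def hidden_parameter_rules(lines):
    """Rule ids whose alert does not reveal the affected parameter (sorted, unique)."""
    return sorted({a["id"] for a in map(parse_alert, lines) if not a["parameter_visible"]})

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_alert(line))
    print("rules needing a better message:", hidden_parameter_rules(SAMPLE_ALERTS))
```

Run against a real error log, the `hidden_parameter_rules` list is the same systematic check the issue describes doing by hand.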

@airween
Contributor
airween commented Dec 15, 2023

Rule 931131 also uses an interesting solution which avoids this behavior.

@dune73
Member Author
dune73 commented Dec 20, 2023

Yes, I saw the 931131 too. Maybe we can converge on a single variant and not have every chained rule re-invent the wheel.
