ModSecurity Alert Management - GUUG

I have a WAF - help, it's logging! ModSecurity Alert Management

Frühjahrsfachgespräch 2013, GUUG

Christian Bockermann - chris @ jwall.org

About me
‣ Chair of Artificial Intelligence, Technische Universität Dortmund (Computer Science Department, Artificial Intelligence Group)
‣ Research in data-stream mining, log analysis, web security
‣ Developer of tools around ModSecurity
  ‣ AuditViewer, AuditConsole
  ‣ Web Policy Compiler, Web Application Profiler
  ‣ jwall-rbld, jwall-tools

www.jwall.org @jwallorg

Agenda
‣ ModSecurity: Open Source Web Application Firewall
‣ AuditConsole: alert management with the jwall.org AuditConsole
‣ Behind the Scenes: current developments around the AuditConsole

ModSecurity Open Source Web Application Firewall


Attacks on Web Applications

Attacks on Web Applications
OWASP Top 10 (OWASP - Open Web Application Security Project, http://www.owasp.org/):
1. Injection Flaws (SQL injection, RFI, ...)
2. Cross Site Scripting (XSS)
3. Broken Authentication / Session Management
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Malicious File Execution (Remote File Inclusion)

ModSecurity - Open Source Web Application Firewall
Developed by Ivan Ristic (started 2002)
‣ ModSecurity, Ivan Ristic, 2002, www.modsecurity.org
‣ Apache Security, Ivan Ristic, 2005, http://www.apachesecurity.net/
Acquired by Breach Security ~ 9/2006; Trustwave buys Breach ~ mid-2010
‣ Continued development (currently ModSecurity 2.6.8)
‣ OWASP Core Rule Set (Ryan Barnett)
‣ Port for the NGinx web server

ModSecurity
ModSecurity is a filter module for the Apache web server (and NGinx)
‣ Request filter engine inside the web server
‣ Rule language for defining firewall rules on web traffic
[Diagram: Apache -> ModSecurity module -> Rule 1 ... Rule N]

ModSecurity
Real-time filtering of HTTP
‣ Rule engine directly in the Apache process
‣ Complete logging of HTTP accesses
Virtual Patching
‣ Fix vulnerabilities quickly and precisely
Web application hardening & intrusion detection
‣ Attack detection with generic rule sets

ModSecurity - Setups
[Diagram: three deployment setups]
‣ Inside the web server: Apache + ModSecurity -> Web Application (PHP, CGI, Python, ...)
‣ As a reverse-proxy system: Apache + ModSecurity + mod_proxy -> (http, ajp) -> Application Server / Web Application
‣ As a passive sensor: Apache + ModSecurity observing traffic to the Web Application

ModSecurity - Rule Sets
Where do ModSecurity rules come from?
‣ ModSecurity Core Rules: OWASP project, Trustwave; freely available rules
‣ Atomicorp Mod Security Rules (gotroot.com rules): Michael Shinn et al., http://www.gotroot.com; support + extended rules; subscription model for automatic updates

ModSecurity - Virtual Patching
Own rules (virtual patching): a pentest has found a SQL injection possibility.
Software development life cycle: Fixing 1 week, Testing 2 weeks, Deployment 1 day? - about 3 weeks in total.
Option: manual WAF rules to close the hole on short notice

ModSecurity - Virtual Patching
Sony breach: > 1 million clear-text passwords; the password files were available via torrent.
"It was only Sony - doesn't affect us!?" What if one of our users also used the Sony platform?

# block the login if the login,password pair is compromised
# /tmp/passwords holds one "login#password" line per leaked pair;
# the rule ids are placeholders, pick free ids in your own rule set
SecAction "phase:2,nolog,pass,id:1000001,setvar:tx.lp=%{ARGS:login}#%{ARGS:pass}"
SecRule TX:LP "@pmFromFile /tmp/passwords" "phase:2,id:1000002,log,deny,msg:'Leaked credential pair used for login'"

ModSecurity
What happens when an attack is detected?
‣ One or more rules have matched
‣ Depending on configuration - e.g. redirect to an error page
‣ The transaction is logged.

ModSecurity Audit Logs

--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
OPTIONS * HTTP/1.0
User-Agent: (internal dummy connection)

--289e0346-F--
HTTP/1.1 200 OK
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

--289e0346-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/modsecurity/rules/core-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "27"] [id "960008"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/rules/core-rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"]
Stopwatch: 1262268658079465 19725 (18690 19256 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.3 (CentOS)

--289e0346-Z--

--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Connection: Keep-Alive
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

--edb3cf77-E--
(response body: the IIS "The page cannot be found" HTML error page returned by the backend, rendered text only)
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
  • Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
  • If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
  • Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
Technical Information (for support personnel)
...

--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=55
Connection: Keep-Alive

--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Stopwatch: 1256057413859166 67702 (355 47563 67008)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g

--edb3cf77-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--edb3cf77-Z--
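The two audit-log transactions above are what a WAF hands an operator for every alert, and managing them starts with splitting the serial log into its parts and pulling the rule hits out of part H. The following Python parser is an added example for this talk's material, not code from the slides or from the jwall.org tools; the sample log is constructed here (the parts are abridged from the two transactions shown), and all function names are the example's own. It returns, per transaction, the client address, the rule ids that fired and the anomaly score from the correlation message, plus a count of rule ids across all transactions, which is the first question to ask when a rule set produces more alerts than anyone can read:

```python
import re
from collections import Counter

# Constructed sample: two ModSecurity 2.x serial audit-log entries, abridged from the
# transactions shown on the slides (parts A, B, F, H, Z; response body E omitted).
SAMPLE_LOG = """\
--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
OPTIONS * HTTP/1.0
User-Agent: (internal dummy connection)

--289e0346-F--
HTTP/1.1 200 OK
Content-Length: 0

--289e0346-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/modsecurity/rules/core-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "27"] [id "960008"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/rules/core-rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"]
Stopwatch: 1262268658079465 19725 (18690 19256 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.4.

--289e0346-Z--
--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Host: example.xom
Pragma: no-cache

--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server

--edb3cf77-Z--
"""

# Part boundary: "--<transaction id>-<part letter>--" on a line of its own
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Bracketed attributes in a part-H "Message:" line, e.g. [id "960008"]
ATTR = re.compile(r'\[(\w+) "([^"]*)"\]')
# Part A: timestamp, unique id, client address/port, server address/port
PART_A = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)")
# Score reported by the CRS correlation rule (see the phase-5 rule in part K above)
SCORE = re.compile(r"Anomaly Score \(score (\d+)\)")


def parse_audit_log(text):
    """Split a serial audit log into {transaction_id: {part_letter: part_text}}.
    A part runs from its boundary line to the next boundary; part Z has no body
    and closes the transaction."""
    transactions = {}
    tx_id = part = None
    buf = []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if tx_id is not None:
                buf.append(line)
            continue
        if tx_id is not None:                      # flush the part collected so far
            transactions[tx_id][part] = "\n".join(buf).strip("\n")
        tx_id, part = m.group(1), m.group(2)
        transactions.setdefault(tx_id, {})
        buf = []
        if part == "Z":                            # terminator: stop collecting
            tx_id = part = None
    return transactions


def parse_alerts(part_h):
    """One dict per 'Message:' line in part H. Rule hits carry an [id]; the CRS
    correlation message has none, so its anomaly score is pulled out of [msg]."""
    alerts = []
    for line in part_h.splitlines():
        if not line.startswith("Message: "):
            continue
        attrs = ATTR.findall(line)
        alert = {k: v for k, v in attrs if k != "tag"}
        alert["tags"] = [v for k, v in attrs if k == "tag"]    # a rule may carry several tags
        m = SCORE.search(alert.get("msg", ""))
        alert["anomaly_score"] = int(m.group(1)) if m else None
        alerts.append(alert)
    return alerts


def parse_part_a(part_a):
    """Timestamp, unique id and the two endpoints from part A (empty dict if malformed)."""
    m = PART_A.match(part_a)
    return m.groupdict() if m else {}


def summarize(text):
    """Per-transaction event list plus a Counter of rule ids over the whole log."""
    by_rule = Counter()
    events = []
    for tx_id, parts in parse_audit_log(text).items():
        alerts = parse_alerts(parts.get("H", ""))
        meta = parse_part_a(parts.get("A", ""))
        score = max((a["anomaly_score"] or 0 for a in alerts), default=0)
        rule_ids = [a["id"] for a in alerts if "id" in a]
        by_rule.update(rule_ids)
        events.append({"tx": tx_id, "time": meta.get("time"), "client": meta.get("src"),
                       "rules": rule_ids, "anomaly_score": score})
    return events, by_rule


if __name__ == "__main__":
    events, by_rule = summarize(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print("rule hits:", by_rule.most_common())
```

Run as a script it prints one summary line per transaction and the rule-id counts; point `summarize` at the contents of a real `SecAuditLog` file written in serial format to get the same view of a production log. Tags are kept as a list because a single rule can emit several `[tag ...]` attributes, and the correlation message is deliberately not counted as a rule hit, since it only reports the score accumulated by the other rules.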

  • Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
  • If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
  • Click the Back button to try another link.

HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)


Technical Information (for support personnel)

... --edb3cf77-F-HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Vary: Accept-Encoding Keep-Alive: timeout=15, max=55 Connection: Keep-Alive

--edb3cf77-H-Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] Apache-Handler: proxy-server Stopwatch: 1256057413859166 67702 (355 47563 67008) Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1. Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g

--edb3cf77-H-Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] Apache-Handler: proxy-server Stopwatch: 1256057413859166 67702 (355 47563 67008) Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1. Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g

--edb3cf77-K-SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION" SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id: 960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ" SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain" SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-% {matched_var_name}=%{matched_var}" SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5" SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK" SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES" SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--edb3cf77-K-SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION" SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id: 960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ" SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain" SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-% {matched_var_name}=%{matched_var}" SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5" SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK" SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES" SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--edb3cf77-Z--

--edb3cf77-Z--

--edb3cf77-A-[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443 --edb3cf77-B-GET /cart/ HTTP/1.1 Connection: Keep-Alive Host: example.xom Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8

--edb3cf77-A-[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443 --edb3cf77-B-GET /cart/ HTTP/1.1 Connection: Keep-Alive Host: example.xom Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8

--edb3cf77-E- The page cannot be found BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon }


--edb3cf77-E- The page cannot be found BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } , =,
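The entry above is in ModSecurity's serial audit log format: parts A (transaction summary), B (request headers), E (response body), F (response headers), H (audit trailer with the rule messages and the anomaly score), K (matched rules) and Z (end marker), each introduced by a "--<boundary>-<letter>--" line. As an added example, not from the slides or from the jwall.org tools, the following Python parser cuts such a log into entries and flattens each into the fields an alert console would index: client address, request line, Host, response status, matched rule ids, severities and the anomaly score. The embedded sample is a shortened copy of the entry above (part E and a few headers left out); all function names are mine.

```python
import re

# Constructed sample: the audit-log entry from the slides, shortened (the HTML
# response body in part E and some headers left out). Boundary "edb3cf77" and
# all values are the page's own.
SAMPLE_LOG = """--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Connection: Keep-Alive
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html

--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.

--edb3cf77-Z--
"""

# Part boundary: "--<boundary>-<letter>--" on a line of its own.
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Part A: "[timestamp] txid client_ip client_port server_ip server_port"
A_RE = re.compile(r"^\[(?P<timestamp>[^\]]+)\] (?P<txid>\S+) (?P<client_ip>\S+) "
                  r"(?P<client_port>\d+) (?P<server_ip>\S+) (?P<server_port>\d+)")
# [key "value"] fields inside a "Message:" line of part H.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ANOMALY_RE = re.compile(r"Operator GE matched (\d+) at TX:anomaly_score")


def split_entries(text):
    """Cut a serial audit log into entries: one dict of part letter -> raw text per A..Z block."""
    entries, current = [], None
    marks = list(PART_RE.finditer(text))
    for i, m in enumerate(marks):
        boundary, part = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if part == "A":
            current = {"boundary": boundary}
            entries.append(current)
        if current is None or current["boundary"] != boundary:
            continue  # part without a matching A header: ignore it
        if part == "Z":
            current = None  # Z closes the entry
        else:
            current[part] = text[m.end():end].strip("\n")
    return entries


def head_and_headers(block):
    """Split a B or F part into its first line and a dict of lower-cased headers."""
    lines = block.splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers


def parse_entry(entry):
    """Flatten one entry into the fields an alert console would index."""
    ev = {"boundary": entry["boundary"], "messages": [], "anomaly_score": 0}
    m = A_RE.match(entry.get("A", ""))
    if m:
        ev.update(m.groupdict())
    request_line, req_headers = head_and_headers(entry.get("B", ""))
    words = request_line.split()
    ev["method"], ev["uri"], ev["protocol"] = (words + ["", "", ""])[:3]
    ev["host"] = req_headers.get("host", "")
    ev["user_agent"] = req_headers.get("user-agent", "")
    status_line, _ = head_and_headers(entry.get("F", ""))
    words = status_line.split()
    ev["status"] = int(words[1]) if len(words) > 1 and words[1].isdigit() else None
    for line in entry.get("H", "").splitlines():
        if not line.startswith("Message: "):
            continue
        fields = dict(FIELD_RE.findall(line))
        ev["messages"].append({k: fields.get(k) for k in ("id", "msg", "severity", "tag")})
        hit = ANOMALY_RE.search(line)
        if hit:
            ev["anomaly_score"] = int(hit.group(1))
    ev["rule_ids"] = [msg["id"] for msg in ev["messages"] if msg["id"]]
    return ev


def parse_audit_log(text):
    return [parse_entry(e) for e in split_entries(text)]


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_LOG):
        print(ev["client_ip"], ev["method"], ev["host"] + ev["uri"], ev["status"],
              "score", ev["anomaly_score"], "rules", ev["rule_ids"])
```

The anomaly score is read from the correlation rule's message rather than recomputed, which is what the console has to do as well: the K part lists the rules that matched, but only the H part says what they added up to. The second message line (the correlation warning) carries no [id ...] field, so rule_ids only contains 960020.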

Frühjahrsfachgespräch 2013, GUUG

http://internal.wiki/notes/sqli

Christian Bockermann - chris @ jwall.org

Tagging
‣ Regression testing
‣ A set of events serves as a regression test set
‣ Filtering and download by tag is possible
‣ jwall-tools allow HTTP replay of audit-log data:
# jwall eval 10.0.0.1 /path/events.dat

AuditConsole - Event Processing
Every received event passes through a pipeline:

  mlogc → Web Receiver (alternative inputs: TCP Receiver, File Observer)
  → Score, DNS, Geo Lookup
  → Site Mapping
  → User Rule Engine
  → Storage Listener

Site Concept
‣ Web environments are often fairly complex
‣ Web applications are reachable via several URLs
‣ Different virtual hosts, server aliases
‣ A Site groups several hosts/URL ranges together
‣ e.g. one Site per web application
‣ one Site for several related web applications

Site Concept
‣ Typically a Site corresponds to a set of virtual hosts, e.g.:

--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
OPTIONS * HTTP/1.0
Host: www.test.com
User-Agent: (internal dummy connection)

  Host: www.test.com  →  Site: test.com

--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
GET / HTTP/1.1
Host: www.jwall.org
User-Agent: wget

  Host: www.jwall.org, Host: secure.jwall.org  →  Site: jwall.org

Site Concept
‣ Log data can be assigned to a Site by rules directly when it is received
‣ Very flexible assignment is possible, e.g.

  Condition                              Site
  REQUEST_HEADERS:Host @sx *jwall.org    jwall.org
  REQUEST_URI @sx /myApp/*               MyApp
  SENSOR_NAME = „honeypot“               HoneyPot
  SERVER_ADDR = 72.64.92.2               jwall.org

Multi-User Concept
‣ The AuditConsole includes user management
‣ Permission management for users
‣ User-defined request filters
‣ E-mail notification, reports, ... per user

Multi-User Concept
Each user is assigned a view that determines which events they are allowed to see.

  Site: jwall.org        Site: test.com

Multi-User Concept
‣ Integration of SSO solutions is also possible
‣ OpenID
‣ Google login
‣ Central authentication via CAS
‣ The implementation uses the spring-security framework, so numerous further authentication methods are possible (LDAP, Kerberos)

Event Rules
Users can define rules for events:

‣ Deleting events (from the view)
‣ Tagging/marking an event
‣ E-mail notifications
‣ Calling external scripts
‣ Calling external URLs, e.g. GET fw.jwall.org/block.pl?ip=%{REMOTE_ADDR}
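The site mapping rules and the user event rules above are two stages of the same event pipeline: first an incoming event is assigned to a Site by a condition on one of its variables, then the user's rules decide whether it is tagged, dropped from the view or reported to an external URL. As an added example, not the AuditConsole's own code, the following Python puts both stages together over a few constructed events. The site rules are the four from the slide; the user rules, the event values and all function names are mine. The "@sx" operator is taken to be a shell-style wildcard match (an assumption about the slide's notation), and the external URL action is only rendered from the %{VAR} template, never actually sent.

```python
import fnmatch
import re

# Constructed sample events in the flattened form a receiver hands on. Variable
# names follow ModSecurity's; the values are made up (72.64.92.2 is the slide's).
EVENTS = [
    {"REQUEST_HEADERS:Host": "www.jwall.org", "REQUEST_URI": "/index.html",
     "REMOTE_ADDR": "203.0.113.7", "SERVER_ADDR": "198.51.100.10",
     "SENSOR_NAME": "edge-1", "TX:ANOMALY_SCORE": 5},
    {"REQUEST_HEADERS:Host": "shop.example.com", "REQUEST_URI": "/myApp/login",
     "REMOTE_ADDR": "203.0.113.8", "SERVER_ADDR": "198.51.100.11",
     "SENSOR_NAME": "edge-1", "TX:ANOMALY_SCORE": 25},
    {"REQUEST_HEADERS:Host": "trap.example.net", "REQUEST_URI": "/admin",
     "REMOTE_ADDR": "203.0.113.9", "SERVER_ADDR": "198.51.100.12",
     "SENSOR_NAME": "honeypot", "TX:ANOMALY_SCORE": 0},
    {"REQUEST_HEADERS:Host": "10.0.0.5", "REQUEST_URI": "/",
     "REMOTE_ADDR": "203.0.113.10", "SERVER_ADDR": "72.64.92.2",
     "SENSOR_NAME": "edge-2", "TX:ANOMALY_SCORE": 0},
]

# Site-mapping rules from the slide, evaluated in order; first match wins.
SITE_RULES = [
    ("REQUEST_HEADERS:Host", "@sx", "*jwall.org", "jwall.org"),
    ("REQUEST_URI", "@sx", "/myApp/*", "MyApp"),
    ("SENSOR_NAME", "=", "honeypot", "HoneyPot"),
    ("SERVER_ADDR", "=", "72.64.92.2", "jwall.org"),
]

# User rules (constructed): condition plus the action to take on a match.
USER_RULES = [
    ("TX:ANOMALY_SCORE", "@ge", "20", "url", "GET fw.jwall.org/block.pl?ip=%{REMOTE_ADDR}"),
    ("SITE", "=", "HoneyPot", "tag", "honeypot"),
    ("REQUEST_URI", "=", "/", "delete", None),
]

MACRO_RE = re.compile(r"%\{([^}]+)\}")


def condition_holds(event, variable, operator, argument):
    """Evaluate one condition; @sx is taken as a shell-style wildcard match (assumed)."""
    value = str(event.get(variable, ""))
    if operator == "@sx":
        return fnmatch.fnmatchcase(value, argument)
    if operator == "=":
        return value == argument
    if operator == "@ge":
        return value.isdigit() and int(value) >= int(argument)
    raise ValueError("unknown operator %r" % operator)


def map_site(event, rules=SITE_RULES, default="unassigned"):
    """Assign the event to the Site of the first matching rule."""
    for variable, operator, argument, site in rules:
        if condition_holds(event, variable, operator, argument):
            return site
    return default


def expand(template, event):
    """Expand %{VAR} macros from event variables (ModSecurity macro syntax)."""
    return MACRO_RE.sub(lambda m: str(event.get(m.group(1), "")), template)


def run_user_rules(event, rules=USER_RULES):
    """Apply rules in order. Returns (keep_in_view, requested_actions); the
    external URL is only rendered here, not fetched. 'delete' ends processing."""
    actions = []
    event.setdefault("TAGS", [])
    for variable, operator, argument, action, param in rules:
        if not condition_holds(event, variable, operator, argument):
            continue
        if action == "tag":
            event["TAGS"].append(param)
            actions.append(("tag", param))
        elif action == "url":
            actions.append(("url", expand(param, event)))
        elif action == "delete":
            actions.append(("delete", None))
            return False, actions
    return True, actions


def process(events):
    """Site mapping, then user rules, then storage of whatever survived."""
    stored, log = [], []
    for raw in events:
        event = dict(raw)
        event["SITE"] = map_site(event)
        keep, actions = run_user_rules(event)
        log.append((event["SITE"], keep, actions))
        if keep:
            stored.append(event)
    return stored, log


if __name__ == "__main__":
    for site, keep, actions in process(EVENTS)[1]:
        print(site, "stored" if keep else "dropped", actions)
```

Site mapping runs before the user rules so that a rule may refer to the SITE variable, as the tagging rule does. The honeypot event survives the delete rule only because the rules are ordered; a user who puts the delete rule first sees it dropped before it is tagged, which is the kind of interaction the per-user view makes easy to check.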

Event Rules

Reporting
DocBook-based reporting engine

‣ Aggregation of events
‣ Top-k statistics (e.g. the 10 most frequent IPs)
‣ Integration with event filters
‣ Country map based on GeoIP
‣ Report templates available, custom reports can be created
‣ Generates HTML reports (and PDF)
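The two report building blocks named above, top-k statistics and per-host aggregation, both restricted by an event filter, are short enough to show in full. As an added example, not the AuditConsole's reporting engine, the following Python computes them over a handful of constructed stored events (field names and values are mine) and renders the status-per-host summary as the plain-text table a report would carry.

```python
from collections import Counter, defaultdict

# Constructed sample of stored events (a few fields as a console would hold
# them after DNS/Geo lookup; all values made up).
EVENTS = [
    {"host": "www.jwall.org", "status": 200, "remote_addr": "203.0.113.7", "country": "DE"},
    {"host": "www.jwall.org", "status": 404, "remote_addr": "203.0.113.7", "country": "DE"},
    {"host": "www.jwall.org", "status": 403, "remote_addr": "198.51.100.4", "country": "US"},
    {"host": "secure.jwall.org", "status": 403, "remote_addr": "198.51.100.4", "country": "US"},
    {"host": "secure.jwall.org", "status": 200, "remote_addr": "203.0.113.9", "country": "FR"},
    {"host": "www.test.com", "status": 403, "remote_addr": "198.51.100.4", "country": "US"},
    {"host": "www.test.com", "status": 500, "remote_addr": "192.0.2.33", "country": "DE"},
]


def top_k(events, field, k=10, where=lambda e: True):
    """Top-k values of one field, optionally restricted by an event filter."""
    return Counter(e[field] for e in events if where(e)).most_common(k)


def status_per_host(events, where=lambda e: True):
    """host -> {status -> count}: the 'Summary of Response Status per Host' table."""
    table = defaultdict(Counter)
    for e in events:
        if where(e):
            table[e["host"]][e["status"]] += 1
    return {host: dict(counts) for host, counts in table.items()}


def render_status_table(table):
    """Plain-text rendering with one column per status code seen and a total."""
    statuses = sorted({s for counts in table.values() for s in counts})
    lines = ["host".ljust(20) + "".join(str(s).rjust(6) for s in statuses) + "total".rjust(7)]
    for host in sorted(table):
        counts = table[host]
        lines.append(host.ljust(20)
                     + "".join(str(counts.get(s, 0)).rjust(6) for s in statuses)
                     + str(sum(counts.values())).rjust(7))
    return "\n".join(lines)


if __name__ == "__main__":
    blocked = lambda e: e["status"] == 403
    print("top blocked clients:", top_k(EVENTS, "remote_addr", 3, where=blocked))
    print("countries:", top_k(EVENTS, "country"))
    print(render_status_table(status_per_host(EVENTS)))
```

The filter is passed in as a predicate so the same aggregation serves the per-user views described earlier: a user's view is just a predicate over the stored events, and every report statistic is evaluated behind it.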

Reporting
Geographic display of attacks (report figure: "Geographic Distribution of Attacks ...")
Geo-IP display is possible in reports.
Simple aggregation of status codes by, e.g., host (report figure: "Summary of Response Status per Host"; caption: "This is only a small example.")

AuditConsole
Current version is 0.4.6

‣ Tested with Apache Derby, MySQL, PostgreSQL, Oracle
‣ Receives up to 80~90 events/second via HTTP, 200+ via TCP
‣ Live dashboard
‣ Runs in common servlet containers (Jetty, Tomcat)
‣ Offers an optional REST API, integrated RBL server
‣ Simple installation via Debian/RPM packages

AuditConsole
‣ Log management tool of the ModSecurity community
‣ Central log console of the Web Honeypot project
‣ In production use at several companies
‣ Sponsored through donations