Cristóbal Palmer | 17 Feb 08:50

NetNewsWire trips 960011,960015,960904

I think NetNewsWire/3.1.7 is causing a false positive (please pardon
the exceedingly long lines from the audit log):

--ec1d7c2b-A--
[17/Feb/2009:00:35:32 --0600] go2wnEPA-0QAAANqBr4AAAAA [remote IP redacted] 33331 [local IP
redacted] 80
--ec1d7c2b-B--
GET /wp-commentsrss2.php HTTP/1.1
Host: [realblognameredacted.example.com]
Accept-Encoding: gzip
User-Agent: NetNewsWire/3.1.7 (Mac OS X; http://www.newsgator.com/Individuals/NetNewsWire/)
If-None-Match: "296ae0448a8c91602f2d552e96baa308"
If-Modified-Since: Tue, 17 Feb 2009 06:34:00 GMT
Connection: close

--ec1d7c2b-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
X-Pingback: http://[realblognameredacted.example.com]/xmlrpc.php
Last-Modified: Tue, 17 Feb 2009 06:35:00 GMT
ETag: "acdf648ee8148a3784ccaa850dd3716e"
Content-Length: 13632
Connection: close
Content-Type: text/xml;charset=UTF-8

--ec1d7c2b-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"]
 [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Apache-Handler: php5-script
Stopwatch: 1234852532564124 133463 (257 989 133282)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); core ruleset/1.6.1.
Server: Apache

--ec1d7c2b-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
"phase:2,chain,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Accept" "@eq 0"
"phase:2,chain,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,pass,t:none"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
"phase:2,pass,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing
Content-Type header',id:960904,severity:4"
SecAction "phase:2,auditlog,nolog,skipAfter:959009"
SecAction "phase:2,auditlog,nolog,skipAfter:959007"
SecAction "phase:2,auditlog,nolog,skipAfter:959904"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile
inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys
xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and
sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file
xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant
select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql
'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecAction "phase:2,auditlog,nolog,skipAfter:959906"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer"
"@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup
activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout
onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode
background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript:
getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background
application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload
createtextrange onload <input" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecAction "phase:2,auditlog,nolog,skipAfter:959005"
SecAction "phase:2,auditlog,nolog,skipAfter:950006"
SecRule
"REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
"@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd
/chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id
/chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp
telnet cmd32.exe gcc g++" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
SecAction "phase:2,auditlog,nolog,skipAfter:959013"

--ec1d7c2b-Z--

So, thinking I would whitelist NetNewsWire, I first looked in
/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf at
the exceptions at the top and was then going to add the following to
/etc/httpd/modsecurity.d/modsecurity_crs_60_localrules.conf:

# Make an exception for NetNewsWire
SecRule REQUEST_LINE "^GET /wp-commentsrss2.php HTTP/1.1$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960011,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960904,id:'1',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "^NetNewsWire.*\(Mac OS X.*\)$"

Am I on the right track? Is modsecurity_crs_60_localrules.conf the
right place to put that? I'm confused since some places on the 'net
indicate the removals should come before, while others indicate
after. Please do recommend a better approach or exception rule if I'm
going about this wrong.

Cheers,
-- 
Cristóbal Palmer

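An added example (editor's illustration, not the poster's rule or anything shipped with the Core Rule Set) of the two forms an exception like this can take, and why placement differs between them. It assumes ModSecurity 2.5.x with the CRS files included in alphabetical order, so modsecurity_crs_60_localrules.conf is loaded after modsecurity_crs_21_protocol_anomalies.conf; the rule id 900001 is a placeholder.

```apache
# Form 1: conditional, per-transaction exception with ctl:ruleRemoveById.
# ctl: only removes rules that have not yet been evaluated in the current
# transaction, and phase-2 rules run in file order, so a phase:2 rule in
# 60_localrules would execute after 960011/960015/960904 have already fired.
# Putting the exception in phase:1 makes it run before any phase-2 rule,
# regardless of which file it lives in.
SecRule REQUEST_FILENAME "^/wp-commentsrss2\.php$" \
    "phase:1,chain,t:none,pass,nolog,id:'900001'"
    # Last link of the chain. Non-disruptive actions (ctl:, setvar:) run as
    # soon as the link they are attached to matches, so they go on the final
    # link; attached to the first link they would apply to every client that
    # fetched this path, not just NetNewsWire.
    SecRule REQUEST_HEADERS:User-Agent "^NetNewsWire/[0-9.]+ \(Mac OS X" \
        "t:none,ctl:ruleRemoveById=960011,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960904"

# Form 2: unconditional, configuration-time removal. This directive deletes
# the rule for every request, so it cannot be scoped to one client or path,
# but it must appear after the rule it names has been defined, which is why
# a later-loaded file such as 60_localrules is the right place for it.
# Shown here commented out because it would also disable the check for
# every other user agent on the site.
# SecRuleRemoveById 960015
```

The log shows only 960015 (the missing Accept header) actually matching, so the narrowest exception removes just that id; 960011 and 960904 appear in the K section because they share the chain, not because they fired on their own.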
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users