ModSecurity Allow Rules

AUS DON'T PANIC WIKI


ModSecurity Handbook:

Making Rules:

Argument Conditions Example

Uri allow:

  • <fqdn>/test.php?disable=true&testvar=test

Uri deny:

  • <fqdn>/test.php?disable=tru&testvar=test
SecRule REQUEST_URI "@beginsWith /test.php" "phase:1,chain,nolog,pass,id:10001"
  SecRule ARGS_GET:disable "@streq true" "id:10002,t:lowercase,ctl:ruleRemoveById=930100-930110"

Uri allow:

  • <fqdn>/<script>?modsec=disable&var=myvariable&testvar=test

Uri deny:

  • <fqdn>/<script>?modsec=disabled&var=myvariable&testvar=test
  • <fqdn>/<script>?modsec=disable&var=variable&testvar=test


SecRule ARGS_GET:modsec "@streq disable" "phase:1,chain,nolog,pass,id:10003"
  SecRule ARGS_GET:var "@contains myvar" "id:10004,t:lowercase,ctl:ruleRemoveById=930100-930110"
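The chain mechanics behind the two examples above, as an added Python example (not part of the wiki and not ModSecurity code): it parses SecRule lines in the form used here, treats a rule carrying chain as ANDed with the rule on the following line, and reports which CRS rule ids a request would switch off through ctl:ruleRemoveById. The rule set embedded in it is constructed from the two chains above plus a method chain in the style of the Zammad list further down, with two URI prefixes folded into one regex because links in a chain are ANDed; only the operators used on this page are supported and rule phases are ignored.

```python
"""Offline evaluator for ModSecurity allow rules written in the page's style.

Added example (not from the wiki, not ModSecurity code): groups SecRule lines
into chains and reports which CRS rule ids a request would switch off through
ctl:ruleRemoveById, so an allow list can be checked before it is deployed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed rule set: the page's two argument-condition chains, plus a method
# chain in the style of the Zammad list (two URI prefixes folded into one regex).
RULES = r'''
SecRule REQUEST_URI "@beginsWith /test.php" "phase:1,chain,nolog,pass,id:10001"
  SecRule ARGS_GET:disable "@streq true" "id:10002,t:lowercase,ctl:ruleRemoveById=930100-930110"
SecRule ARGS_GET:modsec "@streq disable" "phase:1,chain,nolog,pass,id:10003"
  SecRule ARGS_GET:var "@contains myvar" "id:10004,t:lowercase,ctl:ruleRemoveById=930100-930110"
SecRule REQUEST_METHOD "^DELETE$" "phase:1,chain,nolog,pass,id:10012"
SecRule REQUEST_URI "^/api/v1/(online_notifications|taskbar)" "id:10013,ctl:ruleRemoveById=911100"
'''

RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"\s*$')


def parse_actions(spec):
    """Split the action string; t: and ctl: may repeat, so they become lists."""
    acts = {"t": [], "ctl": []}
    for item in spec.split(","):
        key, _, val = item.partition(":")
        if key in ("t", "ctl"):
            acts[key].append(val)
        else:
            acts[key] = val or True
    return acts


def parse_chains(text):
    """A rule carrying 'chain' is ANDed with the rule on the following line."""
    chains, current = [], []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        var, op, spec = m.groups()
        current.append({"var": var, "op": op, "acts": parse_actions(spec)})
        if "chain" not in current[-1]["acts"]:
            chains.append(current)
            current = []
    if current:  # a chain starter with nothing after it is a configuration error
        raise ValueError("dangling chain starter " + str(current[-1]["acts"].get("id")))
    return chains


def lookup(var, method, uri, headers):
    """Resolve the variables used on the page to the request values they read."""
    coll, _, key = var.partition(":")
    if coll == "ARGS_GET":
        return parse_qs(urlsplit(uri).query).get(key, [])
    if coll == "REQUEST_HEADERS":
        return [v for k, v in headers.items() if k.lower() == key.lower()]
    # REQUEST_URI keeps the query string, as in ModSecurity
    return {"REQUEST_URI": [uri], "REQUEST_METHOD": [method]}[coll]


def matches(op, value):
    """Operators the page uses; a bare pattern is an implicit @rx."""
    name, _, arg = op.partition(" ")
    if not op.startswith("@"):
        return re.search(op, value) is not None
    return {"@beginsWith": value.startswith(arg),
            "@streq": value == arg,
            "@contains": arg in value}[name]


def rule_matches(rule, method, uri, headers):
    values = lookup(rule["var"], method, uri, headers)
    if "lowercase" in rule["acts"]["t"]:
        values = [v.lower() for v in values]
    return any(matches(rule["op"], v) for v in values)


def expand_ids(spec):
    """ruleRemoveById takes one id or an inclusive range such as 930100-930110."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def removed_rule_ids(chains, method, uri, headers=None):
    """CRS ids switched off for this request; a chain fires only if every link matches."""
    removed = set()
    for chain in chains:
        if all(rule_matches(r, method, uri, headers or {}) for r in chain):
            for rule in chain:
                for ctl in rule["acts"]["ctl"]:
                    action, _, arg = ctl.partition("=")
                    if action == "ruleRemoveById":
                        removed |= expand_ids(arg)
    return removed


def duplicate_ids(chains):
    """Ids used twice; ModSecurity refuses to load such a configuration."""
    seen, dups = set(), set()
    for rule in (r for chain in chains for r in chain):
        rid = rule["acts"].get("id")
        if rid is not None:
            (dups if rid in seen else seen).add(rid)
    return dups


if __name__ == "__main__":
    for req in [("GET", "/test.php?disable=true&testvar=test"), ("DELETE", "/api/v1/taskbar/42")]:
        print(req, "->", sorted(removed_rule_ids(parse_chains(RULES), *req)))
```

Feed it the allow list for a host and the requests seen in the audit log to confirm that each exception only removes rules for the intended path and argument combination; duplicate_ids catches the id collisions that appear when several of the per-application lists below are merged into one file.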

Custom Rule Example

https://example.at/?modsec=disable

SecRule ARGS_GET:modsec "@streq disable" "phase:1,deny,id:10001,status:403,msg:'Modsec Diable Test'"

Logfile

Access denied with code 403 (phase 1). Matched "Operator `StrEq' with parameter `disable' against variable `ARGS_GET:modsec' (Value: `disable' ) [file "<<reference missing or not informed>>"] [line "2"] [id "10001"] [rev ""] [msg "Modsec Diable Test"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.0.1"] [uri "/"] [unique_id "157485998771.391198"] [ref "v13,7"], client: 172.16.0.1, server: example.at, request: "GET /?modsec=disable HTTP/1.1", host: "example.at"
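A parser for log lines of this shape, added here as a Python example (not from the wiki): it extracts the bracketed key/value pairs and the client/server/request tail into a dict, marks whether the request was blocked, and tells hits on the wiki's own rule ids apart from Core Rule Set hits. The first sample line is the page's log entry copied as-is; the second is a constructed line in the same format with placeholder values.

```python
"""Field extractor for ModSecurity v3 error-log lines like the one above.

Added example, not from the wiki: the bracketed pairs and the tail of such a
line become a dict, so hits on local rules can be told apart from CRS hits.
"""
import re

# SAMPLE is the page's own log entry; CRS_HIT is a constructed line in the same
# format for a CRS rule, with placeholder values where the page has none.
SAMPLE = '''Access denied with code 403 (phase 1). Matched "Operator `StrEq' with parameter `disable' against variable `ARGS_GET:modsec' (Value: `disable' ) [file "<<reference missing or not informed>>"] [line "2"] [id "10001"] [rev ""] [msg "Modsec Diable Test"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.0.1"] [uri "/"] [unique_id "157485998771.391198"] [ref "v13,7"], client: 172.16.0.1, server: example.at, request: "GET /?modsec=disable HTTP/1.1", host: "example.at"'''
CRS_HIT = '''Warning. Matched "Operator `Rx' with parameter `<<placeholder>>' against variable `REQUEST_URI' (Value: `/i-doit/index.php' ) [file "<<placeholder>>"] [line "0"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.0.1"] [uri "/i-doit/index.php"] [unique_id "0"] [ref ""], client: 172.16.0.1, server: example.at, request: "GET /i-doit/index.php HTTP/1.1", host: "example.at"'''

PAIR_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
STATUS_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')
TAIL_RE = re.compile(r'client: (\S+), server: (\S+), request: "([^"]*)", host: "([^"]*)"')

LOCAL_ID_MAX = 99999  # CRS reserves ids 1-99999 for local rules such as the ones on this page


def parse_modsec_line(line):
    """Bracketed fields plus blocked/status/phase and the client/server/request tail."""
    fields = dict(PAIR_RE.findall(line))
    fields["blocked"] = False
    m = STATUS_RE.search(line)
    if m:  # only a deny produces "Access denied with code N (phase P)"
        fields.update(blocked=True, status=int(m.group(1)), phase=int(m.group(2)))
    t = TAIL_RE.search(line)
    if t:
        fields.update(zip(("client", "server", "request", "host"), t.groups()))
    return fields


def rule_origin(fields):
    """'local' for the wiki's own id range, 'crs' for Core Rule Set ids."""
    return "local" if int(fields["id"]) <= LOCAL_ID_MAX else "crs"


def summarise(lines):
    """One compact record per line: id, origin, blocked, client, uri."""
    return [(f["id"], rule_origin(f), f["blocked"], f.get("client"), f.get("uri"))
            for f in map(parse_modsec_line, lines)]


if __name__ == "__main__":
    for record in summarise([SAMPLE, CRS_HIT]):
        print(record)
```

The summary tuples are what a triage script or a SIEM correlation rule needs: a blocked hit on a local id confirms a deny rule like the one above fired as intended, while a non-blocked CRS hit on an application path is the raw material for the allow lists in the next section.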

Don't Panic Allow Rules

Adapted for Ansible: the rule files are deployed as Jinja2 templates, so {{ default_check_mk_sitename }} below is an Ansible variable holding the Check_MK site name. Each list is meant for one host; the id ranges overlap between applications (for example 10000-10002 in both the Zammad and the Nextcloud list), and ModSecurity refuses to load two rules with the same id, so renumber before combining lists on one server.

Allow Rules Version 1

I-Doit

## RESPONSE-980-CORRELATION
SecRule REQUEST_URI "@beginsWith /i-doit" "phase:1,nolog,pass,id:10100,ctl:ruleRemoveById=980130"
## Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /i-doit/src/tools/php/qr/qr_img.php" "phase:1,nolog,pass,id:10101,ctl:ruleRemoveById=930120"
SecRule REQUEST_URI "@beginsWith /i-doit" "phase:1,nolog,pass,id:10102,ctl:ruleRemoveById=949110"
## URL Parameter using IP Address
SecRule REQUEST_URI "@beginsWith /i-doit/src/tools/php/qr/qr_img.php" "phase:1,nolog,pass,id:10103,ctl:ruleRemoveById=931100"
## OS File Access Attempt idoit-updates
SecRule REQUEST_URI "@beginsWith /i-doit/index.php" "phase:1,nolog,pass,id:10104,ctl:ruleRemoveById=930120"

Check_MK

# Check_MK
## RESPONSE-980-CORRELATION
SecRule REQUEST_URI "@beginsWith /{{ default_check_mk_sitename }}/check_mk/index.py" "phase:1,nolog,pass,id:10200,ctl:ruleRemoveById=980130"
SecRule REQUEST_URI "@beginsWith /{{ default_check_mk_sitename }}/pnp4nagios/index.php" "phase:1,nolog,pass,id:10201,ctl:ruleRemoveById=980130"
## Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /{{ default_check_mk_sitename }}/pnp4nagios/index.php" "phase:1,nolog,pass,id:10202,ctl:ruleRemoveById=930110"
SecRule REQUEST_URI "@beginsWith /{{ default_check_mk_sitename }}/pnp4nagios/index.php" "phase:1,nolog,pass,id:10203,ctl:ruleRemoveById=949110"

Zammad

# Zammad
## Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /api/v1/" "phase:1,nolog,pass,id:10000,ctl:ruleRemoveById=949110"
## RESPONSE-980-CORRELATION
SecRule REQUEST_URI "@beginsWith /api/v1/" "phase:1,nolog,pass,id:10001,ctl:ruleRemoveById=980130"
## XSS Injection
SecRule REQUEST_URI "@beginsWith /api/v1/form_config" "phase:1,nolog,pass,id:10002,ctl:ruleRemoveById=941130"
## Method is not allowed by policy
SecRule REQUEST_METHOD "^PUT$" "phase:1,chain,nolog,pass,id:10010"
SecRule REQUEST_URI "@beginsWith /api/v1" "id:10011,ctl:ruleRemoveById=911100"
SecRule REQUEST_METHOD "^DELETE$" "phase:1,chain,nolog,pass,id:10012"
SecRule REQUEST_URI "^/api/v1/(online_notifications|taskbar)" "id:10013,ctl:ruleRemoveById=911100"

Nextcloud

# RESPONSE-980-CORRELATION
SecRule REQUEST_URI "@beginsWith /remote.php/dav" "phase:1,nolog,pass,id:10000,ctl:ruleRemoveById=980130"
SecRule REQUEST_URI "@beginsWith /remote.php/webdav" "phase:1,nolog,pass,id:10001,ctl:ruleRemoveById=980130"
SecRule REQUEST_URI "@beginsWith /.well-known/carddav" "phase:1,nolog,pass,id:10002,ctl:ruleRemoveById=980130"
SecRule REQUEST_URI "@beginsWith /index.php/settings/users" "phase:1,nolog,pass,id:10003,ctl:ruleRemoveById=980130"

# REQUEST-949-BLOCKING-EVALUATION
SecRule REQUEST_URI "@beginsWith /remote.php/dav" "phase:1,nolog,pass,id:10010,ctl:ruleRemoveById=949110"
SecRule REQUEST_URI "@beginsWith /remote.php/webdav" "phase:1,nolog,pass,id:10011,ctl:ruleRemoveById=949110"
SecRule REQUEST_URI "@beginsWith /index.php/apps" "phase:1,nolog,pass,id:10012,ctl:ruleRemoveById=949110"
SecRule REQUEST_URI "@beginsWith /ocs/v2.php/cloud" "phase:1,nolog,pass,id:10013,ctl:ruleRemoveById=949110"
SecRule REQUEST_URI "@beginsWith /.well-known/caldav" "phase:1,nolog,pass,id:10014,ctl:ruleRemoveById=949110"
SecRule REQUEST_URI "@beginsWith /.well-known/carddav" "phase:1,nolog,pass,id:10015,ctl:ruleRemoveById=949110"
SecRule REQUEST_URI "@beginsWith /index.php/settings/users" "phase:1,nolog,pass,id:10016,ctl:ruleRemoveById=949110"

# XSS Attack Detected via libinjection
SecRule REQUEST_URI "@beginsWith /remote.php/webdav" "phase:1,nolog,pass,id:10020,ctl:ruleRemoveById=941100"

# REQUEST-941-APPLICATION-ATTACK-XSS
SecRule REQUEST_URI "@beginsWith /remote.php/webdav" "phase:1,nolog,pass,id:10030,ctl:ruleRemoveById=941130"

# Method is not allowed by policy
SecRule REQUEST_METHOD "^(PUT|PROPFIND|DELETE|REPORT|MKCOL|MOVE)$" "phase:1,chain,nolog,pass,id:10040"
SecRule REQUEST_URI "@beginsWith /remote.php/dav" "id:10041,ctl:ruleRemoveById=911100"
SecRule REQUEST_METHOD "^PUT$" "phase:1,chain,nolog,pass,id:10042"
SecRule REQUEST_URI "@beginsWith /index.php/apps" "id:10043,ctl:ruleRemoveById=911100"

# XML parsing error: XML: Failed parsing document.
SecRule REQUEST_URI "@beginsWith /remote.php/dav/addressbooks/users" "phase:1,nolog,pass,id:10050,ctl:ruleRemoveById=200002"

# Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /remote.php/dav/uploads" "phase:1,nolog,pass,id:10060,ctl:ruleRemoveById=930100"
SecRule REQUEST_URI "@beginsWith /remote.php/dav/uploads" "phase:1,nolog,pass,id:10061,ctl:ruleRemoveById=930110"

# Request content type is not allowed by policy
SecRule REQUEST_URI "@beginsWith /remote.php/dav/addressbooks" "phase:1,chain,nolog,pass,id:10110"
SecRule REQUEST_HEADERS:Content-Type "text/vcard" "id:10111,ctl:ruleRemoveById=920420"
SecRule REQUEST_URI "@beginsWith /remote.php/dav/calendars" "phase:1,chain,nolog,pass,id:10120"
SecRule REQUEST_HEADERS:Content-Type "text/calendar" "id:10121,ctl:ruleRemoveById=920420"

# Allow Content Types on Nextcloud
SecRule REQUEST_URI "@beginsWith /remote.php/dav/uploads" "phase:1,chain,nolog,pass,id:10100"
SecRule REQUEST_HEADERS:Content-Type "^video/(mp4|x-ms-wmv)" "id:10101,ctl:ruleRemoveById=920420"

Kibana

Deactivate ModSec: this SecAction switches the rule engine off for every request handled by the configuration context that loads it, so it should be loaded only for the Kibana site.

SecAction "phase:1,nolog,id:10000,ctl:ruleEngine=Off"