REQUEST-944-APPLICATION-ATTACK-JAVA.conf #990
Conversation
The rule will ignore non-all-upper-case header names, which I don't think was the idea behind this rule. From RFC 7230, section 3.2 "Header Fields":
"Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace."
@spartantri looks really hot! :-)
@spartantri Sorry to tell you this, but it doesn't follow the contributing guidelines...
@spartantri great! That's what we need with REQUEST_HEADERS! Thanks
@@ -0,0 +1,290 @@ | |||
# ------------------------------------------------------------------------ | |||
# OWASP ModSecurity Core Rule Set ver.3.1.0 | |||
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. |
Shouldn't this be 2018 now?
I don't know but changed anyway
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\ | ||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}'" | ||
|
||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML|XML:/* \ |
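Review bot: the last setvar in this hunk stores %{tx.0}, which is only populated when the rule carries the capture action; the later hunks in this PR store %{matched_var}, which needs no capture. Unless this rule does use capture, the per-rule tx variable will be set to an empty value, so switch it to %{matched_var} for consistency with the rest of the file. On the target list, REQUEST_BODY holds the raw body only when the URLENCODED body processor handled it or ctl:forceRequestBodyVariable=On was already active for the transaction; a one-line comment on why REQUEST_BODY is inspected next to ARGS would save the next reader that check.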
Is this normal indentation?
ver:'OWASP_CRS/3.1.0',\ | ||
severity:'CRITICAL',\ | ||
chain" | ||
SecRule MATCHED_VARS "@rx (?:unmarshaller|base64data|java\.)" \ |
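Review bot: the third alternative of the chained pattern, `java\.`, is a bare substring that occurs in plenty of benign values on a Java site (package names echoed in error text, hostnames such as java.com), and this chain is tagged severity:'CRITICAL'. It only runs on values that already matched the first rule of the chain, which narrows it, but the visible lines give it no word boundary or surrounding context; either tighten it to the concrete prefixes the rule is after (`java\.lang\.` for instance) or document why the first rule makes the broad form safe at this paranoia level.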
This 'SecRule' should be aligned with the previous 'chain'
ver:'OWASP_CRS/3.1.0',\ | ||
severity:'NOTICE',\ | ||
chain" | ||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure)" \ |
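Review bot: the alternation in this chained SecRule is all lower case. MATCHED_VARS carries the value as transformed by the first rule in the chain (the log excerpt at the end of this thread shows %{MATCHED_VAR} already lowercased), so this works when the first rule applies t:lowercase; if the first rule is case-insensitive through (?i) in its regex instead, this chained rule needs its own `t:none,t:lowercase`, because transformations are not inherited across chain members and Runtime, ProcessBuilder or InvokerTransformer in their natural spelling would not match.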
This 'SecRule' should be aligned with the previous 'chain'
fixed, missed that one
ver:'OWASP_CRS/3.1.0',\ | ||
severity:'CRITICAL',\ | ||
chain" | ||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ |
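Review bot: `(?:runtime|processbuilder)` here is a strict subset of the NOTICE-severity chain above (runtime|processbuilder|clonetransformer|...), so if the first rules of the two chains cover the same input, every request that trips this CRITICAL chain also trips the NOTICE one and both increments are added to tx.anomaly_score and tx.rce_score. If the intent is that the specific match escalates on top of the generic one, say so in a comment above the rule; otherwise drop the two keywords from the broader list so a match is scored once.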
Same here.
Fixed all those, sorry about that, it is my personal indentation style to distinguish short chains; anyway, removed all those extra 4 spaces to align to contributing.md
mmm I don't know why File upload rules get mixed with this so I will move that file off to finish this PR and once done move it back to create a new PR
Updated suggested fixes
setvar:'tx.msg=%{rule.msg}',\ | ||
setvar:tx.rce_score=+%{tx.notice_anomaly_score},\ | ||
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\ | ||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" |
I'm not sure how common this may be for legitimate purposes so let's start with 3 and lower it once we have some feedback.
ver:'OWASP_CRS/3.1.0',\ | ||
severity:'NOTICE',\ | ||
chain" | ||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure)" \ |
fixed, missed that one
setvar:'tx.msg=%{rule.msg}',\ | ||
setvar:tx.rce_score=+%{tx.notice_anomaly_score},\ | ||
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\ | ||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" |
No, there is no chain in this one; it is intended to complain on the most common keywords to spawn a process
setvar:'tx.msg=%{rule.msg}',\ | ||
setvar:tx.rce_score=+%{tx.notice_anomaly_score},\ | ||
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\ | ||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" |
Changed the message to class; let's add this into a new rule, maybe a new PR if required
setvar:'tx.msg=%{rule.msg}',\ | ||
setvar:tx.rce_score=+%{tx.notice_anomaly_score},\ | ||
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\ | ||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'" |
Added to 944230 and class list into java-classes.data
Confirming that 2 false negatives are now gone! Only this one is left, I don't know why it is not detecting:
tag:'paranoia-level/1',\ | ||
ctl:forceRequestBodyVariable=On,\ | ||
rev:'1',\ | ||
ver:'OWASP_CRS/3.1.0'" |
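Review bot: ctl:forceRequestBodyVariable=On changes how the body is stored when it is read, so it has to be in effect before body processing starts; from a rule that runs after the body has been read (phase 2, which is where the rest of this file presumably lives) it does nothing for the current transaction, and it is a transaction-wide setting rather than something this one rule can own. Moving it to the setup/initialization file as discussed, as a phase 1 rule keyed on the content types this file needs to inspect, is the right fix, and the ctl line should then be dropped from this rule so nobody assumes it is what makes REQUEST_BODY work here.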
We leave this in for now and create a separate issue on how to handle this generally in setup/initialization file.
@lifeforms There are no false negatives on my tests but some of the rules were on pass instead of block for testing; changed all back to block, please test again
[Tue Feb 06 19:04:15.778459 2018] [:error] [pid 13977] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "com.opensymphony.xwork2" at ARGS_NAMES:redirect:${#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ('successsuccess'),#matt.getWriter().flush(),#matt.getWriter().close()}. [file "/home/spartan/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"] [line "160"] [id "944230"] [rev "1"] [msg "Suspicious Java class detected"] [data "Matched Data: redirect:${#matt= #context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'),#matt.setcontenttype('text/plain'),#matt.getwriter().println ('successsuccess'),#matt.getwriter().flush(),#matt.getwriter().close()} found within ARGS_NAMES:redirect:${#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ('successsuccess'),#matt.getWriter().flush(),#matt.getWriter().close()}"] [severity "NOTICE"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "l [hostname "localhost"] [uri "/"] [unique_id "WnnuH38AAQEAADaZIF4AAAAK"]
Decision: I will merge this after a final test run, Friday at the latest!
@lifeforms Some rules including pmf were in pass, changed back to block, please test again
Thanks for the updates... I now tried out the PR on a clean checkout, so I was using paranoia level 1, and I notice that there are no rules active in this level... Is that intended? Lol, due to this I've wasted a lot of time redoing my install... Hence my review is a bit shorter than I'd have liked.
I've stayed away from this discussion, but let me chime in on @lifeforms' questions: 3: I do not think any special treatment with regards to PL is due. If FPs are nearly non-existent, then it should be PL1; if there are some, then it's a PL2; if they are frequent, then a PL3. 4: I'm generally all for CRITICAL in almost all cases.
Well then, I lowered the PLs and changed the severity and scores to critical; it should be ready now
My tests are succeeding! I did notice though that you put the deserialization magic bytes rule (944200) in PL2. Did you find false positives on this one? If so, PL2 is the best place for it, but it seems so rare that I think PL1 would be possible. That said, I have never run many Java applications (and especially no enterprise ones) so I'm surely not qualified. Apart from this final point, I have only love to spread. It works really nicely whatever kind of exploit I know that I throw at it :)
Hi @lifeforms, I left 944200 at PL2 because 4 bytes is not long enough to avoid false positives. What can be done later is to add an additional rule that is a bit more specific at PL1, to avoid false positives but still grab serialized Java objects.
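The 944200 discussion above is about the 4 header bytes of a Java serialization stream and the trade-off between such a short signature and false positives. The following Python is an added example, not the PR's rule logic or any CRS code; it puts both checks side by side: the bare header match (raw, or base64-wrapped, where the first five characters "rO0AB" are the usual marker) and the stricter check the author proposes, which only fires when the header is followed by TC_OBJECT and a class descriptor, and which then yields the class name a more specific PL1 rule could key on. The constants are the real java.io.ObjectStreamConstants values; the sample bodies are constructed, not captured traffic.

```python
"""Java serialization stream detection: bare 4-byte header vs. header + class descriptor."""
import base64
import binascii
import re

# Constants from java.io.ObjectStreamConstants (real values).
STREAM_HEADER = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED + STREAM_VERSION 5: "the 4 bytes"
TC_OBJECT = 0x73                       # tag that follows the header when an object is serialized
TC_CLASSDESC = 0x72                    # tag that opens the class descriptor of that object

# base64(STREAM_HEADER) is "rO0ABQ=="; the first five characters are fixed for any stream,
# so "rO0AB" is the usual marker for a base64-wrapped stream.
BASE64_STREAM_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")


def find_java_stream(body: bytes):
    """Return (offset, stream_bytes) for the first raw or base64-encoded stream header, else None."""
    idx = body.find(STREAM_HEADER)
    if idx != -1:
        return idx, body[idx:]
    m = BASE64_STREAM_RE.search(body)
    if m is None:
        return None
    core = m.group(0).rstrip(b"=")
    try:
        decoded = base64.b64decode(core + b"=" * (-len(core) % 4))
    except binascii.Error:            # "rO0AB" followed by something that is not base64
        return None
    if not decoded.startswith(STREAM_HEADER):
        return None
    return m.start(), decoded


def first_class_name(stream: bytes):
    """Class name of the first object if the stream is header, TC_OBJECT, TC_CLASSDESC, name.

    The class descriptor starts with a Java modified-UTF8 string: a 2-byte big-endian
    length followed by that many bytes.  Anything else (header only, or header followed
    by unrelated bytes, as in a binary upload that happens to contain 0xACED0005) returns None.
    """
    if len(stream) < 8 or not stream.startswith(STREAM_HEADER):
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(stream[6:8], "big")
    name = stream[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def classify(body: bytes):
    """None when no header is found; otherwise {"offset": int, "class": str or None}.

    "class" is None when only the 4 header bytes matched: that is the hit a 4-byte
    rule produces and the more specific rule would not.
    """
    hit = find_java_stream(body)
    if hit is None:
        return None
    offset, stream = hit
    return {"offset": offset, "class": first_class_name(stream)}


# --- constructed sample bodies (not real captured traffic) ---
_CLASS = b"java.util.HashMap"
SAMPLE_STREAM = (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
                 + len(_CLASS).to_bytes(2, "big") + _CLASS
                 + b"\x00" * 8 + b"\x02")            # serialVersionUID placeholder + flags, truncated
SAMPLE_RAW = b"data=" + SAMPLE_STREAM                 # raw stream inside a form field
SAMPLE_B64 = b"payload=" + base64.b64encode(SAMPLE_STREAM)   # same stream, base64-wrapped
SAMPLE_BINARY_UPLOAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00" + STREAM_HEADER + b"\xff\x00"  # header by chance
SAMPLE_TEXT = b"see ticket rO0AB for details"        # the marker string, but not base64

if __name__ == "__main__":
    for label, body in [("raw", SAMPLE_RAW), ("base64", SAMPLE_B64),
                        ("binary upload", SAMPLE_BINARY_UPLOAD), ("text", SAMPLE_TEXT)]:
        print(f"{label:14} -> {classify(body)}")
```

The binary-upload sample is the false-positive case the thread worries about: the 4-byte check alone reports a hit, while the descriptor check reports no class and a PL1 rule built on it would stay quiet. The class name it extracts is also what a rule restricted to known gadget-chain classes would match against, instead of the whole body.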
MERGED 💃
Java attacks updated config