29.01.2013

ModSecurity Alert Management - OpenSource Training

AuditConsole

ModSecurity Alert Management

Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org



About me

‣ Chair of Artificial Intelligence, Technische Universität Dortmund

‣ Research on data-stream mining, log analysis, web security

‣ Developer of tools around ModSecurity

‣ AuditViewer, AuditConsole

‣ Web Policy Compiler, Web Application Profiler

‣ jwall-rbld, jwall-tools

Computer Science Department

Artificial Intelligence Group

www.jwall.org

@jwallorg



ModSecurity

Open Source Web Application Firewall

AuditConsole

Alert management with the jwall.org AuditConsole

Behind the Scenes

Current developments around the AuditConsole



ModSecurity

Open Source Web Application Firewall



ModSecurity

Open Source Web Application Firewall

Developed by Ivan Ristic (started in 2002)

Acquired by Breach Security ~ 9/2006

Trustwave acquires Breach ~ mid-2010

‣ Development continues (currently ModSecurity 2.6.8)

‣ OWASP Core Rule Set (Ryan Barnett)

‣ Port for the NGinx web server

ModSecurity

Ivan Ristic, 2002

www.modsecurity.org

Apache Security

Ivan Ristic, 2005

http://www.apachesecurity.net/



ModSecurity

ModSecurity is a filter module for the Apache web server (and NGinx)

‣ Request filter engine inside the web server

‣ Rule language for defining firewall rules on web traffic

[Diagram: Apache with the ModSecurity module evaluating Rule 1 ... Rule N]



ModSecurity

Real-time filtering of HTTP

‣ Rule engine directly in the Apache process

‣ Complete logging of HTTP requests

Virtual patching

‣ Close vulnerabilities quickly and precisely

Web application hardening & intrusion detection

‣ Attack detection with generic rule sets



ModSecurity - Setups

[Diagram 1, "inside the web server": Apache with the ModSecurity module and the web application (PHP, CGI, Python, ...) in the same server]

[Diagram 2, "as a reverse proxy": Apache with ModSecurity and mod_proxy forwarding via http or ajp to an application server that runs the web application]

[Diagram 3, "as a passive sensor": a system running Apache and the web application, with ModSecurity as a passive sensor]



ModSecurity

What happens when an attack is detected?

‣ One or more rules have matched

‣ Depending on the configuration - e.g. redirection to an error page

‣ The transaction is logged.



ModSecurity Audit Logs

--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
OPTIONS * HTTP/1.0
User-Agent: (internal dummy connection)
--289e0346-F--
HTTP/1.1 200 OK
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
--289e0346-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/modsecurity/rules/core-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "27"] [id "960008"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/rules/corerules/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"]
Stopwatch: 1262268658079465 19725 (18690 19256 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.3 (CentOS)
--289e0346-Z--



--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Connection: Keep-Alive
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
--edb3cf77-E--
The page cannot be found
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found. Internet Information Services (IIS)
Technical Information (for support personnel)
...



--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=55
Connection: Keep-Alive
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Stopwatch: 1256057413859166 67702 (355 47563 67008)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g
--edb3cf77-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
--edb3cf77-Z--
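The two audit-log entries above, together with the earlier slide on what happens when an attack is detected, describe the raw material that alert management has to consume: one transaction per `--id-X--` block, with the connection data in part A, the request in B, the response in E/F, the rule matches in H and the rules that fired in K. As an added example (not code from the slides and not part of the jwall.org AuditConsole), the Python below parses the ModSecurity 2.x serial audit-log format along those lines: it splits the stream at the boundaries, pulls the client and server addresses from part A, the request line from B, the response status from F and the bracketed fields of the `Message:` lines from H, and then keeps only transactions whose transactional anomaly score reaches a threshold. The sample log is constructed from the two entries on the slides (part E omitted, headers shortened); the default threshold of 5 mirrors the `@ge 5` correlation rule visible in part K.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x serial audit-log format, modelled on the two
# entries shown on the slides (part E and most headers omitted to keep it short).
SAMPLE_LOG = """\
--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
OPTIONS * HTTP/1.0
User-Agent: (internal dummy connection)

--289e0346-F--
HTTP/1.1 200 OK
--289e0346-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/modsecurity/rules/core-rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "27"] [id "960008"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/rules/corerules/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 5): Request Missing a Host Header"]
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.4.
--289e0346-Z--

--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Host: example.xom
Pragma: no-cache

--edb3cf77-F--
HTTP/1.1 404 Not Found
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
--edb3cf77-Z--
"""

# "--<id>-<part>--" separates the parts of one transaction; part Z closes it.
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: "[timestamp] unique-id client-ip client-port server-ip server-port"
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$")
# Bracketed fields of a "Message:" line in part H, e.g. [id "960020"] [msg "..."]
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_transactions(text):
    """Group the lines of a serial audit log as {tx_id: {part_letter: [lines]}}."""
    txs = {}
    current = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.groups()
            current = None if part == "Z" else txs.setdefault(tx_id, {}).setdefault(part, [])
            continue
        if current is not None:
            current.append(line)
    return txs


def parse_message(line):
    """Turn one 'Message:' line into a dict of its bracketed fields plus the leading text."""
    body = line[len("Message:"):].strip()
    fields = dict(FIELD.findall(body))
    fields["text"] = body.split(" [", 1)[0]
    return fields


def first_line(parts, letter):
    lines = parts.get(letter) or []
    return lines[0] if lines else ""


def summarize(tx_id, parts):
    """Reduce one transaction to the fields an alert console would index."""
    a = PART_A.match(first_line(parts, "A"))
    if not a:
        raise ValueError("transaction %s has no usable part A" % tx_id)
    h_lines = parts.get("H", [])
    messages = [parse_message(l) for l in h_lines if l.startswith("Message:")]
    score = None
    for m in messages:  # the CRS correlation rule reports "(score N)" in its msg
        sm = re.search(r"\(score (\d+)\)", m.get("msg", ""))
        if sm:
            score = int(sm.group(1))
    status_line = first_line(parts, "F")
    handler = next((l.split(": ", 1)[1] for l in h_lines if l.startswith("Apache-Handler:")), None)
    return {
        "id": tx_id, "timestamp": a["ts"], "client": a["cip"], "server": a["sip"],
        "request": first_line(parts, "B"),
        "status": int(status_line.split()[1]) if status_line else None,
        "rule_ids": [m["id"] for m in messages if "id" in m],
        "tags": sorted({m["tag"] for m in messages if "tag" in m}),
        "anomaly_score": score, "handler": handler,
    }


def alerts(text, min_score=5):
    """Transactions whose anomaly score reached min_score (5 matches the @ge 5 rule in part K)."""
    summaries = (summarize(i, p) for i, p in split_transactions(text).items())
    return [s for s in summaries if s["anomaly_score"] is not None and s["anomaly_score"] >= min_score]


def rule_histogram(summaries):
    """How often each rule id fired: the first thing to look at when tuning a rule set."""
    counts = defaultdict(int)
    for s in summaries:
        for rid in s["rule_ids"]:
            counts[rid] += 1
    return dict(counts)


if __name__ == "__main__":
    found = alerts(SAMPLE_LOG)
    for s in found:
        print(s["id"], s["timestamp"], s["client"], s["request"], s["status"], s["rule_ids"], s["anomaly_score"])
    print(rule_histogram(found))
```

Both sample transactions reach score 5 through a single rule, so `rule_histogram` returns one hit for 960008 and one for 960020; on a real log the same function shows which rules dominate the alert volume, which is where rule tuning and exception handling in a console like the AuditConsole starts. Note that the correlation message carries no `id` field, so only the rules that actually contributed to the score are counted.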



Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

The page cannot be found<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.<br />

Click the Back button to try another link.<br />

HTTP Error 404 - File or directory not found. Internet Information Services (IIS)<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />
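The entry above is the serial audit-log format that AuditConsole ingests. As an added example (not code from the slides or from jwall.org), here is a small Python parser for that format: it splits the file on the `--<id>-<letter>--` part boundaries, turns each part-H `Message:` line into its `[key "value"]` fields, and reduces an entry to the columns an alert list would show. The sample log is the entry above with the response body shortened; the function names are my own, and lines before the first part A (a file that begins mid-entry, as this page's excerpt does) are deliberately dropped.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Part boundary of the serial audit-log format: --<entry id>-<part letter>--
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A summary: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
# Bracketed fields of a part-H "Message:" line, e.g. [id "960020"]; ModSecurity
# escapes embedded quotes as \" so the value pattern must allow them.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


@dataclass
class AuditEntry:
    entry_id: str
    parts: Dict[str, List[str]] = field(default_factory=dict)  # letter -> lines


def split_entries(log_text: str) -> List[AuditEntry]:
    """One entry per A...Z boundary pair. Lines before the first A boundary (a
    file that begins mid-entry) are dropped, not attached to the wrong entry."""
    entries: List[AuditEntry] = []
    current: Optional[AuditEntry] = None
    letter: Optional[str] = None
    for line in log_text.splitlines():
        m = BOUNDARY_RE.match(line.strip())
        if m:
            entry_id, letter = m.groups()
            if letter == "A":
                current = AuditEntry(entry_id)
                entries.append(current)
            elif letter == "Z":
                current, letter = None, None
            continue
        if current is not None and letter is not None:
            current.parts.setdefault(letter, []).append(line)
    return entries


def parse_messages(entry: AuditEntry) -> List[Dict[str, str]]:
    """Each 'Message:' line of part H as a dict of its [key "value"] fields plus
    'text'. Correlation rules (the anomaly-score rule above) carry no [id]."""
    messages = []
    for line in entry.parts.get("H", []):
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(body)}
        fields["text"] = body.split(" [", 1)[0].strip()
        messages.append(fields)
    return messages


def summarize(entry: AuditEntry) -> dict:
    """Reduce one entry to the columns an alert console would list."""
    a = PART_A_RE.match(" ".join(entry.parts.get("A", [])).strip())
    if a is None:
        raise ValueError("malformed part A in entry " + entry.entry_id)
    timestamp, unique_id, client_ip, _, server_ip, _ = a.groups()
    request_line = entry.parts.get("B", [""])[0]
    status_line = entry.parts.get("F", [""])[0]
    msgs = parse_messages(entry)
    score = None
    for m in msgs:  # the CRS correlation rule reports the total in its msg
        hit = re.search(r"\(score (\d+)\)", m.get("msg", ""))
        if hit:
            score = int(hit.group(1))
    return {"unique_id": unique_id, "timestamp": timestamp,
            "client_ip": client_ip, "server_ip": server_ip, "request": request_line,
            "status": status_line.split(" ", 2)[1] if status_line.startswith("HTTP/") else None,
            "rule_ids": [m["id"] for m in msgs if "id" in m], "anomaly_score": score,
            "tags": sorted({m["tag"] for m in msgs if "tag" in m})}


# Constructed sample: the entry shown above with the response body shortened,
# preceded by a stray part-K tail as a file that starts mid-entry would have.
SAMPLE_LOG = """\
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass"
--edb3cf77-Z--
--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Pragma: no-cache
--edb3cf77-E--
The page cannot be found
--edb3cf77-F--
HTTP/1.1 404 Not Found
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
--edb3cf77-K--
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
--edb3cf77-Z--
"""

if __name__ == "__main__":
    for e in split_entries(SAMPLE_LOG):
        print(summarize(e))
```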

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found. Internet Information Services (IIS)
Technical Information (for support personnel)
...
--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=55
Connection: Keep-Alive
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Stopwatch: 1256057413859166 67702 (355 47563 67008)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g
--edb3cf77-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
--edb3cf77-Z--

ModSecurity Log Management

Log data is a key building block of IT security:

‣ Is the web application running as expected?
‣ Why was a request blocked?
‣ How do I recognise and handle false positives?
‣ How many attacks were there in the last month?
‣ What kinds of attacks were there?
‣ What were the most frequent attacks?


ModSecurity Log Management

Constraints:

‣ Typically more data than can be reviewed manually
‣ ModSecurity data is complex (complete web requests, headers, ...)
‣ New data arrives continuously


ModSecurity Log Management

Legal aspects:

‣ What may be logged?
‣ Who may see what?
‣ What is required to preserve evidence?
‣ How long must/may log data be retained?


AuditConsole

Alert Management with the AuditConsole


AuditConsole

Freely available J2EE web application:

‣ Live reception of ModSecurity data
‣ Built on established frameworks
  ‣ Hibernate, Struts2, Spring Framework
  ‣ Google Web Toolkit
‣ Simple installation and updates via Debian/RPM packages
‣ Under active development

jwall.org AuditConsole
www.jwall.org/AuditConsole


AuditConsole

Web interface for ModSecurity log data:

‣ Dashboard with live statistics
‣ Filtering and searching of events
‣ Event rules for processing, e-mail notification
‣ Report generation (HTML, PDF)
‣ Management of multiple sensors, site concept
‣ Multi-user management (single sign-on)

jwall.org AuditConsole
www.jwall.org/AuditConsole


AuditConsole

ModSecurity ships with a log-data uploader, "mlogc":

‣ Log data is stored temporarily on the web server
‣ mlogc waits for new log data and sends it via HTTP to a receiver (e.g. the AuditConsole)

Apache (ModSecurity) -> mlogc -> Receiver (AuditConsole)


AuditConsole

Basic functions of the AuditConsole:

‣ Storage of log data
  ‣ Efficient storage in an SQL database
  ‣ Indexing of the log data
‣ Simple query language for filtering
‣ Marking/tagging of log data
‣ Real-time statistics

(Diagram: AuditConsole with its log index)



Filtering events

‣ Simple filter language, syntax close to ModSecurity:

REQUEST_METHOD @eq GET

‣ Boolean AND/OR combinations for more complex filters:

REQUEST_METHOD @eq GET AND REMOTE_ADDR @eq 127.0.0.1


Filtering events

Various comparison operators are supported:

‣ @eq, @lt, @gt and their symbolic forms (=, >, <, ...)


Filtering events

Numerous variables are available for filtering:

‣ REQUEST_URI, REQUEST_METHOD
‣ REQUEST_HEADERS:Host
‣ REQUEST_HEADERS:User-Agent
‣ RESPONSE_STATUS
‣ TX:ANOMALY_SCORE, SEVERITY, HIGHEST_SEVERITY
‣ RULE_ID, TAGS, SENSOR_NAME, SITE_NAME
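The following is an added example, not code from the AuditConsole or the jwall.org project: a small Python parser that splits one serial-format ModSecurity audit log event (the event shown earlier in this deck, abridged and embedded as constructed input) into its lettered parts, flattens it into the variable names listed on these slides, and evaluates filter expressions in the syntax above. Treating `@sx` as a shell-style wildcard (as `*jwall.org` on the site slide suggests), matching list-valued variables such as RULE_ID and TAGS when any element matches, and letting AND bind tighter than OR are assumptions about the console's semantics, not documented behaviour.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the serial-format event shown on the slides, abridged to parts A, B, F and H.
SAMPLE_EVENT = """\
--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
--edb3cf77-F--
HTTP/1.1 404 Not Found
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
--edb3cf77-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")          # e.g. --edb3cf77-B--
PART_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
MSG_FIELD = re.compile(r'\[(id|severity|tag) "([^"]*)"\]')
SCORE = re.compile(r"Transactional Anomaly Score \(score (\d+)\)")

def split_sections(text):
    """Split one event into {part letter: list of lines}; the boundary line names the part."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def event_variables(text):
    """Flatten an event into the variable names the console filters on."""
    parts = split_sections(text)
    names = ("TIMESTAMP", "UNIQUE_ID", "REMOTE_ADDR", "REMOTE_PORT", "SERVER_ADDR", "SERVER_PORT")
    v = dict(zip(names, PART_A.match(parts["A"][0]).groups()))
    v["REQUEST_METHOD"], v["REQUEST_URI"], v["REQUEST_PROTOCOL"] = parts["B"][0].split(" ", 2)
    for line in parts["B"][1:]:                       # request headers follow the request line
        if ":" in line:
            name, value = line.split(":", 1)
            v["REQUEST_HEADERS:" + name.strip()] = value.strip()
    if "F" in parts:
        v["RESPONSE_STATUS"] = parts["F"][0].split(" ")[1]
    v.update({"RULE_ID": [], "SEVERITY": [], "TAGS": [], "TX:ANOMALY_SCORE": "0"})
    for line in parts.get("H", []):                   # one "Message:" line per rule that fired
        if not line.startswith("Message:"):
            continue
        for field, value in MSG_FIELD.findall(line):  # id/severity/tag -> list-valued variables
            v[{"id": "RULE_ID", "severity": "SEVERITY", "tag": "TAGS"}[field]].append(value)
        s = SCORE.search(line)
        if s:
            v["TX:ANOMALY_SCORE"] = s.group(1)
    return v

def compare(op, actual, expected):
    """One operator; numeric comparison when both sides are integers, string otherwise."""
    if actual.lstrip("-").isdigit() and expected.lstrip("-").isdigit():
        actual, expected = int(actual), int(expected)
    if op in ("@eq", "="):
        return actual == expected
    if op in ("@lt", "<"):
        return actual < expected
    if op in ("@gt", ">"):
        return actual > expected
    if op == "@sx":        # assumption: shell-style wildcard, as in '*jwall.org' on the site slide
        return fnmatchcase(str(actual), str(expected))
    raise ValueError("unknown operator " + op)

def match_term(variables, var, op, expected):
    """List-valued variables (RULE_ID, TAGS, ...) match if any element does (assumption)."""
    actual = variables.get(var)
    values = actual if isinstance(actual, list) else [actual]
    return any(compare(op, str(x), expected) for x in values if x is not None)

def evaluate(expression, variables):
    """'VAR OP VALUE' terms joined by AND/OR; AND binds tighter than OR (assumption)."""
    tokens = expression.split()
    groups, current, i = [], [], 0
    while i < len(tokens):
        var, op, j = tokens[i], tokens[i + 1], i + 2
        while j < len(tokens) and tokens[j] not in ("AND", "OR"):   # value may contain spaces
            j += 1
        current.append(match_term(variables, var, op, " ".join(tokens[i + 2:j])))
        if j < len(tokens) and tokens[j] == "OR":
            groups.append(current)
            current = []
        i = j + 1
    groups.append(current)
    return any(all(g) for g in groups)

if __name__ == "__main__":
    v = event_variables(SAMPLE_EVENT)
    print(evaluate("TX:ANOMALY_SCORE @gt 4 AND REQUEST_HEADERS:Host @sx *.xom", v))
```

The parser keys on the boundary lines only, so additional parts (E, K, ...) are carried along untouched; RULE_ID, SEVERITY and TAGS are lists because one event can carry several messages, which is also why a filter on them matches any element.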


Display of events

‣ Preview for quick inspection (header/body)
‣ Detail view for thorough analysis
  ‣ Separate display of the messages
  ‣ Syntax highlighting of the ModSecurity rules
  ‣ Access to the raw representation
‣ One-click download of the event


Quick view of events

(Screenshots: quick view and detail view of an event)

--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Connection: Keep-Alive
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
--edb3cf77-E--
(response body; HTML markup not preserved)
The page cannot be found
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found. Internet Information Services (IIS)
Technical Information (for support personnel)
...
--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=55
Connection: Keep-Alive
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Stopwatch: 1256057413859166 67702 (355 47563 67008)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g
--edb3cf77-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
--edb3cf77-Z--


Tagging

‣ Events can be marked with tags
‣ Tags help to sort events (e.g. "false-positive")


Tagging

‣ Special #-tags can be used to link events to URLs
‣ Useful e.g. for managing notes/documentation
‣ Example:
  ‣ The event's tag is #sqli
  ‣ Tag mapping #sqli => http://internal.wiki/notes/sqli


Tagging

‣ Regression testing
  ‣ A set of events serves as a regression test set
  ‣ Filter and download by tag
  ‣ jwall-tools allow HTTP replay of audit log data:

# jwall eval 10.0.0.1 /path/events.dat


AuditConsole - Event Processing

Every received event passes through a pipeline:

mlogc -> AuditConsole (Web Receiver | TCP Receiver | File Observer) -> Score, DNS, Geo Lookup -> Site Mapping -> User Rule Engine -> Storage -> Listener


Site concept

‣ Web environments are often fairly complex
  ‣ Web applications reachable via several URLs
  ‣ Different virtual hosts, server aliases
‣ A site groups several hosts/URL ranges together
  ‣ e.g. one site per web application
  ‣ one site for several related web applications


Site concept

‣ Typically a site corresponds to a set of virtual hosts, e.g.

--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
OPTIONS * HTTP/1.0
Host: www.test.com
User-Agent: (internal dummy connection)

--289e0346-A--
[31/Dec/2009:15:10:58 +0100] 0vnW6X8AAAEAAHywHucAAAAE ::1 59566 ::1 80
--289e0346-B--
GET / HTTP/1.1
Host: www.jwall.org
User-Agent: wget

Host www.test.com -> Site test.com
Host www.jwall.org, Host secure.jwall.org -> Site jwall.org


Site concept

‣ Log data can be assigned to a site by rules directly upon receipt
‣ Very flexible assignment is possible, e.g.

Condition                                Site
REQUEST_HEADERS:Host @sx *jwall.org      jwall.org
REQUEST_URI @sx /myApp/*                 MyApp
SENSOR_NAME = "honeypot"                 HoneyPot
SERVER_ADDR = 72.64.92.2                 jwall.org


Multi-user concept

‣ The AuditConsole includes user management
  ‣ Permission management for users
  ‣ User-defined query filters
  ‣ E-mail notification, reports, ... per user


Multi-user concept

Each user is assigned a view that determines which events they may see.

(Diagram: users mapped to the sites jwall.org and test.com)


Multi-user concept

‣ Integration of SSO solutions is also possible
  ‣ OpenID
  ‣ Google login
  ‣ Central authentication via CAS


Event rules

Users can define rules for events:

‣ Deleting events (from the view)
‣ Tagging/marking an event
‣ E-mail notifications
‣ Calling external scripts
‣ Calling external URLs, e.g.

GET fw.jwall.org/block.pl?ip=%{REMOTE_ADDR}

(Screenshot: event rule editor)
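As an added example of the pipeline these slides describe (site mapping, per-user views, event rules), and not code from the AuditConsole itself: a Python model that assigns constructed events to sites using the mapping table from the site-concept slide, runs the user rule engine (delete from view, tag, e-mail, external URL with %{...} macro expansion, using the block.pl URL from the slide above), and computes each user's view. First-match semantics for site rules, the catch-all "default" site, stopping after a delete action, the user names and their sites, and the sample events (RFC 5737 test addresses) are all assumptions made for the example.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import quote

# Constructed events, already flattened into console variables (addresses from RFC 5737 test ranges).
EVENTS = [
    {"UNIQUE_ID": "ev-1", "SENSOR_NAME": "www1", "REMOTE_ADDR": "203.0.113.7", "SERVER_ADDR": "72.64.92.2",
     "REQUEST_HEADERS:Host": "secure.jwall.org", "REQUEST_URI": "/login", "TX:ANOMALY_SCORE": "25",
     "TAGS": ["WEB_ATTACK/SQL_INJECTION"]},
    {"UNIQUE_ID": "ev-2", "SENSOR_NAME": "www1", "REMOTE_ADDR": "198.51.100.9", "SERVER_ADDR": "10.0.0.5",
     "REQUEST_HEADERS:Host": "shop.example.test", "REQUEST_URI": "/myApp/cart", "TX:ANOMALY_SCORE": "5",
     "TAGS": ["PROTOCOL_VIOLATION/INVALID_HREQ"]},
    {"UNIQUE_ID": "ev-3", "SENSOR_NAME": "honeypot", "REMOTE_ADDR": "192.0.2.44", "SERVER_ADDR": "10.0.0.9",
     "REQUEST_HEADERS:Host": "10.0.0.9", "REQUEST_URI": "/phpmyadmin/", "TX:ANOMALY_SCORE": "40",
     "TAGS": ["WEB_ATTACK/FILE_INJECTION"]},
]

# Site-mapping table from the slide as (variable, operator, value, site); first match wins (assumption).
SITE_RULES = [
    ("REQUEST_HEADERS:Host", "@sx", "*jwall.org", "jwall.org"),
    ("REQUEST_URI", "@sx", "/myApp/*", "MyApp"),
    ("SENSOR_NAME", "=", "honeypot", "HoneyPot"),
    ("SERVER_ADDR", "=", "72.64.92.2", "jwall.org"),
]

# Per-user views: the sites a user may see (user names are assumptions).
USER_VIEWS = {"alice": {"jwall.org"}, "bob": {"MyApp", "HoneyPot"}}

# User rules as (condition, action, argument). The URL is the block.pl call from the slide.
EVENT_RULES = [
    (("TAGS", "@sx", "PROTOCOL_VIOLATION/*"), "delete", None),
    (("TX:ANOMALY_SCORE", ">", "20"), "tag", "#needs-review"),
    (("SITE_NAME", "=", "HoneyPot"), "url", "http://fw.jwall.org/block.pl?ip=%{REMOTE_ADDR}"),
    (("TX:ANOMALY_SCORE", ">", "20"), "mail", "soc@example.test"),
]

MACRO = re.compile(r"%\{([A-Za-z0-9_:\-]+)\}")

def term_matches(event, var, op, value):
    """'=' is an exact match, '>' numeric, '@sx' a shell-style wildcard (assumed semantics)."""
    values = event.get(var)
    values = values if isinstance(values, list) else [values]
    for x in values:
        if x is None:
            continue
        if op == "@sx" and fnmatchcase(str(x), value):
            return True
        if op == "=" and str(x) == value:
            return True
        if op == ">" and int(x) > int(value):
            return True
    return False

def map_site(event, rules=SITE_RULES):
    """Site mapping step: the first rule whose condition holds names the site."""
    for var, op, value, site in rules:
        if term_matches(event, var, op, value):
            return site
    return "default"           # assumption: unmatched events go to a catch-all site

def expand(template, event):
    """Expand %{VAR} macros. Values are percent-encoded so that attacker-controlled
    request data (Host, User-Agent, ...) cannot smuggle extra parameters into the URL."""
    return MACRO.sub(lambda m: quote(str(event.get(m.group(1), "")), safe=""), template)

def process(event, rules=EVENT_RULES):
    """Run one event through site mapping and the user rule engine; returns (event, actions)."""
    event = dict(event, SITE_NAME=map_site(event), TAGS=list(event["TAGS"]))
    actions = []
    for (var, op, value), action, arg in rules:
        if not term_matches(event, var, op, value):
            continue
        if action == "delete":
            actions.append(("delete", None))
            break                          # dropped from the view; later rules are skipped (assumption)
        if action == "tag":
            event["TAGS"].append(arg)
        elif action == "url":
            arg = expand(arg, event)       # the console would now issue the GET; here we only build it
        actions.append((action, arg))
    return event, actions

def user_view(user, events=EVENTS):
    """Event IDs a user sees: only their sites, minus events deleted from the view."""
    visible = []
    for event, actions in (process(e) for e in events):
        if event["SITE_NAME"] in USER_VIEWS[user] and ("delete", None) not in actions:
            visible.append(event["UNIQUE_ID"])
    return visible

if __name__ == "__main__":
    for e in EVENTS:
        print(process(e)[0]["SITE_NAME"], process(e)[1])
    print({u: user_view(u) for u in USER_VIEWS})
```

Two points a practitioner should keep in mind with the URL action: the expanded values come from attacker-controlled request data, so they must be percent-encoded before being placed in a URL (as `expand` does), and automatically blocking REMOTE_ADDR on a single event can lock out every client behind a shared NAT or proxy, so tie such a rule to a high anomaly score or a repeated-offender condition rather than to any alert.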


Reporting

DocBook-based reporting engine:

‣ Aggregation of events
‣ Top-k statistics (e.g. the 10 most frequent IPs)
‣ Integration with event filters
‣ Country map based on GeoIP
‣ Report templates available, custom reports can be created
‣ Produces HTML reports (and PDF)


Reporting

Geographic display of attacks (report template; the XML markup was not preserved):

Geographic Distribution of Attacks
....

Geo-IP display is possible in reports.


Reporting

Simple aggregation of response statuses by, for example, host (report template; the XML markup was not preserved):

Summary of Response Status per Host
This is just a small example.


AuditConsole

The current version is 0.4.6:

‣ Tested with Apache Derby, MySQL, PostgreSQL, Oracle
‣ Receives up to 80-90 events/second via HTTP, 200+ via TCP
‣ Live dashboard
‣ Runs in common servlet containers (Jetty, Tomcat)
‣ Offers an optional REST API, integrated RBL server
‣ Simple installation via Debian/RPM packages


AuditConsole

‣ Top log management tool of the ModSecurity community
‣ Central log console of the Web Honeypot project
‣ In production use at a few companies
‣ Sponsored through donations


Behind the Scenes

Current developments of the AuditConsole


AuditConsole - 0.4.7-SNAPSHOT

‣ Support for other log formats
  ‣ IronBee WAF
  ‣ Apache access log, error log
‣ Syslog receiver for log data


AuditConsole - 0.4.7-SNAPSHOT

Cluster support
‣ Distributed storage and index across several databases
‣ Goal: scalability for many web servers

(J)Ruby scripting
‣ Scripting language for specific tasks
‣ Scripts should be able to run on the cluster


AuditConsole Cluster

‣ A single central database is quickly saturated

‣ ModSecurity in environments with many servers

[Diagram, shown in three builds: an AuditConsole Master in front of several AuditConsole DataNodes, each DataNode backed by its own database; a growing number of Apache servers (the ModSecurity sensors) deliver their audit logs to the DataNodes]

AuditConsole Cluster

‣ Every node should use the central configuration

‣ For the user, the cluster remains "invisible"

[Diagram, shown in three builds: the same cluster; the Event Rules, Sensors and Site-Mappings held by the Master are distributed to every DataNode]


AuditConsole Cluster

The AuditConsole Cluster provides a distributed index and distributed storage of the log data

[Diagram, shown in five builds: a User Query is sent to the AuditConsole Master; the Master forwards it to each AuditConsole DataNode, each of which searches its own database; the Query Results flow back through the Master to the user]


(J)Ruby Scripting

‣ Some tasks require more control

‣ Idea: a scripting language for handling events:

    # tag all POST methods with score > 40
    #
    method = $event.get("REQUEST_METHOD")
    # to_i guards against the score arriving as a string (ModSecurity variables are strings)
    score  = $event.get("TX:ANOMALY_SCORE").to_i
    if method == 'POST' && score > 40
      $view.tag($event, 'dangerous')
    end
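The tagging rule above, run against constructed events, as an added example that is not code from the AuditConsole project. The AuditEvent and EventView classes are assumed stand-ins for the console's $event and $view objects; the rule takes them as parameters instead of globals so it can be run and checked offline. ModSecurity exports variable values such as TX:ANOMALY_SCORE as strings, so the rule converts before comparing and treats a missing score as 0.

```ruby
# Added example (not AuditConsole code): a minimal stand-in for the
# $event / $view objects of the JRuby scripting idea shown on the slide.
# Class and method names are assumptions modelled on the slide's snippet.

# One audit event: a flat map of ModSecurity variable names to values.
# ModSecurity exports all variables (including TX:ANOMALY_SCORE) as
# strings, which is why the rule converts the score before comparing.
class AuditEvent
  attr_reader :id, :tags

  def initialize(id, vars)
    @id   = id
    @vars = vars
    @tags = []
  end

  # Mirrors $event.get("NAME") from the slide; nil when the variable is absent.
  def get(name)
    @vars[name]
  end
end

# Stand-in for the $view object: records which event received which tag.
class EventView
  def initialize
    @tagged = Hash.new { |h, k| h[k] = [] }
  end

  def tag(event, label)
    event.tags << label unless event.tags.include?(label)
    @tagged[label] << event.id
  end

  def events_with(label)
    @tagged[label]
  end
end

# The slide's rule: tag every POST whose anomaly score is > 40.
# A missing or non-numeric score counts as 0 instead of raising.
# Returns true when the event was tagged.
def tag_dangerous_posts(event, view)
  method = event.get("REQUEST_METHOD")
  score  = event.get("TX:ANOMALY_SCORE").to_i   # "45" -> 45, nil -> 0
  if method == "POST" && score > 40
    view.tag(event, "dangerous")
    true
  else
    false
  end
end

# Constructed sample events (not real audit-log data).
SAMPLE_EVENTS = [
  AuditEvent.new("ev-1", { "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "45" }),
  AuditEvent.new("ev-2", { "REQUEST_METHOD" => "GET",  "TX:ANOMALY_SCORE" => "80" }),
  AuditEvent.new("ev-3", { "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "40" }),
  AuditEvent.new("ev-4", { "REQUEST_METHOD" => "POST" }),   # no score variable at all
  AuditEvent.new("ev-5", { "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "120" }),
]

# Runs the rule over a list of events and returns the ids that were tagged.
def run_tagging(events)
  view = EventView.new
  events.each { |ev| tag_dangerous_posts(ev, view) }
  view.events_with("dangerous")
end

if __FILE__ == $PROGRAM_NAME
  p run_tagging(SAMPLE_EVENTS)   # => ["ev-1", "ev-5"]
end
```

The boundary case ev-3 (score exactly 40) and ev-4 (no score) are left untagged; a script that forgot the conversion would instead fail on the string comparison for every event that carries a score.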


(J)Ruby Scripting in the Cluster

JRuby scripting + cluster allows scripts to be executed in Map&Reduce style:

[Diagram, shown in six builds: the AuditConsole Master triggers the Ruby script on every AuditConsole DataNode; each DataNode computes its results locally (Map); the Master merges the partial results (Reduce step) and returns the Script Results]
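A single-process model of the Map/Reduce-style script execution sketched in the diagram above, and of the distributed query shown on the earlier cluster slides (User Query, Master, DataNodes, Query Results). This is an added example, not AuditConsole code: the DataNode and Master classes, their method names and the sample events are constructed assumptions.

```ruby
# Added example (not AuditConsole code): a single-process model of the
# Map/Reduce-style script execution and the scatter/gather query of the
# cluster slides. Names and sample events are constructed assumptions.

# A DataNode holds its own slice of the audit events (its "database").
class DataNode
  attr_reader :name

  def initialize(name, events)
    @name   = name
    @events = events
  end

  # Map step: run the script body over the local events only and return a
  # partial result (here a Hash of counts), never the raw events.
  def map(&script)
    script.call(@events)
  end

  # Scatter/gather query: return the local events matching a predicate.
  def query(&pred)
    @events.select(&pred)
  end
end

# The Master knows the nodes, dispatches the script and merges results.
class Master
  def initialize(nodes)
    @nodes = nodes
  end

  # Runs map_script on every node (Map), then folds the partial results
  # with reduce_fn (Reduce step). reduce_fn must be associative and
  # commutative because node answers arrive in no fixed order.
  def run_script(map_script, reduce_fn)
    partials = @nodes.map { |n| n.map(&map_script) }
    partials.reduce { |acc, part| reduce_fn.call(acc, part) }
  end

  # Distributed query: fan out, then return a deterministic order.
  def query(&pred)
    @nodes.flat_map { |n| n.query(&pred) }.sort_by { |e| e["id"] }
  end
end

# Map script: count events per request method whose anomaly score > 40.
COUNT_HIGH_SCORE_BY_METHOD = lambda do |events|
  counts = Hash.new(0)
  events.each do |e|
    counts[e["REQUEST_METHOD"]] += 1 if e["TX:ANOMALY_SCORE"].to_i > 40
  end
  counts
end

# Reduce: merge two count hashes by adding the values of equal keys.
MERGE_COUNTS = lambda do |a, b|
  a.merge(b) { |_key, x, y| x + y }
end

# Constructed sample events, already split across three nodes.
NODES = [
  DataNode.new("node-a", [
    { "id" => "a1", "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "45", "REMOTE_ADDR" => "203.0.113.5" },
    { "id" => "a2", "REQUEST_METHOD" => "GET",  "TX:ANOMALY_SCORE" => "5",  "REMOTE_ADDR" => "198.51.100.7" },
  ]),
  DataNode.new("node-b", [
    { "id" => "b1", "REQUEST_METHOD" => "GET",  "TX:ANOMALY_SCORE" => "60", "REMOTE_ADDR" => "203.0.113.5" },
    { "id" => "b2", "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "90", "REMOTE_ADDR" => "203.0.113.9" },
  ]),
  DataNode.new("node-c", [
    { "id" => "c1", "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "12", "REMOTE_ADDR" => "198.51.100.7" },
    { "id" => "c2", "REQUEST_METHOD" => "POST", "TX:ANOMALY_SCORE" => "41", "REMOTE_ADDR" => "203.0.113.5" },
  ]),
]

# Script results as the Master would return them to the user.
def high_score_counts
  Master.new(NODES).run_script(COUNT_HIGH_SCORE_BY_METHOD, MERGE_COUNTS)
end

# Query results: ids of all events from one client address, cluster-wide.
def events_from(ip)
  Master.new(NODES).query { |e| e["REMOTE_ADDR"] == ip }.map { |e| e["id"] }
end

if __FILE__ == $PROGRAM_NAME
  p high_score_counts           # => {"POST"=>3, "GET"=>1}
  p events_from("203.0.113.5")  # => ["a1", "b1", "c2"]
end
```

Only the per-node partial counts cross the network in the script path, which is what keeps the approach scalable; the query path sorts the gathered events so the user sees the same order regardless of which DataNode answered first, which is the "invisible cluster" property from the earlier slides.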


AuditConsole

‣ Current state of development

‣ Distributed index with DataNodes

‣ Central configuration (Sites, Sensors, Rules)

‣ Prototype for JRuby scripting


Policy Management (planned)

‣ Adapting current ModSecurity rule sets

‣ Simple exceptions (e.g. via context menu)

‣ Integration of the Web Policy Language

‣ Web editor for Web Policies

‣ Distribution of rules, e.g. via the curl API


AuditConsole Support

‣ Currently "best effort" support via the mailing list
  console-users@lists.jwall.org

‣ Additionally an (incomplete) user guide at
  http://jwall.org/AuditConsole/user-guide/


AuditConsole History

‣ Started out as a log parser/viewer in Java

‣ The idea for the web console came up in a conversation with Ralf Spenneberg

‣ First web interface for viewing, filtering, tagging

‣ Support for event rules

‣ Reporting engine ("sponsor": Pure Hacking)

‣ Rewrite of the web UI with GWT, dashboard

‣ OpenID/CAS/Google single sign-on

‣ Integration of RBL, REST API
