ModSecurity Alert Management - OpenSource Training

--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443
--edb3cf77-B--
GET /cart/ HTTP/1.1
Connection: Keep-Alive
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
--edb3cf77-E--
The page cannot be found
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.Internet Information Services (IIS)
Technical Information (for support personnel)
...
--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=55
Connection: Keep-Alive
--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header
requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score
5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Stopwatch: 1256057413859166 67702 (355 47563 67008)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g
--edb3cf77-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:
960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%
{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
--edb3cf77-Z--
Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org