From 72b1be1cd056ed1710575727bfd7a9da27c3396e Mon Sep 17 00:00:00 2001
From: Steve Grubb
Date: Oct 11 2008 18:38:19 +0000
Subject: - improved mod_security rules
---
diff --git a/prelude-lml-0.9.13-modsecurity.patch b/prelude-lml-0.9.13-modsecurity.patch
new file mode 100644
index 0000000..d765423
--- /dev/null
+++ b/prelude-lml-0.9.13-modsecurity.patch
@@ -0,0 +1,272 @@
+diff -ur prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules
+--- prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules 2008-10-11 14:30:01.000000000 -0400
++++ prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules 2008-10-11 14:33:08.000000000 -0400
+@@ -20,7 +20,7 @@
+ # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+ #
+ #####
+-# The rules developed using mod_security-2.1.6.
++# The rules developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6)
+ #####
+ 
+ # Here are some example log entries that should match against rules defined below:
+@@ -33,28 +33,120 @@
+ # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "pNLe4woiIjEAAF4fLq0AAAAH"]
+ # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY@woiIjEAAF4eLX8AAAAG"]
+ 
+-# 3160-3167
+-regex=\[severity "(?:EMERGENCY|ALERT|CRITICAL|ERROR)"\]; \
+- id=3160; \
++########################
++
++# Protocol violation
++regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \
++ id=3167; \
++ classification.text=HTTP Protocol violation; \
++ assessment.impact.severity=medium; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# Protocol anomaly
++regex=\[id "(960019|960008|960015|960009|960904|960017|960913)"\]; \
++ id=3168; \
++ classification.text=HTTP Protocol anomaly; \
++ assessment.impact.severity=low; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# Request limits
++regex=\[id "(960335)"\]; \
++ id=3169; \
++ classification.text=HTTP Request limit exceeded; \
++ assessment.impact.severity=high; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# HTTP policy
++regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \
++ id=3170; \
++ classification.text=HTTP policy violation; \
++ assessment.impact.severity=high; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# Bad robots
++regex=\[id "(990002|990901|990902|990012|990011)"\]; \
++ id=3171; \
++ classification.text=Bad HTTP robot; \
++ assessment.impact.severity=info; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# Generic attacks
++regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|950005|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \
++ id=3172; \
++ classification.text=Generic HTTP attack; \
++ assessment.impact.severity=high; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# Trojans
++regex=\[id "(950921|950922)"\]; \
++ id=3173; \
++ classification.text=HTTP trojan; \
+ assessment.impact.severity=high; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++# Outbound
++regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \
++ id=3174; \
++ classification.text=HTTP outbound policy violation; \
++ assessment.impact.severity=high; \
++ additional_data(1).type=integer; \
++ additional_data(1).meaning=ModSec Rule ID; \
++ additional_data(1).data=$1; \
++ chained; silent;
++
++#########################
++
++# 3160-3166
++regex=\[file "([^"]+)"\]; \
++ id=3160; \
++ additional_data(>>).type=string; \
++ additional_data(-1).meaning=ModSec Ruleset File; \
++ additional_data(-1).data=$1; \
+ chained; silent;
+ 
+-regex=\[severity "WARNING"\]; \
++regex=\[line "(\d+)"\]; \
+ id=3161; \
+- assessment.impact.severity=medium; \
++ additional_data(>>).type=integer; \
++ additional_data(-1).meaning=ModSec Ruleset Line; \
++ additional_data(-1).data=$1; \
+ chained; silent;
+ 
+-regex=\[severity "NOTICE"\]; \
++regex=\[tag "(\S+)"\]; \
+ id=3162; \
+- assessment.impact.severity=low; \
++ additional_data(>>).type=string; \
++ additional_data(-1).meaning=ModSec Rule Tag; \
++ additional_data(-1).data=$1; \
+ chained; silent;
+ 
+-regex=\[severity "(?:INFO|DEBUG)"\]; \
++regex=\[severity "(\S+)"\]; \
+ id=3163; \
+- assessment.impact.severity=info; \
++ additional_data(>>).type=string; \
++ additional_data(-1).meaning=ModSec Severity; \
++ additional_data(-1).data=$1; \
+ chained; silent;
+ 
+-regex=\[msg "([^"]+)"\]; \
++regex=\[msg "([^"]+)"\]; optgoto=3167-3174; min-optgoto-match=1; \
+ id=3164; \
+ classification.reference(0).meaning=$1; \
+ classification.reference(0).origin=vendor-specific; \
+@@ -62,67 +154,89 @@
+ 
+ regex=\[hostname "(\S+)"\]; \
+ id=3165; \
+- target(0).node.address(1).address=$1; \
+- chained; silent;
+-
+-regex=\[id "(\d+)"\]; \
+- id=3166; \
+- additional_data(1).type=integer; \
+- additional_data(1).meaning=ModSec Rule ID; \
+- additional_data(1).data=$1; \
+- classification.reference(0).name=$1; \
++ target(0).node.address(0).address=$1; \
+ chained; silent;
+ 
+ regex=\[unique_id "(\S+)"\]; \
+- id=3167; \
+- additional_data(2).type=string; \
+- additional_data(2).meaning=Unique ID; \
+- additional_data(2).data=$1; \
+- chained; silent;
++ id=3166; \
++ additional_data(>>).type=string; \
++ additional_data(-1).meaning=Unique ID; \
++ additional_data(-1).data=$1; \
++ chained; silent;
++
++#regex=\[id "(\d+)"\]; \
++# id=3166; \
++# additional_data(1).type=integer; \
++# additional_data(1).meaning=ModSec Rule ID; \
++# additional_data(1).data=$1; \
++# classification.reference(0).name=$1; \
++# chained; silent;
++#########################
+ 
+-# 3120-3121;
+-regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3167; \
++# 3120-3125
++regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3166; \
+ id=3120; \
+ assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
+ chained; silent;
+ 
+-regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3167; \
++regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3166; \
+ id=3121; \
+ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
+ chained; silent;
+ 
+-regex=Pattern match "(.+)" at (\S+)\.; optgoto=3160-3167; \
++regex=Pattern match "(.+)" at (.+?)\.; optgoto=3160-3166; \
+ id=3122; \
+ assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
+ chained; silent;
+ 
++regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; optgoto=3160-3166; \
++ id=3123; \
++ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
++ chained; silent;
++
++regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; optgoto=3160-3166; \
++ id=3124; \
++ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \
++ chained; silent;
++
++regex=Found (\d+) byte\(s\) outside range: (\S+)\.; optgoto=3160-3166; \
++ id=3125; \
++ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \
++ chained; silent;
++
+ # 3130-3133; Access denied
+ ...
+-regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3122; \
++regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3125; \
+ id=3130; \
+ assessment.action(0).category = block-installed; \
+ assessment.action(0).description = Access was blocked with HTTP response code $1.; \
+ chained; silent;
+ 
+-regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3122; \
++regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3125; \
+ id=3131; \
+ assessment.action(0).category = block-installed; \
+ assessment.action(0).description = Access was denied using proxy to $2.; \
+ chained; silent;
+ 
+-regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3122; \
++regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3125; \
+ id=3132; \
+ assessment.action(0).category = block-installed; \
+ assessment.action(0).description = Access was redirected to $1.; \
+ chained; silent;
+ 
+-regex=with connection close \(phase (\d+)\).; optgoto=3120-3122; \
++regex=with connection close \(phase (\d+)\).; optgoto=3120-3125; \
+ id=3133; \
+ assessment.action(0).category = block-installed; \
+ assessment.action(0).description = Connection was closed.; \
+ chained; silent;
+ 
++# Output filter
++regex=Response body too large \(over limit of (\d+)(.+?)\)\.; optgoto=3160-3166; \
++ id=3150; \
++ assessment.impact.description=Response body too large (over limit of $1$2); \
++ chained; silent;
++
+ # 3100-3102
+-regex=Warning\.; optgoto=3120-3121; \
++regex=Warning\.; optgoto=3120-3125; \
+ id=3101; \
+ classification.text=HTTP Warning.; \
+ assessment.impact.completion=succeeded; \
+@@ -134,7 +248,14 @@
+ assessment.impact.completion=failed; \
+ chained; silent;
+ 
+-regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3102; \
++regex=Output filter:; optgoto=3150; \
++ id=3103; \
++ classification.text=HTTP Output filer error; \
++ assessment.impact.completion=failed; \
++ assessment.impact.severity=high; \
++ chained; silent;
++
++regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3103; \
+ id=3100; \
+ analyzer(0).name=ModSecurity; \
+ analyzer(0).manufacturer=www.modsecurity.org; \
diff --git a/prelude-lml.spec b/prelude-lml.spec
index 6be2851..13818e0 100644
--- a/prelude-lml.spec
+++ b/prelude-lml.spec
@@ -1,6 +1,6 @@
 Name: prelude-lml
 Version: 0.9.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The prelude log analyzer
 Group: System Environment/Libraries
@@ -9,6 +9,7 @@ URL: http://prelude-ids.org/
 Source0: http://www.prelude-ids.org/download/releases/%{name}/%{name}-%{version}.tar.gz
 Source1: prelude-lml.init
 Patch1: prelude-lml-0.9.12-pie.patch
+Patch2: prelude-lml-0.9.13-modsecurity.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gamin-devel, libprelude-devel, pcre-devel
@@ -44,6 +45,7 @@ sensor.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 sed -i.debug -e '/nlist/s|\$rm|: $rm|' ltmain.sh
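Review bot: New rule 3125 in the inner hunk `@@ -62,67 +154,89 @@` references a capture group its regex does not have: `Found (\d+) byte\(s\) outside range: (\S+)\.` yields only `$1` and `$2`, yet the description reads `ModSecurity found $1 byte(s) outside range $3.`, so the reported range will be empty or wrong; it should be `assessment.impact.description=ModSecurity found $1 byte(s) outside range $2.; \`. In the last inner hunk, rule 3103's `classification.text=HTTP Output filer error;` misspells "filter" and this text lands in the IDMEF classification operators search on, so `classification.text=HTTP Output filter error;` is worth fixing before it ships. The `# 3100-3102` header just above rule 3101 now covers 3103 too and should read `# 3100-3103`. With `min-optgoto-match=1` on rule 3164 and the generic `[id "(\d+)"]` rule 3166 commented out, log lines whose rule id is not in one of the 3167-3174 lists (local or newer CRS rules) appear to lose both the classification and the ModSec Rule ID in the emitted alert; confirm that this is the intended behaviour rather than a silent gap.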
@@ -111,6 +113,9 @@ fi
 %changelog
+* Sat Oct 11 2008 Steve Grubb 0.9.13-2
+- improved mod_security rules
+
 * Wed Aug 27 2008 Steve Grubb 0.9.13-1
 - new upstream release