
Adjust modsecurity rules to work for us
Closed, ResolvedPublic

Description

We can help JGreen with PCI hell by working with him to write modsecurity rule overrides. He's already taken on a bunch of overly long regexen. There are charset issues that cause false positives, where UTF-8 characters cause matches against e.g. SQL attack regexen.

@Jgreen: please link to the repos in question, and maybe paste any open leads you would like to hand off. @awight could write a mw-vagrant role for modsecurity if that's helpful.


Event Timeline

awight created this task. Aug 25 2015, 6:27 PM
awight raised the priority of this task from to High.
awight updated the task description.
awight added subscribers: awight, Jgreen.
Restricted Application added a subscriber: Aklapper. Aug 25 2015, 6:27 PM
awight added a parent task: Restricted Task. Aug 25 2015, 7:12 PM
Jgreen added a comment. Edited Aug 25 2015, 7:21 PM

We have so far:

  1. OWASP Core Rule Set https://github.com/SpiderLabs/owasp-modsecurity-crs
  2. several explody rules disabled via frack puppet/modules/apache2/manifests/mod/security

    $security2_module_exclude_rules_by_id = [
      '970003', # pcre recursive death spiral, fix in local ruleset
      '973302', # pcre recursive death spiral, fix in local ruleset
      '973337', # pcre recursive death spiral, fix in local ruleset
      '981172', # pcre recursive death spiral, fix in local ruleset
      '981173', # pcre recursive death spiral, fix in local ruleset
      '981242', # pcre recursive death spiral, fix in local ruleset
      '981243', # pcre recursive death spiral, fix in local ruleset
      '981247', # pcre recursive death spiral, fix in local ruleset
      '981248', # pcre recursive death spiral, fix in local ruleset
    ]

  3. local rules replacing these ^^^ and doing exclusions in modules/apache2/templates/modsecurity_crs_48_local_exceptions.conf.erb
  4. logs are collecting at indium:/var/log/remote/payments-apache2_mod_security
  5. more detailed logs on each payments server
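The list above names the two ends of the tuning loop: rule ids disabled globally in puppet, and per-parameter exclusions in the local exceptions file. What sits between them is log triage, and the following is an added example of that step (it is not code from the frack puppet repo or from this task): parse ModSecurity 2.x error-log lines of the kind collected on indium, rank hits by rule id and matched variable, and draft `SecRuleUpdateTargetById` lines that strip only the noisy parameter from a rule instead of switching the whole rule off. The log lines, hostnames, client addresses, file paths and the 950901/981176 rule ids are constructed for illustration (981243 is one of the ids listed in the task); `SecRuleUpdateTargetById` is assumed to be available on the 2.6-series modsecurity shipped with precise.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape ModSecurity 2.x writes to the Apache
# error log. Hosts, client IPs, unique_ids and the 950901/981176 rule ids are
# assumed for illustration; the last line is ordinary Apache noise to be skipped.
SAMPLE_LOG = """\
[Tue Aug 25 18:27:00 2015] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:referrer. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "payments.example"] [uri "/index.php"] [unique_id "constructed-1"]
[Tue Aug 25 18:27:03 2015] [error] [client 203.0.113.6] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:referrer. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "payments.example"] [uri "/index.php"] [unique_id "constructed-2"]
[Tue Aug 25 18:27:05 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:utm_source. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "payments.example"] [uri "/index.php"] [unique_id "constructed-3"]
[Tue Aug 25 18:27:05 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [severity "CRITICAL"] [hostname "payments.example"] [uri "/index.php"] [unique_id "constructed-4"]
[Tue Aug 25 18:27:09 2015] [error] [client 203.0.113.8] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [severity "CRITICAL"] [hostname "payments.example"] [uri "/index.php"] [unique_id "constructed-5"]
[Tue Aug 25 18:27:10 2015] [error] [client 203.0.113.9] File does not exist: /srv/www/favicon.ico
"""

# "ModSecurity: Warning. <operator text> at <VARIABLE>. [file ..." or the
# "Access denied with code NNN (phase N)." variant when a rule actually blocked.
HIT_RE = re.compile(
    r'ModSecurity: (?P<action>Warning|Access denied with code \d+)'
    r'(?: \(phase \d+\))?\. .*? at (?P<var>\S+?)\. \[file'
)


def _tag(line, name):
    """Return the value of a [name "value"] tag, or None if absent."""
    m = re.search(r'\[%s "([^"]*)"\]' % name, line)
    return m.group(1) if m else None


def parse_hit(line):
    """Extract rule id, matched variable, uri and message from one log line."""
    m = HIT_RE.search(line)
    if not m:
        return None  # not a ModSecurity rule hit (e.g. plain Apache error)
    return {
        "id": _tag(line, "id"),
        "var": m.group("var"),
        "uri": _tag(line, "uri"),
        "msg": _tag(line, "msg"),
        "denied": m.group("action") != "Warning",
    }


def summarize(log_text):
    """Count hits per (rule id, matched variable): the list to triage by hand."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit and hit["id"]:
            counts[(hit["id"], hit["var"])] += 1
    return counts


def suggest_exclusions(counts, min_hits=2):
    """Draft per-parameter exclusions for noisy (rule, ARGS:name) pairs.

    Only request arguments get an automatic suggestion. A hit on a TX: variable
    is the anomaly-scoring collection rather than a single parameter, so it is
    returned for manual review: the score has to be traced back to the rules
    that raised it. The directives must be loaded after the CRS rule they
    modify, which is what the 48_local_exceptions file is for.
    """
    directives, review = [], []
    for (rule_id, var), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_hits:
            continue  # a single hit is not evidence of a false positive
        if var.startswith("ARGS:"):
            directives.append('SecRuleUpdateTargetById %s "!%s"' % (rule_id, var))
        else:
            review.append((rule_id, var, n))
    return directives, review


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (rule_id, var), n in counts.most_common():
        print("%5d  %s  %s" % (n, rule_id, var))
    drafted, needs_review = suggest_exclusions(counts)
    print("\n".join(drafted))
    for rule_id, var, n in needs_review:
        print("# review: rule %s matched %s %d times" % (rule_id, var, n))
```

Run on a real copy of the remote log, the output is a ranked list to check against actual request payloads before anything is committed: a parameter that legitimately carries URLs or free text (the &referrer= case from later in this task) is a candidate for `SecRuleUpdateTargetById`, while a rule that fires on every parameter is a sign the rule itself (or the charset handling in front of it) needs attention rather than an exclusion.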
Jgreen claimed this task. May 2 2016, 12:23 PM
Jgreen set Security to None.

After a whole lot of testing and tweaking, I'm pretty much at the conclusion that owasp-crs rules for tracking sessions and detecting malfeasance simply won't work on the old modsecurity version that's distributed with precise. I haven't figured out why yet, but as far as I can tell SESSION:IS_NEW is broken, I can see that session IDs make it into the persistent store, but that state does not seem to be detected on subsequent hits. Works fine on trusty however.

Jgreen created subtask Restricted Task. May 18 2016, 4:55 PM
Jgreen added a subtask: Restricted Task. May 18 2016, 5:00 PM
Jgreen edited subtasks, added: Restricted Task; removed: Restricted Task.

> After a whole lot of testing and tweaking, I'm pretty much at the conclusion that owasp-crs rules for tracking sessions and detecting malfeasance simply won't work on the old modsecurity version that's distributed with precise. I haven't figured out why yet, but as far as I can tell SESSION:IS_NEW is broken, I can see that session IDs make it into the persistent store, but that state does not seem to be detected on subsequent hits. Works fine on trusty however.

Sigh.

09 Mar 2012 - 2.6.4

  • Fixed ModSecurity cannot load session and user sdbm data.
Jgreen removed a parent task: Restricted Task. Jun 2 2016, 6:30 PM
Jgreen changed the task status from Open to Stalled. Jun 2 2016, 6:34 PM

Stalling this ticket because we've reined in false positives with sane rules wherever possible, but the outstanding issues have to be fixed on the application side (notably &referrer= and similar) before we can create sane whitelist rules.

Jgreen lowered the priority of this task from High to Low. Jun 2 2016, 6:35 PM
mmodell removed a subscriber: awight. Jun 22 2017, 9:38 PM
Jgreen removed Jgreen as the assignee of this task. Jul 11 2017, 8:52 PM
Jgreen added a parent task: Restricted Task.
Jgreen added a subscriber: awight.
awight removed a subscriber: awight. Mar 21 2019, 3:59 PM
Jgreen moved this task from Triage to Stalled on the fundraising-tech-ops board. Feb 19 2020, 10:51 PM
Jgreen changed the status of subtask Restricted Task from Open to Stalled. Feb 20 2020, 3:23 PM
Jgreen moved this task from Stalled to Backlog on the fundraising-tech-ops board. Jul 9 2020, 3:01 PM
Jgreen closed this task as Resolved. Jul 9 2020, 3:03 PM
Jgreen removed a project: Fundraising-Backlog.
Jgreen added a subscriber: awight.

Closing task because we did about as much ruleset tuning as was feasible given the application. Spun off T122322 to look at the possibility of modifying payments-wiki behavior to make it easier to work with a WAF.

Jgreen moved this task from Backlog to Done on the fundraising-tech-ops board. Jul 9 2020, 3:06 PM