Owasp-modsecurity-crs: 900600 doesn't do anything and when turning on logging it gives error

Created on 5 Mar 2019  路  13Comments  路  Source: SpiderLabs/owasp-modsecurity-crs



Type of Issue



Bug

Description







When/if enabling 900600 it does nothing to block. If I turn on logging I get
"Unconditional match in SecAction" for that rule (and I'm using the default rule for testing)

Your Environment


  • CRS version (e.g. v3.0.2):
    3.1.0 (3.2/dev according to github)
  • ModSecurity version (e.g. 2.9.2):
    2.9.1
  • Web Server and version (e.g. apache 2.4.27):
    2.4.25
  • Operating System and version:
    Debian 9

Confirmation

--5b6cfa4f-A--
[05/Mar/2019:09:49:41 +0100] XH44JV-YtPYAAAItno4AAAAE 2001:9b1:8018:46:616a:7ef6:1b44:92f 64539 2a01:4f9:c01f:2c::1 443
--5b6cfa4f-B--
GET /wp-content/uploads/2012/05/something.jpg HTTP/1.1
Host: domain.tld
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
DNT: 1
Accept: image/webp,image/apng,image/,/*;q=0.8
Referer: https://domain.tld/
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: __cfduid=d686960490e26cdad7b6dfc5715e951411546609707; _ga=GA1.2.663986308.1550759431

--5b6cfa4f-F--
HTTP/1.1 301 Moved Permanently
Location: https://domain.tld/wp-content/uploads/2012/05/something.jpg
Cache-Control: max-age=0
Expires: Tue, 05 Mar 2019 08:49:41 GMT
Content-Length: 273
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--5b6cfa4f-E--

--5b6cfa4f-H--
Message: Warning. Unconditional match in SecAction. [file "/usr/share/modsecurity-crs/crs-setup.conf"] [line "666"] [id "900600"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Stopwatch: 1551775781192451 6014 (- - -)
Stopwatch2: 1551775781192451 6014; combined=961, p1=660, p2=0, p3=51, p4=125, p5=125, sr=50, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
Server: Apache/2.4.25
Engine-Mode: "ENABLED"

The setting (now commented out for operational reasons)

SecAction \
"id:900600,\
phase:1,\
log,\
pass,\
t:none,\
setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"

Need more info

Most helpful comment

I understand your problems, but GeoIP DB format support is really a ModSecurity issue and not so much a CRS problem. They need to be more flexible with various formats.

All 13 comments

Hello @geekteq,

Sorry for the inconvenience and thank you for reporting. This works together with the MaxMind GeoIP database functionality. Do you have that in place?

The rule is meant to set the variable with your high risk countries. It is not meant to do anything else by itself. There is a separate rule which would then block requests.

The SecAction is not reported in the error log of the server, but it is written in the audit log. This is the way it is meant to be with all rules in crs-setup.conf.

I don't mind raising issues if we can resolve them so don't be sorry. I sort of figured: since I can't find anyone else with this issue and it being disabled per default and I used in a previous setup (due to most of the sites on the server not catering to anyone outside certain countries) I'd see if we can iron out why it's not working now.

Yes, I've added Maxmind (tried both mmdb and legacy dat versions) and the response is the same.
And if I turn this rule every request gets marked as

Message: Warning. Unconditional match in SecAction. [file "/usr/share/modsecurity-crs/crs-setup.conf"] [line "666"] [id "900600"]

And nothing else seems to process.

GeoLite2-City.mmdb (from maxmind) and maxmind.dat (from https://www.miyuru.lk/geoiplegacy ) have been enabled separately for testing but doesn't make a difference in the execution.

Debugging:
[06/Mar/2019:12:19:48 +0100] [domain.tld/sid#7fb343c0e4f0][rid#7fb3456510a0][/wp-content/plugins/jet-elements/assets/css/jet-elements.css][4] Warning. Unconditional match in SecAction. [file "/usr/share/modsecurity-crs/crs-setup.conf"] [line "666"] [id "900600"]
[06/Mar/2019:12:19:48 +0100] [domain.tld/sid#7fb343c0e4f0][rid#7fb34b9c70a0][/wp-content/plugins/wordfence/css/wordfenceBox.1551370846.css][4] Recipe: Invoking rule 7fb344db8eb0; [file "/usr/share/modsecurity-crs/crs-setup.conf"] [line "666"] [id "900600"].
[06/Mar/2019:12:19:48 +0100] [domain.tld/sid#7fb343c0e4f0][rid#7fb34b9c70a0][/wp-content/plugins/wordfence/css/wordfenceBox.1551370846.css][5] Rule 7fb344db8eb0: SecAction "phase:1,auditlog,status:403,id:900600,nolog,pass,t:none,setvar:'tx.high_risk_country_codes=UA ID
YU LT EG RO BG TR RU PK MY CN'"

This rule should execute 910100 and in debug on that.. for the above request I only find:
[06/Mar/2019:12:19:48 +0100] [domain.tld/sid#7fb343c0e4f0][rid#7fb3456510a0][/wp-content/plugins/jet-elements/assets/css/jet-elements.css][9] Current rule is id="910100" [chained 0] is trying to find the SecMarker="END-DRUPAL-RULE-EXCLUSIONS" [stater 0]

Which I find weird :)

I only changed it "log" to see what was happening since I would not see any response regardless of where a person was coming from (tried VPNing over to different countries to test it.)

Unconditional Match in SecAction sounds to me that something is written wrong in the rule, but I can be wrong -- that happens

Can you write a rule that prints out the resolved GeoIP country code in an alert?

I'm a noob at writing rules so if you can give me one I can put it in and test it! 馃

Ok, byt serious trial and terror I've concluded that it's GeoIP database that's the problem.
Question though. It seems like modsecurity doesn't like a combined IPv4/IPv6 GeoIP database.. and if I add them in separate lines on the last takes effect.. so any suggestions on how to get it to do both IPv6 and IPv4? Or, if all else fails, get modsecurity to accept mmdb instead of dat?

Here is the rule that displays the country code if it's available:

SecRule &GEO:COUNTRY_CODE "@eq 1" "id:5000,phase:5,pass,log,msg:'GeoIP: %{GEO.COUNTRY_CODE}'"

I do not have any experiece with mixed format GeoIP databases. Maybe @emphazer can tell us more.

i never mixed it with ipv6 sorry.

Rule 900600 doesn鈥檛 work for me too. Thats why i never used it.
I do one rule in phase 2 for inbound and one in phase 4 for outbound.

SecRule REMOTE_ADDR "@geoLookup" chain
SecRule GEO:COUNTRY_CODE "@pm AD AE... etc etc...

Ok, so I'll leave it for IPv4 only until such time as you guys can get it working (either by mixed format or two DBs - one IPv4 and one IPv6). Since IPv6 is coming of age quite rapidly and even started being used by all these script kiddies it would be good to get it working somehow.

I understand your problems, but GeoIP DB format support is really a ModSecurity issue and not so much a CRS problem. They need to be more flexible with various formats.

@geekteq can this be closed now?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

jeremyjpj0916 picture jeremyjpj0916  路  4Comments

cPJasonB picture cPJasonB  路  3Comments

dune73 picture dune73  路  6Comments

elexisvenator picture elexisvenator  路  3Comments

spartantri picture spartantri  路  3Comments