|
Packit |
284210 |
### libinjection.
|
|
Packit |
284210 |
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "misc",
|
|
Packit |
284210 |
comment => "fuzzyHash test",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecRuleEngine On
|
|
Packit |
284210 |
SecDebugLog $ENV{DEBUG_LOG}
|
|
Packit |
284210 |
SecDebugLogLevel 9
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
|
|
Packit |
284210 |
SecRule REQUEST_BODY "\@fuzzyHash $ENV{CONF_DIR}/ssdeep.txt 1" "id:192372,log,deny"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
error => [ qr/ModSecurity: Access denied with code 403 \(phase 2\)\. Fuzzy hash of REQUEST_BODY matched with 96:MbQ1L0LDX8GPI8ov3D2D9zd6.*"modsecurity.conf-recommended"|ModSecurity was not compiled with ssdeep support./, 1],
|
|
Packit |
284210 |
debug => [ qr/Access denied with code 403 \(phase 2\)\. Fuzzy hash of REQUEST_BODY matched with 96:MbQ1L0LDX8GPI8ov3D2D9zd6.*"modsecurity.conf-recommended"|ModSecurity was not compiled with ssdeep support./, 1],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^403|200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
|
|
Packit |
284210 |
[
|
|
Packit |
284210 |
"Content-Type" => "application/x-www-form-urlencoded",
|
|
Packit |
284210 |
],
|
|
Packit |
284210 |
# Args
|
|
Packit |
284210 |
"
|
|
Packit |
284210 |
# -- Rule engine initialization ----------------------------------------------
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Enable ModSecurity, attaching it to every transaction. Use detection
|
|
Packit |
284210 |
# only to start with, because that minimises the chances of post-installation
|
|
Packit |
284210 |
# disruption.
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRuleEngine DetectionOnly
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# -- Request body handling ---------------------------------------------------
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
|
|
Packit |
284210 |
# won't be able to see any POST parameters, which opens a large security
|
|
Packit |
284210 |
# hole for attackers to exploit.
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Enable XML request body parser.
|
|
Packit |
284210 |
# Initiate XML Processor in case of xml content-type
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \
|
|
Packit |
284210 |
\"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Enable JSON request body parser.
|
|
Packit |
284210 |
# Initiate JSON Processor in case of JSON content-type; change accordingly
|
|
Packit |
284210 |
# if your application does not use 'application/json'
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRule REQUEST_HEADERS:Content-Type \"application/json\" \
|
|
Packit |
284210 |
\"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Maximum request body size we will accept for buffering. If you support
|
|
Packit |
284210 |
# file uploads then the value given on the first line has to be as large
|
|
Packit |
284210 |
# as the largest file you are willing to accept. The second value refers
|
|
Packit |
284210 |
# to the size of data, with files excluded. You want to keep that value as
|
|
Packit |
284210 |
# low as practical.
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRequestBodyLimit 13107200
|
|
Packit |
284210 |
SecRequestBodyNoFilesLimit 131072
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Store up to 128 KB of request body data in memory. When the multipart
|
|
Packit |
284210 |
# parser reachers this limit, it will start using your hard disk for
|
|
Packit |
284210 |
# storage. That is slow, but unavoidable.
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRequestBodyInMemoryLimit 131072
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# What do do if the request body size is above our configured limit.
|
|
Packit |
284210 |
# Keep in mind that this setting will automatically be set to ProcessPartial
|
|
Packit |
284210 |
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
|
|
Packit |
284210 |
# disruptions when initially deploying ModSecurity.
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRequestBodyLimitAction Reject
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Verify that we've correctly processed the request body.
|
|
Packit |
284210 |
# As a rule of thumb, when failing to process a request body
|
|
Packit |
284210 |
# you should reject the request (when deployed in blocking mode)
|
|
Packit |
284210 |
# or log a high-severity alert (when deployed in detection-only mode).
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
SecRule REQBODY_ERROR \"!\@eq 0\" \
|
|
Packit |
284210 |
\"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"
|
|
Packit |
284210 |
"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "misc",
|
|
Packit |
284210 |
comment => "fuzzyHash test",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecRuleEngine On
|
|
Packit |
284210 |
SecDebugLog $ENV{DEBUG_LOG}
|
|
Packit |
284210 |
SecDebugLogLevel 9
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
|
|
Packit |
284210 |
SecRule REQUEST_BODY "\@fuzzyHash $ENV{CONF_DIR}/ssdeep.txt 1" "id:192372,log,deny"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
-error => [ qr/Fuzzy hash of REQUEST_BODY matched/, 1],
|
|
Packit |
284210 |
-debug => [ qr/Fuzzy hash of REQUEST_BODY matched/, 1],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
|
|
Packit |
284210 |
[
|
|
Packit |
284210 |
"Content-Type" => "application/x-www-form-urlencoded",
|
|
Packit |
284210 |
],
|
|
Packit |
284210 |
# Args
|
|
Packit |
284210 |
"
|
|
Packit |
284210 |
wheee
|
|
Packit |
284210 |
"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "misc",
|
|
Packit |
284210 |
comment => "fuzzy hash with FILES_TMP_CONTENT",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecRuleEngine On
|
|
Packit |
284210 |
SecDebugLog $ENV{DEBUG_LOG}
|
|
Packit |
284210 |
SecDebugLogLevel 9
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
SecUploadKeepFiles On
|
|
Packit |
284210 |
|
|
Packit |
284210 |
SecRule FILES_TMP_CONTENT "\@fuzzyHash $ENV{CONF_DIR}/ssdeep.txt 1" "id:192372,log,deny"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
debug => [ qr/operator \"fuzzyHash\" with param \".*ssdeep.txt 1\" against FILES_TMP_CONTENT:image1/s, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
[
|
|
Packit |
284210 |
"Content-Type" => q(multipart/form-data; boundary=0000),
|
|
Packit |
284210 |
],
|
|
Packit |
284210 |
normalize_raw_request_data(
|
|
Packit |
284210 |
q(
|
|
Packit |
284210 |
--0000
|
|
Packit |
284210 |
Content-Disposition: form-data; name="name"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
Brian Rectanus
|
|
Packit |
284210 |
--0000
|
|
Packit |
284210 |
Content-Disposition: form-data; name="email"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
brian.rectanus@breach.com
|
|
Packit |
284210 |
--0000
|
|
Packit |
284210 |
Content-Disposition: form-data; name="image1"; filename="image1.jpg"
|
|
Packit |
284210 |
Content-Type: image/jpeg
|
|
Packit |
284210 |
|
|
Packit |
284210 |
BINARYDATA1
|
|
Packit |
284210 |
--0000
|
|
Packit |
284210 |
Content-Disposition: form-data; name="image2"; filename="image2.jpg"
|
|
Packit |
284210 |
Content-Type: image/jpeg
|
|
Packit |
284210 |
|
|
Packit |
284210 |
BINARYDATA2
|
|
Packit |
284210 |
--0000
|
|
Packit |
284210 |
Content-Disposition: form-data; name="image3"; filename="image3.jpg"
|
|
Packit |
284210 |
Content-Type: image/jpeg
|
|
Packit |
284210 |
|
|
Packit |
284210 |
BINARYDATA3
|
|
Packit |
284210 |
--0000
|
|
Packit |
284210 |
Content-Disposition: form-data; name="test"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
This is test data.
|
|
Packit |
284210 |
--0000--
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|