Created November 24, 2016 15:07
Triggering rule 920440 from OWASP CRS v3.0.0
[4] (Rule: 920440) Executing operator "@rx" with param "\.(.*)$" against REQUEST_BASENAME.
[9] T (0) t:urlDecodeUni: "/nginx_signing.key"
[9] T (1) t:lowercase: "/nginx_signing.key"
[9] Target value: "/nginx_signing.key" (Variable: REQUEST_BASENAME)
[4] Operator completed in 0.000027 seconds
[4] Rule returned 1.
...
[4] (Rule: 949110) Executing operator "@ge" with param "5" Was: "%{tx.inbound_anomaly_score_threshold}" against TX:ANOMALY_SCORE.
[9] Target value: "0" (Variable: TX:ANOMALY_SCORE)
[6] Resolving: tx.inbound_anomaly_score_threshold to: 5
[4] Operator completed in 0.000011 seconds
[4] Rule returned 0.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Recipe: Invoking rule 7ff48fc4c230; [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"].
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][5] Rule 7ff48fc4c230: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:request,log,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920440,logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,setvar:tx.extension=.%{tx.1}/"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] T (0) urlDecodeUni: "nginx_signing.key"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] T (0) lowercase: "nginx_signing.key"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Transformation completed in 10 usec.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Executing operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Target value: "nginx_signing.key"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Added regex subexpression to TX.0: .key
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Added regex subexpression to TX.1: key
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Operator completed in 17 usec.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Setting variable: tx.extension=.%{tx.1}/
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{tx.1} to: key
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Set variable "tx.extension" to ".key/".
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Rule returned 1.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Match -> mode NEXT_RULE.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Recipe: Invoking rule 7ff48fc47788; [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1063"].
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][5] Rule 7ff48fc47788: SecRule "TX:EXTENSION" "@within %{tx.restricted_extensions}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Transformation completed in 0 usec.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Executing operator "within" with param "%{tx.restricted_extensions}" against TX:extension.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Target value: ".key/"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{tx.restricted_extensions} to: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Operator completed in 12 usec.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Setting variable: tx.msg=%{rule.msg}
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{rule.msg} to: URL file extension is restricted by policy
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Set variable "tx.msg" to "URL file extension is restricted by policy".
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score}
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Recorded original collection variable: tx.anomaly_score = "0"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Relative change: anomaly_score=0+5
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Set variable "tx.anomaly_score" to "5".
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Setting variable: tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{rule.id} to: 920440
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{matched_var_name} to: TX:extension
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{matched_var} to: .key/
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Set variable "tx.920440-OWASP_CRS/POLICY/EXT_RESTRICTED-TX:extension" to ".key/".
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{TX.0} to: .key
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][2] Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".key"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Rule returned 1.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Match -> mode NEXT_RULE.
...
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Recipe: Invoking rule 7ff48f5a81b0; [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"].
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][5] Rule 7ff48f5a81b0: SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_threshold}" "phase:request,auditlog,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',severity:CRITICAL,id:949110,t:none,deny,log,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-generic,setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Transformation completed in 0 usec.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Executing operator "ge" with param "%{tx.inbound_anomaly_score_threshold}" against TX:anomaly_score.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Target value: "5"
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{tx.inbound_anomaly_score_threshold} to: 5
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Operator completed in 12 usec.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Setting variable: tx.inbound_tx_msg=%{tx.msg}
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{tx.msg} to: URL file extension is restricted by policy
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Set variable "tx.inbound_tx_msg" to "URL file extension is restricted by policy".
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Setting variable: tx.inbound_anomaly_score=%{tx.anomaly_score}
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{tx.anomaly_score} to: 5
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Set variable "tx.inbound_anomaly_score" to "5".
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Rule returned 1.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Match, intercepted -> returning.
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Resolved macro %{TX.ANOMALY_SCORE} to: 5
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][1] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Hook insert_error_filter: Adding output filter (r 7ff495ec90a0).
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][9] Output filter: Receiving output (f 7ff495ecae18, r 7ff495ec90a0).
[24/Nov/2016:14:15:58 +0000] [localhost/sid#7ff49c2d15c8][rid#7ff495ec90a0][/keys/nginx_signing.key][4] Skipping phase 3 as request was already intercepted.
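The 920440 chain (regex capture, tx.extension, @within against tx.restricted_extensions, +critical_anomaly_score) and the 949110 threshold check, as they appear in the SecRule lines logged above, re-implemented in Python as an added example; this is not code from the gist, CRS or ModSecurity. The extension list, score and threshold are copied from the macros resolved in the log, urlDecodeUni is approximated with urllib.parse.unquote, and the simulation shows only what the rule text implies for each input, not the engine differences between the two traces.

```python
import re
import urllib.parse

# Values exactly as the macros resolve in the debug log above.
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ "
    ".config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ "
    ".ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ "
    ".pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ "
    ".vsdisco/ .webinfo/ .xsd/ .xsx/"
)
CRITICAL_ANOMALY_SCORE = 5            # %{tx.critical_anomaly_score}
INBOUND_ANOMALY_SCORE_THRESHOLD = 5   # %{tx.inbound_anomaly_score_threshold}
EXT_RX = re.compile(r"\.(.*)$")       # 920440: @rx \.(.*)$ with capture

def rule_920440(request_basename, tx):
    """Two-rule chain from REQUEST-920-PROTOCOL-ENFORCEMENT.conf, lines 1058-1063."""
    # t:urlDecodeUni,t:lowercase (unquote is an approximation of urlDecodeUni)
    target = urllib.parse.unquote(request_basename).lower()
    m = EXT_RX.search(target)
    if not m:
        return False                  # first rule fails, chain stops
    tx["extension"] = "." + m.group(1) + "/"   # setvar:tx.extension=.%{tx.1}/
    # Chained rule: @within is a substring test of the target in the parameter,
    # which is why the list entries carry the trailing "/" delimiter.
    if tx["extension"] not in RESTRICTED_EXTENSIONS:
        return False
    tx["msg"] = "URL file extension is restricted by policy"
    tx["anomaly_score"] = tx.get("anomaly_score", 0) + CRITICAL_ANOMALY_SCORE
    return True

def rule_949110(tx):
    """REQUEST-949-BLOCKING-EVALUATION.conf: @ge threshold -> deny (403)."""
    return tx.get("anomaly_score", 0) >= INBOUND_ANOMALY_SCORE_THRESHOLD

def evaluate(request_basename):
    """Run the phase-2 path the log shows and report the resulting TX state."""
    tx = {"anomaly_score": 0}
    rule_920440(request_basename, tx)
    return {"extension": tx.get("extension"),
            "anomaly_score": tx["anomaly_score"],
            "denied": rule_949110(tx)}

if __name__ == "__main__":
    # Both basenames seen in the two traces, plus a benign and a no-extension case.
    for name in ("/nginx_signing.key", "nginx_signing.key", "index.html", "README"):
        print(name, evaluate(name))
```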