
I am seeing cookies being generated on our server which appear to be from 3rd party objects in the site and don't show themselves when one logs in or navigates through the site.

The cookies are random but all start with Wm. So some of them might be wm_cm_12345-12345-12345-12345 and some of them might be wm-wtchd-22. I am thinking that perhaps I could have them not alert if they're Wm*.

How can I whitelist cookies starting with Wm?

And any other ideas that you might have that you'd like to include with how I can whitelist these?

Thanks

An example cookie:

TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-REQUEST_COOKIES:wm_rx_123456eabcdef7890_0edb4989-1523-ff12-ccab-beddddaaffccc. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 41, SQLi=9, XSS=): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: \\x22:61"] [hostname "Somefoowebsite.com"] [uri "/images/nyancat.jpg"] 

Another example of what I am seeing:

[30/Nov/2015:13:54:27 --0700] [bumblebeetuna.com/sid#7fee134ee758][rid#7fee13b510d8][/nyancat.foo][2] Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-REQUEST_COOKIES:wm_ct_877bb6e0e4744fd6a270f70f3e0c8a67_d464ab47-3cf0-fe3f-89d5-bd785f7bdcfa. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=4, XSS=): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: \x22:61"]
LUser

1 Answer


You can do what you want you can add config like this (as detailed here):

SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:'/^wm.*/'

In fact this is already built in for some regular cookies that this rule incorrectly flags as false positives (__utm used by Google Analytics and _pk_ref used by a similar analytics piece of software) as you can see when looking at the rule definition of the original rule that flagged:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'´’‘]\d)|(?:\^[\"'´’‘])|(?:^[\w\s\"'´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+()|(?:[\"'´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'´’‘\d])|(?:[\"'´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'´’‘])|(?:[\"'´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'´’‘].?*\s?\d)|(?:[\"'´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'´’‘][^,]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Now if you can figure out that regexpr then you're a better man than me, but you can see the config for which cookies it applies to at the beginning.

Note it's best to add the above config to dynamically modify the rule, rather than editing the rule itself, since upgrading your rules will overwrite any edits whereas overrides can be kept (assuming they are in a separate override file which is still present after the upgrade).

Barry Pollard
  • hmm I am trying to figure out why this rule didn't work. I am still seeing – LUser Nov 23 '15 at 17:32
  • I had the wrong id in my answer (981241 instead of 981243). Corrected now. You also might need to add the above SecRuleUpdateTargetById bit AFTER the rule is defined rather than before (not sure if this is necessary but my config adds amends like this after). – Barry Pollard Nov 23 '15 at 18:30
  • I noticed that, but I corrected this already. When you say to add after is that to have the rule ID to be after or the .conf to be a higher number? – LUser Nov 23 '15 at 18:41
  • Make sure the .conf file defining the rule is loaded before the .conf file that alters the rule. – Barry Pollard Nov 23 '15 at 19:12
  • Yes, I have that for as conf 15. Is SQLI-REQUEST_COOKIES its own var or something? I have them all eliminated except for one of those ironically. wm_ct_944bb6e0e3356fd6a990f70f3e9c9c77_84a4567-6b37-d71e-b7db-1d221326c157 – LUser Nov 24 '15 at 18:45
  • No that's just logging info. Your rule amend must not be being picked up for some reason. Is it the exact same error message? – Barry Pollard Nov 24 '15 at 19:16
  • this appears to be the original rule that is alerting – LUser Nov 24 '15 at 19:27
  • SecRule TX:ANOMALY_SCORE "@gt 0" \ "chain,phase:2,id:'981176',t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain SecRule TX:/^\d/ "(.*)" – LUser Nov 24 '15 at 19:28
  • That rule fires only if other rules also fire and so the anomaly score is higher than a threshold. – Barry Pollard Nov 24 '15 at 19:33
  • Thought I would try this to see if it works. SecRuleUpdateTargetById 981176 !REQUEST_COOKIES:'/^wm.*/' "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981176,setvar:tx.anomaly_score=-5" And it hasn't – LUser Nov 24 '15 at 19:35
  • Parameters like phase, nolog, pass and ctl can only be specified in a new rule (using SecRule) not in a SecRuleUpdateTargetById statement. Which rule other than 981176 is firing? – Barry Pollard Nov 24 '15 at 19:46
  • 981243, 981257, 981245 are as well – LUser Nov 24 '15 at 21:25
  • Then add similar fixes for those rules and that will stop the overall rule 981176 firing. – Barry Pollard Nov 24 '15 at 21:46
  • I have but still the same results. – LUser Nov 24 '15 at 22:15
  • Please post more details in the original question to show ALL the alerts. Can't guess what you're seeing. – Barry Pollard Nov 24 '15 at 23:26
  • Ok added more info, but so far nothing of what we have done has made any visible impact. – LUser Nov 30 '15 at 21:22
  • One thing that sticks out to me is "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=4, XSS=)" . Is there something that can be done for this in this situation? – LUser Nov 30 '15 at 21:23
  • This worked after I set it after all rules on 61 conf loaded in. – LUser Dec 04 '15 at 19:47
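Putting the answer's SecRuleUpdateTargetById approach together for the three rules the comments identify as contributing to the anomaly score (981243, 981245, 981257), as an added example that is not from the answer or from the CRS itself. The file name, the 99_ prefix used to force load order, and the anchored regex `^wm` (equivalent to the answer's `^wm.*`) are assumptions.

```apacheconf
# /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_99_wm_cookie_exclusions.conf
# (assumed file name; the 99_ prefix makes it sort after the numbered CRS files,
# including the modsecurity_crs_49_inbound_blocking.conf file seen in the logs).
#
# SecRuleUpdateTargetById can only modify a rule that has already been defined,
# which is why the comments above found it had no effect until it was loaded
# after all the CRS rule files. Keeping these overrides in their own file means
# a CRS upgrade does not overwrite them.

# Cookies named wm_ct_..., wm_rx_..., wm-wtchd-... are set by third-party
# objects on the site and trip the SQLi rules. Exclude any cookie whose name
# starts with "wm" from the rules that fired. The regex is case-sensitive and
# the logged names are lowercase, so "^wm" matches them.
SecRuleUpdateTargetById 981243 "!REQUEST_COOKIES:/^wm/"
SecRuleUpdateTargetById 981245 "!REQUEST_COOKIES:/^wm/"
SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:/^wm/"

# Rule 981176 is the blocking rule: it only fires when the summed anomaly
# score from rules like the three above crosses the threshold, so it needs
# no exclusion of its own. Excluding the cookies from the scoring rules is
# what stops it firing.
#
# Caveat (assumption): the logged MATCHED_VAR_NAME was REQUEST_COOKIES. If a
# later alert names REQUEST_COOKIES_NAMES instead, the cookie *name* was
# matched and that collection needs the same exclusion, e.g.
#   SecRuleUpdateTargetById 981243 "!REQUEST_COOKIES_NAMES:/^wm/"
```

After adding the file, reload the config and confirm in the audit log that the same request no longer produces the "Inbound Anomaly Score Exceeded" entry; any remaining alert will name the next rule still scoring the cookie.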