ModSecurity OWASP 3.3.2 breaking Nextcloud - cannot solve this one - owasp

Running ModSecurity 2.93, and OWASP ModSecurity Core Rule Set (CRS) 3.3.2.
Enabled the Nextcloud exceptions contained in REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf, and they are being loaded fine.
Nextcloud is updated to the last stable version, and passes all checks.
However, ModSecurity breaks its functionality in many important ways.
I get several false positives regarding the activity of the sync app on desktop, the sync app on mobile and WebDAV in general.
This is entirely ModSecurity's doing. Nextcloud reports no errors and disabling ModSecurity solves the problems.
My attempts to fix this have failed. In particular, adding the following rules to REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf completely breaks Nextcloud functionality, and doesn't solve any false positives. Not sure why:
SecRule REQUEST_URI "@beginsWith /remote.php/dav/files/admin/" \
"id:10000003,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=921110,\
ctl:ruleRemoveTargetById=980130,\
ctl:ruleRemoveTargetById=949110"
Samples from the ModSecurity Audit log:
Message: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|image/png|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ip>] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|image/png|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "<hostname>"] [uri "/index.php/apps/files/"] [unique_id "Y8Yq5sm-7UrRygrbZZNbsgAAABc"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ip>] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<hostname>"] [uri "/index.php/apps/files/"] [unique_id "Y8Yq5sm-7UrRygrbZZNbsgAAABc"]
The message in the Android sync app is usually "you are not permitted to upload to this folder". In general all sync apps are stumped by the 403 error provided by ModSecurity. I am not positive this isn't happening only for certain file types or certain folders, or, as I think, for all files.

CRS Dev-On-Duty here. You seem to have two issues with your tuning rules.
The first issue is that you're using the control statement ctl:ruleRemoveTargetById=921110 without specifying a target after the rule. Either specify a target with ctl:ruleRemoveTargetById=9xxxxx;ARGS:myArg or only remove the rule by using ruleRemoveById instead of ruleRemoveTargetById.
Second issue: never ever remove the blocking rule 949110 or the correlation rule 980130. You switch off the WAF.
To solve your problem (I only see one rule that matched, besides the blocking and correlation rule), I think it's best to add the Content-Type: image/png to the list of allowed request content-types. This can be done by uncommenting the rule 900220 in your crs-setup.conf and adding your required request content type:
https://github.com/coreruleset/coreruleset/blob/v3.3/dev/crs-setup.conf.example#L422
If you need more tuning help, I highly recommend the tuning guide of our CRS co-lead Christian Folini, especially "Handling False Positives with the OWASP CRS": https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/.
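As an added example (not from the original thread), this is what the two fixes from the CRS answer look like in configuration: the crs-setup.conf override of rule 900220 with image/png appended, and the narrowly scoped exclusion the original post was attempting, rewritten with ctl:ruleRemoveById so it needs no target and leaves 949110 and 980130 alone. The allowed-type list reproduced here is assumed to match the CRS 3.3 default; compare it with your own crs-setup.conf.example before use.

```apache
# crs-setup.conf: uncomment rule 900220 and append the type the audit log flagged
# ([data "|image/png|"]). Entries are pipe-delimited in CRS 3.3.x.
# The default list below is assumed to match crs-setup.conf.example for 3.3.x;
# check it against your own copy.
SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |image/png|'"

# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: the alternative, narrower fix.
# Only the rule that actually matched (920420) is removed, and only for the
# WebDAV path the sync clients use. ctl:ruleRemoveById takes no target (unlike
# ctl:ruleRemoveTargetById, which needs "920420;REQUEST_HEADERS:Content-Type").
# 920420 runs in phase 1, so the exclusion must run in phase 1 as well, ahead of
# it. The blocking rule 949110 and correlation rule 980130 stay untouched so the
# anomaly evaluation keeps running for every request.
SecRule REQUEST_URI "@beginsWith /remote.php/dav/" \
 "id:10000003,\
  phase:1,\
  pass,\
  nolog,\
  ctl:ruleRemoveById=920420"
```

Prefer the 900220 change when the same Content-Type is legitimately sent to other paths too; prefer the path-scoped exclusion when the false positive is confined to WebDAV.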

I think I may have figured out my problem.
I had this enabled in my crs-setup.conf:
SecRule SERVER_NAME "<hostname>" \
"id:10000001,\
phase:1,\
pass,\
nolog,\
setvar:tx.error_anomaly_score=4"
This was an old attempt I had made to lower MS sensitivity, after reading about it in the MS handbook. Obviously I had made some serious misjudgment there. Things seem to be working now.
By the way: how do I properly change the anomaly score for a hostname, so that MS is less sensitive? What's the normal value? I thought it was 5...
EDIT: Other problems in my log file, that caused sync with nextcloud to malfunction with certain file types, seemed to be due to a new Nextcloud bug documented for version 25.

Related

Debugging NdisTimedDataHang reported by Driver Verifier

I have enabled NDIS/WIFI verification flag of my driver in Driver Verifier. This resulted in BSOD for hitting the ndistimeddatahang rule. When I analyzed the dump, I got -
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 000000000009200f, ID of the 'NdisTimedDataHang' rule that was violated.
Arg2: fffff806cd819200, A pointer to the string describing the violated rule condition.
Arg3: ffff87862606b110, Address of internal rule state (second argument to !ruleinfo).
Arg4: ffff87862606b240, Address of supplemental states (third argument to !ruleinfo).
When I did !ndiskd.pendingnbls, I got the list of NBLs that were pending when the dump was taken. To figure out which NBL has caused the violation, I tried to use the !ruleinfo command with the arguments received in the analysis.
ruleinfo 0x9200f 0xffff87862606b110 0xffff87862606b240
but Windbg reported the error -
Failed to read the rule state (check the second argument).
What am I doing wrong? Is there any way to figure out which NBL failed to complete in 22 seconds, which is a requirement of the ndistimeddatahang rule?

Spurious dtrace user stack traces?

I am using dtrace to sample stack traces of a process like this:
# /usr/sbin/dtrace -p $MYPID -x ustackframes=100 stack.d -s -o stack.log
Where stack.d looks like:
profile-99
/execname == "mybinary"/
{
@[execname, ustack()] = count();
}
I am adding -p to dtrace such that it has the symbols during stack writing even when the user process has already exited.
This works - but I observe 3 issues:
During tracing I regularly get error messages like:
dtrace: error on enabled probe ID 1 (ID 12345: profile:::profile-99):\
invalid address (0x0) in action #3
dtrace: error on enabled probe ID 1 (ID 12345: profile:::profile-99):\
invalid address (0xffffffff00000000) in action #3
dtrace: error on enabled probe ID 1 (ID 12345: profile:::profile-99):\
invalid address (0x7ffe8000) in action #3
[..]
(i.e. many of those)
What is the underlying issue there?
The process executes like it should (i.e. no crashes).
The other thing is that a lot of recorded stacks don't contain any symbols at all.
What are possible reasons for such symbol-less stacks?
Also - some stacks do not start with _start -> main but still contain symbols (i.e. with functions from the binary).
Are those incomplete stacks ones where dtrace somehow failed to get to the bottom?

selectedSegmentIndex makes my app crash

I have a UISegmentedControl and whenever I touch a button it should show an alert with the index of the segment currently selected:
- (IBAction)bOkayTouched:(id)sender
{
NSString *msg = [NSString stringWithFormat:@"%@", [scRPSSL selectedSegmentIndex]];
UIAlertView *lol = [[UIAlertView alloc] initWithTitle:@"Mkay" message:msg delegate:self cancelButtonTitle:@"Okay" otherButtonTitles:nil];
[lol show];
[lol release];
}
However, the app crashes when it must create the NSString. But it does not crash when I replace that line with:
NSString *msg = [NSString stringWithFormat:@"XD"];
or similar.
Oh, and here's what the debugger tells me:
[Session started at 2009-08-30 21:04:38 +0200.]
[Session started at 2009-08-30 21:04:43 +0200.]
GNU gdb 6.3.50-20050815 (Apple version gdb-966) (Tue Mar 10 02:43:13 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin".sharedlibrary apply-load-rules all
Attaching to process 4630.
unable to read unknown load command 0x80000022
(gdb)
Can anyone help me?
Also, the alert says '(null)' if the selected index is 0 (zero).
Thanks!
selectedSegmentIndex is likely an integer value, in which case the format string %@ is not the right choice. Try the following instead:
[NSString stringWithFormat:@"%d", [scRPSSL selectedSegmentIndex]];
More information can be found in Apple's developer documentation on format specifiers, but the gist of it is that %@ is used only for subclasses of NSObject. It works by calling [object description] which returns a string. If you use it on an integer value, you are essentially sending an Objective-C message to something that isn't an object, which results in undefined behaviour (usually a crash).

Objective C - code crashes on selecting in nav controller

here is the code: http://pastie.org/562956
this code crashes on the call to itemsArray.count on "didSelectRowAtIndexPath". I don't get why... itemsArray is accessed for other methods like "numberOfRowsInSection". why would it all of a sudden get dereferenced ( I assume that is what is happening).
here is the output (dunno what's up with "unable to read unknown load command 0x22" either)
[Session started at 2009-07-28 22:11:50 -0600.]
Warning - No location found for "NSUserDefaults-Optimize.m:81"
GNU gdb 6.3.50-20050815 (Apple version gdb-966) (Tue Mar 10 02:43:13 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin".sharedlibrary apply-load-rules all
Attaching to process 56173.
unable to read unknown load command 0x22
2009-07-28 22:11:55.545 Send2iPhone[56173:20b] Load items
2009-07-28 22:11:55.629 Send2iPhone[56173:20b] cellforrow 0
2009-07-28 22:11:55.634 Send2iPhone[56173:20b] value=(null)
2009-07-28 22:11:55.644 Send2iPhone[56173:20b] cellforrow 1
2009-07-28 22:11:55.645 Send2iPhone[56173:20b] value=(null)
2009-07-28 22:11:55.654 Send2iPhone[56173:20b] cellforrow 2
2009-07-28 22:11:55.658 Send2iPhone[56173:20b] value=(null)
2009-07-28 22:11:55.659 Send2iPhone[56173:20b] cellforrow 3
2009-07-28 22:11:55.663 Send2iPhone[56173:20b] value=(null)
2009-07-28 22:11:57.724 Send2iPhone[56173:20b] row = 0
Program received signal: “EXC_BAD_ACCESS”.
kill
quit
The Debugger has exited with status 0.(gdb)
Chuck has it right, you aren't retaining the array.
One fix is to make itemsArray a property of the controller so in the header
@interface RootViewController : UITableViewController {
NSArray *itemsArray;
NSString *test;
}
// add the property directive for itemsArray and tell it to use retain
@property (nonatomic, retain) NSArray *itemsArray;
and in the .m
@implementation RootViewController
// add the synthesize for itemsArray property
@synthesize itemsArray;
// when you set the value of itemsArray use self.itemsArray this will properly retain the array
self.itemsArray = [NSArray arrayWithContentsOfURL:plistURL];
// release the itemsArray in dealloc
- (void)dealloc {
[itemsArray release];
[super dealloc];
}
You are not claiming ownership of itemsArray, so it's being freed by the autorelease pool at some point. You could solve it by setting the variable using an accessor that properly retains and releases. Also, if you haven't, you should read the Cocoa memory management guidelines.

Link aggregation and status of network interfaces in "ipadm" command

I am again rephrasing the issue that we are facing:
We are creating link aggregations [dlmp groups] with two interfaces named net0 & net5:
# dladm create-aggr -m dlmp -l net0 -l net5 -l net2 aggr1
Setting probe targets for aggr1:
# dladm set-linkprop -p probe-ip=+ aggr1
Setting failure detection time:
# dladm set-linkprop -p probe-fdt=15 aggr1
After this we are adding IP to this aggregation as follows:
# ipadm create-ip aggr1
Assigns an IP to this:
# ipadm create-addr -T static -a x.x.x.x/y aggr1/addr
Then we check the status using dladm and ipadm everything seems up and running.
Then we tested a scenario where we detached the cables from the above network interfaces, but what we got is as follows:
# dladm show-aggr -x
LINK   PORT   SPEED   DUPLEX    STATE   ADDRESS             PORTSTATE
traf0  --     100Mb   unknown   up      0:10:e0:5b:69:1     --
       net0   100Mb   unknown   down    0:10:e0:5b:69:1     attached
       net5   100Mb   unknown   down    a0:36:9f:45:de:9d   attached
The first issue is that we are getting the state of link "traf0" as up in the above command output; secondly, in the output of "ipadm":
traf0 ip ok -- --
traf0/addr static ok -- 7.8.0.199/16
We are getting the status of traf0 as ok.
So here I have a query: can't we have any configuration where we could get the right status of traf0 in both the dladm and ipadm output?
[One more thing to add here is that when we don't assign any IP to this traf0 aggregation, then on detaching the cables we get the right output in the dladm command.]
Apart from this configuration, we are using these aggregations as vnics in zones. There also we are getting the status of these links as up in the ipadm command output [after detaching the cables].
A small update:
We have set the value of "TRACK_INTERFACES_ONLY_WITH_GROUPS" parameter in /etc/default/mpathd as no and getting the state of "traf0" in ipadm command as failed, but still we get traf0/addr as ok.
traf0 ip failed -- --
traf0/addr static ok -- 7.8.0.199/16