  1. #1

    Great modsecurity rule, what do you think?


    After some research and testing, I found a great rule to stop include attacks:

    #Generic PHP remote file inclusion
    SecFilterSelective REQUEST_URI "\.php\?" chain
    SecFilter "(http|https|ftp)\:/" log,deny

    The problem lately is that script kiddies no longer execute wget/perl etc. DIRECTLY!! They simply include a script that does the work. Example:

    wget to /tmp
    rm -f

    This way, you can't find any clues in the /tmp folder, because after the script was executed, it was deleted! And wget isn't in the logs, because it was inside a file that was included.

    This seems to be an ideal solution to stop any inclusions.

    However, I've been searching for a way to INSPECT the content of the included file like this:

    SecFilterSelective REQUEST_URI "\.php\?" chain
    SecFilter "(http|https|ftp)\:/" chain
    SecFilter IN THE INCLUDED FILE "wget|perl|anything-suspicious" log,deny

    The problem is, how can we do that!

    What do you guys think?
    I wish I was a carpenter
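    As an added illustration (not part of the original post, and not ModSecurity's own code), the Python below emulates the two-stage chain quoted above on a handful of constructed request URIs. Emulating the engine's percent-decoding before matching is an assumption about ModSecurity 1.x behaviour; the sample URIs and the 203.0.113.10 address are constructed. Running it shows both what the chain catches and the kind of legitimate request (a redirect parameter carrying a full URL) that it also denies.

```python
import re
from urllib.parse import unquote

# Emulates, in Python, the two-stage ModSecurity 1.x chain from the post:
#   SecFilterSelective REQUEST_URI "\.php\?" chain
#   SecFilter "(http|https|ftp)\:/" log,deny
# Stage 1 only fires on .php requests that carry a query string; stage 2
# then looks for a URL scheme anywhere in the request.
STAGE1_PHP_QUERY = re.compile(r"\.php\?")
STAGE2_REMOTE_URL = re.compile(r"(http|https|ftp):/", re.IGNORECASE)


def normalize(request_uri):
    """Assumption: one round of percent-decoding before matching, as the
    1.x engine did by default, so encoded "http%3A%2F%2F" is still seen."""
    return unquote(request_uri)


def chain_matches(request_uri):
    """True when both stages hit, i.e. the chain would log and deny."""
    uri = normalize(request_uri)
    return bool(STAGE1_PHP_QUERY.search(uri)) and bool(STAGE2_REMOTE_URL.search(uri))


def evaluate(request_uris):
    """Map each request URI to the verdict the chain would produce."""
    return {u: ("deny" if chain_matches(u) else "pass") for u in request_uris}


# Constructed sample requests, not real log data.
SAMPLE_REQUESTS = [
    "/index.php?page=http://203.0.113.10/remote.txt?",     # remote include attempt
    "/index.php?page=http%3A%2F%2F203.0.113.10%2Fremote.txt",  # same, URL-encoded
    "/index.php?page=about",                               # ordinary local include
    "/redirect.php?to=https://www.example.com/docs",       # legitimate, but denied
    "/static/page.html?ref=http://example.org",            # not a .php? request
]

if __name__ == "__main__":
    for uri, decision in evaluate(SAMPLE_REQUESTS).items():
        print(f"{decision:5} {uri}")
```

The fourth sample is the point worth noting: any script that legitimately takes a full URL as a parameter (redirectors, feed readers, link previews) trips the same chain, so the deny rate in the audit log is the number to watch before rolling this out widely.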

  2. #2
    I just found a way to filter on OUTPUT:

    ## -- Command execution traces in the output (Unix) --------------------------

    # Command "id"
    SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]]+\) gid=[[:digit:]]+\([[:alnum:]]+\)"

    # Command "ls -l"
    SecFilterSelective OUTPUT "total [[:digit:]]+"

    # Command "wget"
    SecFilterSelective OUTPUT "HTTP request sent, awaiting response"

    Just need to figure out how to filter an attack that launches a nobody process.
    I wish I was a carpenter
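    As an added example (mine, not from the post or from ModSecurity), the three OUTPUT signatures above translated from POSIX character classes into Python regexes and run over constructed response bodies. The bodies are made up; the "id" pattern carries a "+" after "gid=" so that multi-digit group ids match, which the rule as first posted lacked.

```python
import re

# Output-side signatures from the post, translated from POSIX classes:
#   [[:digit:]] -> \d      [[:alnum:]] -> [A-Za-z0-9]
# Note the "+" after gid=\d, needed for gids with more than one digit.
OUTPUT_SIGNATURES = {
    "id":    re.compile(r"uid=\d+\([A-Za-z0-9]+\) gid=\d+\([A-Za-z0-9]+\)"),
    "ls -l": re.compile(r"total \d+"),
    "wget":  re.compile(r"HTTP request sent, awaiting response"),
}


def scan_response(body):
    """Names of every signature found in a response body, in table order."""
    return [name for name, rx in OUTPUT_SIGNATURES.items() if rx.search(body)]


def verdict(body):
    """Deny if any output signature fires, as the OUTPUT filters would."""
    return "deny" if scan_response(body) else "pass"


# Constructed response bodies, not captured traffic.
SAMPLE_RESPONSES = {
    "normal page": "<html><body><h1>Welcome</h1><p>Nothing to see.</p></body></html>",
    "id trace":    "<pre>uid=99(nobody) gid=99(nobody) groups=99(nobody)</pre>",
    "ls trace":    "total 12\n-rw-r--r-- 1 nobody nobody 512 Sep 21 12:42 config.php\n",
    "wget trace":  "Connecting to 203.0.113.10:80... connected.\n"
                   "HTTP request sent, awaiting response... 200 OK\n",
    "shop page":   "<p>Order total 42 items in your cart</p>",  # legitimate text
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        print(f"{verdict(body):5} {label:12} {scan_response(body)}")
```

Two things the run makes visible: "total 42 items" on an ordinary page fires the "ls -l" signature, so that pattern alone will produce false positives on real sites, and the "id" signature only matches account names made of letters and digits, so a web server running as "www-data" (hyphen) slips past it unless the class is widened.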

  3. #3
    What does your audit_log look like in terms of blocked requests? Is this on a personal server (dedicated/VDS) or a large shared hosting server? If you're on a large shared hosting server, you may be blocking quite a bit of legitimate traffic.

    edit: just to clarify, I am speaking in terms of this alone:

    #Generic PHP remote file inclusion
    SecFilterSelective REQUEST_URI "\.php\?" chain
    SecFilter "(http|https|ftp)\:/" log,deny

    not including the wget|perl|other bad stuff
    Last edited by jpetersen; 09-21-2006 at 12:42 PM.
