CODEWITHSUNDEEP
c#asp.netiismod-securitymod-security2
Ogglas
Ogglas

Reputation: 69968

ModSecurity default installation running on IIS 10.0 with CRS rule set generating a lot of errors

I have just installed ModSecurity on IIS 10.0 running on Windows 10. However even a "clean" install generates a lot of errors only by visiting the default IIS site.

By looking at eventvwr and making a single request I get a total of 14 new errors for a GET request to localhost.

Every event has the following description:

The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Eventdata:

[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]

[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]

[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]

What I have done:

Installed ModSecurity v2.9.1 for IIS MSI Installer - 64bits and Visual Studio 2013 Runtime (vcredist).

Downloaded OWASP ModSecurity Core Rule Set (CRS) from https://github.com/SpiderLabs/owasp-modsecurity-crs and put the folder in C:\Program Files\ModSecurity IIS. Changed the name crs-setup.conf.example to crs-setup.conf.

Under \rules I changed REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to not contain .example.

Modified modsecurity_iis.conf to the following:

Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include owasp_crs\base_rules\*.conf
#OWASP-Rules
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Restarted IIS and then checked Event Viewer. What have I missed or is this normal behavior?

Upvotes: 1

Views: 3778

Answers (1)

Ogglas
Ogglas

Reputation: 69968

Regarding the description I found this:

This is just an warning. That is actually the ModSecurity letting you know something about a given request. The "windows description" of the event can be ignored. Look at the content...

https://github.com/SpiderLabs/ModSecurity/issues/877#issuecomment-267712103

1. Execution error - PCRE limits exceeded (-8): (null):

Modified modsecurity.conf values to the following:

SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000

Instead of reading data from EventLog I started using Audit log instead. Can be enabled via modsecurity.conf. Set format to JSON instead of Native to read the log file programatically. Remember to give the user IIS_IUSRS access to the logs folder and files. 

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#

SecAuditLogFormat JSON

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog c:\inetpub\logs\modsec_audit.log

# Specify the path for concurrent audit logging.
SecAuditLogStorageDir c:\inetpub\logs\

Upvotes: 1

Related Questions