From 0e3df4b5c0c43fc1b8470b761722c3bc2631b180 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Fri, 5 Aug 2022 13:21:57 +0200 Subject: [PATCH] Fix patch for early blocking Related: rhbz#2115313 --- mod_security_crs-early-blocking.patch | 138 -------------------------- mod_security_crs.spec | 6 +- 2 files changed, 5 insertions(+), 139 deletions(-) diff --git a/mod_security_crs-early-blocking.patch b/mod_security_crs-early-blocking.patch index c26d52f..16bced8 100644 --- a/mod_security_crs-early-blocking.patch +++ b/mod_security_crs-early-blocking.patch @@ -176,144 +176,6 @@ index 5f370a1..338ce88 100644 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf.orig b/rules/REQUEST-949-BLOCKING-EVALUATION.conf.orig -new file mode 100644 -index 0000000..5f370a1 ---- /dev/null -+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf.orig -@@ -0,0 +1,132 @@ -+# ------------------------------------------------------------------------ -+# OWASP ModSecurity Core Rule Set ver.3.3.0 -+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -+# -+# The OWASP ModSecurity Core Rule Set is distributed under -+# Apache Software License (ASL) version 2 -+# Please see the enclosed LICENSE file for full details. -+# ------------------------------------------------------------------------ -+ -+# -+# -= Paranoia Level 0 (empty) =- (apply unconditionally) -+# -+ -+# Summing up the anomaly score. -+ -+# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. -+# So we add to it. -+SecRule TX:PARANOIA_LEVEL "@ge 1" \ -+ "id:949060,\ -+ phase:2,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 2" \ -+ "id:949061,\ -+ phase:2,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 3" \ -+ "id:949062,\ -+ phase:2,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 4" \ -+ "id:949063,\ -+ phase:2,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'" -+ -+ -+SecMarker "BEGIN-REQUEST-BLOCKING-EVAL" -+ -+# These rules use the anomaly score settings specified in the 10 config file. -+# You should also set the desired disruptive action (deny, redirect, etc...). -+# -+# -=[ IP Reputation Checks ]=- -+# -+# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK -+# -+SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \ -+ "id:949100,\ -+ phase:2,\ -+ deny,\ -+ log,\ -+ msg:'Request Denied by IP Reputation Enforcement',\ -+ logdata:'Previous Block Reason: %{ip.reput_block_reason}',\ -+ tag:'application-multi',\ -+ tag:'language-multi',\ -+ tag:'platform-multi',\ -+ tag:'attack-reputation-ip',\ -+ ver:'OWASP_CRS/3.3.0',\ -+ severity:'CRITICAL',\ -+ chain" -+ SecRule TX:DO_REPUT_BLOCK "@eq 1" \ -+ "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" -+ -+# -+# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=- -+# -+SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ -+ "id:949110,\ -+ phase:2,\ -+ deny,\ -+ t:none,\ -+ log,\ -+ msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\ -+ tag:'application-multi',\ -+ tag:'language-multi',\ -+ tag:'platform-multi',\ -+ tag:'attack-generic',\ -+ ver:'OWASP_CRS/3.3.0',\ -+ severity:'CRITICAL',\ -+ setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" -+ -+ -+ -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+# -+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) -+# -+ -+ -+ -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+# -+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) -+# -+ -+ -+ -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+# -+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) -+# -+ -+ -+ -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -+# -+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) -+# -+ -+ -+ -+# -+# -= Paranoia Levels Finished =- -+# -+SecMarker "END-REQUEST-949-BLOCKING-EVALUATION" diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf index c34607e..a192359 100644 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf diff --git a/mod_security_crs.spec b/mod_security_crs.spec index f9cb275..d2666c4 100644 --- a/mod_security_crs.spec +++ b/mod_security_crs.spec @@ -1,7 +1,7 @@ Summary: ModSecurity Rules Name: mod_security_crs Version: 3.3.0 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz @@ -46,6 +46,10 @@ done %{_datarootdir}/mod_modsecurity_crs %changelog +* Fri Aug 05 2022 Tomas Korbar - 3.3.0-5 +- Fix patch for early blocking +- Related: rhbz#2115313 + * Thu Aug 04 2022 Tomas Korbar - 3.3.0-4 - Backport early blocking feature - Resolves: rhbz#2115313