Resolves: #RHEL-22733 - mod_security_crs - The rule id:913100 in the

REQUEST-913-SCANNER-DETECTION.conf blocks requests with "User-agent: urlgrabber/3.10 yum/3.4.3"
2024-02-09 13:36:49 +01:00 · 2024-02-09 13:36:49 +01:00 · 429331631d
commit 429331631d
parent 8eea142c6a
2 changed files with 38 additions and 1 deletions
--- a/mod_security_crs-rule-913100-req-scanner-detection.patch
+++ b/mod_security_crs-rule-913100-req-scanner-detection.patch
@ -0,0 +1,29 @@
 diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
 index 2b21cef..335dad2 100644
 --- a/rules/REQUEST-913-SCANNER-DETECTION.conf
 +++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -31,6 +31,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
 # 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
 # 913102 - web crawlers/bots (data file crawlers-user-agents.data)
 #
 +# Chained rule is doing whitelist for YUM package manager of CentOS / Fedore.
 SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     "id:913100,\
     phase:2,\
@@ -49,10 +50,12 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'PCI/6.5.10',\
     ver:'OWASP_CRS/3.3.4',\
     severity:'CRITICAL',\
 -    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 -    setvar:'ip.reput_block_flag=1',\
 -    setvar:'ip.reput_block_reason=%{rule.msg}',\
 -    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
 +    chain"
 +    SecRule MATCHED_VARS "!@rx ^urlgrabber/[0-9\.]+ yum/[0-9\.]+$" \
 +        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 +        setvar:'ip.reput_block_flag=1',\
 +        setvar:'ip.reput_block_reason=%{rule.msg}',\
 +        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
 SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
     "id:913110,\
--- a/mod_security_crs.spec
+++ b/mod_security_crs.spec
@ -1,7 +1,7 @@
 Summary: ModSecurity Rules
 Name: mod_security_crs
 Version: 3.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
@ -11,6 +11,8 @@ Obsoletes: mod_security_crs-extras < 3.0.0
 Patch0: mod_security_crs-early-blocking.patch
 # https://issues.redhat.com/browse/RHEL-16358
 Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
 # https://issues.redhat.com/browse/RHEL-22733
 Patch2: mod_security_crs-rule-913100-req-scanner-detection.patch
 %description
 This package provides the base rules for mod_security.
@ -19,6 +21,7 @@ This package provides the base rules for mod_security.
 %setup -q -n coreruleset-%{version}
 %patch0 -p1 -b .early_blocking
 %patch1 -p1 -b .rule_941310
 %patch2 -p1 -b .rule_913100
 %build
@ -51,6 +54,11 @@ done
 %{_datarootdir}/mod_modsecurity_crs
 %changelog
 * Fri Feb 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3
 - Resolves: #RHEL-22733 - mod_security_crs - The rule id:913100 in the
  REQUEST-913-SCANNER-DETECTION.conf blocks requests  with "User-agent:
  urlgrabber/3.10 yum/3.4.3"
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
 - Resolves: RHEL-16358 - A form data, "会社"(Company in Japanese) is forbade
  with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs