import CS mod_security_crs-3.3.4-3.el9

This commit is contained in:
eabdullin 2024-03-28 11:11:06 +00:00
parent 9d60603089
commit e41e5285f5
3 changed files with 62 additions and 2 deletions

View File

@ -0,0 +1,29 @@
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index 2b21cef..335dad2 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -31,6 +31,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
#
+# Chained rule is doing whitelist for YUM package manager of CentOS / Fedore.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,\
phase:2,\
@@ -49,10 +50,12 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'ip.reput_block_flag=1',\
- setvar:'ip.reput_block_reason=%{rule.msg}',\
- expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+ chain"
+ SecRule MATCHED_VARS "!@rx ^urlgrabber/[0-9\.]+ yum/[0-9\.]+$" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
"id:913110,\

View File

@ -0,0 +1,16 @@
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 2020-07-01 18:38:19.000000000 +0200
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 2023-02-16 09:14:52.151838881 +0100
@@ -543,8 +543,11 @@
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ chain"
+ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx [^\xe4]\xbc[^\x9a][^\xbe>]*[^\xe7][^\xa4][\xbe>]|<[^\xbe]*[^\xe7][^\xa4]\xbe" \
+ "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# https://nedbatchelder.com/blog/200704/xss_with_utf7.html

View File

@ -1,7 +1,7 @@
Summary: ModSecurity Rules
Name: mod_security_crs
Version: 3.3.4
Release: 1%{?dist}
Release: 3%{?dist}
License: ASL 2.0
URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
@ -9,13 +9,19 @@ BuildArch: noarch
Requires: mod_security >= 2.9.6
Obsoletes: mod_security_crs-extras < 3.0.0
Patch0: mod_security_crs-early-blocking.patch
# https://issues.redhat.com/browse/RHEL-16358
Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
# https://issues.redhat.com/browse/RHEL-22733
Patch2: mod_security_crs-rule-913100-req-scanner-detection.patch
%description
This package provides the base rules for mod_security.
%prep
%setup -q -n coreruleset-%{version}
%patch0 -p1 -b.early_blocking
%patch0 -p1 -b .early_blocking
%patch1 -p1 -b .rule_941310
%patch2 -p1 -b .rule_913100
%build
@ -48,6 +54,15 @@ done
%{_datarootdir}/mod_modsecurity_crs
%changelog
* Fri Feb 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3
- Resolves: #RHEL-22733 - mod_security_crs - The rule id:913100 in the
REQUEST-913-SCANNER-DETECTION.conf blocks requests with "User-agent:
urlgrabber/3.10 yum/3.4.3"
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
- Resolves: RHEL-16358 - A form data, ""(Company in Japanese) is forbade
with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
- new version 3.3.4
- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x