Thread: modsec ruleset framework for OWA/Exchange

modsec ruleset framework for OWA/Exchange
2007-04-06 07:25:26
Hi Christian and list,
Here is a framework for a ruleset to protect OWA/Exchange2003 based on a whitelist approach. It is just a proposal which will be tested for the next week(s). We'll also test against OWA/Exchange2007; hopefully this framework is flexible enough to support Exchange2007 (and future releases) as well.
Furthermore we hope REMO will support something like this in the future.
Happy Easter,
Helwin.
########## Basic configuration options ##########
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On

# Logging
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecAuditLogParts ABIHZ
SecAuditLogType Serial
SecAuditLogStorageDir /var/log/apache2/
SecAuditLog /var/log/apache2/modsec_audit.log

# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072

# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

# Anything not explicitly allowed by a rule below is logged and denied
SecDefaultAction "log,deny,phase:2,status:502"

########## REDIRECT RULE ##########
<LocationMatch "^/$">
SecAction "redirect:/exchange,t:none,msg:'Request redirected.'"
</LocationMatch>

########## OWA LOGON RULES ##########
<LocationMatch "^/exchange/?$">
SecRule REQUEST_METHOD "!^GET$" "t:none,deny,id:1,severity:3,msg:'Request method wrong (it is not GET).'"
SecRule
SecRule
...
...
SecAction "allow,id:1,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

<LocationMatch "^/exchweb/bin/auth/owalogon.asp$">
SecRule REQUEST_METHOD "!^GET$" "t:none,deny,id:2,severity:3,msg:'Request method wrong (it is not GET).'"
SecRule
SecRule
...
...
SecAction "allow,id:2,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

<LocationMatch "^/exchweb/bin/auth/owaauth.dll$">
# Checking request method
SecRule REQUEST_METHOD "!^POST$" "t:none,deny,id:4,severity:3,msg:'Request method wrong (it is not POST).'"
SecRule
SecRule
...
...
# All checks passed for this path. Request is allowed.
SecAction "allow,id:3,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

########## GET OWA GUI ##########
<LocationMatch "^/exchweb/img/.+\.(gif|wav)$">
SecRule REQUEST_METHOD "!^GET$" "t:none,deny,severity:3,msg:'Request method wrong (it is not GET).'"
SecRule
SecRule
...
...
SecAction "allow,id:4,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

<LocationMatch "^/exchweb/6.5.7651.60/controls/.+\.(js|htc|xsl|htm|css)$">
SecRule REQUEST_METHOD "!^GET$" "t:none,deny,severity:3,msg:'Request method wrong (it is not GET).'"
SecRule
SecRule
...
...
SecAction "allow,id:5,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

<LocationMatch "^/exchweb/themes/[0-4]/.+\.(gif|css)$">
SecRule REQUEST_METHOD "!^GET$" "t:none,deny,severity:3,msg:'Request method wrong (it is not GET).'"
SecRule
SecRule
...
...
SecAction "allow,id:6,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

<LocationMatch "^/exchweb/controls/.+\.(htc|css|js|xsl|htm)$">
SecRule REQUEST_METHOD "!^GET$" "t:none,deny,severity:3,msg:'Request method wrong (it is not GET).'"
SecRule
SecRule
...
...
SecAction "allow,id:7,t:none,msg:'Request passed all checks for this location, it is thus allowed.'"
</LocationMatch>

########## USER ACTIONS RULES ##########
<LocationMatch "^/exchange/([a-z]\w*)/.*$">
# We assume a lowercase user-id
# Checking request method
SecRule REQUEST_METHOD "!^(GET|POST|SUBSCRIBE|SEARCH|BPROPPATCH|PROPFIND|POLL|DELETE|BMOVE|MOVE)$" "t:none,deny,id:8,msg:'Action not allowed here'"

# Dispatch on the request method: each rule skips forward to the block for its method
SecRule REQUEST_METHOD "^GET$" "t:none,pass,skip:9,id:80"
SecRule REQUEST_METHOD "^SUBSCRIBE$" "t:none,pass,skip:11,id:81"
SecRule REQUEST_METHOD "^SEARCH$" "t:none,pass,skip:13,id:82"
SecRule REQUEST_METHOD "^BPROPPATCH$" "t:none,pass,skip:15,id:83"
SecRule REQUEST_METHOD "^PROPFIND$" "t:none,pass,skip:17,id:84"
SecRule REQUEST_METHOD "^POLL$" "t:none,pass,skip:19,id:85"
SecRule REQUEST_METHOD "^POST$" "t:none,pass,skip:21,id:86"
SecRule REQUEST_METHOD "^DELETE$" "t:none,pass,skip:23,id:87"
SecRule REQUEST_METHOD "^BMOVE$" "t:none,pass,skip:25,id:88"
SecRule REQUEST_METHOD "^MOVE$" "t:none,pass,skip:27,id:89"

# NB. the number of rules to skip depends on the number of SecRules in the "blocks".
# For this example we assume 2 SecRules for every block (plus the closing SecAction).
#GET block
SecRule
SecRule
...
...
SecAction "allow,id:90,msg:'Request passed all checks for this action, it is thus allowed.'"
#SUBSCRIBE block
SecRule
SecRule
...
...
SecAction "allow,id:91,msg:'Request passed all checks for this action, it is thus allowed.'"
#SEARCH block
SecRule
SecRule
...
...
SecAction "allow,id:92,msg:'Request passed all checks for this action, it is thus allowed.'"
#BPROPPATCH block
SecRule
SecRule
...
...
SecAction "allow,id:93,msg:'Request passed all checks for this action, it is thus allowed.'"
#PROPFIND block
SecRule
SecRule
...
...
SecAction "allow,id:94,msg:'Request passed all checks for this action, it is thus allowed.'"
#POLL block
SecRule
SecRule
...
...
SecAction "allow,id:95,msg:'Request passed all checks for this action, it is thus allowed.'"
#POST block
SecRule
SecRule
...
...
SecAction "allow,id:96,msg:'Request passed all checks for this action, it is thus allowed.'"
#DELETE block
SecRule
SecRule
...
...
SecAction "allow,id:97,msg:'Request passed all checks for this action, it is thus allowed.'"
#BMOVE block
SecRule
SecRule
...
...
SecAction "allow,id:98,msg:'Request passed all checks for this action, it is thus allowed.'"
#MOVE block
SecRule
SecRule
...
...
SecAction "allow,id:99,msg:'Request passed all checks for this action, it is thus allowed.'"
</LocationMatch>

########## FALLBACK RULE ##########
<LocationMatch "^/.*$">
SecAction "deny,status:403,severity:3,msg:'Unknown location. Access denied by fallback rule.'"
</LocationMatch>
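The skip offsets in the USER ACTIONS RULES section have to be recounted whenever a block gains or loses a rule, which is easy to get wrong silently (a request would then run a different method's checks). The checker below is an added example, not part of Helwin's ruleset or of ModSecurity itself; it assumes the post's "#METHOD block" comment convention and runs over a constructed three-method sample whose POST offset is deliberately off by one.

```python
import re
# Constructed sample shaped like the USER ACTIONS RULES section of the post: three
# dispatch rules, then one block of 2 SecRule + 1 SecAction per method.
SAMPLE_CONFIG = r'''
SecRule REQUEST_METHOD "^GET$"  "t:none,pass,skip:2,id:80"
SecRule REQUEST_METHOD "^POST$" "t:none,pass,skip:5,id:86"
SecRule REQUEST_METHOD "^MOVE$" "t:none,pass,skip:6,id:89"
#GET block
SecRule REQUEST_URI "\.\./" "t:none,deny,id:901"
SecRule REQUEST_HEADERS:User-Agent "^$" "t:none,deny,id:902"
SecAction "allow,id:90,msg:'GET allowed'"
#POST block
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "t:none,deny,id:903"
SecRule REQUEST_HEADERS:Content-Type "^$" "t:none,deny,id:904"
SecAction "allow,id:96,msg:'POST allowed'"
#MOVE block
SecRule REQUEST_HEADERS:Destination "^$" "t:none,deny,id:905"
SecRule REQUEST_URI "\.\./" "t:none,deny,id:906"
SecAction "allow,id:99,msg:'MOVE allowed'"
'''
DISPATCH_RE = re.compile(r'^SecRule REQUEST_METHOD "\^(\w+)\$"\s+".*?\bskip:(\d+)')
BLOCK_RE = re.compile(r'^#\s*(\w+)\s+block')

def required_skip(index, n_methods, rules_per_block):
    """skip:N for the index-th dispatch rule: the dispatch rules still to come, plus
    every block before its own (each block = its SecRules + the closing SecAction)."""
    return (n_methods - index - 1) + index * rules_per_block

def check_skips(config):
    """Map each dispatch method to (declared skip, rules actually between the dispatch
    rule and its '#METHOD block'). skip:N counts SecRule/SecAction lines only; comments
    and blank lines are ignored. Assumes no chained rules (a chain counts as one)."""
    seen, dispatch, block_start = 0, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        blk = BLOCK_RE.match(line)
        if blk:
            block_start[blk.group(1)] = seen
            continue
        if not line.startswith(("SecRule", "SecAction")):
            continue
        seen += 1
        disp = DISPATCH_RE.match(line)
        if disp:
            dispatch[disp.group(1)] = (int(disp.group(2)), seen)
    return {m: (declared, block_start[m] - pos) for m, (declared, pos) in dispatch.items()}

def wrong_skips(config):
    """Methods whose skip:N lands somewhere other than the start of their own block."""
    return sorted(m for m, (d, a) in check_skips(config).items() if d != a)
```

With the post's ten methods and three rules per block, required_skip reproduces the offsets 9, 11, ..., 27 used above.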

Re: modsec ruleset framework for OWA/Exchange
United States
2007-04-06 07:52:54
Helwin,
I love the idea and I am really glad to see users submitting rule examples as this is sorely needed. This OWA white-list ruleset would certainly qualify as a “Cool Rules” example :-) - http://www.modsecurity.org/projects/coolRules/index.html.
Please keep posting your development efforts to the list so that everyone can benefit.
Cheers.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series: http://www.breach.com/webinars.asp
--------------
From: mod-security-users-bounces lists.sourceforge.net On Behalf Of modsecowa gmail.com
Sent: Friday, April 06, 2007 8:25 AM
To: Christian Folini
Cc: Mod Security
Subject: [mod-security-users] modsec ruleset framework for OWA/Exchange