WAF Rule - File Extension to be blocked
The CRS rule with ID 920440 triggers when the requested URL ends in one of the following forbidden file extensions:
".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
A rule trigger example for the file extension .axd:
2021-06-04T13:14:36+02:00 kemp02 wafd: [client 121.128.80.30] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/tmp/waf/5/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1034"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.99.21 (testvs)"] [uri "/testvs/WebResource.axd"] [unique_id "af8885df-69f6-4be5-a219-349152c6d70f"]
How can I add an exception to allow the .axd files?
Your options are:
1 - Disable rule 920440 on that Virtual Service, which allows all extensions.
2 - Create equivalent custom rules that allow the needed file extension and still block all the others.
Rules to be created
The custom rules are derived from crs-setup.conf as follows.
Download crs-setup.conf.example from the OWASP CRS website (https://coreruleset.org/installation/), open it in an editor, and search for "Forbidden file extensions". The section reads:
"Forbidden file extensions."
"Guards against unintended exposure of development/configuration files."
Once you find it, create a new custom rule file (rule_900240.conf; the name can be anything you want) containing only the "Forbidden file extensions" part of crs-setup.conf.example:
SecAction \
"id:900240,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.restricted_extensions=.asd/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
Rule to be created (this rule is copied from the original one in REQUEST-920-PROTOCOL-ENFORCEMENT.conf; the only change is the rule ID, because the original rule 920440 is disabled in the GUI and we need to enable the same logic again under a different ID)
Creating a custom rule (Rule_820440.conf):
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
"id:820440,\
phase:1,\
block,\
capture,\
t:none,\
msg:'URL file extension is restricted by policy',\
logdata:'%{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
See also the WAF Rule Writing Guide: https://support.kemptechnologies.com/hc/en-us/articles/4409216181901-WAF-Rule-Writing-Guide
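To make the two-rule chain above easier to reason about, here is an added Python simulation of it; it is example code written for this article, not Kemp's or the OWASP CRS's own code. It assumes the tx.restricted_extensions value from rule 900240 above (which lists .asd and no longer lists .axd), the CRS default tx.critical_anomaly_score of 5, and that REQUEST_BASENAME is the last path segment of the URI without the query string. The chain fires only when the first rule captures an extension, the captured value is wrapped as ".ext/" so that the "/" terminator prevents ".as/" from matching ".asa/", and urlDecodeUni plus lowercase are applied before the @within substring check.

```python
import re
from urllib.parse import unquote

# Constructed copy of the tx.restricted_extensions value from rule 900240
# in the article: .axd has been removed, .asd is present.
RESTRICTED_EXTENSIONS = (
    ".asd/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ "
    ".swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# Same pattern as the first rule in the chain: text after the last dot.
EXTENSION_RE = re.compile(r"\.([^.]+)$")

# Assumption: CRS default value of tx.critical_anomaly_score.
CRITICAL_ANOMALY_SCORE = 5


def request_basename(uri: str) -> str:
    """Approximates REQUEST_BASENAME: last path segment, query string excluded."""
    path = uri.split("?", 1)[0]
    return path.rsplit("/", 1)[-1]


def evaluate(uri: str, restricted: str = RESTRICTED_EXTENSIONS):
    """Simulate the chained rule.

    Returns (matched, tx_extension, anomaly_score_delta):
      matched           -- True when the request would add to the anomaly score
      tx_extension      -- the normalized tx.extension value, None if no extension
      anomaly_score_delta -- what is added to tx.anomaly_score_pl1
    """
    m = EXTENSION_RE.search(request_basename(uri))
    if not m:
        # First rule does not match, so the chain stops here.
        return False, None, 0
    # setvar:'tx.extension=.%{tx.1}/' -- the trailing "/" is the delimiter that
    # stops a short extension from matching the prefix of a longer entry.
    extension = "." + m.group(1) + "/"
    # Second rule: t:urlDecodeUni,t:lowercase are applied to TX:EXTENSION
    # before the operator runs.
    normalized = unquote(extension).lower()
    # @within: true when the variable is a substring of the operator argument.
    if normalized in restricted:
        return True, normalized, CRITICAL_ANOMALY_SCORE
    return False, normalized, 0


def allow_extension(restricted: str, ext: str) -> str:
    """Build the exception the article describes: remove one ".ext/" entry
    from the space-separated list so that extension is no longer restricted."""
    token = ext.lower().strip("/")
    if not token.startswith("."):
        token = "." + token
    token += "/"
    return " ".join(entry for entry in restricted.split() if entry != token)


if __name__ == "__main__":
    for uri in ("/testvs/WebResource.axd", "/wafblocking.asd",
                "/waftest.asx", "/web.CONFIG?v=1", "/index"):
        print(uri, evaluate(uri))
```

The last helper shows the mechanism behind the article's exception: the list is edited, the rule logic stays the same. Note that because the regex captures only the text after the final dot, a name such as backup.bak.txt is evaluated as ".txt/" and passes; the rule is about the served resource's extension, not every extension in the name.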
Once the two rules are created and saved as .conf files, upload them to the LoadMaster by going to:
Web Application Firewall - Custom Rules - WAF Custom Rules
The rules are then available under the WAF rules of the Virtual Service.
Test done on the LoadMaster:
Created the two rules and applied them on the VS with the WAF enabled.
.asx was taken out; that is the extension that I want to allow.
SecAction \
"id:900240,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.restricted_extensions=.asd/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
Create a rule based on rule 920440, which we just disabled (REQUEST-920-PROTOCOL-ENFORCEMENT.conf; the title of the rule to search for is "Restrict File Extension"):
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
"id:999999,\
phase:1,\
block,\
capture,\
t:none,\
msg:'URL file extension is restricted by policy',\
logdata:'%{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.0',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
I then created two files on my server:
one with the .asx extension and another with .asd, which should be blocked because it is part of the file.
Files created like this:
.asd
<html>
<head>
</head>
<body>
<h1>test page</h1>
</body>
</html>
.asx
<html>
<head>
</head>
<body>
<h1>test page</h1>
</body>
</html>
Result:
curl -k https://10.2.126.180/wafblocking.asd
<html><head><title>403 Forbidden</title></head><body>Access denied</body>
curl -k https://10.2.126.180/waftest.asx
<html>
<head>
</head>
<body>
<h1>test page</h1>
</body>
</html>
Logs on the LM:
Blocking one
Comments
When a rule is triggered that leads to a request being blocked, details of the event can be found under the "False Positive Analysis" view.
The False Positive Analysis can be selected under the WAF Configuration or in the Virtual Service Configuration.
Michal Wojcicki
Very useful article! I have one question about "Blocking one" section.
In the log above, when it's detected and a Warning is triggered, I can find rule ID 920350, check its contents and edit it, but what about the case of blocking:
when ModSecurity is blocking, where can I find REQUEST-949-BLOCKING-EVALUATION.conf and rule 949110?
Best Regards,
Michal Wojcicki