Proposal to include monitoring agents exceptions in a new data file

_Issue originally created by user fzipi on date 2019-10-08 20:31:17. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1589._

Type of Issue

New feature.

Description

While working on creating one exception for FP (#1583), the discussion there turned into getting a more holistic approach for monitoring agents.

We can take into account Monit, Nagios, Elasticsearch Metricbeat: anything that does the monitoring exclusively from 127.0.0.1.

For example:

SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" ...
    SecRule REQUEST_HEADERS:User-Agent "@rx %{tx.monitoring_user_agent_rx}" ...

The list of monitoring agents could be read from a data file.

It should not be enabled by default (which was a common concern), and also we may want to add something related to awareness about SSRF by adding these exceptions.

But this is normally a must for anyone that has a production server: they will need monitoring.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 29 (18 by maintainers)

Top GitHub Comments

2 reactions
dune73 commented, Oct 21, 2020

Yes, that problem with the tags persists.

If #1886 is adopted, then it’s perfectly OK to use it here of course.

901470 should have the default-UAs empty, shouldn't it? And 901480 should then check for the existence / size of that variable. So unless you define UAs in crs-setup.conf, there is nothing that is disabled.

I like the proposal laid out and I realize I have been overly defensive above. Sorry. If it’s limited to individual IPs, we should be on safe ground.

Bonus points for only disabling rules that are commonly triggered by monitoring agents.

Is there sense in limiting this to the HEAD and GET methods?

So all in all, I see this as a useful workaround for a persisting problem.

1 reaction
fzipi commented, Oct 20, 2020

I like the approach. We should sort the IDs in the ruleRemoveById. The only thing I see is that we might want to use more tags instead of specific numbers. But in that case, we would have to add additional tags to those rules 🤔
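
Added example, not code from the issue or from CRS: one way the opt-in exclusion discussed in this thread could be written as ModSecurity rules, combining the loopback check, the GET/HEAD limit, a User-Agent data file and removal of specific rules only. The rule IDs, the variable `tx.monitoring_agents_enabled`, the file name `monitoring-agents.data` and the removed rule ID are all placeholders.

```apache
# Added example. All IDs, the TX variable name and the data file name are
# placeholders chosen for illustration, not values from CRS.

# Opt-in switch (crs-setup.conf style). Leave it commented out and the
# exclusion below never runs, so nothing is disabled by default.
# SecAction \
#     "id:9990470,phase:1,pass,nolog,\
#     setvar:'tx.monitoring_agents_enabled=1'"

# Gate: if the operator did not set the variable, skip the exclusion.
SecRule &TX:monitoring_agents_enabled "@eq 0" \
    "id:9990480,phase:1,pass,nolog,skipAfter:END-MONITORING-AGENTS"

# Exclusion: all three conditions must hold before any rule is removed.
#   1. the connection comes from loopback only (individual IPs, no ranges)
#   2. the method is GET or HEAD
#   3. the User-Agent contains a phrase listed in the data file
#      (@pmFromFile is a case-insensitive substring match, one phrase per
#      line, so keep the phrases specific, e.g. a full agent name)
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
    "id:9990481,phase:1,pass,t:none,nolog,chain"
    SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" "t:none,chain"
        SecRule REQUEST_HEADERS:User-Agent \
            "@pmFromFile monitoring-agents.data" \
            "t:none,ctl:ruleRemoveById=9999999"
# 9999999 is a placeholder: list only the rule IDs that the monitoring
# agents actually trigger, in sorted order, rather than switching the
# engine off for these requests.

SecMarker "END-MONITORING-AGENTS"
```

If the WAF runs behind a reverse proxy on the same host, `REMOTE_ADDR` is a loopback address for every request, so the exclusion would then depend on the client-supplied User-Agent alone and should stay disabled in that topology.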
