ModSecurity

Greetings,

I'd like to know if it's possible to implement per/vhost exclussions using 
mod_security.

We are using gotroot's rules as well as some custom rules but it's not 
working correctly with all sites.

For example the cookies validation, UTF-8 encoding checks as well as 
application specific rules need to be excluded here and there.

All the below config vars for example are hitting few sites on every 
general web hosting server I came across till now and it's a pitty not to 
secure some 400 sites on the machine because 10 of them are getting hurt :(

     SecFilterCheckURLEncoding Off
     SecFilterCheckUnicodeEncoding Off
     SecFilterCheckCookieFormat Off
     SecFilterNormalizeCookies Off

I believe mod_security is a great tools for webhosters, but rules 
organizations can be improved, specially when working with tons of rules, 
like the ones provided by gotroot.

thanks,
	Justin

We are building a new server and cannot get modsecurity to install.  =
Below find the server info and following that the first few lines of =
hundreds that follow when attempting to install mod_security 1.8.7

Linux u15190851.onlinehome-server.com 2.6.11.9-050512a #1 SMP Thu May 12 =
20:53:02 CEST 2005 i686 i686 i386 GNU/Linux

Fedora Core release 2 (Tettnang)

Server version: Apache/2.0.51
Server built:   Nov 12 2004 10:10:20
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR=3D"server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT=3D"/etc/httpd"
 -D SUEXEC_BIN=3D"/usr/sbin/suexec"
 -D DEFAULT_PIDLOG=3D"logs/httpd.pid"
 -D DEFAULT_SCOREBOARD=3D"logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE=3D"logs/accept.lock"
 -D DEFAULT_ERRORLOG=3D"logs/error_log"
 -D AP_TYPES_CONFIG_FILE=3D"conf/mime.types"
 -D SERVER_CONFIG_FILE=3D"conf/httpd.conf"

Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

MODULE_RELEASE "1.8.7"

=3D=3D=3D=3D=3D=3D ONLY A FEW lines as examples to avoid uploaded such a =
large file.

cc -DHARD_SERVER_LIMIT=3D512  =
-DDEFAULT_PATH=3D"/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=3D22 =
-DTARGET=3D"httpsd" -DHAVE_SET_DUMPABLE -I/usr/include/gdbm =
-DMOD_SSL=3D208122 -DEAPI -O -pipe  -W -Wall =
-I/home/builder/pb_work_dir/psa_aiconfig_7.5.3/psa/lib/dist/usr/include =
-DPLESK_Linux =
-I/home/builder/pb_work_dir/psa_aiconfig_7.5.3/psa/plesk-utils/include =
-DBSG_CR -DBSG_MSG -I/usr/include -DHAS_RPM -O3 =
-fexpensive-optimizations -I/usr/kerberos/include -fstrength-reduce =
-pipe -I/usr/include/libxml2 -Wno-unused-parameter -fpic -DSHARED_MODULE =
-I/usr/local/psa/admin/include  -c mod_security.c
mod_security.c:35:19: unixd.h: No such file or directory
mod_security.c:47:20: ap_mpm.h: No such file or directory
mod_security.c:49:17: apr.h: No such file or directory
mod_security.c:50:25: apr_strings.h: No such file or directory
mod_security.c:51:22: apr_hash.h: No such file or directory
mod_security.c:52:22: apr_user.h: No such file or directory
mod_security.c:53:21: apr_lib.h: No such file or directory
mod_security.c:54:24: apr_signal.h: No such file or directory
mod_security.c:55:30: apr_global_mutex.h: No such file or directory
mod_security.c:61: error: syntax error before "security_module"
mod_security.c:61: warning: type defaults to `int' in declaration of =
`security_module'
mod_security.c:61: warning: data definition has no type or storage class
mod_security.c:63: error: syntax error before '*' token
mod_security.c:63: warning: type defaults to `int' in declaration of =
`modsec_debuglog_lock'
mod_security.c:63: warning: data definition has no type or storage class
mod_security.c:64: error: syntax error before '*' token
mod_security.c:64: warning: type defaults to `int' in declaration of =
`modsec_auditlog_lock'
mod_security.c:64: warning: data definition has no type or storage class
mod_security.c:66: error: syntax error before '*' token
mod_security.c:66: warning: type defaults to `int' in declaration of =
`global_sec_filter_in'
mod_security.c:66: warning: data definition has no type or storage class
mod_security.c:67: error: syntax error before '*' token
mod_security.c:67: warning: type defaults to `int' in declaration of =
`global_sec_filter_out'
mod_security.c:67: warning: data definition has no type or storage class
mod_security.c:290: error: syntax error before "apr_array_header_t"
mod_security.c:290: warning: no semicolon at end of struct or union
mod_security.c:291: warning: type defaults to `int' in declaration of =
`signature'
mod_security.c:291: warning: data definition has no type or storage =
class
mod_security.c:299: error: syntax error before "apr_array_header_t"
mod_security.c:299: warning: no semicolon at end of struct or union

Ryan Barnett wrote:
> Ivan can speak better on this, however I believe that the problem is
> that Apache does some processing early in the request loop cycle
> before mod_security has a hook to inspect it.
> 
> Take a look here at the Apache request loop -
> http://modperlbook.org/html/ch01_04.html.  Then compare this will the
> hooks that mod_security has into Apache. -
>
 > ...
>     NULL,                       /* [#8] MIME-typed-dispatched handlers */
>     NULL,                       /* [#1] URI to filename translation    */
>     NULL,                       /* [#4] validate user id from request  */
>     NULL,                       /* [#5] check if the user is ok _here_ */
>     NULL,                       /* [#3] check access by host address   */
>     NULL,                       /* [#6] determine MIME type            */
>     sec_check_access,           /* [#7] pre-run fixups                 */
>     sec_logger,                 /* [#9] log a transaction              */
>     NULL,                       /* [#2] header parser                  */
>     sec_child_init,             /* child_init                          */
>     NULL,                       /* child_exit                          */
>     NULL                        /* [#0] post read-request              */
> 
> Apache runs through steps 0 -  6 before mod_security has a hook to
> perform any actions.

   That's correct. For me it was always a matter of choice whether I
   want to protect applications, or Apache itself. At the moment
   mod_security is configured to protect applications. A further problem
   is that, as Apache processes phases 0-6, it creates a lot of
   information (which mod_security uses) which would otherwise be
   unavailable in hook #0 (for example).

   My idea is to split rule processing into two phases. One would happen
   in hook #0, and the other #6.

   However, as I was making improvements to 1.9 I solved one of the
   major obstacles to move mod_security from hook #7 into earlier phase.
   I won't bother you with programming details but now it may be possible
   to run from hook #0. I don't have time to test it thoroughly but since
   there is demand for it, I'll do a couple of test to see if it works,
   and if does I will release 1.9dev3 (by the end of week) with a
   configuration option to choose the hook to run at.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org