Home / Browse / ModSecurity / Mail / Archive

ModSecurity

Email Archive: mod-security-users (read-only)

2003:	_Jan	_Feb	_Mar	_Apr	_May	_Jun (2)	_Jul (17)	_Aug (7)	_Sep (8)	_Oct (11)	_Nov (14)	_Dec (19)
2004:	_Jan (46)	_Feb (14)	_Mar (20)	_Apr (48)	_May (15)	_Jun (20)	_Jul (36)	_Aug (24)	_Sep (31)	_Oct (28)	_Nov (23)	_Dec (12)
2005:	_Jan (69)	_Feb (61)	_Mar (82)	_Apr (53)	_May (26)	_Jun (71)	_Jul (27)	_Aug (52)	_Sep (28)	_Oct (49)	_Nov (104)	_Dec (74)
2006:	_Jan (61)	_Feb (148)	_Mar (82)	_Apr (139)	_May (65)	_Jun (116)	_Jul (92)	_Aug (101)	_Sep (84)	_Oct (103)	_Nov (174)	_Dec (102)
2007:	_Jan (166)	_Feb (161)	_Mar (181)	_Apr (152)	_May (192)	_Jun (250)	_Jul (127)	_Aug (165)	_Sep (97)	_Oct (135)	_Nov (206)	_Dec (56)
2008:	_Jan (160)	_Feb (135)	_Mar (98)	_Apr (89)	_May (115)	_Jun (95)	_Jul (188)	_Aug (167)	_Sep (153)	_Oct (84)	_Nov (82)	_Dec (85)
2009:	_Jan (139)	_Feb (133)	_Mar (128)	_Apr (105)	_May (135)	_Jun (79)	_Jul (92)	_Aug (134)	_Sep (73)	_Oct (112)	_Nov (159)	_Dec (80)
2010:	_Jan (100)	_Feb (116)	_Mar (130)	_Apr (59)	_May (87)	_Jun (59)	_Jul (69)	_Aug (67)	_Sep (82)	_Oct (76)	_Nov (59)	_Dec (34)
2011:	_Jan (84)	_Feb (74)	_Mar (81)	_Apr (94)	_May (188)	_Jun (72)	_Jul (118)	_Aug (109)	_Sep (111)	_Oct (80)	_Nov (51)	_Dec (44)
2012:	_Jan (80)	_Feb (123)	_Mar (46)	_Apr (12)	_May (40)	_Jun (62)	_Jul (95)	_Aug (66)	_Sep (65)	_Oct (53)	_Nov (42)	_Dec (60)
2013:	_Jan (96)	_Feb (96)	_Mar (108)	_Apr (72)	_May (87)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec


S	M	T	W	T	F	S
						1
						(1)
2	3	4	5	6	7	8
		(9)	(7)	(4)
9	10	11	12	13	14	15
	(3)		(16)	(8)	(2)
16	17	18	19	20	21	22
	(4)	(3)	(6)	(15)	(1)
23	24	25	26	27	28	29
	(5)	(5)	(2)	(6)
30	31
	(1)

Re: [mod-security-users] SecAction failure.

From: Ryan Barnett <Ryan.Barnett@Br...> - 2008-03-04 20:57

Mike,
Two comments -

1) The reason you are getting the 403 is because you did not specify the disruptive action for SecAction directive so it is inheriting it.  If you want to allow the requst to proceed after a SecAction, you need to specify "pass"

2) The other problem is that this action does not work as you are expecting.  That action is used only for obscuring the data in the Mod audit logs and does not manipulate the raw data.  In order to do what you are describing, you will probably need to use mod_headers.


Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod-security-users-bounces@... <mod-security-users-bounces@...>
To: mod-security-users@... <mod-security-users@...>
Sent: Tue Mar 04 15:50:02 2008
Subject: [mod-security-users] SecAction failure.

I have been upgrading our setup to newer versions an ran into an  
issue with modsecurity (2.1.6).  We are looking to shield the  
request_header:authorization value from the receiving cgi/php/perl  
application.

The operating system is Solairs 10 (0807) 5.10 Generic_120011-14  
sun4v sparc SUNW,Sun-Fire-T200
Apache  2.0.61

I have used the standard modsecurity_apache with the core rules, no  
modifications - things work and pages are displayed.

I then create the modsecurity_crs_15_customrules.conf and add one line:
SecAction log,phase:1,sanitiseRequestHeader:Authorization

Which yields a "Forbidden - You don't have permission to access on  
this server."

Having a little trouble sorting out why this might be failing......


Thanks,
Mike

I have included the apache info and the modsecurity log and debug log.

Server version: Apache/2.0.61
Server built:   Dec 17 2007 11:47:04
Server's Module Magic Number: 20020903:12
Server loaded:  APR 0.9.16, APR-UTIL 0.9.15
Compiled using: APR 0.9.16, APR-UTIL 0.9.15
Architecture:   32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_FCNTL_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/slis/apache2"
-D SUEXEC_BIN="/opt/slis/apache2/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/opt/slis/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/opt/slis/apache2/httpd.conf"
Compiled in modules:
   core.c
   mod_access.c
   mod_auth.c
   mod_include.c
   mod_deflate.c
   mod_log_config.c
   mod_env.c
   mod_unique_id.c
   mod_setenvif.c
   mod_ssl.c
   worker.c
   http_core.c
   mod_mime.c
   mod_status.c
   mod_autoindex.c
   mod_asis.c
   mod_suexec.c
   mod_cgid.c
   mod_cgi.c
   mod_negotiation.c
   mod_dir.c
   mod_imap.c
   mod_actions.c
   mod_userdir.c
   mod_alias.c
   mod_rewrite.c
   mod_so.c




modsec_audit.log

--00007490-A--
[04/Mar/2008:14:14:56 --0500] UeU954FPJBIAACl66mYAAAAY 129.79.36.56  
61680 129.79.36.18 443
--00007490-B--
GET /~gallantm/joy.php HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: __utmz=189522035.1195250097.2.1.utmccn=(direct)|utmcsr= 
(direct)|utmcmd=(none);  
__utma=189522035.32106102.1173301404.1173301404.1195250097.2
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/ 
418.9.1 (KHTML, like Gecko) Safari/419.3
Authorization: **********************************************
Connection: keep-alive
Host: iris.slis.indiana.edu

--00007490-F--
HTTP/1.1 403 Forbidden
Content-Length: 219
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--00007490-H--
Message: Access denied with code 403 (phase 1). Unconditional match  
in SecAction.
Action: Intercepted (phase 1)
Stopwatch: 1204658096127463 3166 (- - -)
Producer: ModSecurity v2.1.6 (Apache 2.x)
Server: Apache
Sanitised-Request-Headers: "Authorization".

--00007490-Z--

modsec_debug.log
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Initialising transaction (txid  
UeU954FPJBIAACl66mYAAAAY).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][5] Adding request cookie: name  
"__utmz", value "189522035.1195250097.2.1.utmccn=(direct)|utmcsr= 
(direct)|utmcmd=(none)"
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][5] Adding request cookie: name  
"__utma", value "189522035.32106102.1173301404.1173301404.1195250097.2"
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Transaction context created (dcfg  
129fb0).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Starting phase REQUEST_HEADERS.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] This phase consists of 1 rule(s).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1a47e8.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] T (0) lowercase: /~gallantm/joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] T (0) replaceNulls: /~gallantm/ 
joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] T (0) compressWhitespace: / 
~gallantm/joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Executing operator  
unconditionalMatch with param "" against REQUEST_URI.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] Target value: /~gallantm/joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Operator completed in 1 usec.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Rule returned 1.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] Match, intercepted -> returning.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][1] Access denied with code 403  
(phase 1). Unconditional match in SecAction.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Initialising logging.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Starting phase LOGGING.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] This phase consists of 4 rule(s).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1ec710.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Executing operator rx with param  
"^400$" against RESPONSE_STATUS.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] Target value: 403
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Operator completed in 9 usec.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Rule returned 0.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] No match, chained -> mode  
NEXT_CHAIN.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1ee410.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Rule returned 0.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] No match, chained -> mode  
NEXT_CHAIN.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Audit log: Logging this transaction.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
mod-security-users mailing list
mod-security-users@...
https://lists.sourceforge.net/lists/listinfo/mod-security-users

[mod-security-users] SecAction failure.

From: Mike Gallant <gallantm@in...> - 2008-03-04 20:50

I have been upgrading our setup to newer versions an ran into an  
issue with modsecurity (2.1.6).  We are looking to shield the  
request_header:authorization value from the receiving cgi/php/perl  
application.

The operating system is Solairs 10 (0807) 5.10 Generic_120011-14  
sun4v sparc SUNW,Sun-Fire-T200
Apache  2.0.61

I have used the standard modsecurity_apache with the core rules, no  
modifications - things work and pages are displayed.

I then create the modsecurity_crs_15_customrules.conf and add one line:
SecAction log,phase:1,sanitiseRequestHeader:Authorization

Which yields a "Forbidden - You don't have permission to access on  
this server."

Having a little trouble sorting out why this might be failing......


Thanks,
Mike

I have included the apache info and the modsecurity log and debug log.

Server version: Apache/2.0.61
Server built:   Dec 17 2007 11:47:04
Server's Module Magic Number: 20020903:12
Server loaded:  APR 0.9.16, APR-UTIL 0.9.15
Compiled using: APR 0.9.16, APR-UTIL 0.9.15
Architecture:   32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_FCNTL_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/slis/apache2"
-D SUEXEC_BIN="/opt/slis/apache2/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/opt/slis/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/opt/slis/apache2/httpd.conf"
Compiled in modules:
   core.c
   mod_access.c
   mod_auth.c
   mod_include.c
   mod_deflate.c
   mod_log_config.c
   mod_env.c
   mod_unique_id.c
   mod_setenvif.c
   mod_ssl.c
   worker.c
   http_core.c
   mod_mime.c
   mod_status.c
   mod_autoindex.c
   mod_asis.c
   mod_suexec.c
   mod_cgid.c
   mod_cgi.c
   mod_negotiation.c
   mod_dir.c
   mod_imap.c
   mod_actions.c
   mod_userdir.c
   mod_alias.c
   mod_rewrite.c
   mod_so.c




modsec_audit.log

--00007490-A--
[04/Mar/2008:14:14:56 --0500] UeU954FPJBIAACl66mYAAAAY 129.79.36.56  
61680 129.79.36.18 443
--00007490-B--
GET /~gallantm/joy.php HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: __utmz=189522035.1195250097.2.1.utmccn=(direct)|utmcsr= 
(direct)|utmcmd=(none);  
__utma=189522035.32106102.1173301404.1173301404.1195250097.2
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/ 
418.9.1 (KHTML, like Gecko) Safari/419.3
Authorization: **********************************************
Connection: keep-alive
Host: iris.slis.indiana.edu

--00007490-F--
HTTP/1.1 403 Forbidden
Content-Length: 219
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--00007490-H--
Message: Access denied with code 403 (phase 1). Unconditional match  
in SecAction.
Action: Intercepted (phase 1)
Stopwatch: 1204658096127463 3166 (- - -)
Producer: ModSecurity v2.1.6 (Apache 2.x)
Server: Apache
Sanitised-Request-Headers: "Authorization".

--00007490-Z--

modsec_debug.log
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Initialising transaction (txid  
UeU954FPJBIAACl66mYAAAAY).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][5] Adding request cookie: name  
"__utmz", value "189522035.1195250097.2.1.utmccn=(direct)|utmcsr= 
(direct)|utmcmd=(none)"
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][5] Adding request cookie: name  
"__utma", value "189522035.32106102.1173301404.1173301404.1195250097.2"
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Transaction context created (dcfg  
129fb0).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Starting phase REQUEST_HEADERS.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] This phase consists of 1 rule(s).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1a47e8.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] T (0) lowercase: /~gallantm/joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] T (0) replaceNulls: /~gallantm/ 
joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] T (0) compressWhitespace: / 
~gallantm/joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Executing operator  
unconditionalMatch with param "" against REQUEST_URI.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] Target value: /~gallantm/joy.php
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Operator completed in 1 usec.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Rule returned 1.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] Match, intercepted -> returning.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][1] Access denied with code 403  
(phase 1). Unconditional match in SecAction.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Initialising logging.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Starting phase LOGGING.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] This phase consists of 4 rule(s).
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1ec710.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Executing operator rx with param  
"^400$" against RESPONSE_STATUS.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] Target value: 403
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Operator completed in 9 usec.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Rule returned 0.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] No match, chained -> mode  
NEXT_CHAIN.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1ee410.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Rule returned 0.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][9] No match, chained -> mode  
NEXT_CHAIN.
[04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
[rid#3e2c00][/~gallantm/joy.php][4] Audit log: Logging this transaction.

Re: [mod-security-users] SecAction failure.

From: Brian Rectanus <Brian.Rectanus@br...> - 2008-03-04 20:55

The default in 2.1.6 is "deny,status:403", so that is what it is doing.
 Add the "pass" action:

SecAction "pass,log,phase:1,sanitiseRequestHeader:Authorization"

-B

Mike Gallant wrote:
> I have been upgrading our setup to newer versions an ran into an  
> issue with modsecurity (2.1.6).  We are looking to shield the  
> request_header:authorization value from the receiving cgi/php/perl  
> application.
> 
> The operating system is Solairs 10 (0807) 5.10 Generic_120011-14  
> sun4v sparc SUNW,Sun-Fire-T200
> Apache  2.0.61
> 
> I have used the standard modsecurity_apache with the core rules, no  
> modifications - things work and pages are displayed.
> 
> I then create the modsecurity_crs_15_customrules.conf and add one line:
> SecAction log,phase:1,sanitiseRequestHeader:Authorization
> 
> Which yields a "Forbidden - You don't have permission to access on  
> this server."
> 
> Having a little trouble sorting out why this might be failing......
> 
> 
> Thanks,
> Mike
> 
> I have included the apache info and the modsecurity log and debug log.
> 
> Server version: Apache/2.0.61
> Server built:   Dec 17 2007 11:47:04
> Server's Module Magic Number: 20020903:12
> Server loaded:  APR 0.9.16, APR-UTIL 0.9.15
> Compiled using: APR 0.9.16, APR-UTIL 0.9.15
> Architecture:   32-bit
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_FCNTL_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D HTTPD_ROOT="/opt/slis/apache2"
> -D SUEXEC_BIN="/opt/slis/apache2/bin/suexec"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="/etc/opt/slis/apache2/mime.types"
> -D SERVER_CONFIG_FILE="/etc/opt/slis/apache2/httpd.conf"
> Compiled in modules:
>    core.c
>    mod_access.c
>    mod_auth.c
>    mod_include.c
>    mod_deflate.c
>    mod_log_config.c
>    mod_env.c
>    mod_unique_id.c
>    mod_setenvif.c
>    mod_ssl.c
>    worker.c
>    http_core.c
>    mod_mime.c
>    mod_status.c
>    mod_autoindex.c
>    mod_asis.c
>    mod_suexec.c
>    mod_cgid.c
>    mod_cgi.c
>    mod_negotiation.c
>    mod_dir.c
>    mod_imap.c
>    mod_actions.c
>    mod_userdir.c
>    mod_alias.c
>    mod_rewrite.c
>    mod_so.c
> 
> 
> 
> 
> modsec_audit.log
> 
> --00007490-A--
> [04/Mar/2008:14:14:56 --0500] UeU954FPJBIAACl66mYAAAAY 129.79.36.56  
> 61680 129.79.36.18 443
> --00007490-B--
> GET /~gallantm/joy.php HTTP/1.1
> Accept: */*
> Accept-Language: en
> Accept-Encoding: gzip, deflate
> Cookie: __utmz=189522035.1195250097.2.1.utmccn=(direct)|utmcsr= 
> (direct)|utmcmd=(none);  
> __utma=189522035.32106102.1173301404.1173301404.1195250097.2
> User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/ 
> 418.9.1 (KHTML, like Gecko) Safari/419.3
> Authorization: **********************************************
> Connection: keep-alive
> Host: iris.slis.indiana.edu
> 
> --00007490-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 219
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
> 
> --00007490-H--
> Message: Access denied with code 403 (phase 1). Unconditional match  
> in SecAction.
> Action: Intercepted (phase 1)
> Stopwatch: 1204658096127463 3166 (- - -)
> Producer: ModSecurity v2.1.6 (Apache 2.x)
> Server: Apache
> Sanitised-Request-Headers: "Authorization".
> 
> --00007490-Z--
> 
> modsec_debug.log
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Initialising transaction (txid  
> UeU954FPJBIAACl66mYAAAAY).
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][5] Adding request cookie: name  
> "__utmz", value "189522035.1195250097.2.1.utmccn=(direct)|utmcsr= 
> (direct)|utmcmd=(none)"
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][5] Adding request cookie: name  
> "__utma", value "189522035.32106102.1173301404.1173301404.1195250097.2"
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Transaction context created (dcfg  
> 129fb0).
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Starting phase REQUEST_HEADERS.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] This phase consists of 1 rule(s).
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1a47e8.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] T (0) lowercase: /~gallantm/joy.php
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] T (0) replaceNulls: /~gallantm/ 
> joy.php
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] T (0) compressWhitespace: / 
> ~gallantm/joy.php
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Executing operator  
> unconditionalMatch with param "" against REQUEST_URI.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] Target value: /~gallantm/joy.php
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Operator completed in 1 usec.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Rule returned 1.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] Match, intercepted -> returning.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][1] Access denied with code 403  
> (phase 1). Unconditional match in SecAction.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Initialising logging.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Starting phase LOGGING.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] This phase consists of 4 rule(s).
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1ec710.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Executing operator rx with param  
> "^400$" against RESPONSE_STATUS.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] Target value: 403
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Operator completed in 9 usec.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Rule returned 0.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] No match, chained -> mode  
> NEXT_CHAIN.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Recipe: Invoking rule 1ee410.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Rule returned 0.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][9] No match, chained -> mode  
> NEXT_CHAIN.
> [04/Mar/2008:14:14:56 --0500] [iris.slis.indiana.edu/sid#fc178] 
> [rid#3e2c00][/~gallantm/joy.php][4] Audit log: Logging this transaction.
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users


-- 
Brian Rectanus
Breach Security

[mod-security-users] Still stuck with up to 400% decrease in performance.

From: James Nordstrom <james@no...> - 2008-03-04 02:42

Hi All, 

  	I have tried everything I can think of and am still
stuck with up to a 400% decrease in performance.

-Disabled all logging 
-Set log level to 0
-Removed the rules one by one
-Replaced 2.5.0 with 2.1.6 
-Disabled outbound inspection 

	I did not find one offending rule, the rules just
appear to run slow.

        Running a simple 100 user load test: (3 GETS
and 1 POST)
	Mod security disabled  8% - 20% CPU
	Mod security enabled  40% - 80% CPU (various rules
added/removed)

	Since I am facing the same issues with 2.5.0 as I am
with 2.1.6 I am wondering if PCRE can be the issue. I
use Apache 2.2.8 which uses an external PCRE lib.  I
see PCRE 7.6 is out should I upgrade from 7.2?

	My system is:
	-2x 2.4Ghr dual core AMD Opterons
	-32GB Ram 
	-OpenSuse 10.3 64Bit
	-Apache 2.2.8 (64Bit)
	-PCRE 7.2  (64 and 32bit)
	-Mod_security 2.5.0 and 2.1.6
        -Apache is compressing outbound content.

	Any help would be greatly appreciated. 

	Thanks 

	James 

James Nordstrom 
Nordstrom Design Inc. 
E-mail:  james@...
US:       908-419-5597
Europe: 001/908-419-5597

Re: [mod-security-users] Still stuck with up to 400% decrease inperformance.

From: Brian Rectanus <Brian.Rectanus@br...> - 2008-03-04 17:04

Hi James.  Just wanted to let you know I am still looking at this.  I
have not been able to replicate/isolate the issue yet.

>From what I gathered from your emails, this happens just doing a simple
GET request of a static page (one that should not alert).  Is this true?

How are you generating the load?  Is it a single threaded (or multiple
unthreaded) processes on the same box doing requests, or is it some load
generation software external to the box?  Anything that you can do to
better describe your process of load testing would help me setup a
similar test here.

As for PCRE, I am not sure.  I have 7.4 that I am using.

-B

James Nordstrom wrote:
> Hi All,
> 
>         I have tried everything I can think of and am still
> stuck with up to a 400% decrease in performance.
> 
> -Disabled all logging
> -Set log level to 0
> -Removed the rules one by one
> -Replaced 2.5.0 with 2.1.6
> -Disabled outbound inspection
> 
>         I did not find one offending rule, the rules just
> appear to run slow.
> 
>         Running a simple 100 user load test: (3 GETS
> and 1 POST)
>         Mod security disabled  8% - 20% CPU
>         Mod security enabled  40% - 80% CPU (various rules
> added/removed)
> 
>         Since I am facing the same issues with 2.5.0 as I am
> with 2.1.6 I am wondering if PCRE can be the issue. I
> use Apache 2.2.8 which uses an external PCRE lib.  I
> see PCRE 7.6 is out should I upgrade from 7.2?
> 
>         My system is:
>         -2x 2.4Ghr dual core AMD Opterons
>         -32GB Ram
>         -OpenSuse 10.3 64Bit
>         -Apache 2.2.8 (64Bit)
>         -PCRE 7.2  (64 and 32bit)
>         -Mod_security 2.5.0 and 2.1.6
>         -Apache is compressing outbound content.
> 
>         Any help would be greatly appreciated.
> 
>         Thanks
> 
>         James
> 
> James Nordstrom
> Nordstrom Design Inc.
> E-mail:  james@...
> US:       908-419-5597
> Europe: 001/908-419-5597
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 


-- 
Brian Rectanus
Breach Security

Re: [mod-security-users] Still stuck with up to 400% decrease inperformance.

From: James Nordstrom <james@no...> - 2008-03-04 19:02

Hi Brian, 

    Thanks for your help.

    I am using webload (http://www.radview.com/) 100
users concurrent with 1 - 2 second sleep times. Each
virtual user request three pages using GET no prams,
test is running in a loop. No fixed number of
iterations. Load is generated on a dedicated load
generation box.  The target machine is also dedicated,
all test are run with everything configured the same
way with the exception of SecRuleEngine On and
SecRuleEngine Off,  network is dedicated 100Mb.

    The only odd thing I noticed was the test request
are not caching correctly, meeting for each request I
may be requesting 20 or more static files (css. js and
images) It was my understanding that mod_security
would not do or at least do limited work on these
types of request. (sub request from the parent HTML)

    If mod_security is acting on these request it
might explain the load. Because now 100 concurrent
request becomes 2000 request

    I also run the apache server as a reverse proxy
and SSL termination point. 

APACHE_MODULES="dir alias expires headers log_config
mime negotiation setenvif ssl unique_id proxy rewrite
deflate proxy_http authz_host  authn_file php5 cgi
mod_security2

    Test box is running on a private network, maybe a
DNS issue, but that would not explain the high CPU.

     From your internal load test what is the expected
overhead will all core rules applied?

     James Nordstrom


    


--- Brian Rectanus <Brian.Rectanus@...> wrote:

> Hi James.  Just wanted to let you know I am still
> looking at this.  I
> have not been able to replicate/isolate the issue
> yet.
> 
> From what I gathered from your emails, this happens
> just doing a simple
> GET request of a static page (one that should not
> alert).  Is this true?
> 
> How are you generating the load?  Is it a single
> threaded (or multiple
> unthreaded) processes on the same box doing
> requests, or is it some load
> generation software external to the box?  Anything
> that you can do to
> better describe your process of load testing would
> help me setup a
> similar test here.
> 
> As for PCRE, I am not sure.  I have 7.4 that I am
> using.
> 
> -B
> 
> James Nordstrom wrote:
> > Hi All,
> > 
> >         I have tried everything I can think of and
> am still
> > stuck with up to a 400% decrease in performance.
> > 
> > -Disabled all logging
> > -Set log level to 0
> > -Removed the rules one by one
> > -Replaced 2.5.0 with 2.1.6
> > -Disabled outbound inspection
> > 
> >         I did not find one offending rule, the
> rules just
> > appear to run slow.
> > 
> >         Running a simple 100 user load test: (3
> GETS
> > and 1 POST)
> >         Mod security disabled  8% - 20% CPU
> >         Mod security enabled  40% - 80% CPU
> (various rules
> > added/removed)
> > 
> >         Since I am facing the same issues with
> 2.5.0 as I am
> > with 2.1.6 I am wondering if PCRE can be the
> issue. I
> > use Apache 2.2.8 which uses an external PCRE lib. 
> I
> > see PCRE 7.6 is out should I upgrade from 7.2?
> > 
> >         My system is:
> >         -2x 2.4Ghr dual core AMD Opterons
> >         -32GB Ram
> >         -OpenSuse 10.3 64Bit
> >         -Apache 2.2.8 (64Bit)
> >         -PCRE 7.2  (64 and 32bit)
> >         -Mod_security 2.5.0 and 2.1.6
> >         -Apache is compressing outbound content.
> > 
> >         Any help would be greatly appreciated.
> > 
> >         Thanks
> > 
> >         James
> > 
> > James Nordstrom
> > Nordstrom Design Inc.
> > E-mail:  james@...
> > US:       908-419-5597
> > Europe: 001/908-419-5597
> > 
> > 
> >
>
-------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio
> 2008.
> >
>
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@...
> >
>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 
> 
> 
> -- 
> Brian Rectanus
> Breach Security
> 


James Nordstrom 
Nordstrom Design Inc. 
E-mail:  james@...
US:       908-419-5597
Europe: 001/908-419-5597

[mod-security-users] phpmyadmin

From: Kevin Ross <kevin@cs...> - 2008-03-04 03:22

Hi all,

I just did a reinstall for one of our users--I installed Fedora 8--and his 
phpmyadmin is no longer accessible.  I can't seem to find information on the web 
about how to disable this--to allow access to phpmyadmin.  Does anyone here 
happen to be familiar with this?

Thanks,

Kevin

Re: [mod-security-users] phpmyadmin

From: Ryan Barnett <Ryan.Barnett@Br...> - 2008-03-04 16:23

What do the error logs say?  If modsecurity is blocking access, then the
error log data will tell you why.  What rule sets are you using?

-Ryan

 
> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of Kevin Ross
> Sent: Monday, March 03, 2008 12:49 PM
> To: mod-security-users@...
> Subject: [mod-security-users] phpmyadmin
> 
> Hi all,
> 
> I just did a reinstall for one of our users--I installed Fedora 8--and
his
> phpmyadmin is no longer accessible.  I can't seem to find information
on
> the web
> about how to disable this--to allow access to phpmyadmin.  Does anyone
> here
> happen to be familiar with this?
> 
> Thanks,
> 
> Kevin
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: [mod-security-users] Run external command pipping out IP address

From: Jerry <gmane@ho...> - 2008-03-04 09:42

I have now tried this on 2.5 and still get the same problem.

Is this specific to Centos 4?

Could it be due to selinux (either on or off)?

Is there another way to achieve the objective namely: If X rule is triggered 
automatically ban the IP via iptables?

What I'm trying to do is to totally block traffic which triggers a specific 
rule. I know I can set the rule to drop the connection but when the source 
sends 20 hits at a time this is not effective. I'd rather drop the first one 
and permanently ban the IP there and then and review it manually later.


"Ryan Barnett" <Ryan.Barnett@...> wrote in message 
news:50E6558DF2E9624DA8DADDE0C5018486012524BB@......
> Jerry,
> I just ran some tests and had similar results.  The issue ended up being
> not with the perms on the file but rather the perms on the directory the
> script was in.  Ensure that the Apache user has execute perms on the
> entire directory structure to where your test.sh script is
> (/secondary/logs/).
>
> -- 
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
>> -----Original Message-----
>> From: mod-security-users-bounces@... [mailto:mod-
>> security-users-bounces@...] On Behalf Of Jerry
>> Sent: Friday, February 15, 2008 3:20 PM
>> To: mod-security-users@...
>> Subject: Re: [mod-security-users] Run external command pipping out IP
>> address
>>
>> Thanks to chris for some pointers here but I still can't get this
> working.
>>
>> centos 4.6, modsec 2.1.4
>>
>> debug log is showing:
>>
>> Exec: execution failed:  /secondary/logs/test.sh (End of file found)
>>
>> The file exists is chmod 755 and I tried different ownerships.
>>
>> I also tried
>>
>> exec:'/bin/sh /secondary/logs/test.sh'
>>
>> and a php test script
>>
>> exec:'/usr/bin/php /secondary/logs/test.php'
>>
>> Both tests fail with the End of file found message. Both files work
> from
>> the
>> server command line.
>>
>>
>>
>>
>>
> ------------------------------------------------------------------------
> -
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/