ModSecurity

Hi i was trying some logs for the modsecurity Console, and i found these=20
entries (generated by Nikto):
Why there is not Modsecurity_message?
Why there is no Action?
Why sometimes the Handler is proxy-server, and others null?

Any ideas?

Btw im using a modsecurity 1.9 Dev2. + mod_proxy.

Thanks in advance
Christian

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Request: 10.10.0.XXX - - [28/Jun/2005:17:11:31 +0200] "GET=20
/..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0" 403 32
Handler: proxy-server
----------------------------------------
GET /..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: http://www.myhost.com
Max-Forwards: 10
X-Forwarded-For: 10.10.0.XXX
X-Forwarded-Host: http://www.myhost.com
X-Forwarded-Server: http://www.myhost.com

0


HTTP/1.0 403 Forbidden
Content-Type: text/html; charset=3DUTF-8
Content-Length: 32
Connection: close
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Request: 10.10.0.xxx - - [28/Jun/2005:17:11:30 +0200] "GET=20
/../webserver.ini HTTP/1.0" 400 302
Handler: (null)
----------------------------------------
GET /../webserver.ini HTTP/1.0
Connection: Keep-Alive
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: http://www.myhost.com


28
[POST payload not available]

HTTP/1.0 400 Bad Request
Content-Length: 302
Connection: close
Content-Type: text/html; charset=3Diso-8859-1

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Request: 10.10.0.xxx - - [28/Jun/2005:17:11:30 +0200] "GET=20
/../config.dat HTTP/1.0" 400 302
Handler: (null)
----------------------------------------
GET /../config.dat HTTP/1.0
Connection: Keep-Alive
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: http://www.myhost.com
28
[POST payload not available]

HTTP/1.0 400 Bad Request
Content-Length: 302
Connection: close
Content-Type: text/html; charset=3Diso-8859-1

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

--=20
______________________________
Christian Martorella
e-Security Engineer
cmartorella@...

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2=BA 1=AA.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
 http://www.isecauditors.com
____________________________________
Este mensaje y los documentos que, en su caso lleve anexos, pueden
contener informaci=F3n confidencial. Por ello, se informa a quien lo
reciba por error que la informaci=F3n contenida en el mismo es reservada
y su uso no autorizado est=E1 prohibido legalmente, por lo que en tal
caso le rogamos que nos lo comunique por la misma v=EDa o por tel=E9fono
(93 305 13 18), se abstenga de realizar copias del mensaje o remitirlo
o entregarlo a otra persona y proceda a borrarlo de inmediato.

En cumplimiento de la Ley Org=E1nica 15/1999 de 13 de diciembre de
protecci=F3n de datos de car=E1cter personal, Internet Security Auditors
S.L., le informa de que sus datos personales se han incluido en
ficheros informatizados titularidad de Internet Security Auditors
S.L., que ser=E1 el =FAnico destinatario de dichos datos, y cuya finalida=
d
exclusiva es la gesti=F3n de clientes y acciones de comunicaci=F3n
comercial, y de que tiene la posibilidad de ejercer los derechos de
acceso, rectificaci=F3n, cancelaci=F3n y oposici=F3n previstos en la ley
mediante carta dirigida a Internet Security Auditors, c. Santander,
101. Edif. A. 2=BA 1=AA, 08030 Barcelona, o v=EDa e-mail a la siguiente
direcci=F3n de correo: legal@...

Re: [mod-security-users] Strange Logs From: Ivan Ristic <ivanr@we...> - 2005-06-28 15:40 Christian Martorella wrote: > Hi i was trying some logs for the modsecurity Console, and i found these > entries (generated by Nikto): > Why there is not Modsecurity_message? > Why there is no Action? modsecurity 1.9dev2 logs certain requests based only on the response status code (I will change this to be just an option before the final 1.9). So it is probably that Apache rejected those requests before they reached mod_security. You can verify this theory by looking at the debug log (at level 2 or more). > Why sometimes the Handler is proxy-server, and others null? Sometimes a request can be rejected before Apache decides what to do with it. In such cases, the handler is still unknown. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org

Re: [mod-security-users] Strange Logs From: Christian Martorella <cmartorella@is...> - 2005-06-28 15:43 Ivan Ristic wrote: > Christian Martorella wrote: > >> Hi i was trying some logs for the modsecurity Console, and i found=20 >> these entries (generated by Nikto): >> Why there is not Modsecurity_message? >> Why there is no Action? > > > modsecurity 1.9dev2 logs certain requests based only on the > response status code (I will change this to be just an option before > the final 1.9). So it is probably that Apache rejected > those requests before they reached mod_security. You can verify > this theory by looking at the debug log (at level 2 or more). > Fine, so why apache rejected those requests, before reaching the=20 modsecurity ? :) > >> Why sometimes the Handler is proxy-server, and others null? > > > Sometimes a request can be rejected before Apache decides what > to do with it. In such cases, the handler is still unknown. > Ok. Thanks! --=20 _________________________________ Christian Martorella e-Security Engineer cmartorella@... Internet Security Auditors, S.L. c. Santander, 101. Edif. A. 2=BA 1=AA. 08030 Barcelona Tel: 93 305 13 18 Fax: 93 278 22 48 http://www.isecauditors.com ____________________________________ Este mensaje y los documentos que, en su caso lleve anexos, pueden contener informaci=F3n confidencial. Por ello, se informa a quien lo reciba por error que la informaci=F3n contenida en el mismo es reservada y su uso no autorizado est=E1 prohibido legalmente, por lo que en tal caso le rogamos que nos lo comunique por la misma v=EDa o por tel=E9fono (93 305 13 18), se abstenga de realizar copias del mensaje o remitirlo o entregarlo a otra persona y proceda a borrarlo de inmediato. En cumplimiento de la Ley Org=E1nica 15/1999 de 13 de diciembre de protecci=F3n de datos de car=E1cter personal, Internet Security Auditors S.L., le informa de que sus datos personales se han incluido en ficheros informatizados titularidad de Internet Security Auditors S.L., que ser=E1 el =FAnico destinatario de dichos datos, y cuya finalida= d exclusiva es la gesti=F3n de clientes y acciones de comunicaci=F3n comercial, y de que tiene la posibilidad de ejercer los derechos de acceso, rectificaci=F3n, cancelaci=F3n y oposici=F3n previstos en la ley mediante carta dirigida a Internet Security Auditors, c. Santander, 101. Edif. A. 2=BA 1=AA, 08030 Barcelona, o v=EDa e-mail a la siguiente direcci=F3n de correo: legal@...

Re: [mod-security-users] Strange Logs From: Ivan Ristic <ivanr@we...> - 2005-06-28 15:48 Christian Martorella wrote: > Ivan Ristic wrote: > >> Christian Martorella wrote: >> >>> Hi i was trying some logs for the modsecurity Console, and i found >>> these entries (generated by Nikto): >>> Why there is not Modsecurity_message? >>> Why there is no Action? >> >> modsecurity 1.9dev2 logs certain requests based only on the >> response status code (I will change this to be just an option before >> the final 1.9). So it is probably that Apache rejected >> those requests before they reached mod_security. You can verify >> this theory by looking at the debug log (at level 2 or more). >> > Fine, so why apache rejected those requests, before reaching the > modsecurity ? :) Because at the moment mod_security runs last, just before the handler is run. I am thinking about moving mod_security to run first, but only in v2. It's not really clear which option is better. For example, if we run very early we don't get to access Apache's per-context configuration (e.g. <Location>). So in order to retain the same functionality we have now the whole configuration mechanism would have to be replicated internal to modsecurity. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org

1 message has been excluded from this view by a project administrator.