Hi,

I am running Apache 2.2 on Windows and recently configured mod_security. I placed all the configuration in a mod_security.conf file and added an include of /conf/mod_security.conf to my httpd.conf file.

Even though I have logging configured, the audit_log is not getting created. I turned on debugging at some point and the modsec_debug_log did not get created either.

I can see this message in the error.log: [Thu Jul 30 08:26:17 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.

So I've been assuming that it is configured, but when I run a scan using Nikto, no log gets created and I don't see any denies in the error log. Is mod_security really on and protecting? Thanks in advance for your help.

Josue

PS:

This is the conf file I'm using, and I'm not sure if it has to be modified to work on Windows:


<IfModule mod_security.c>
    # Only inspect dynamic requests
    # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
    SecFilterEngine DynamicOnly

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    # SecServerSignature "Microsoft-IIS/5.0"

    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug_log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass

# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass

# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC http directory traversal
SecFilter "\.\.\\"

# WEB-MISC http directory traversal
SecFilter "\.\./"

# WEB-MISC ls%20-l
SecFilter "ls\x20-l"

# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC /.... access
SecFilter "/\.\.\.\."

# WEB-MISC cat%20 access
SecFilter "cat\x20"

# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass

# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass

# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"

# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"

# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass

# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"

# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass

# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass

# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass

# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass

# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log

# EXTRAS

SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

</IfModule>
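An added example, not part of the original post or of the ModSecurity project: the configuration above is written in the ModSecurity 1.x directive family (SecFilterEngine, SecFilter, SecFilterSelective, SecFilterDebugLog and friends), while the error.log notice shows ModSecurity 2.5.9 is what is actually loaded. ModSecurity 2.x registers with Apache as mod_security2.c and no longer understands the SecFilter* directives, so a block wrapped in <IfModule mod_security.c> is skipped by Apache without any error: the module starts and prints its "configured" notice, but none of the rules or log settings inside the block ever reach it. The checker below reads a config file and reports exactly that situation: an IfModule container whose name does not match the loaded module, and each legacy directive together with the 2.x directive that covers the same job. SAMPLE_CONFIG is a constructed excerpt in the shape of the posted file; the mapping table and the helper names are the example's own.

```python
"""Lint a ModSecurity config for 1.x-era syntax that a 2.x module will ignore."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ModSecurity 1.x directives removed in 2.x, with the 2.x directive or operator
# that covers the same job (assumed mapping, written for this example).
LEGACY_DIRECTIVES = {
    "SecFilterEngine": "SecRuleEngine",
    "SecFilterDefaultAction": "SecDefaultAction",
    "SecFilterScanPOST": "SecRequestBodyAccess",
    "SecFilterCheckURLEncoding": "SecRule ... @validateUrlEncoding",
    "SecFilterCheckCookieFormat": "(no direct 2.x equivalent)",
    "SecFilterCheckUnicodeEncoding": "SecRule ... @validateUtf8Encoding",
    "SecFilterForceByteRange": "SecRule ... @validateByteRange",
    "SecFilterDebugLevel": "SecDebugLogLevel",
    "SecFilterDebugLog": "SecDebugLog",
    "SecFilter": "SecRule over the wanted variables (ARGS, REQUEST_URI, ...)",
    "SecFilterSelective": "SecRule VARIABLES OPERATOR [ACTIONS]",
}

IFMODULE_RE = re.compile(r"<IfModule\s+(!?)([\w.]+)\s*>", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"(Sec\w+)\b")


@dataclass
class Finding:
    line: int
    directive: str
    message: str


def lint_modsec_config(text: str, loaded_module: str = "mod_security2.c") -> list[Finding]:
    """Return one Finding per IfModule mismatch or legacy directive, in file order."""
    findings: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are never evaluated by Apache
        m = IFMODULE_RE.match(line)
        if m:
            negate, name = m.groups()
            if not negate and name.lower() != loaded_module.lower():
                findings.append(Finding(no, "IfModule",
                    f"<IfModule {name}> does not match the loaded module "
                    f"{loaded_module}; Apache silently skips everything up to </IfModule>"))
            continue
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1) in LEGACY_DIRECTIVES:  # exact name, so SecFilterSelective != SecFilter
            findings.append(Finding(no, m.group(1),
                f"{m.group(1)} is a ModSecurity 1.x directive; "
                f"2.x equivalent: {LEGACY_DIRECTIVES[m.group(1)]}"))
    return findings


def summarize(findings: list[Finding]) -> str:
    """One-line diagnosis for an operator reading the report."""
    if any(f.directive == "IfModule" for f in findings):
        return ("Rules are inside an IfModule block the loaded module does not match, so the "
                "module starts and logs 'configured' but skips the block: no rules, no audit "
                "or debug log settings take effect.")
    legacy = sum(1 for f in findings if f.directive != "IfModule")
    if legacy:
        return f"{legacy} legacy directive(s) present; Apache 2.x with mod_security2 would refuse to start."
    return "No 1.x syntax found."


# Constructed excerpt mirroring the shape of the posted file (not the full file).
SAMPLE_CONFIG = """\
<IfModule mod_security.c>
    SecFilterEngine DynamicOnly
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug_log
    # SecServerSignature "Microsoft-IIS/5.0"
    SecFilter "/etc/passwd"
    SecFilterSelective THE_REQUEST "/bin/ls"
</IfModule>
"""

if __name__ == "__main__":
    report = lint_modsec_config(SAMPLE_CONFIG)
    for f in report:
        print(f"line {f.line}: {f.message}")
    print(summarize(report))
```

SecAuditEngine and SecAuditLog survive into 2.x and are therefore not reported; on the sample they are the only directives that would have been honoured, had the block not been skipped. Point the function at the real file (`lint_modsec_config(open(path).read())`) to get the same report for the full posted configuration.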
