And ModSecurity 2.x does not support htaccess.

-B

--
Brian Rectanus
Breach Security

-----Original Message-----
From: Ryan Barnett [Ryan.Barnett@breach.com]
Received: 1/31/10 6:54 AM
To: michael.heuberger@binarykitchen.com [michael.heuberger@binarykitchen.com]; mod-security-users@lists.sourceforge.net [mod-security-users@lists.sourceforge.net]
Subject: Re: [mod-security-users] Help required: How to forbid inclusion attacks?

You are mixing syntax between versions.  There are new directives in v2.5 (such as SecRuleEngine vs SecFilterEngine).  See the migration matrix doc -
http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com


----- Original Message -----
From: Michael Heuberger <michael.heuberger@binarykitchen.com>
To: mod-security-users@lists.sourceforge.net <mod-security-users@lists.sourceforge.net>
Sent: Sat Jan 30 21:16:18 2010
Subject: Re: [mod-security-users] Help required: How to forbid inclusion attacks?

Hi Ryan

I have ModSecurity Version 2.5, not 1.x sorry.

I changed SecFilterEngine from DynamicOnly to On and voilà it works now
like a charm. Why that? All pages I serve are PHP, so dynamic ...

By the way, now all filtered requests are redirected to an Apache 2 Test
Page.

But in my htaccess file I stated:

# The default rule to apply to inherited rules
SecFilterDefaultAction "deny,log,status:412"

HTTP Response 412 should be displayed which isn't the case.

Regards

Michael

--

On 30/01/2010 2:33 a.m., Ryan Barnett wrote:
> On Friday 29 January 2010 07:59:13 am Michael Heuberger wrote:
>   
>> Hi Chris
>>
>> Thank you very much for trying to help me.
>>
>> I have replaced my line with your line in the htaccess file but it
>> doesn't seem to work.
>>
>> An RFI attack like
>> "http://www.deafzone.ch/?id=http://www.sun-angel.ru//js/gid.gif" is
>> still possible and passed through.
>>
>> I have attached my whole htaccess file, maybe you see something else
>> that causes my rules to fail?
>>
>>     
> Hey Michael,
> A few questions -
>
> 1) What exact version of ModSecurity is the hosting company using?
> 2) Do any of your other rules work?
> 3) Did you try it with the SecFilterEngine set to On?
>
> -Ryan
>
>   
>> Best regards from New Zealand
>>
>> Michael
>>
>> --
>>
>> On 29/01/2010 8:59 p.m., Christian Bockermann wrote:
>>     
>>> Hi Michael,
>>>
>>> you're still on ModSecurity 1.x, right? The SecFilter* commands are
>>> syntax rules of ModSecurity 1.x.
>>>
>>> As for your request, I'd assume the regex is a little bit broken. If I
>>> see this correctly, then '=' and ":" are not meta-characters in PCRE and
>>> might not need escaping, thus try with
>>>
>>>      SecFilterSelective REQUEST_URI "=(ftp|http|https):/" "msg:'Possible RFI attack!'"
>>>
>>>
>>> Also note, support for rules in .htaccess files has been removed at some
>>> stage in 2.x IIRC. So there is little chance to add ModSec 2.x rules
>>> without access to the server config (which you said you don't have in
>>> your other mail).
>>>
>>> Usually Ryan steps in at this point referring to his migration matrix at
>>> :-)
>>>
>>>
>>> http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
>>>
>>>
>>> Best regards,
>>>
>>>       Chris
>>>
>>> Am 28.01.2010 um 23:52 schrieb Michael Heuberger:
>>>       
>>>> H
>>>>
>>>> I tried following rule:
>>>> SecFilterSelective REQUEST_URI "\=(http|ftp|https)\:/" "msg:'Inclusion attacks not allowed'"
>>>>
>>>> But somehow it doesn't work. I want to filter out URLs like
>>>> "http://www.deafzone.ch/?id=http://www.sun-angel.ru//js/gid.gif"
>>>>
>>>> Any inclusion attack beginning with "=http:" or "=ftp:" or "=https:"
>>>> should be filtered out with the above rule.
>>>>
>>>> Maybe I did something wrong?
>>>>
>>>> Thank you for your help
>>>>
>>>> Michael H.
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> ------ The Planet: dedicated and managed hosting, cloud storage,
>>>> colocation Stay online with enterprise data centers and the best network
>>>> in the business Choose flexible plans and management services without
>>>> long-term contracts Personal 24x7 support from experience hosting pros
>>>> just a phone call away. http://p.sf.net/sfu/theplanet-com
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod-security-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Appliances, Rule Sets and Support:
>>>> http://www.modsecurity.org/breach/index.html
>>>>         
>>     

--

Binary Kitchen
Michael Heuberger
10N Sylvan Avenue East
Mt Eden
Auckland 1024
(New Zealand)

Mobile (text only) ...  +64 21 261 89 81
Email ................  michael@binarykitchen.com
Website ..............  http://www.binarykitchen.com

