Hello,

Please send me your error.log too.

Let's try to understand where the problem is. Please follow the steps:

Make sure there is a core dump area with something like:

  CoreDumpDirectory /tmp

Make sure limits are set to dump core:

  ulimit -c unlimited

Restart and trigger the error.  A core file should be in the directory
you specified.

Then use gdb to get a backtrace:

  gdb /path/to/httpd /path/to/core --batch --quiet \
    -ex "thread apply all bt full" > backtrace.log

Please send me the backtrace.log in a private e-mail.

Thanks

Breno

On Mon, Mar 25, 2013 at 4:32 PM, Mark Morley <rmm@islandnet.com> wrote:

Hi all,

We're experiencing something odd with modsecurity.

We added modsecurity 2.7.2 to an Apache 2.2.24 server that has never had modsecurity loaded before.  Of many hundreds of web sites it serves, one site (that we know of) started spitting out seemingly random binary data instead of the index.html file.  This doesn't happen every time you load the page, but always with the same site.

The output was mostly gibberish, with the occasional recognisable string that clearly came from .htaccess files and virtual host config files that the main config includes.  Basically it looks like it was dumping memory.  And so much of it that the browser hangs.

Note that there were *no* rules loaded, and SecRuleEngine was not even on; simply having the module loaded caused the problem.  MMAP and Sendfile are off.  We recompiled Apache and all modules (FreeBSD).  The site in question has no PHP, just plain html.  They do have a .htaccess file that enables SSI, adds some expire headers, and enables mod_deflate.

We've removed modsecurity and the problem goes away.  We add it back and the problem returns, so it pretty clearly has something to do with modsecurity, although it could be that some other module is also related.  The modules in use are listed at the end of this message.

Also, httpd appears to segfault when this happens (not sure if it's the same request as I don't have mod_forensic installed at the moment, but it never segfaults when modsecurity is not loaded).

Any thoughts?  Any more info I should provide?
 
Mark
 
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_anon_module (shared)
authn_file_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
geoip_module (shared)
headers_module (shared)
include_module (shared)
log_config_module (shared)
logio_module (shared)
mime_module (shared)
negotiation_module (shared)
php5_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
ssl_module (shared)
unique_id_module (shared)
proctitle_module (shared)
mysql_auth_module (shared)
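
A pre-flight check for the core-dump steps in the reply above, as an added example that is not part of the original thread: it reads `CoreDumpDirectory` from a config file, confirms the directory exists and is writable, and checks the core size limit before the server is restarted. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the core-dump steps in the reply.
# Function names and the sample config are constructed for illustration.

# Print the last CoreDumpDirectory value in an Apache config file.
# Commented-out lines are skipped; directive names are case-insensitive.
core_dump_dir() {
    awk 'tolower($1) == "coredumpdirectory" { gsub(/"/, "", $2); dir = $2 }
         END { if (dir == "") exit 1; print dir }' "$1"
}

# Succeed if a `ulimit -c` value allows core files ("unlimited" or > 0).
core_limit_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 0 ] ;;
    esac
}

# $1 = config file, $2 = core limit (default: this shell's `ulimit -c`).
# The limit that counts is the one httpd inherits, and the directory must
# be writable by the user the crashing process runs as, so run this from
# the environment that starts the server.
preflight() {
    dir=$(core_dump_dir "$1") || { echo "no CoreDumpDirectory in $1"; return 1; }
    { [ -d "$dir" ] && [ -w "$dir" ]; } || { echo "$dir: not a writable directory"; return 1; }
    core_limit_ok "${2:-$(ulimit -c)}" || { echo "core size limit forbids core files"; return 1; }
    echo "ok: core files will be written to $dir"
}

# Stand-alone run against a constructed sample config.
conf=$(mktemp)
printf '%s\n' '# CoreDumpDirectory /var/crash' 'CoreDumpDirectory /tmp' > "$conf"
preflight "$conf" || true
rm -f "$conf"
```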
