Hi Breno,

 

Just to make sure I was using the same libs..

 

[root@dev /usr/local/src/pcre-8.12]# ./configure  --prefix=/usr/local/pcre

 

[root@dev /usr/local/src/httpd-2.2.17]# ./configure --prefix=/usr/local/apache --enable-ssl --enable-cgi --enable-so --enable-rewrite --enable-mime-magic --enable-speling --enable-usertrack --enable-unique-id --with-included-apr --enable-expires --enable-headers --enable-deflate -with-pcre=/usr/local/pcre/

 

[root@dev /usr/local/src/modsecurity-apache_2.5.13/apache2]# ./configure --with-pcre=/usr/local/pcre/

 

 

 

And then…..it worked!  Thank you very much!  I had tried compiling modsec with the apache bundled version of pcre yesterday, but for some reason that didn’t work

 

 

Would you mind helping me understand whats happening to make it hang like this please ? My brain cant quite grasp whats going on.

 

Thanks again

 

Glen

 

 

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: Wednesday, 23 March 2011 10:39 AM
To: ghollings@ingenuity.net.au
Cc: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] httpd hangs after mod_security update

 

Hi Glen,

I didn't see anything strange in your debug information. The exception is the find_minlength of pcre. Are you using the same libpcre version in apache and mosecurity ?
 If not, please use the same lib version.

Thanks

Breno

On Tue, Mar 22, 2011 at 6:49 PM, Glen Hollings <ghollings@ingenuity.net.au> wrote:

Hi Breno,

 

Sorry, its not a crash, more of a ‘hang’ I guess.  It just chews cpu until I cancel or kill it.

 

I happy to run any other debugging you would like done.

 

Thanks

 

Glen

 

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: Wednesday, 23 March 2011 2:30 AM
To: ghollings@ingenuity.net.au
Cc: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] httpd hangs after mod_security update

 

Hi Glen,

Are you getting a crash ? If so...

Please get me a backtrace from the core dump.

Basically do this in httpd.conf:

Make sure there is a core dump area with something like:

  CoreDumpDirectory /tmp

Make sure limits are set to dump core:

  ulimit -c unlimited

Restart apache and trigger the error.  A core file should be in the directory
you specified.

Then use gdb to get a backtrace:

gdb /path/to/httpd /path/to/core --batch --quiet \
  -ex "thread apply all bt full" > backtrace.log

send me the output *privately* making sure there is no sensitive data in it first.

Thanks

Breno

On Tue, Mar 22, 2011 at 12:48 AM, Glen Hollings <ghollings@ingenuity.net.au> wrote:

After days of frustration, Im reaching out J

 

Because of the addition of decodeBase64Ext, I obviously needed to update modsecurity.  But once I updated from 2.5.11 to .13, httpd no longer completes startup, and eventually chews 100% of the CPU, and needs to be cancelled.

 

I am running

 

FreeBSD 8.0

Httpd 2.2.17 (Have tried 2.2.15) (I have tried compiling this with external pcre with no luck)

Php 5.2.3

 

Through a process of trial and much error I am also running these (although they didn’t change the behaviour at all)

 

Pcre 8.12

APR 1.4.2

APR-Util 1.3.10

 

Modsec 2.5.11 runs perfectly, even recompiling it in the updated environment it works fine.

 

I tried modsec 2.5.12 and it has the same issues.  I have also tried compiling modsec with the pcre that comes with httpd with no change.

 

I have googled around a heap and found a number of similar issues, but unfortunately with no fix.

 

 

Running httpd with debugging enabled doesn’t give me anything useful

 

[root@dev /usr/local/src/modsecurity-apache_2.5.13/apache2]# /usr/local/apache/bin/apachectl -e debug

[Tue Mar 22 05:40:55 2011] [debug] mod_so.c(246): loaded module php5_module

[Tue Mar 22 05:40:55 2011] [debug] mod_so.c(246): loaded module security2_module

 

 

This is what lead me to change pcre, but hey, im not exactly sure how to use gdb

 

[root@dev /usr/local/src]# gdb -p 52455 /usr/local/apache/bin/httpd

GNU gdb 6.1.1 [FreeBSD]

Copyright 2004 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "amd64-marcel-freebsd"...

Attaching to program: /usr/local/apache/bin/httpd, process 52455

Reading symbols from /lib/libz.so.5...done.

Loaded symbols for /lib/libz.so.5

Reading symbols from /usr/lib/libssl.so.6...done.

Loaded symbols for /usr/lib/libssl.so.6

Reading symbols from /lib/libcrypto.so.6...done.

Loaded symbols for /lib/libcrypto.so.6

Reading symbols from /lib/libm.so.5...done.

Loaded symbols for /lib/libm.so.5

Reading symbols from /usr/local/apache/lib/libaprutil-1.so.3...done.

Loaded symbols for /usr/local/apache/lib/libaprutil-1.so.3

Reading symbols from /usr/local/lib/libexpat.so.6...done.

Loaded symbols for /usr/local/lib/libexpat.so.6

Reading symbols from /usr/local/apache/lib/libapr-1.so.4...done.

Loaded symbols for /usr/local/apache/lib/libapr-1.so.4

Reading symbols from /lib/libcrypt.so.5...done.

Loaded symbols for /lib/libcrypt.so.5

Reading symbols from /lib/libthr.so.3...done.

[New Thread 8015021c0 (LWP 100466)]

Loaded symbols for /lib/libthr.so.3

Reading symbols from /lib/libc.so.7...done.

Loaded symbols for /lib/libc.so.7

Reading symbols from /usr/local/apache/modules/libphp5.so...done.

Loaded symbols for /usr/local/apache/modules/libphp5.so

Reading symbols from /usr/local/lib/libmcrypt.so.8...done.

Loaded symbols for /usr/local/lib/libmcrypt.so.8

Reading symbols from /usr/local/lib/libltdl.so.7...done.

Loaded symbols for /usr/local/lib/libltdl.so.7

Reading symbols from /usr/local/lib/libintl.so.8...done.

Loaded symbols for /usr/local/lib/libintl.so.8

Reading symbols from /usr/local/lib/libpng.so.6...done.

Loaded symbols for /usr/local/lib/libpng.so.6

Reading symbols from /usr/local/lib/libjpeg.so.11...done.

Loaded symbols for /usr/local/lib/libjpeg.so.11

Reading symbols from /usr/local/lib/libcurl.so.6...done.

Loaded symbols for /usr/local/lib/libcurl.so.6

Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.16...done.

Loaded symbols for /usr/local/lib/mysql/libmysqlclient.so.16

Reading symbols from /usr/local/lib/libxml2.so.5...done.

Loaded symbols for /usr/local/lib/libxml2.so.5

Reading symbols from /usr/local/lib/libiconv.so.3...done.

Loaded symbols for /usr/local/lib/libiconv.so.3

Reading symbols from /usr/local/apache/modules/mod_security2.so...done.

Loaded symbols for /usr/local/apache/modules/mod_security2.so

Reading symbols from /usr/local/lib/libpcre.so.0...done.

Loaded symbols for /usr/local/lib/libpcre.so.0

Reading symbols from /usr/local/lib/liblua-5.1.so.1...done.

Loaded symbols for /usr/local/lib/liblua-5.1.so.1

Reading symbols from /libexec/ld-elf.so.1...done.

Loaded symbols for /libexec/ld-elf.so.1

[Switching to Thread 8015021c0 (LWP 100466)]

0x0000000802c5a729 in find_minlength () from /usr/local/lib/libpcre.so.0

 

 

It seems to me that something fundamental has changed in 2.5.12+ that is making it difficult for FreeBSD somehow…

 

Any help would be greatly appreciated!

 

Thanks

 

Glen

 


------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software
be a part of the solution? Download the Intel(R) Manageability Checker
today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php