Hi,

 

I’m interested in helping; just let me know what we/you need. I have a VM where I’ve been doing all these tests.

OS -> Windows Server 2012 R2, IIS 8.5, ModSecurity 2.80

 

Best Regards,

Ricardo Fernandes

 

From: Felipe Costa [mailto:FCosta@trustwave.com]
Sent: Tuesday, June 10, 2014 11:38 PM
To: <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] mlogc on IIS

 

Hi,

 

There is a bug on Github for this mlogc problem on windows:

https://github.com/SpiderLabs/ModSecurity/issues/727

 

I started to debug the problem, here is the piece of code:

https://github.com/SpiderLabs/ModSecurity/commit/593750addb57796d252c5e3bd406d591c7f66b11

 

ModSecurity uses libapr to pipe/exec the mlogc process, and for some reason this is not working correctly. I tried with other software, such as a simple hello world, and even so the process execution was somehow denied.

https://github.com/SpiderLabs/ModSecurity/blob/master/apache2/apache2_config.c#L1177-L1209

 

During the debugging, I copied the code from libapr into ModSecurityIIS to have more control over the return codes, which are not so verbose under libapr. By doing that I was able to get the process running, however with some limitations, such as the target application having to be in the same path as ModSecurityIIS.dll.

 

The libapr code itself is not the problem, since Apache/Win is able to execute mlogc.

 

I stopped debugging this issue before being able to conclude what was causing it to work while the code was inside ModSecurityIIS and not in libapr. My debugging is available under the branch:

https://github.com/SpiderLabs/ModSecurity/compare/testing_win_mlogc

 

There is the possibility of using other software, such as the jwall tools, to send all the logs to a central server; here is the link:

http://www.jwall.org/tools/jwall-tools.jsp

 

If you guys are interested in helping with this debugging process, let me know so I can help you set up all the needed dependencies to get ModSecurityIIS compiled on your box.

 

Br.,

Felipe "Zimmerle" Costa

Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com

 

 

On Jun 10, 2014, at 6:55 PM, Ricardo Fernandes <rfernandes@apokaliptiko.pt> wrote:



Hi,

 

I’m trying to get time for more debugging. I think IIS is not accepting the pipe in the conf file; even with a bat file, IIS returns an error about opening the file (I don’t know if it is a security feature in IIS or some kind of limitation of modsecurity.dll).

 

Best Regards,

Ricardo Fernandes

 

From: J. Tozo [mailto:juniorbsd@gmail.com] 
Sent: Tuesday, June 10, 2014 10:52 PM
To: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] mlogc on IIS

 

Hi Ricardo, thanks for your answer. 

 

This configuration file is the result of several tries to make it work.

 

I was thinking of a way to only generate the logs in any format readable by mlogc and later call mlogc using Task Scheduler to send them to my log console.

 

Have you had any success with a workaround for this bug?
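A worked version of the scheduled-task idea above, added here as an example; it is not code from this thread or from the ModSecurity project. It assumes the audit log has been switched to the Concurrent type with SecAuditLog pointing at an index file instead of a pipe and SecAuditLogStorageDir set, that mlogc.conf has a matching LogStorageDir, and that the file paths and the cursor file are placeholders to adjust for your install. The script forwards only the index lines appended since the previous run, so nothing is resent and a partially written line is left for the next run.

```powershell
# Added example (not from the thread or the ModSecurity project): forward new
# ModSecurity concurrent audit-log index entries to mlogc.exe from a scheduled task.
#
# Assumed ModSecurity directives (placeholder paths):
#   SecAuditEngine RelevantOnly
#   SecAuditLogType Concurrent
#   SecAuditLog "C:\inetpub\logs\audit\index.log"
#   SecAuditLogStorageDir "C:\inetpub\logs\audit"
# mlogc reads index entries on stdin and locates the per-transaction files through
# LogStorageDir in mlogc.conf, so that value must equal SecAuditLogStorageDir.

param(
    [string]$IndexLog   = 'C:\inetpub\logs\audit\index.log',           # placeholder
    [string]$MlogcExe   = 'C:\Windows\System32\inetsrv\mlogc.exe',     # placeholder
    [string]$MlogcConf  = 'C:\Windows\System32\inetsrv\mlogc.conf',    # placeholder
    [string]$CursorFile = 'C:\inetpub\logs\audit\mlogc-cursor.txt'     # placeholder
)

$ErrorActionPreference = 'Stop'

# Byte offset in the index log up to which entries were already forwarded.
$offset = [int64]0
if (Test-Path $CursorFile) {
    $saved = Get-Content $CursorFile | Select-Object -First 1
    if ($saved -match '^\d+$') { $offset = [int64]$saved }
}

if (-not (Test-Path $IndexLog)) {
    Write-Host "Index log $IndexLog not found; nothing to forward."
    exit 0
}

$length = (Get-Item $IndexLog).Length
if ($length -lt $offset) {
    # The index log was rotated or truncated: start again from the beginning.
    $offset = [int64]0
}
if ($length -eq $offset) {
    Write-Host "No new audit entries since the last run."
    exit 0
}

# Read only the bytes appended since the cursor; FileShare::ReadWrite lets IIS keep writing.
$fs = [System.IO.File]::Open($IndexLog,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
try {
    [void]$fs.Seek($offset, [System.IO.SeekOrigin]::Begin)
    $reader = New-Object System.IO.StreamReader($fs, [System.Text.Encoding]::UTF8)
    $chunk  = $reader.ReadToEnd()
} finally {
    $fs.Dispose()
}

# Forward complete lines only; a half-written last line waits for the next run.
$lastNewline = $chunk.LastIndexOf("`n")
if ($lastNewline -lt 0) {
    Write-Host "Only a partial index line so far; waiting for the next run."
    exit 0
}
$complete  = $chunk.Substring(0, $lastNewline + 1)
$newOffset = $offset + [System.Text.Encoding]::UTF8.GetByteCount($complete)

# The lines are already in the index format ModSecurity writes, so they go to mlogc unchanged.
# mlogc keeps its own on-disk queue, so entries it could not deliver are retried by mlogc itself.
$complete | & $MlogcExe $MlogcConf
if ($LASTEXITCODE -ne 0) {
    throw "mlogc exited with code $LASTEXITCODE; cursor not advanced, these entries will be re-read next run."
}

Set-Content -Path $CursorFile -Value $newOffset
$lines = @($complete -split "`n" | Where-Object { $_.Trim() -ne '' }).Count
Write-Host "Forwarded $lines index line(s) to mlogc."
```

Register the script with Task Scheduler (for example every few minutes via schtasks /Create with /SC MINUTE and /MO, or through the GUI) under an account that can read the audit directory and write to mlogc's CollectorRoot, where mlogc keeps its queue and error log; a dedicated low-privilege account is enough, since the script never needs to touch the IIS configuration. Because the cursor is only advanced after mlogc exits successfully, a failed upload results in a retry rather than lost events, which is the property you want from an audit-log forwarder.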

 

On Tue, Jun 10, 2014 at 6:38 PM, Ricardo Fernandes <rfernandes@apokaliptiko.pt> wrote:

Hello,

 

I haven’t found the answer yet, but I can tell you one thing that is wrong: for SecAuditLogType you should use Concurrent, not Serial.

Modsec.conf

I had already tried a lot of combinations and always got the same error; I think this is a bug…

mlog.conf

 

 

Best Regards,

Ricardo Fernandes

 

 

From: J. Tozo [mailto:juniorbsd@gmail.com] 
Sent: Tuesday, June 10, 2014 10:28 PM
To: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] mlogc on IIS

 

Relevant information: I’m trying to deploy it on a Windows Server 2008 R2 with IIS 7.5.

 

On Tue, Jun 10, 2014 at 6:24 PM, J. Tozo <juniorbsd@gmail.com> wrote:

Hi, I’m suffering from the same issue here; does anyone know the right direction to point me in?

 

My configuration: (Full conf at http://pastebin.com/2tf9jeAW )

 

SecAuditLogType Serial

SecAuditLog "| C:\Windows\System32\inetsrv\mlogc.exe C:\Windows\System32\inetsrv\mlogc.conf"

 

Answer in the windows eventviewer:

Syntax error in config file C:\Program Files\ModSecurity IIS\modsecurity.conf, line 26: ModSecurity: Failed to open the audit log pipe: C:\Windows\System32\inetsrv\mlogc.exe C:\Windows\System32\inetsrv\mlogc.conf

 

If I execute the piped command directly in PowerShell, mlogc works as expected.

 

from mlogc-error.log:

[Tue Jun 10 18:14:03 2014] [3] [6200/0] Configuring ModSecurity Audit Log Collector 2.8.0.

[Tue Jun 10 18:14:03 2014] [3] [6200/0] Delaying execution for 5000ms.

[Tue Jun 10 18:14:08 2014] [3] [6200/0] Queue file not found. New one will be created.

[Tue Jun 10 18:14:08 2014] [3] [6200/0] ModSecurity Audit Log Collector 2.8.0 terminating normally.

 

I also noted that Serial logs aren’t being created correctly in the folder already set in modsecurity.conf:

 

SecAuditLogStorageDir "C:\inetpub\logs\audit"

 

This directory has permissions that allow everyone to read, write and execute.

 

I’m stuck; any help will be appreciated.

 

-J

 

On Wed, May 21, 2014 at 12:11 PM, Ryan Barnett <RBarnett@trustwave.com> wrote:

Can you list your modsecurity conf data for the audit log directives?

Ryan Barnett
Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>




On 5/21/14 8:51 AM, "Marcus Semblano" <marcus.semblano@locaweb.com.br> wrote:


>Does anyone here use ModSecurity on IIS?
>

>No answers at all!!

>No proper documentation on IIS configuration regarding config files.
>

>Maybe it's better to file a bug report :/
>
>Sincerely,
>
>Marcus Semblano
>
>
>
>________________________________________
>From: Ricardo Fernandes [rfernandes@apokaliptiko.pt]
>Sent: Monday, May 19, 2014 11:21 AM
>To: mod-security-users@lists.sourceforge.net
>Subject: [mod-security-users] mlogc on IIS
>
>Hello,
>
>I'm experiencing the same problem as in this link:
>http://sourceforge.net/p/mod-security/mailman/message/31780263/
>
>I cannot send the events to the remote console:
>
>Syntax error in config file C:\Program Files\ModSecurity
>IIS\modsecurity.conf, line 195: ModSecurity: Failed to open the audit log
>pipe: c:\inetpub\modsecurity\bin\mlog.bat
>
>IIS 8.5 (Windows Server 2012 R2)
>The folder has all the necessary permissions.
>
>I cannot find anything on the web about how to configure mlogc correctly for IIS...
>
>ModSecurity is running OK; only the part that sends to the console is
>failing.
>
>Best Regards,
>Ricardo Fernandes
>
>
>
>
>
>
>--------------------------------------------------------------------------
>----

>"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>Instantly run your Selenium tests across 300+ browser/OS combos.
>Get unparalleled scalability from the best Selenium testing platform
>available
>Simple to use. Nothing to install. Get started now for free."
>http://p.sf.net/sfu/SauceLabs
>_______________________________________________
>mod-security-users mailing list
>mod-security-users@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>http://www.modsecurity.org/projects/commercial/rules/
>http://www.modsecurity.org/projects/commercial/support/
>


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.






 

--

Thanks,

 Tozo



 

--

Thanks,

 Tozo


------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



 

--

Thanks,

 Tozo


 
