Re: [mod-security-users] update from modsecurity-apache_1.9.4 to modsecurity-apache_2.1.6?
From: Sebastian K. <sko...@tr...> - 2008-02-25 14:50:49
thank you very much!

Kind regards

Sebastian Kösters

systems architect
Trade Haven GmbH
In der Steele 37, 40599 Düsseldorf
T +49 211 749659 14 mailto:sko...@tr...
F +49 211 749659 29 http://www.tradehaven.de
--------------------------------------------------------------------
Managing directors: Michael Heck | Oliver Wagner Commercial register Düsseldorf: HRB 53379

Ryan Barnett wrote:
> SecFilter searches the entire inbound request transaction for the RegEx. In 2.x, you must specify a variable location. Take a look at the examples in the Core Rules (http://www.modsecurity.org/projects/rules/index.html) -
>
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "insert[[:space:]]+into"
>
> This rule lists the common variables that are inspected, which includes the request URI, all request headers and any arguments, while also excluding the Referer header (as it normally is a false positive).
>
> As for the regex, take a look at the 40 Generic Attacks Core Rules file, as it includes many SQL Injection RegExs that are much more comprehensive than the example ones from the 1.9 branch.
>
> -Ryan
>
>> -----Original Message-----
>> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Sebastian Kösters
>> Sent: Monday, February 25, 2008 9:09 AM
>> To: Brian Rectanus
>> Cc: mod...@li...
>> Subject: Re: [mod-security-users] update from modsecurity-apache_1.9.4 to modsecurity-apache_2.1.6?
>>
>> found what failed. mod_unique_id was not loaded. i am sorry.
>>
>> one (for now) last question.
>>
>> with version 1.9.4 it was possible to do a very simple rule like
>>
>> SecFilter "insert[[:space:]]+into"
>>
>> i found nothing to create such a simple rule with 2.x
>>
>> Kind regards
>>
>> Sebastian Kösters
>>
>> systems architect
>> Trade Haven GmbH
>> In der Steele 37, 40599 Düsseldorf
>> T +49 211 749659 14 mailto:sko...@tr...
>> F +49 211 749659 29 http://www.tradehaven.de
>> --------------------------------------------------------------------
>> Managing directors: Michael Heck | Oliver Wagner Commercial register Düsseldorf: HRB 53379
>>
>> Brian Rectanus wrote:
>>> This will audit log everything:
>>>
>>> SecAuditEngine On
>>>
>>> This rule will deny everything and log:
>>>
>>> SecAction "phase:2,deny,status:403,log,auditlog,msg:'DENY ALL TEST RULE'"
>>>
>>> -B
>>>
>>> Sebastian Kösters wrote:
>>>> what must a rule look like to deny all traffic? With such a rule i could check if something gets logged.
>>>>
>>>> Kind regards
>>>>
>>>> Sebastian Kösters
>>>>
>>>> systems architect
>>>> Trade Haven GmbH
>>>> In der Steele 37, 40599 Düsseldorf
>>>> T +49 211 749659 14 mailto:sko...@tr...
>>>> F +49 211 749659 29 http://www.tradehaven.de
>>>> --------------------------------------------------------------------
>>>> Managing directors: Michael Heck | Oliver Wagner Commercial register Düsseldorf: HRB 53379
>>>>
>>>> Brian Rectanus wrote:
>>>>> If you want to log everything, then set SecAuditEngine On. Otherwise it will only log errors and any rules that match (you appear not to have any rules).
>>>>>
>>>>> -B
>>>>>
>>>>> ----- Original Message -----
>>>>> From: mod...@li... <mod...@li...>
>>>>> To: Robert Lount <ro...@ey...>
>>>>> Cc: mod...@li... <mod...@li...>
>>>>> Sent: Sat Feb 23 12:04:45 2008
>>>>> Subject: Re: [mod-security-users] update from modsecurity-apache_1.9.4 to modsecurity-apache_2.1.6?
>>>>>
>>>>> thank you.
>>>>>
>>>>> i used the .mk files from another directory and it worked.
>>>>>
>>>>> But i have another problem.
>>>>>
>>>>> the mod_security logs nothing.
>>>>>
>>>>> My config (for the moment) looks like this:
>>>>>
>>>>> SecRuleEngine On
>>>>> SecRequestBodyAccess On
>>>>> SecResponseBodyAccess Off
>>>>>
>>>>> SecDebugLog /var/log/apache2/modsec_debug.log
>>>>> SecDebugLogLevel 3
>>>>>
>>>>> SecAuditEngine RelevantOnly
>>>>> SecAuditLogRelevantStatus ^5
>>>>> SecAuditLogParts ABIFHZ
>>>>> SecAuditLogType Serial
>>>>> SecAuditLog /var/log/apache2/modsec_audit.log
>>>>>
>>>>> SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
>>>>>
>>>>> With the 1.9.4 version i always saw if someone opened a website on my server. Now the logfile is empty.
>>>>>
>>>>> The configuration is much more different to 1.9.4 i see.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Sebastian Kösters
>>>>>
>>>>> systems architect
>>>>> Trade Haven GmbH
>>>>> In der Steele 37, 40599 Düsseldorf
>>>>> T +49 211 749659 14 mailto:sko...@tr...
>>>>> F +49 211 749659 29 http://www.tradehaven.de
>>>>> --------------------------------------------------------------------
>>>>> Managing directors: Michael Heck | Oliver Wagner Commercial register Düsseldorf: HRB 53379
>>>>>
>>>>> Robert Lount wrote:
>>>>>> Sebastian Kösters wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> i installed Apache2 + PHP5 on Ubuntu 6.06.2 LTS as a package some time ago.
>>>>>>>
>>>>>>> After that i installed mod_security 1.9.4 with apxs2 -cia "module".
>>>>>>>
>>>>>>> That worked fine.
>>>>>>>
>>>>>>> Today i noticed that there is a 2.1.6 version existing and i wanted to update mod_security. But that did not work.
>>>>>>>
>>>>>>> I tried the following:
>>>>>>>
>>>>>>> apxs2 -cia mod_security2.c
>>>>>>>
>>>>>>> that worked.
>>>>>>>
>>>>>>> it is also loaded in the httpd.conf
>>>>>>>
>>>>>>> #LoadModule security_module /usr/lib/apache2/modules/mod_security.so <- that's the old version 1.9.4
>>>>>>> LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
>>>>>>>
>>>>>>> When i now start apache with the new module this error message comes:
>>>>>>>
>>>>>>> * Starting apache 2.0 web server...
>>>>>>> Syntax error on line 7 of /etc/apache2/httpd.conf:
>>>>>>> Cannot load /usr/lib/apache2/modules/mod_security2.so into server:
>>>>>>> /usr/lib/apache2/modules/mod_security2.so: undefined symbol: msc_alert
>>>>>>>
>>>>>>> I also tried to do it like the manual told me.
>>>>>>>
>>>>>>> libxml2 is installed and the paths in the Makefile are correct.
>>>>>>>
>>>>>>> When i try to do "make" i see this error:
>>>>>>>
>>>>>>> Makefile:40: /etc/apache2/build/special.mk: No such file or directory
>>>>>>> make: *** no rule to mal /etc/apache2/build/special.mk
>>>>>>>
>>>>>>> Where do i get this file? What's wrong? I have the latest apache2 version
>>>>>>>
>>>>>>> When i start apache with the old version of the module everything works fine again.
>>>>>>>
>>>>>>> I hope someone of you can help me.
>>>>>>>
>>>>>> Do you have the apache2-<worker-version-here>-dev packages installed? All my issues with make have had to do with either libxml2-dev or apache-*-dev not being installed.
>>>>>>
>>>>>> I am currently running Ubuntu 7.10 server, and aside from shooting my own foot with rules it seems to be working fine.
>>>>>> Here are my installed versions of Apache and libxml2
>>>>>>
>>>>>> i apache2-threaded-dev - development headers for apache2
>>>>>> i A apache2-mpm-prefork - Traditional model for Apache HTTPD
>>>>>> i A apache2.2-common - Next generation, scalable, extendable web server
>>>>>>
>>>>>> i libxml2 - GNOME XML library
>>>>>> i libxml2-dev - Development files for the GNOME XML library
>>>>>>
>>>>>> I hope this is a help and not an annoyance.
>>>>>>
>>>>>> Robert
>>>>>
>>>>> _______________________________________________
>>>>> mod-security-users mailing list
>>>>> mod...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
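The SecFilter-to-SecRule change discussed in this thread, as an added example (not code from the thread or from the ModSecurity project): a small Python helper that rewrites 1.x `SecFilter` lines into 2.x `SecRule` lines using the variable list from Ryan's reply, and flags every other `SecFilter*` directive for manual conversion. The function names, the `# MANUAL:` marker and the sample configuration are assumptions made for this illustration.

```python
import re

# Variable list from the Core Rules line quoted in the thread; 2.x has no
# implicit "search the whole request" target, so it must be spelled out.
V2_TARGETS = ("REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*"
              "|!REQUEST_HEADERS:Referer")

# SecFilter PATTERN [ACTIONS]; the pattern is kept raw so regex escapes survive.
SECFILTER = re.compile(
    r'^\s*SecFilter\s+(?:"((?:[^"\\]|\\.)*)"|([^\s"]+))'
    r'(?:\s+(?:"([^"]*)"|([^\s"]+)))?\s*$', re.IGNORECASE)
LEGACY = re.compile(r'^\s*(SecFilter\w*)\b', re.IGNORECASE)

def convert_line(line):
    """Return (converted_line, note); note is None when nothing needs review."""
    m = SECFILTER.match(line)
    if m:
        pattern = m.group(1) if m.group(1) is not None else m.group(2)
        actions = m.group(3) or m.group(4)
        rule = f'SecRule {V2_TARGETS} "{pattern}"'
        if actions:
            return f'{rule} "{actions}"', "check carried-over actions against 2.x"
        return rule, None
    m = LEGACY.match(line)
    if m:  # any other SecFilter* directive is not converted mechanically here
        return "# MANUAL: " + line.strip(), f"{m.group(1)} needs manual conversion"
    return line.rstrip("\n"), None

def convert_config(text):
    """Convert a 1.x config; returns (new_text, [(line_no, note), ...])."""
    out, notes = [], []
    for no, line in enumerate(text.splitlines(), 1):
        new, note = convert_line(line)
        out.append(new)
        if note:
            notes.append((no, note))
    return "\n".join(out), notes

# Constructed sample 1.x configuration (not taken from the thread's server).
SAMPLE_1X = r'''SecFilterEngine On
SecFilter "insert[[:space:]]+into"
SecFilter "\.\./" "deny,log,status:403"
SecFilterSelective REQUEST_METHOD "^TRACE$"
'''

if __name__ == "__main__":
    print(*convert_config(SAMPLE_1X), sep="\n")
```

The target list is the one from the reply, so the converted rules are close to, but not guaranteed identical with, what 1.x `SecFilter` inspected; run the result through `apache2ctl configtest` and check the audit log before relying on it.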