Re: [mod-security-users] Modsecurity not trapping attacks
From: Brian R. <Bri...@br...> - 2009-01-14 18:16:37
Ryan Barnett wrote:
> -----Original Message-----
> From: Walt Williams [mailto:wal...@gm...]
> Sent: Tuesday, January 13, 2009 5:31 PM
> To: mod...@li...
> Subject: [mod-security-users] Modsecurity not trapping attacks
>
> On apache 2.067 on RHEL 4.5, running the latest build of mod_security
>
> Apache loads, with the following entries in the httpd.conf file:
>
> LoadModule unique_id_module libexec/mod_unique_id.so
> LoadModule rewrite_module libexec/mod_rewrite.so
> LoadModule jk_module "/usr/local/apache2/libexec/mod_jk.so"
> LoadModule geoip_module libexec/mod_geoip.so
> JkWorkersFile "/usr/local/apache2/conf/workers.properties"
> JkLogFile "logs/mod_jk.log"
> JkLogLevel info
> LoadModule security2_module libexec/mod_security2.so
>
> We're running with the core rule set, unmodified:
>
> SecRuleEngine On
>
> Yet it appears as if mod_rewrite is happening before mod_security, as
> I found this in my error_log:
>
> [Tue Jan 13 16:58:14 2009] [error] [client 72.248.67.210] File does
> not exist: /opt/Apache-VirtualHost-Root/rev103/cmd.exe
>
> And the mod_security logs are empty.
>
> Would reversing the loading of the two modules resolve this?
>
> [Ryan Barnett] There was a recent list posting about Hook Ordering here that you may want to review - http://article.gmane.org/gmane.comp.apache.mod-security.user/5699.

The short answer is yes - the module order in the httpd.conf file may impact which module rules first. What is the rewrite config you are using? It appears you are using RewriteCond with a "-f". This occurs in the file system mapping hook and is prior to ModSecurity phase:2 rules. So anything Apache does prior to phase:2 (fixup hook) will be before ModSecurity has a chance to look at it in phase:2 rules. I am not sure why there would be a difference between two installs, though.

Take a look at the docs here to see where things run:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#processing-phases

-B

--
Brian Rectanus
Breach Security
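
Added example, not part of the original thread and not taken from the Core Rule Set: a ModSecurity 2.x configuration fragment for checking the ordering described in the reply above, by logging the same probe pattern once in phase:1 and once in phase:2. The rule ids, messages and log paths are constructed placeholders.

```apache
# Added example (not from the thread). Rule ids, messages and log paths
# below are constructed placeholders; adjust them to the local install.

SecRuleEngine On

# With no audit log configured, matches leave no audit trail, so set
# both the engine and the destination explicitly.
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

# Temporary troubleshooting aid: level 4 records details of how each
# transaction is handled. Set it back to 0 once the ordering is confirmed.
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 4

# Phase 1 (request headers). Log-only marker for the pattern seen in the
# error_log, evaluated before the file-system mapping step that the reply
# says precedes phase:2.
SecRule REQUEST_URI "cmd\.exe" \
    "phase:1,t:none,t:urlDecodeUni,t:lowercase,pass,log,auditlog,id:'900001',msg:'cmd.exe probe seen in phase 1'"

# Phase 2 (request body). Same marker in the later phase. If only the
# phase 1 message is logged for a request, that request was answered
# before phase:2 rules had a chance to run.
SecRule REQUEST_URI "cmd\.exe" \
    "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,log,auditlog,id:'900002',msg:'cmd.exe probe seen in phase 2'"
```

Once the log output shows which phase sees the request, the phase:1 rule can be switched from `pass` to `deny,status:403` so the probe is blocked regardless of what later hooks do.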