Re: [mod-security-users] {Disarmed} Re: Broke mlogc
From: Dimitri Y. <dyi...@fi...> - 2010-02-11 15:15:07
Hi, Ivan.

Sure enough, there are exceptions listed in debug.log.0:

Feb 10, 2010 6:34:48 PM org.mortbay.http.HttpConnection exception
WARNING: PUT /rpc/auditLogReceiver HTTP/1.1
java.lang.NumberFormatException: For input string: "6966436955734"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
    at java.lang.Integer.parseInt(Integer.java:459)
    at java.lang.Integer.parseInt(Integer.java:497)
    at org.mortbay.http.HttpFields.getIntField(HttpFields.java:986)
    at org.mortbay.http.HttpMessage.getIntField(HttpMessage.java:333)
    at org.mortbay.http.HttpConnection.verifyHTTP_1_1(HttpConnection.java:482)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:969)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)
Feb 10, 2010 6:34:48 PM org.mortbay.http.HttpConnection exception
WARNING: PUT /rpc/auditLogReceiver HTTP/1.1
java.lang.NumberFormatException: For input string: "7052336301674"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
    at java.lang.Integer.parseInt(Integer.java:459)
    at java.lang.Integer.parseInt(Integer.java:497)
    at org.mortbay.http.HttpFields.getIntField(HttpFields.java:986)
    at org.mortbay.http.HttpMessage.getIntField(HttpMessage.java:333)
    at org.mortbay.http.HttpConnection.verifyHTTP_1_1(HttpConnection.java:482)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:969)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

and in stderr.log:

Velocity message: 1 Velocimacro : initialization starting.
Velocity message: 1 Velocimacro : adding VMs from VM library template : VM_global_library.vm
Velocity message: 3 ResourceManager : unable to find resource 'VM_global_library.vm' in any resource loader.
Velocity message: 1 Velocimacro : error using VM library template VM_global_library.vm : org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource 'VM_global_library.vm'
Velocity message: 1 Velocimacro : VM library template macro registration complete.

Additionally, if this will help:

java version "1.5.0_08"
modsecurity-console version 1.02 (later versions didn't work for me)

Continuing help much appreciated.

Dimitri

On Wednesday 10 February 2010 5:43:05 pm you wrote:
> And you have no administrative events on the home page of the console (in the lower area)?
>
> You should go to CONSOLEHOME/var/logs and look at stderr.log and debug.log.0. There's going to be an exception there that describes the problem.
>
> On Wed, Feb 10, 2010 at 7:03 PM, Dimitri Yioulos <dyi...@fi...> wrote:
> > J,
> >
> > I can access the console. However, there've been no new data reported in it since I broke mlogc.
> >
> > Dimitri
> >
> > On Wed, 10 Feb 2010 20:37:59 +0200, Jamuse wrote
> >
> >> Hey Dimitri,
> >>
> >> Can you confirm that your console is running properly? Can you access the administrative console via your web browser?
> >>
> >> - J
> >>
> >> On Wed, Feb 10, 2010 at 5:33 PM, Dimitri Yioulos <dyi...@fi...> wrote:
> >> > Chris,
> >> >
> >> > Here's my mlogc.conf:
> >> >
> >> > CollectorRoot "/var/log/mlogc"
> >> > ConsoleURI "http://192.168.1.3:8886/rpc/auditLogReceiver"
> >> > SensorUsername "xxxxxxx"
> >> > SensorPassword "yyyyyyy"
> >> > LogStorageDir "data"
> >> > TransactionLog "mlogc-transaction.log"
> >> > QueuePath "mlogc-queue.log"
> >> > ErrorLog "mlogc-error.log"
> >> > LockFile "mlogc.lck"
> >> > KeepEntries 0
> >> > ErrorLogLevel 3
> >> > MaxConnections 10
> >> > TransactionDelay 50
> >> > StartupDelay 1000
> >> > CheckpointInterval 15
> >> > ServerErrorTimeout 60
> >> >
> >> > I didn't change it from that of the previous version. Nor did I change anything having to do with the console itself. I did a diff modsecurity.conf-minimal and my modsecurity.conf, and made appropriate changes (I checked for typos, etc.). I did as Jamuse suggested, and upped the log level of mlogc, and have posted output to pastebin (http://pastebin.com/d48d02659). Looking forward to everyone's analysis.
> >> >
> >> > Dimitri
> >> >
> >> > On Wed, 10 Feb 2010 13:17:59 +0100, Christian Bockermann wrote
> >> >
> >> > > Hi Dimitri,
> >> > >
> >> > > these errors indicate that the ModSecurity Console was unable to process the incoming data. That's why it rejected the events and mlogc flagged the console as "errored".
> >> > > (mlogc is trying to send the same event over and over again)
> >> > >
> >> > > Did you modify your mlogc-configuration or the ModSecurity console before getting these errors?
> >> > >
> >> > > Some more information about your setup would help: especially the mlogc-config (without passwords).
> >> > >
> >> > > Best regards,
> >> > > Chris
> >> > >
> >> > > On 09.02.2010 at 23:06, Dimitri Yioulos wrote:
> >> > > > Greetz, all.
> >> > > >
> >> > > > Well, here we go again. I was looking to upgrade modsec to the latest and greatest from version 2.5.9. All of the pieces are where they should be, and config files (I believe) correct, but now I'm getting no output to the modsecurity console, and am getting this in mlogc-log.error:
> >> > > >
> >> > > > [Tue Feb 09 17:00:37 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:00:37 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:01:42 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:01:42 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:02:47 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:02:47 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:03:52 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:03:52 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:04:57 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> >> > > > [Tue Feb 09 17:04:57 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG (cURL code 55): select/poll returned error
> >> > > >
> >> > > > How might I fix what I messed up?
> >> > > >
> >> > > > Thanks.
> >> > > >
> >> > > > Dimitri
> >> > > >
> >> > > > --
> >> > > > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
> >> > > >
> >> > > > ------------------------------------------------------------------------------
> >> > > > SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> >> > > > http://p.sf.net/sfu/solaris-dev2dev
> >> > > > _______________________________________________
> >> > > > mod-security-users mailing list
> >> > > > mod...@li...urceforge.net
> >> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >> > > > Commercial ModSecurity Appliances, Rule Sets and Support:
> >> > > > http://www.modsecurity.org/breach/index.html
> >> >
> >> > --
> >> > Dimitri Yioulos, CIO
> >> > First 1 Financial Corporation
> >> > 600 Cordwainer Dr.
> >> > Norwell, MA 02061
> >> >
> >> > 781-871-4220 x1007
> >> > dyi...@fi...
> >
> > --
> > Dimitri Yioulos, CIO
> > First 1 Financial Corporation
> > 600 Cordwainer Dr.
> > Norwell, MA 02061
> >
> > 781-871-4220 x1007
> > dyi...@fi...
>
> --
> Ivan Ristic
> ModSecurity Handbook [https://www.feistyduck.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
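
Added example, not part of the original message or of the ModSecurity Console code: a small triage script for the debug.log.0 excerpt quoted above. Both traces fail in Integer.parseInt on a 13-digit string, which is larger than a Java int can hold; the script pairs each logged request with the rejected value and says why parseInt refused it. The sample log is constructed in the layout shown above with the stack frames trimmed, and the function names are hypothetical.

```python
import re

INT_MIN, INT_MAX = -2**31, 2**31 - 1  # range of java.lang.Integer

# Constructed sample in the layout of the debug.log.0 excerpt above
# (stack frames trimmed to the two that matter for triage).
SAMPLE = """\
Feb 10, 2010 6:34:48 PM org.mortbay.http.HttpConnection exception
WARNING: PUT /rpc/auditLogReceiver HTTP/1.1
java.lang.NumberFormatException: For input string: "6966436955734"
\tat java.lang.Integer.parseInt(Integer.java:459)
\tat org.mortbay.http.HttpFields.getIntField(HttpFields.java:986)
Feb 10, 2010 6:34:48 PM org.mortbay.http.HttpConnection exception
WARNING: PUT /rpc/auditLogReceiver HTTP/1.1
java.lang.NumberFormatException: For input string: "7052336301674"
\tat java.lang.Integer.parseInt(Integer.java:459)
\tat org.mortbay.http.HttpFields.getIntField(HttpFields.java:986)
"""

REQ = re.compile(r"^WARNING: (\S+) (\S+) HTTP/\d\.\d$")
NFE = re.compile(r'^java\.lang\.NumberFormatException: For input string: "([^"]*)"')


def classify(value):
    """Say why Integer.parseInt would reject (or accept) this string."""
    if not re.fullmatch(r"-?\d+", value):
        return "not-numeric"
    return "in-range" if INT_MIN <= int(value) <= INT_MAX else "exceeds-int32"


def triage(log_text):
    """Return (method, path, rejected_value, verdict) for each logged exception."""
    findings, request = [], None
    for line in log_text.splitlines():
        m = REQ.match(line)
        if m:
            request = m.groups()  # remember which request the exception belongs to
            continue
        m = NFE.match(line.strip())
        if m and request:
            findings.append((*request, m.group(1), classify(m.group(1))))
            request = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A verdict of exceeds-int32 means the value is a well-formed number that simply does not fit a 32-bit int, so the place to look is the integer-valued header field the console reads via HttpFields.getIntField on the PUT from mlogc.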