Re: [mod-security-users] mod_security skipping all rules
From: mfu (sf) <mf...@us...> - 2012-09-10 20:45:01
Breno, thanks for the answer. My colleague got rid of the tarball, hence no possibility to check the md5. We downloaded a fresh tar.gz and recompiled, and now everything is fine. I guess we were using a bad version. Thanks a lot for the help.

Cheers,
Mfu

------------------------

Hello mfu,

Before announcing the 2.6.7 I noticed this issue in the tarball on sourceforge, then I updated it. When did you download it? Can you check the md5 of your tarball and the one in sourceforge?

Thanks

On Mon, Sep 10, 2012 at 7:50 AM, mfu (sf) <mfu@...> wrote:
> Dear all,
>
> I am setting up a new installation of mod_security (2.6.7) under Apache/2.2.22.
>
> My problem is that I cannot seem to convince mod_security to apply any rules. Engine is on, rules are read, audit & debug are filled, but every rule is skipped.
>
> Below is a sample of my debug.log, all rules are "skipped" and I cannot find any indication as to why.
>
> The rules that I try to match are (for debugging purposes):
>
> SecRule REQUEST_URI "@rx toto" "phase:1,t:none,log,deny,status:500"
> SecRule &ARGS "@eq 0" "phase:1,t:none,log,deny,status:500"
> SecRule REQUEST_HEADERS:User-Agent "mfu" "phase:1,t:none,log,deny,msg:'Tests MFU detected'"
>
> There are three rules before that are from the recommendation in the manual.
> There are a few rules after that are also for debugging and are also skipped.
>
> Could anyone kindly point me to where the problem might be.
>
> Best regards,
>
> mfu.
>
>
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Initialising transaction (txid UE3fS8CoECUAADkiCsMAAAkn).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transaction context created (dcfg 81827d0).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] First phase starting (dcfg 81827d0).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase REQUEST_HEADERS.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists of 10 rule(s).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 81422b0; [file "/apache/conf/itconf/mod_security.conf"] [line "138"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 81422b0: SecRule "REQUEST_URI" "@rx toto" "phase:1,auditlog,status:500,t:none,log,deny"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 2 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "rx" with param "toto" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8142960; [file "/apache/conf/itconf/mod_security.conf"] [line "139"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8142960: SecRule "&ARGS" "@eq 0" "phase:1,auditlog,status:500,t:none,log,deny"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "eq" with param "0" against &ARGS skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8142fb0; [file "/apache/conf/itconf/mod_security.conf"] [line "140"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8142fb0: SecRule "REQUEST_HEADERS:User-Agent" "@rx mfu" "phase:1,auditlog,status:501,t:none,log,deny,msg:'Tests MFU detected'"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "rx" with param "mfu" against REQUEST_HEADERS:User-Agent skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8145888; [file "/apache/conf/itconf/mod_security_rules/00_test.conf"] [line "1"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8145888: SecRule "REQUEST_URI" "@rx ^/toto.html$" "phase:1,log,auditlog,deny,status:501"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "rx" with param "^/toto.html$" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8145e38; [file "/apache/conf/itconf/mod_security_rules/10_whitelisted.conf"] [line "7"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8145e38: SecRule "REQUEST_URI" "@rx ^/$" "phase:1,log,auditlog,allow"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 0 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "rx" with param "^/$" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8146318; [file "/apache/conf/itconf/mod_security_rules/10_whitelisted.conf"] [line "8"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8146318: SecRule "&ARGS" "@eq 0" "phase:1,log,auditlog,chain,allow"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "eq" with param "0" against &ARGS skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, chained -> mode NEXT_CHAIN.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8146d58; [file "/apache/conf/itconf/mod_security_rules/10_whitelisted.conf"] [line "10"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8146d58: SecRule "REQUEST_URI" "@rx ^/WebGoat/attack" "phase:1,log,auditlog,chain,allow"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 0 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "rx" with param "^/WebGoat/attack" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, chained -> mode NEXT_CHAIN.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 81476d0; [file "/apache/conf/itconf/mod_security_rules/99_deny_all.conf"] [line "4"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 81476d0: SecRule "REQUEST_URI" "@rx /" "phase:1,log,auditlog,deny,status:503"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 0 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "rx" with param "/" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Second phase starting (dcfg 81827d0).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Input filter: This request does not have a body.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase REQUEST_BODY.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists of 2 rule(s).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 813d148; [file "/apache/conf/itconf/mod_security.conf"] [line "114"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 813d148: SecRule "REQBODY_PROCESSOR_ERROR" "!@eq 0" "phase:2,auditlog,status:501,t:none,log,block,msg:'Failed to parse request body: %{REQBODY_PROCESSOR_ERROR_MSG}'"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "!eq" with param "0" against REQBODY_PROCESSOR_ERROR skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 813ff50; [file "/apache/conf/itconf/mod_security.conf"] [line "133"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 813ff50: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,status:501,t:none,log,block,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IF %{MULTIPART_INVALID_HEADER_FOLDING}, FE %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR skipped.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Hook insert_filter: Adding output filter (r 84226e8).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] Output filter: Receiving output (f 8424108, r 84226e8).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase RESPONSE_HEADERS.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists of 0 rule(s).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] Content Injection: Not enabled.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] Output filter: Bucket type MMAP contains 40 bytes.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] Output filter: Bucket type EOS contains 0 bytes.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Output filter: Completed receiving response body (buffered full - 40 bytes).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase RESPONSE_BODY.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists of 0 rule(s).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Output filter: Output forwarding complete.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Initialising logging.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase LOGGING.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists of 1 rule(s).
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking rule 8141a30; [file "/apache/conf/itconf/mod_security.conf"] [line "136"].
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8141a30: SecRule "TX:MSC_PCRE_LIMITS_EXCEEDED" "@eq 1" "phase:5,auditlog,status:501,t:none,log,pass,msg:'PCRE limits exceeded'"
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recording persistent data took 0 microseconds.
> [10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html][4] Audit log: Logging this transaction.
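The tell-tale in the debug.log quoted above is that every rule is invoked, yet every operator line ends in "skipped" and every rule returns 0, across all phases and all rule files; mfu eventually traced it to a bad tarball rather than to the rules. The Python below is an added example, not code from this thread or from the ModSecurity project: it parses ModSecurity 2.x debug-log lines in the format shown above, groups operator executions per transaction, and flags any transaction in which no operator was evaluated at all, which separates "my rule does not match" from "the engine is not running my rules". The first sample is trimmed from the quoted log; the second, "healthy" sample is constructed by hand and is an assumption about what a working build logs (an operator line without "skipped", then a non-zero "Rule returned").

```python
"""Flag ModSecurity 2.x transactions whose rule operators were all "skipped".

Added example; not code from the thread or from the ModSecurity project.
The line format is taken from the debug.log quoted in the thread; the
"healthy" sample is constructed by hand and assumed to match a working build.
"""
import re
from collections import defaultdict

# One debug.log line: [timestamp] [host/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>[0-9a-f]+)\]'
    r'\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$')
PHASE_RE = re.compile(r'^Starting phase (?P<phase>[A-Z_]+)\.$')
INVOKE_RE = re.compile(r'^Recipe: Invoking rule (?P<rule>[0-9a-f]+); '
                       r'\[file "(?P<file>[^"]+)"\] \[line "(?P<line>\d+)"\]\.$')
# "against TARGET." when the operator runs, "against TARGET skipped." in the thread
OPERATOR_RE = re.compile(r'^Executing operator "(?P<op>[^"]+)" with param '
                         r'"(?P<param>[^"]*)" against (?P<target>.+?)(?P<skipped> skipped)?\.$')
RESULT_RE = re.compile(r'^Rule returned (?P<rc>\d+)\.$')


def parse_transactions(log_text):
    """Group operator executions by transaction (rid).

    Returns {rid: {"uri": str, "rules": [record, ...]}}; each record carries
    phase, rule, file, line, operator, param, target, skipped and rc.
    """
    txns = defaultdict(lambda: {"uri": None, "rules": []})
    phase, current = {}, {}          # per-rid: current phase / rule being invoked
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                 # blank or non-debug line
        rid, msg = m["rid"], m["msg"]
        txns[rid]["uri"] = m["uri"]
        if (p := PHASE_RE.match(msg)):
            phase[rid] = p["phase"]
        elif (i := INVOKE_RE.match(msg)):
            current[rid] = {"phase": phase.get(rid), "rule": i["rule"],
                            "file": i["file"], "line": int(i["line"])}
        elif (o := OPERATOR_RE.match(msg)) and rid in current:
            txns[rid]["rules"].append(dict(
                current[rid], operator=o["op"], param=o["param"],
                target=o["target"], skipped=o["skipped"] is not None, rc=None))
        elif (r := RESULT_RE.match(msg)):
            rules = txns[rid]["rules"]
            # Attach the return code only to the rule that logged an operator
            # line; the phase-5 rule in the thread logs none.
            if rules and rid in current and rules[-1]["rule"] == current[rid]["rule"]:
                rules[-1]["rc"] = int(r["rc"])
    return dict(txns)


def skipped_summary(log_text):
    """Per transaction: how many operators were logged and how many were skipped."""
    out = {}
    for rid, t in parse_transactions(log_text).items():
        total = len(t["rules"])
        skipped = sum(1 for rec in t["rules"] if rec["skipped"])
        out[rid] = {"uri": t["uri"], "total": total, "skipped": skipped,
                    "all_skipped": total > 0 and skipped == total}
    return out


def diagnose(log_text):
    """One message per transaction in which no operator was evaluated at all."""
    return [f'rid#{rid} {s["uri"]}: all {s["total"]} operators skipped; rules load '
            'but are never evaluated, so suspect the build, not the rule syntax'
            for rid, s in skipped_summary(log_text).items() if s["all_skipped"]]


PREFIX = '[10/Sep/2012:14:38:35 +0200] [testhost/sid#810f598][rid#84226e8][/toto.html]'
CONF = '[file "/apache/conf/itconf/mod_security.conf"]'

# Constructed sample 1: trimmed from the debug.log quoted in the thread.
SAMPLE_ALL_SKIPPED = "\n".join([
    PREFIX + '[4] Starting phase REQUEST_HEADERS.',
    PREFIX + '[4] Recipe: Invoking rule 81422b0; ' + CONF + ' [line "138"].',
    PREFIX + '[4] Executing operator "rx" with param "toto" against REQUEST_URI skipped.',
    PREFIX + '[4] Rule returned 0.',
    PREFIX + '[4] Recipe: Invoking rule 8142960; ' + CONF + ' [line "139"].',
    PREFIX + '[4] Executing operator "eq" with param "0" against &ARGS skipped.',
    PREFIX + '[4] Rule returned 0.',
    PREFIX + '[4] Recipe: Invoking rule 8142fb0; ' + CONF + ' [line "140"].',
    PREFIX + '[4] Executing operator "rx" with param "mfu" against REQUEST_HEADERS:User-Agent skipped.',
    PREFIX + '[4] Rule returned 0.',
    PREFIX + '[4] Starting phase LOGGING.',
    PREFIX + '[4] Recipe: Invoking rule 8141a30; ' + CONF + ' [line "136"].',
    PREFIX + '[4] Rule returned 0.',        # no operator line, as in the thread
])

# Constructed sample 2 (hand-written, assumed): the first rule on a working
# build, where the operator actually runs and matches.
SAMPLE_HEALTHY = "\n".join([
    PREFIX + '[4] Starting phase REQUEST_HEADERS.',
    PREFIX + '[4] Recipe: Invoking rule 81422b0; ' + CONF + ' [line "138"].',
    PREFIX + '[4] Executing operator "rx" with param "toto" against REQUEST_URI.',
    PREFIX + '[9] Target value: "/toto.html"',
    PREFIX + '[4] Operator completed in 5 usec.',
    PREFIX + '[4] Rule returned 1.',
])

if __name__ == "__main__":
    for name, sample in (("thread log", SAMPLE_ALL_SKIPPED), ("healthy log", SAMPLE_HEALTHY)):
        print(name, skipped_summary(sample), diagnose(sample))
```

Run it against a real debug.log at SecDebugLogLevel 4 or higher (`diagnose(open("debug.log").read())`): a transaction where some operators run and some are skipped points at rule or target configuration, while one where every operator is skipped, as in the thread, points at the module build itself and is the case where comparing the tarball checksum against the published one is the right next step.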