Re: [mod-security-users] mod_security skipping all rules
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] mod_security skipping all rules
|
From: mfu (sf) <mf...@us...> - 2012-09-10 20:45:01
|
Breno,
thanks for the answer, my colleage got rid of the tar ball hence no
possibilities to check the md5.
We downloaded a fresh tar.gz and recompiled and now everything is
fine. I guess we were using a bad version.
Thanks a lot for the help.
Cheers,
Mfu
------------------------
Hello mfu,
Before announce the 2.6.7 i noticed this issue in the tarball in the
sourceforge, then i updated it.
When did u download it ?
Can you check the md5 of your tarball and the one in sourceforge ?
Thanks
On Mon, Sep 10, 2012 at 7:50 AM, mfu (sf) <mfu@...> wrote:
> Dear all,
>
> I am setting up a new installation of mod_security (2.6.7) under Apache/2.2.22.
>
> My problem is that I cannot seems to convince mod_security to apply
> any rules. Engine is on, rules are read, audit & debug are filled, but
> every rule is skipped.
>
> Below is a sample of my debug.log, all rules are "skipped" and I
> cannot find any indication as to why ?
>
> The rules that I try to match are (for debugging purpose):
>
> SecRule REQUEST_URI "@rx toto" "phase:1,t:none,log,deny,status:500"
> SecRule &ARGS "@eq 0" "phase:1,t:none,log,deny,status:500"
> SecRule REQUEST_HEADERS:User-Agent "mfu"
> "phase:1,t:none,log,deny,msg:'Tests MFU detected'"
>
> There are three rules before that are from the recommendation in the manual.
> There are a few rules after that are also for debugging and are also skipped.
>
> Could anyone kindly point me to where might be the problem.
>
> Best regards,
>
> mfu.
>
>
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Initialising
> transaction (txid UE3fS8CoECUAADkiCsMAAAkn).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transaction context
> created (dcfg 81827d0).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] First phase
> starting (dcfg 81827d0).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase
> REQUEST_HEADERS.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists
> of 10 rule(s).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 81422b0; [file "/apache/conf/itconf/mod_security.conf"] [line
> "138"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 81422b0:
> SecRule "REQUEST_URI" "@rx toto"
> "phase:1,auditlog,status:500,t:none,log,deny"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 2 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "rx" with param "toto" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8142960; [file "/apache/conf/itconf/mod_security.conf"] [line
> "139"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8142960:
> SecRule "&ARGS" "@eq 0" "phase:1,auditlog,status:500,t:none,log,deny"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "eq" with param "0" against &ARGS skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8142fb0; [file "/apache/conf/itconf/mod_security.conf"] [line
> "140"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8142fb0:
> SecRule "REQUEST_HEADERS:User-Agent" "@rx mfu"
> "phase:1,auditlog,status:501,t:none,log,deny,msg:'Tests MFU detected'"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "rx" with param "mfu" against REQUEST_HEADERS:User-Agent skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8145888; [file
> "/apache/conf/itconf/mod_security_rules/00_test.conf"] [line "1"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8145888:
> SecRule "REQUEST_URI" "@rx ^/toto.html$"
> "phase:1,log,auditlog,deny,status:501"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "rx" with param "^/toto.html$" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8145e38; [file
> "/apache/conf/itconf/mod_security_rules/10_whitelisted.conf"] [line
> "7"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8145e38:
> SecRule "REQUEST_URI" "@rx ^/$" "phase:1,log,auditlog,allow"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 0 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "rx" with param "^/$" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8146318; [file
> "/apache/conf/itconf/mod_security_rules/10_whitelisted.conf"] [line
> "8"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8146318:
> SecRule "&ARGS" "@eq 0" "phase:1,log,auditlog,chain,allow"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "eq" with param "0" against &ARGS skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, chained
> -> mode NEXT_CHAIN.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8146d58; [file
> "/apache/conf/itconf/mod_security_rules/10_whitelisted.conf"] [line
> "10"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8146d58:
> SecRule "REQUEST_URI" "@rx ^/WebGoat/attack"
> "phase:1,log,auditlog,chain,allow"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 0 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "rx" with param "^/WebGoat/attack" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, chained
> -> mode NEXT_CHAIN.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 81476d0; [file
> "/apache/conf/itconf/mod_security_rules/99_deny_all.conf"] [line "4"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 81476d0:
> SecRule "REQUEST_URI" "@rx /" "phase:1,log,auditlog,deny,status:503"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 0 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "rx" with param "/" against REQUEST_URI skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Second phase
> starting (dcfg 81827d0).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Input filter: This
> request does not have a body.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase
> REQUEST_BODY.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists
> of 2 rule(s).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 813d148; [file "/apache/conf/itconf/mod_security.conf"] [line
> "114"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 813d148:
> SecRule "REQBODY_PROCESSOR_ERROR" "!@eq 0"
> "phase:2,auditlog,status:501,t:none,log,block,msg:'Failed to parse
> request body: %{REQBODY_PROCESSOR_ERROR_MSG}'"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "!eq" with param "0" against REQBODY_PROCESSOR_ERROR skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 813ff50; [file "/apache/conf/itconf/mod_security.conf"] [line
> "133"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 813ff50:
> SecRule "MULTIPART_STRICT_ERROR" "!@eq 0"
> "phase:2,auditlog,status:501,t:none,log,block,msg:'Multipart request
> body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ
> %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB
> %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF
> %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM
> %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IF
> %{MULTIPART_INVALID_HEADER_FOLDING}, FE
> %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Transformation
> completed in 1 usec.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Executing operator
> "!eq" with param "0" against MULTIPART_STRICT_ERROR skipped.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Hook insert_filter:
> Adding output filter (r 84226e8).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] Output filter:
> Receiving output (f 8424108, r 84226e8).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase
> RESPONSE_HEADERS.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists
> of 0 rule(s).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] Content Injection:
> Not enabled.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] Output filter:
> Bucket type MMAP contains 40 bytes.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] Output filter:
> Bucket type EOS contains 0 bytes.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Output filter:
> Completed receiving response body (buffered full - 40 bytes).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase
> RESPONSE_BODY.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists
> of 0 rule(s).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Output filter:
> Output forwarding complete.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Initialising
> logging.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Starting phase
> LOGGING.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] This phase consists
> of 1 rule(s).
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recipe: Invoking
> rule 8141a30; [file "/apache/conf/itconf/mod_security.conf"] [line
> "136"].
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][5] Rule 8141a30:
> SecRule "TX:MSC_PCRE_LIMITS_EXCEEDED" "@eq 1"
> "phase:5,auditlog,status:501,t:none,log,pass,msg:'PCRE limits
> exceeded'"
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Rule returned 0.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][9] No match, not
> chained -> mode NEXT_RULE.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Recording
> persistent data took 0 microseconds.
> [10/Sep/2012:14:38:35 +0200]
> [testhost/sid#810f598][rid#84226e8][/toto.html][4] Audit log: Logging
> this transaction.
|