Re: [mod-security-users] not running rules in phase 1 and phase 2
From: Volkov, P. <Pav...@nu...> - 2013-03-21 15:59:46
I tried downgrading to mod_security 2.5. I have phase 1 now running before authentication. However I have another problem, first I can't get the username in phase 1 and second there is no phase 3 now for me to catch response status 401.

Thanks,
Pavel

From: Ryan Barnett [mailto:RBa...@tr...]
Sent: Wednesday, March 20, 2013 5:17 PM
To: Volkov, Pavel
Cc: mod...@li...
Subject: Re: [mod-security-users] not running rules in phase 1 and phase 2

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Configure_ModSecurity

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

From: Volkov, Pavel <Pav...@nu...>
Date: Wednesday, March 20, 2013 5:13 PM
To: Ryan Barnett <rba...@tr...>
Cc: mod...@li...
Subject: RE: [mod-security-users] not running rules in phase 1 and phase 2

Do you know how to specify this flag exactly? Is there a link to a document that describes this? Thanks a lot for your help.

Pavel

From: Ryan Barnett [mailto:RBa...@tr...]
Sent: Wednesday, March 20, 2013 5:03 PM
To: Volkov, Pavel
Cc: Ryan Barnett; mod...@li...
Subject: Re: [mod-security-users] not running rules in phase 1 and phase 2

I would recommend upgrading vs downgrading as we have fixed many bugs.

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Mar 20, 2013, at 4:54 PM, "Volkov, Pavel" <Pav...@nu...> wrote:

Ryan,

Thanks a lot for your response. Do you think if I downgrade to mod_security 2.5 it will work, or is my only option to get the 2.7 sources and recompile?

Thanks,
Pavel

From: Ryan Barnett [mailto:RBa...@tr...]
Sent: Wednesday, March 20, 2013 4:29 PM
To: Volkov, Pavel; mod...@li...
Subject: Re: [mod-security-users] not running rules in phase 1 and phase 2

In ModSecurity 2.6 phase 1 was moved from Apache post-read-request hook to the fixup hook which is where phase 2 lives. This was causing users problems when trying to run ModSecurity rules nested inside Apache scope locations (<Location> or <Directory>). While this helps to fix that problem, you are running into a consequence - which is that the fixup phase happens after the authentication modules in Apache.

In ModSecurity 2.7, you have the ability to control at compile time where you want phase 1 to live - post-read-request or fixup phase - with the --enable-early-request flag. With this in place, ModSecurity would properly register the request with mod_uniqueid in phase:1 and then you should be able to inspect WEBSERVER_ERROR_LOG variable in phase:5 logging to identify if the client has failed basic auth.

-Ryan

From: "Volkov, Pavel" <Pav...@nu...>
Date: Wednesday, March 20, 2013 4:20 PM
To: mod...@li...
Subject: [mod-security-users] not running rules in phase 1 and phase 2

Hi,

I have Basic Authentication set up for Apache. I am trying to configure rules to block a user after 3 consecutive unsuccessful logins. The problem for me is that rules are not executed in phase 1 and 2 unless authentication succeeds. It looks like the request is being handled by Apache before it gets to mod_security. I am using Apache 2.2.3 on CentOS 5.4, mod_security version is 2.6.8. In the debug log I don't see any sign of why phase 1 and 2 are skipped.

[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html][4] Initialising transaction (txid -m-PDH8AAAEAAB33iMYAAAAA).
[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html][4] Transaction context created (dcfg 8900888).
[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html][4] Hook insert_error_filter: Adding output filter (r 89874a8).
[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html][9] Output filter: Receiving output (f 8989398, r 89874a8).
[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html][4] Starting phase RESPONSE_HEADERS.
[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html][9] This phase consists of 7 rule(s).

Does anyone have any ideas?

Thanks,
Pavel

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
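Added example (not part of the original thread and not ModSecurity project code): a small checker that groups debug log lines by request id and reports transactions in which the request phases never started, which is the symptom visible in the excerpt above. The line layout and the "Starting phase ..." wording are taken from that excerpt; the function names and the rid#aaaa0001 lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Debug log line layout as shown in the thread's excerpt:
# [timestamp] [client/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<client>[^/\]]+)/sid#[0-9a-f]+\]"
    r"\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
PHASE_RE = re.compile(r"Starting phase ([A-Z_]+)\.")
REQUEST_PHASES = ("REQUEST_HEADERS", "REQUEST_BODY")  # phase 1 and phase 2


def phases_by_transaction(lines):
    """Map each request id (rid) to its URI and the phases that started."""
    seen = defaultdict(lambda: {"uri": None, "phases": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a debug log record
        tx = seen[m["rid"]]
        tx["uri"] = m["uri"]
        phase = PHASE_RE.search(m["msg"])
        if phase and phase.group(1) not in tx["phases"]:
            tx["phases"].append(phase.group(1))
    return dict(seen)


def skipped_request_phases(lines):
    """Return {rid: [missing request phases]} for affected transactions."""
    report = {}
    for rid, tx in phases_by_transaction(lines).items():
        missing = [p for p in REQUEST_PHASES if p not in tx["phases"]]
        if missing:
            report[rid] = missing
    return report


# PAGE lines come from the excerpt in the thread; MADE lines are constructed
# to show a transaction whose request phases did run.
PAGE = "[20/Mar/2013:10:25:29 --0400] [10.1.82.164/sid#8977c10][rid#89874a8][/escription/mypage.html]"
MADE = "[20/Mar/2013:10:25:31 --0400] [10.1.82.164/sid#8977c10][rid#aaaa0001][/escription/mypage.html]"
SAMPLE = [
    PAGE + "[4] Initialising transaction (txid -m-PDH8AAAEAAB33iMYAAAAA).",
    PAGE + "[4] Starting phase RESPONSE_HEADERS.",
    PAGE + "[9] This phase consists of 7 rule(s).",
    MADE + "[4] Starting phase REQUEST_HEADERS.",
    MADE + "[4] Starting phase REQUEST_BODY.",
    MADE + "[4] Starting phase RESPONSE_HEADERS.",
]

if __name__ == "__main__":
    for rid, missing in skipped_request_phases(SAMPLE).items():
        print(f"rid#{rid}: request phases never started: {', '.join(missing)}")
```

Run against a full debug log, any rid it reports is a request that was answered before ModSecurity's request-phase rules were evaluated.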