[mod-security-users] Problem with global mutex
From: Matthieu M. <mat...@an...> - 2006-10-17 06:53:11
Hi,

I'm using Ubuntu Breezy with Apache 2.0.54. I've just compiled the new version of mod-security (modsecurity-apache_2.0.0). No problem for compilation. I have downloaded the modsecurity-core-rules and configured my apache2 to use them. When I test my installation using a URL of the type http://myserver/?root.exe to match a trojans rule, I find lots of errors in my audit and debug files:

--225e1c2e-H--
Message: Warning. Unknown error.
Message: Warning. Unknown error.
Message: Warning. Unknown error.
Message: Warning. Unknown error.
Message: Unknown rule processing return code: -1.
Message: Internal Error: Asked to intercept request but was_intercepted is zero
Message: Audit log: Failed to lock global mutex: Permission denied
Apache-Handler: proxy-server
Stopwatch: 1160998893037413 204720 (5050 6935 -)
Producer: ModSecurity v2.0.0 (Apache 2.x)
Server: Apache/2.0.54 (Ubuntu) proxy_html/2.4 mod_ssl/2.0.54 OpenSSL/0.9.7g

What can I do? Do you need some more information?

Thanks for your response.

**************************************
* Updates :                          *
**************************************

--------------
First response from Ivan:

I did address some of the problems from your email in the just-released ModSecurity for Apache 2.0.1. After the upgrade you will find there are a few signatures in the core rules. Just comment them for the time being. Ofer will fix them later and make a new release. I have also fixed some of the warning messages.

I haven't fixed the mutex problem though. Not yet. If you are just testing ModSecurity 2 on a development server the mutex issue is not going to represent a problem. For production use, switching to "Concurrent" style of audit logging will avoid the problem (it does not use a mutex).
----------------

So I have just installed the new version 2.0.1 and the message changed:

--0da2090e-H--
Message: Warning. Match of "rx ^$" against "REQUEST_HEADERS:Host" required.
Message: Warning. Match of "rx ^$" against "REQUEST_HEADERS:User-Agent" required.
Message: Warning. Match of "rx ^$" against "REQUEST_HEADERS:Accept" required.
Message: Warning. Match of "rx \\.(?:c(?:onf(?:ig)?|fg|sr)|ba(?:ckup|k)|d(?:bf?|at)|p(?:ass|wd)|\\w{,5}~|in[ci]|key|log|mdb|old|sql)$" against "REQUEST_BASENAME" required.
Message: Audit log: Failed to lock global mutex: Permission denied
Apache-Handler: proxy-server
Stopwatch: 1161066895256167 29049 (4328 26428 -)
Producer: ModSecurity v2.0.0 (Apache 2.x)
Server: Apache/2.0.54 (Ubuntu) proxy_html/2.4 mod_ssl/2.0.54 OpenSSL/0.9.7g

I changed the style of audit logging to Concurrent, but now I have this problem in the debug file:

Audit log: Skipping request since there is nowhere to write to.

The Apache user can write to this directory:

su - www-data -c "touch /var/log/apache2/modsec_audit/test"

is working well.

My second problem is that I think modsecurity does not do what I want. In modsecurity_crs_45_trojans.conf, I changed SecDefaultAction to "log,deny,status:501,phase:4". When I point to http://myserver/?root.exe I supposed I would have an error page, but I have the original page without error.

Thanks for help.

--
Matthieu MARC
mat...@an...
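Added example, not from the thread or from the ModSecurity project: a minimal Apache configuration for the "Concurrent" audit log style Ivan recommends, shown next to the Serial style it replaces. It assumes (my assumption, not confirmed for this setup) that the "nowhere to write to" message is what ModSecurity 2.x logs when SecAuditLogType is Concurrent but no SecAuditLogStorageDir is set; the paths are placeholders taken from the poster's touch test.

```apache
# Added example (not from the thread). Assumption: in Concurrent mode
# ModSecurity 2.x writes one file per transaction under
# SecAuditLogStorageDir, and SecAuditLog becomes only an index of them;
# with no storage directory configured there is nowhere to write to.

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCFHZ

# Serial style: every transaction is appended to one file, and the writes
# are serialised with the global mutex that failed to lock above
# ("Permission denied"). Shown commented out; not used in this example.
# SecAuditLogType Serial
# SecAuditLog /var/log/apache2/modsec_audit.log

# Concurrent style: no mutex. SecAuditLog is now the index file and each
# transaction gets its own file under the storage directory.
SecAuditLogType Concurrent
SecAuditLog /var/log/apache2/modsec_audit.log

# Placeholder path from the poster's "touch" test. It must exist and be
# writable by the Apache user (www-data here); leaving this directive out
# is the assumed cause of "Skipping request since there is nowhere to
# write to".
SecAuditLogStorageDir /var/log/apache2/modsec_audit
```

This only addresses the audit-log question; it says nothing about why the SecDefaultAction change in modsecurity_crs_45_trojans.conf did not block the test request.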