[mod-security-users] Problem with global mutex
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] Problem with global mutex
|
From: Matthieu M. <mat...@an...> - 2006-10-17 06:53:11
|
Hi,
I'm using ubuntu breezy with apache 2.0.54. I've just compiled the new
version of mod-security (modsecurity-apahce_2.0.0). No problem for
compilation.
I have download the modsecurity-core-rules and configured my apache2 to
used it.
When I test my installation using an URL of type
http://myserver/?root.exe to match a trojans rule, I found lots of
errors in my audit and debug file :
--225e1c2e-H--
Message: Warning. Unknown error.
Message: Warning. Unknown error.
Message: Warning. Unknown error.
Message: Warning. Unknown error.
Message: Unknown rule processing return code: -1.
Message: Internal Error: Asked to intercept request but was_intercepted
is zero
Message: Audit log: Failed to lock global mutex: Permission denied
Apache-Handler: proxy-server
Stopwatch: 1160998893037413 204720 (5050 6935 -)
Producer: ModSecurity v2.0.0 (Apache 2.x)
Server: Apache/2.0.54 (Ubuntu) proxy_html/2.4 mod_ssl/2.0.54 OpenSSL/0.9.7g
What can I do ? do you need some more information ?
Thanks for response.
**************************************
* Updates : *
**************************************
--------------
First response from Ivan :
I did address some of the problems from your email in the
just-released ModSecurity for Apache 2.0.1.
After the upgrade you will find there are a few signatures in the
core rules. Just comment them for the time being. Ofer will fix
them later and make a new release.
I have also fixed some of the warning messages.
I haven't fixed the mutex problem though. Not yet. If you are just
testing ModSecurity 2 on a development server the mutex issue is
not going to represent a problem. For production use, switching
to "Concurrent" style of audit logging will avoid the problem (it
does not use a mutex).
----------------
So I have just installed the new version 2.0.1 and the message changed :
--0da2090e-H--
Message: Warning. Match of "rx ^$" against "REQUEST_HEADERS:Host" required.
Message: Warning. Match of "rx ^$" against "REQUEST_HEADERS:User-Agent"
required.
Message: Warning. Match of "rx ^$" against "REQUEST_HEADERS:Accept"
required.
Message: Warning. Match of "rx
\\.(?:c(?:onf(?:ig)?|fg|sr)|ba(?:ckup|k)|d(?:bf?|at)|p(?:ass|wd)|\\w{,5}~|in[ci]|key|lo
g|mdb|old|sql)$" against "REQUEST_BASENAME" required.
Message: Audit log: Failed to lock global mutex: Permission denied
Apache-Handler: proxy-server
Stopwatch: 1161066895256167 29049 (4328 26428 -)
Producer: ModSecurity v2.0.0 (Apache 2.x)
Server: Apache/2.0.54 (Ubuntu) proxy_html/2.4 mod_ssl/2.0.54 OpenSSL/0.9.7g
I changed style of audit logging to Concurrent but now I have this
problem in debug file :
Audit log: Skipping request since there is nowhere to write to.
Apache user can write to this directory :
su - www-data -c "touch /var/log/apache2/modsec_audit/test" is working well.
My second problem is that I think modsecurity does not do what I want.
In modsecurity_crs_45_trojans.conf, I change SecDefaultAction to
"log,deny,status:501,phase:4"
When I point to http://myserver/?root.exe I supposed I will have an
error page, but I have the original page without error.
Thanks for help.
--
Matthieu MARC
mat...@an...
|