Re: [mod-security-users] mod-security-users Digest, Vol 6, Issue 22
From: Dan R. <sp...@el...> - 2006-11-22 04:37:11
Sorry, I've just tried to use the ports install on the FreeBSD dev system; it had the module commented out. I uncommented it and attempted a restart:

Syntax error on line 279 of /usr/local/etc/apache2/httpd.conf:
Can't locate API module structure `security_module' in file /usr/local/libexec/apache2/mod_security.so: Undefined symbol "security_module"

LoadModule security_module libexec/apache2/mod_security.so

Ivan Ristic wrote:
> On 11/21/06, Dan Rossi <sp...@el...> wrote:
>>
>> > I am not sure what problem you are describing. Can you be more
>> > specific please?
>>
>> Ok, a rule for a cookie data check that had a log,pass action was causing a
>> 500 status from the default action deny,log,status:500 etc. I was also
>> getting a default status of 403 when I set the default action to
>> "auditlog,pass" so I can see what URLs should be getting through but are
>> tripping the audit log, so still allow the traffic until I tweak
>> everything.
>
> To me sounds like the situation I explained in one of my previous
> emails. In ModSecurity 1.9.x (not so in 2.x) there is a number of
> checks that are enabled with configuration, not with rules. If any of
> those checks are triggered access will be forbidden. The default
> action list only affects rules. If you don't like this you need to
> relax the checks in configuration.
>
>> > You can implement that via an external script using the exec action.
>> > In general it's not a very good idea unless you implement throttling
>> > too, i.e. have a mechanism that will prevent uncontrolled sending of
>> > thousands of emails.
>> >
>>
>> I could look at some kind of "buffered smtp appender". What I was asking
>> specifically is how we are able to send the message as an argument to a perl
>> script, i.e. "deny,log,status:500,send:alert.pl themessagevarhere". I only
>> really need this for the start, as it seems I'm getting a lot of
>> erroneous audits which should be letting traffic through, so I need to be
>> aware of it so take action and tweak things.
>
> All the information should be in the environment variables. Just print
> all of them and you'll see what I mean.
>
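
Added example, not part of the thread and not ModSecurity's own code: a shell hook of the kind the exec action could start, which logs every environment variable it receives and throttles mail to one message per time window. The state directory, recipient, window length and the file name `alert-hook.sh` are assumptions.

```shell
#!/bin/sh
# Added example: alert hook intended to be started by the exec action.
# Assumptions: state directory, recipient, window and installed file name.
STATE_DIR="${ALERT_STATE_DIR:-/var/db/modsec-alert}"  # writable only by the web server user
WINDOW="${ALERT_WINDOW:-300}"                          # minimum seconds between two mails
ALERT_TO="${ALERT_TO:-root}"
umask 077                                              # the log may contain cookies

# Append the complete environment to a log so the variables the script
# receives can be inspected ("just print all of them").
dump_env() {
    mkdir -p "$STATE_DIR" || return 1
    {
        printf '=== %s ===\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        env | sort
    } >> "$STATE_DIR/env.log"
}

# Return 0 if a mail may be sent now, 1 if one went out inside the window.
# $1 = current epoch seconds (defaults to the clock).
alert_allowed() {
    now="${1:-$(date +%s)}"
    mkdir -p "$STATE_DIR" || return 1
    # mkdir is atomic, so concurrent Apache children cannot both pass here.
    mkdir "$STATE_DIR/lock" 2>/dev/null || return 1
    last=0
    [ -r "$STATE_DIR/last_alert" ] && last="$(cat "$STATE_DIR/last_alert")"
    case "$last" in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt stamp
    rc=1
    if [ $((now - last)) -ge "$WINDOW" ]; then
        printf '%s\n' "$now" > "$STATE_DIR/last_alert"
        rc=0
    else
        printf '%s\n' "$now" >> "$STATE_DIR/suppressed"   # one line per dropped alert
    fi
    rmdir "$STATE_DIR/lock"
    return "$rc"
}

handle_alert() {
    dump_env || return 1
    if alert_allowed; then
        env | sort | mail -s "ModSecurity alert" "$ALERT_TO"
    fi
}

# Run only when invoked under the installed name (hypothetical: alert-hook.sh).
case "$0" in
    *alert-hook.sh) handle_alert ;;
esac
```

If the script is killed between taking and releasing the lock, the `lock` directory stays behind and suppresses all further mail until it is removed; every invocation is still recorded in `env.log`.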