Re: [mod-security-users] Unable to filter response body.[even using lowercase pattern]
From: Ivan R. <iva...@gm...> - 2007-02-13 14:05:16
On 2/11/07, maximo decimo <max...@gm...> wrote:
> I am not sure if this was answered. Apologies if it was.
> I've repeated all tests and I still can't work it out, check out my config ->
> Just one rule, set up to be checked at 4th phase, pattern in lowercase and
> it doesn't seem to be registered when mod_security processes response.

As Ryan mentioned, there is an issue with phases 3 and 4 when Apache
decides to handle the request without invoking any of the handlers. In
your example below the logs point to a non-existent file. If you try it
with a script it should work fine. I have mod_fcgid running and have
experienced no issues.

> Apache 2.2.3 + Suexec + mod_fcgid + php (external cgi) + mod_security2
>
> modsec.conf
>
> SecRuleEngine On
> SecRequestBodyAccess On
> SecResponseBodyAccess On
> SecResponseBodyMimeType text/html text/plain text/xml
> SecResponseBodyLimit 524288
> SecAuditEngine On
> SecAuditLogType Serial
> SecAuditLog log/www.example.com_audit.log
> SecAuditLogParts "ABIFHZ"
> SecCookieFormat 0
> SecRequestBodyInMemoryLimit 131072
> SecDebugLog log/www.example.com_debug.log
> SecDebugLogLevel 9
> SecRule RESPONSE_BODY "not found" "log,phase:4,auditlog,deny"
> -------------------------------------------------------------------------------
> www.example.com_debug.log
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Initialising transaction (txid PgDt438AAAEAAAM@MDIAAACA).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][5] Adding request cookie: name "77013700cdca618686eae9b6276ad536", value "7520d7829d5cfe4fa14f9a950b6e1142"
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Transaction context created (dcfg 74eb98).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Starting phase REQUEST_HEADERS.
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][9] This phase consists of 0 rule(s).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Second phase starting (dcfg 74eb98).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Input filter: This request does not have a body.
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Time #1: 1171212852064783
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Starting phase REQUEST_BODY.
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][9] This phase consists of 0 rule(s).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Time #2: 1171212852064830
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Hook insert_filter: Adding output filter (r 7b2308).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Initialising logging.
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Starting phase LOGGING.
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][9] This phase consists of 0 rule(s).
> [11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Audit log: Logging this transaction
>
> -------------------------------------------------------------------------------------------------------------------------
> www.example.com_audit.log
> --143f433d-A--
> [11/Feb/2007:10:54:12 --0600] PgDt438AAAEAAAM@MDIAAACA WWW.ZZZ.YYY.XXX 46339 XXX.YYY.ZZZ.WWW 80
> --143f433d-B--
> GET /sdfasdfdsafs.jpg HTTP/1.1
> Host: www.example.com
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.0.7) Gecko/20060830 Firefox/1.5.0.7
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us;q=0.7,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: UTF-8,*
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: 77013700cdca618686eae9b6276ad536=7520d7829d5cfe4fa14f9a950b6e1142
>
> --143f433d-F--
> HTTP/1.1 404 Not Found
> Cache-Control: public, proxy-revalidate
> Content-Length: 292
> Keep-Alive: timeout=8, max=30
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --143f433d-H--
> Apache-Error: [file "/build/buildd/apache2-2.2.3/server/core.c"] [line 3612] [level 3] File does not exist: /var/www/www.example.com/sdfasdfdsafs.jpg
> Stopwatch: 0 1171212852065533 (1171212852064783 1171212852064830 -)
> Producer: ModSecurity v2.1.0-rc7 (Apache 2.x)
> Server: Apache/2.2.3
>
> --143f433d-Z--
>
>
> --------------------------------------------------------------------------------
> vhost
>
> <VirtualHost *:80>
> ServerName www.example.com
> DocumentRoot /var/www/www.example.com/
> ErrorLog log/www.example.com_error.log
> CustomLog log/www.example.com_access.log combined
> SuexecUserGroup example example
> AddHandler fcgid-script .php
> DirectoryIndex index.php
>
> <IfModule mod_security2.c>
> Include conf/www.example.com/modsec.conf
> </IfModule>
>
> <Directory "/var/www/www.example.com/">
> AllowOverride None
> Options ExecCGI FollowSymLinks
> <IfModule mod_fcgid.c>
> FCGIWrapper /var/www/www.example.com/cgi-bin/php5.fcgi .php
> </IfModule>
> </Directory>
> </VirtualHost>
> --------------------------------------------------------------------------------
>
> 2007/2/11, maximo decimo <max...@gm...>:
> >
> > 2007/2/11, Ofer Shezaf <Of...@br...>:
> > >
> > > Please note that the "lowercase" transformation function is on by
> > > default, unless you used a SecDefaultAction directive, so you should use:
> > >
> > > SecRule RESPONSE_BODY "not found" "log,phase:4,auditlog,deny"
> > >
> > > With "not found" in lower case.
> > >
> > > ~ Ofer
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Ivan Ristic
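The diagnosis in the reply above can be confirmed from the two logs the poster quoted: the debug log records every phase that actually starts for a request, and the serial audit log records which parts were written. The following Python script is an added example, not code from the thread or from the ModSecurity project. It parses ModSecurity 2.x debug log lines in the shape quoted above (the regular expression is derived from that shape and is an assumption about the format), lists the phases started per request id, and splits a serial audit log into its lettered parts so that the response status and the presence of part E (response body) can be checked. The sample log text embedded below is constructed to mirror the poster's 404 transaction, with documentation-range addresses in place of the masked IPs.

```python
import re
from collections import OrderedDict, defaultdict

# Assumed shape of one ModSecurity 2.x debug log line, taken from the thread:
# [date] [vhost/sid#...][rid#...][uri][level] message
DEBUG_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<vhost>[^\]]+)\]\[rid#(?P<rid>[0-9a-f]+)\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d+)\] (?P<msg>.*)$'
)
PHASE_START = re.compile(r'^Starting phase (?P<phase>[A-Z_]+)\.')
# Serial audit log part boundary: --<transaction id>-<part letter>--
BOUNDARY = re.compile(r'^--(?P<tid>[0-9a-f]+)-(?P<part>[A-Z])--$')

# The five ModSecurity 2.x phases, in processing order (phase 1 .. phase 5).
PHASE_ORDER = ["REQUEST_HEADERS", "REQUEST_BODY",
               "RESPONSE_HEADERS", "RESPONSE_BODY", "LOGGING"]


def phases_per_transaction(lines):
    """Map each request id (rid#...) to the phases the debug log says were started."""
    seen = OrderedDict()
    for line in lines:
        m = DEBUG_LINE.match(line)
        if not m:
            continue  # not a debug log line; skip it
        phases = seen.setdefault(m["rid"], [])
        p = PHASE_START.match(m["msg"])
        if p:
            phases.append(p["phase"])
    return seen


def missing_response_phases(phases):
    """Phases 3 and 4 (RESPONSE_HEADERS, RESPONSE_BODY) that never started."""
    return [p for p in PHASE_ORDER[2:4] if p not in phases]


def parse_serial_audit_log(text):
    """Split a serial-format audit log into {transaction id: {part letter: body}}."""
    entries = defaultdict(OrderedDict)
    current = None
    for line in text.splitlines():
        b = BOUNDARY.match(line)
        if b:
            current = (b["tid"], b["part"])
            entries[current[0]][current[1]] = []
        elif current is not None:
            entries[current[0]][current[1]].append(line)
    return {tid: {part: "\n".join(body).strip() for part, body in parts.items()}
            for tid, parts in entries.items()}


def response_status(parts):
    """HTTP status from the first line of part F (final response headers); None if F is absent."""
    f = parts.get("F")
    if not f:
        return None
    m = re.match(r'^HTTP/\d\.\d (\d{3})', f.splitlines()[0])
    return int(m.group(1)) if m else None


# Constructed sample, modelled on the debug log quoted in the thread (abridged).
SAMPLE_DEBUG = """\
[11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Initialising transaction (txid PgDt438AAAEAAAM@MDIAAACA).
[11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Starting phase REQUEST_HEADERS.
[11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][9] This phase consists of 0 rule(s).
[11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Starting phase REQUEST_BODY.
[11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Hook insert_filter: Adding output filter (r 7b2308).
[11/Feb/2007:10:54:12 --0600] [www.example.com/sid#73ebb0][rid#7b2308][/sdfasdfdsafs.jpg][4] Starting phase LOGGING.
"""

# Constructed sample audit log with the same part layout as the thread's ("ABIFHZ", no part E);
# the addresses are documentation-range placeholders, not the poster's.
SAMPLE_AUDIT = """\
--143f433d-A--
[11/Feb/2007:10:54:12 --0600] PgDt438AAAEAAAM@MDIAAACA 192.0.2.10 46339 192.0.2.20 80
--143f433d-B--
GET /sdfasdfdsafs.jpg HTTP/1.1
Host: www.example.com

--143f433d-F--
HTTP/1.1 404 Not Found
Content-Length: 292
Content-Type: text/html; charset=iso-8859-1

--143f433d-H--
Apache-Error: [file "core.c"] [line 3612] [level 3] File does not exist: /var/www/www.example.com/sdfasdfdsafs.jpg
Producer: ModSecurity v2.1.0-rc7 (Apache 2.x)

--143f433d-Z--
"""

if __name__ == "__main__":
    for rid, ran in phases_per_transaction(SAMPLE_DEBUG.splitlines()).items():
        print(f"rid#{rid}: started {ran}; never started {missing_response_phases(ran)}")
    for tid, parts in parse_serial_audit_log(SAMPLE_AUDIT).items():
        print(f"audit {tid}: parts {sorted(parts)}, status {response_status(parts)}, "
              f"response body captured: {'E' in parts}")
```

Run against the sample, the debug log yields only REQUEST_HEADERS, REQUEST_BODY and LOGGING for rid#7b2308, so both response phases are reported as never started, which is exactly the symptom the reply attributes to Apache serving the 404 from its core handler. The audit-log check adds a second point worth knowing when testing a RESPONSE_BODY rule: the poster's `SecAuditLogParts "ABIFHZ"` does not include part E, so the response body will not appear in the audit log even once phase 4 does run against a script-generated response.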