Re: [mod-security-users] What is this? Can you please explain?
From: Christian B. <ch...@jw...> - 2007-05-29 10:10:56
As the audit-log states, it is a missing Accept-header that leads to the rejection of the request. Thus, in your rule-files you have a rule that is like

    SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status: 500,log,auditlog,.."

or similar. A short grep on your files should reveal a list of possible locations:

    grep -H Accept /etc/httpd/conf/mod*.conf /etc/httpd/modules.d/82_mod_sec*

This will show a list of all files that have a rule that validates the Accept-header. What you can then do is to skip this rule in case of the remote-addr being the local host. In case you have the above rule in one of your files you can prepend a rule to that, which skips this check for local connections:

    SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" "skipnext:1"
    SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status: 500,log,auditlog,.."

An alternative would be to use the "chain" action:

    SecFilterSelective REMOTE_ADDR "!127\.0\.0\.1" "chain"
    SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status: 500,log,auditlog,.."

which should invoke the Accept-header rule only in case the first rule matched, which says "not from localhost". If you want to disable rule-checking for all local connections you might also specify

    SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" allow

as the first rule after your basic settings, which will disable the filter for all requests coming from the local host.

Regards,
Chris

On 29.05.2007 at 03:30, Albert E. Whale wrote:

> I think that it depends on the release of Mandriva. For apache-mod_security-1.9.4-1mlcs4 for CS4, this version includes
>
> /etc/httpd/conf/mod_security-snortrules.conf
> /etc/httpd/conf/modsecurity-experimental.conf
> /etc/httpd/conf/modsecurity-general.conf
> /etc/httpd/conf/modsecurity-hardening.conf
> /etc/httpd/conf/modsecurity-output.conf
> /etc/httpd/conf/modsecurity-php.conf
> /etc/httpd/modules.d/82_mod_security.conf
>
> However, the function I am trying to permit is the polling by Nagios for the Local WebServer. Here is the output of the Audit Log:
>
> ==4ede536b==============================
> Request: www.ABS-CompTech.com 127.0.0.1 - - [28/May/2007:19:40:03 --0400] "GET / HTTP/1.0" 500 1058 "-" "check_http/1.89 (nagios-plugins 1.4.3)" RJ9HmX8AAAEAAHIRaSoAAAAA "-"
> Handler: type-map
> ----------------------------------------
> GET / HTTP/1.0
> User-Agent: check_http/1.89 (nagios-plugins 1.4.3)
> Host: 127.0.0.1
> mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER("Accept") [severity "EMERGENCY"]
> mod_security-action: 500
>
> HTTP/1.1 500 Internal Server Error
> Vary: accept-language,accept-charset
> Accept-Ranges: bytes
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> Content-Language: en
> Expires: Mon, 28 May 2007 23:40:03 GMT
> --4ede536b--
>
> Can you help me identify the correct action to permit the connection from Nagios?
>
> Ofer Shezaf wrote:
>> What rule set does the Mandriva package use?
>>
>> ~ Ofer
>>
>> From: Albert E. Whale [mailto:aewhale@ABS-CompTech.com]
>> Sent: Monday, May 28, 2007 5:57 PM
>> To: Ofer Shezaf
>> Cc: Christian Bockermann; mod...@li...
>> Subject: Re: [mod-security-users] What is this? Can you please explain?
>>
>> Thank you. Since this is a Mandriva release of the Mod_Security package I can review the information and fix it for me, and also the Mandriva distribution ... this may help a few other newcomers as well.
>>
>> Thank you!
>>
>> Ofer Shezaf wrote:
>>
>> Actually Albert might be right. Some versions of Apache use an internal keep alive pinger that issues a request without a host name. The Core Rule Set has a specific exclusion for that, but this rule is probably not part of the Core Rule Set (no rule ID) and blocks this request. In order to verify we will need the entire request as you can find in the audit log. So in order to permit it: either use the core rule set instead of the rules you use or refer to Ryan's recent blog entry on creating exceptions: http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
>>
>> ~ Ofer
>>
>> -----Original Message-----
>> From: mod-security-users-bo...@li... [mailto:mod-security-users-bo...@li...] On Behalf Of Christian Bockermann
>> Sent: Monday, May 28, 2007 11:20 AM
>> To: aewhale@ABS-CompTech.com
>> Cc: mod...@li...
>> Subject: Re: [mod-security-users] What is this? Can you please explain?
>>
>> Hi Albert!
>>
>> In this case it is not the fact that it's the localhost, but a matter of a missing/empty Accept-Header in the request. Do you use the core-rules or any custom-made ruleset? The core rules contain some checks that complain if an Accept-header is missing. This is a problem I observed with some RSS-clients for example. According to the RFC the Accept-header is optional.
>>
>> Regards,
>> Chris
>>
>> On 28.05.2007 at 05:26, Albert E. Whale wrote:
>>
>> To me this appears to indicate that the localhost is not permitted to test the root level of the web Server. Why?
>>
>> [Sun May 27 23:24:03 2007] [error] [client 127.0.0.1] mod_security: Access denied with code 500. Pattern match "^$" at HEADER("Accept") [severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"] [unique_id "R9xVQH8AAAEAAAN2kzoAAAAF"]
>>
>> Where can I permit this?
>
> --
> Albert E. Whale, CHS CISA CISSP
> Sr. Security, Network, Risk Assessment and Systems Consultant
> ABS Computer Technology, Inc. - Email, Internet and Security Consultants
> SPAMZapper - No-JunkMail.com - True Spam Elimination.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
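The three rule arrangements Christian describes (skipnext, chain, allow in front of the Accept check), replayed against the Nagios probe from the audit log; this is an added example, not code from the thread or from mod_security. The evaluator is an assumed, simplified model of the 1.x engine (first disruptive action wins; an unmatched chain head skips the rules chained behind it), and the two requests are constructed from the audit-log entry above.

```python
import re
import shlex

# Constructed request modelled on the Nagios probe in the audit log above:
# "GET / HTTP/1.0" from 127.0.0.1 with no Accept header at all.
NAGIOS = {"REMOTE_ADDR": "127.0.0.1", "REQUEST_HEADERS:Accept": "",
          "REQUEST_HEADERS:User-Agent": "check_http/1.89 (nagios-plugins 1.4.3)"}
# Constructed: the same Accept-less request from a non-local client (documentation address).
REMOTE = dict(NAGIOS, REMOTE_ADDR="192.0.2.10")

# The rule text as quoted in the reply (trailing ".." placeholder dropped).
ACCEPT_RULE = 'SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status: 500,log,auditlog"'
SKIPNEXT_RULES = ['SecFilterSelective REMOTE_ADDR "127\\.0\\.0\\.1" "skipnext:1"', ACCEPT_RULE]
CHAIN_RULES = ['SecFilterSelective REMOTE_ADDR "!127\\.0\\.0\\.1" "chain"', ACCEPT_RULE]
ALLOW_RULES = ['SecFilterSelective REMOTE_ADDR "127\\.0\\.0\\.1" allow', ACCEPT_RULE]

def parse_rule(line):
    """Split a SecFilterSelective line into (variable, pattern, [actions]); shell-style quoting."""
    directive, var, pattern, *rest = shlex.split(line)
    actions = [a.strip() for a in rest[0].split(",")] if rest else []
    return var, pattern, actions

def rule_matches(var, pattern, request):
    """Regex search on the variable's value; a leading '!' negates the match."""
    negate = pattern.startswith("!")
    matched = re.search(pattern.lstrip("!"), request.get(var, "")) is not None
    return matched != negate

def action_arg(actions, name, default):
    """Value of a 'name:value' action, e.g. 'status: 500' -> '500'."""
    return next((a.split(":", 1)[1].strip() for a in actions if a.startswith(name + ":")), default)

def evaluate(rules, request):
    """Simplified (assumed) model of the 1.x engine: first disruptive action wins, else 'pass'."""
    i = 0
    while i < len(rules):
        var, pattern, actions = parse_rule(rules[i])
        if not rule_matches(var, pattern, request):
            # an unmatched chain head skips every rule chained behind it
            while "chain" in actions and i + 1 < len(rules):
                i += 1
                actions = parse_rule(rules[i])[2]
            i += 1
            continue
        if "allow" in actions:
            return "allow"
        if "deny" in actions:
            return "deny " + action_arg(actions, "status", "")
        # a matched chain head falls through to the chained rule; skipnext:N jumps over N rules
        i += 1 + int(action_arg(actions, "skipnext", "0"))
    return "pass"
```

All three variants let the local Nagios request through while a non-local request without an Accept header is still denied with 500; only the allow variant switches off every later rule for localhost.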