Re: [mod-security-users] What is this? Can you please explain?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] What is this? Can you please explain?
|
From: Christian B. <ch...@jw...> - 2007-05-29 10:10:56
|
As the audit-log states, it is a missing Accept-header that leads to the
rejection of the request. Thus, in your rule-files you have a rule that
is like
SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:
500,log,auditlog,.."
or similar.
A short grep on your files should reveal a list of possible locations:
grep -H Accept /etc/httpd/conf/mod*.conf /etc/httpd/modules.d/
82_mod_sec*
This will show a list of all files that have a rule that validates
the Accept-header.
What you can then do, is to skip this rule in case of the remote-addr
being the local
host. In case you have the above rule in one of your files you can
prepend a
rule to that, which skips this check for local connections:
SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" "skipnext:1"
SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:
500,log,auditlog,.."
An alternative would be to use the "chain" action:
SecFilterSelective REMOTE_ADDR "!127\.0\.0\.1" "chain"
SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:
500,log,auditlog,.."
Which should invoke the Accept-header-rule only, in case the first
rule matched, which
says "not from localhost".
If you want to disable rule-checking for all local connections you
might also specify
SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" allow
as the first rule after your basic settings, which will disable the
filter for all
requests coming from the local host.
Regards,
Chris
Am 29.05.2007 um 03:30 schrieb Albert E. Whale:
> I think that it depends on the release of Mandriva. For apache-
> mod_security-1.9.4-1mlcs4 for CS4, this version includes
>
> /etc/httpd/conf/mod_security-snortrules.conf
> /etc/httpd/conf/modsecurity-experimental.conf
> /etc/httpd/conf/modsecurity-general.conf
> /etc/httpd/conf/modsecurity-hardening.conf
> /etc/httpd/conf/modsecurity-output.conf
> /etc/httpd/conf/modsecurity-php.conf
> /etc/httpd/modules.d/82_mod_security.conf
>
> However, the function I am trying to permit is the polling by
> Nagios for the Local WebServer. Here is the output of the Audit Log
>
>
> ==4ede536b==============================
> Request: www.ABS-CompTech.com 127.0.0.1 - - [28/May/2007:19:40:03
> --0400] "GET / HTTP/1.0" 500 1058 "-" "check_http/1.89 (nagios-
> plugins 1.4.3)" RJ9HmX8AAAEAAHIRaSoAAAAA "-"
> Handler: type-map
> ----------------------------------------
> GET / HTTP/1.0
> User-Agent: check_http/1.89 (nagios-plugins 1.4.3)
> Host: 127.0.0.1
> mod_security-message: Access denied with code 500. Pattern match "^
> $" at HEADER("Accept") [severity "EMERGENCY"]
> mod_security-action: 500
>
> HTTP/1.1 500 Internal Server Error
> Vary: accept-language,accept-charset
> Accept-Ranges: bytes
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> Content-Language: en
> Expires: Mon, 28 May 2007 23:40:03 GMT
> --4ede536b--
>
> Can you help me identify the correct action to permit the
> connection from Nagios?
>
> Ofer Shezaf wrote:
>> What rule set does the Mandriva package uses?
>>
>>
>>
>> ~ Ofer
>>
>>
>>
>> From: Albert E. Whale [mailto:aewhale@ABS-CompTech.com]
>> Sent: Monday, May 28, 2007 5:57 PM
>> To: Ofer Shezaf
>> Cc: Christian Bockermann; mod...@li...
>> Subject: Re: [mod-security-users] What is this? Can you please
>> explain?
>>
>>
>>
>> Thank you. Since this is a Mandriva release of the Mod_Security
>> package I can review the information and fix it for me, and also
>> the Mandriva distribution ... this may help a few other newcomers
>> as well.
>>
>> Thank you!
>>
>> Ofer Shezaf wrote:
>>
>> Actually Albert might be right. Some versions of Apache use an
>> internalkeep alive pinger that issues a request without a host
>> name. The Core Rule Set have a specific exclusion for that, but
>> this rule isprobably not part of the Core Rule Set (no rule ID)
>> and blocks thisrequest. In order to verify we will need the entire
>> request as you can find inthe audit log. So in order to permit it:
>> either use the core rule set instead of therules you use or refer
>> to Ryan's recent blog entry on creatingexceptionshttp://
>> www.modsecurity.org/blog/archives/2007/02/handling_false.html ~
>> Ofer -----Original Message----- From: mod-security-users-
>> bo...@li... [mailto:mod- security-users-
>> bo...@li...] On Behalf Of Christian Bockermann
>> Sent: Monday, May 28, 2007 11:20 AM To: aewhale@ABS-CompTech.com
>> Cc: mod...@li... Subject: Re: [mod-
>> security-users] What is this? Can you please explain? Hi
>> Albert! In this case it is not the fact that it's the localhost,
>> but a matter of a missing/empty Accept-Header in the request. Do
>> you use the core-rules or any custom-made ruleset? The core
>> rules contain some checks that complain if an Accept-header
>> is missing. This is a problem I observed with some RSS-clients
>> for example. According to the RFC the Accept-header is optional.
>> Regards, Chris Am 28.05.2007 um 05:26 schrieb Albert E.
>> Whale: Too me this appears to indicate that
>> the localhost is not permitted to test the root level of the web
>> Server. Why? [Sun May 27 23:24:03 2007] [error] [client
>> 127.0.0.1] mod_security: Access denied with code 500. Pattern
>> match "^$" at HEADER("Accept") [severity "EMERGENCY"] [hostname
>> "127.0.0.1"] [uri "/"] [unique_id "R9xVQH8AAAEAAAN2kzoAAAAF"]
>> Where can I permit this? -- Albert E. Whale, CHS CISA CISSP Sr.
>> Security, Network, Risk Assessment and Systems Consultant ABS
>> Computer Technology, Inc. - Email, Internet and Security
>> Consultants SPAMZapper - No-JunkMail.com - True Spam
>> Elimination.
>> ---------------------------------------------------------------------
>> - --- This SF.net email is sponsored by DB2 Express Download
>> DB2 Express C - the FREE version of DB2 express and take control
>> of your XML. No limits. Just data. Click to get it now. http://
>> sourceforge.net/powerbar/db2/
>> _______________________________________________ mod-security-users
>> mailing list mod...@li... https://
>> lists.sourceforge.net/lists/listinfo/mod-security-
>> users
>> ---------------------------------------------------------------------
>> -- -- This SF.net email is sponsored by DB2 Express Download DB2
>> Express C - the FREE version of DB2 express and take control of
>> your XML. No limits. Just data. Click to get it now. http://
>> sourceforge.net/powerbar/db2/
>> _______________________________________________ mod-security-users
>> mailing list mod...@li... https://
>> lists.sourceforge.net/lists/listinfo/mod-security-users
>> ---------------------------------------------------------------------
>> ----This SF.net email is sponsored by DB2 ExpressDownload DB2
>> Express C - the FREE version of DB2 express and takecontrol of
>> your XML. No limits. Just data. Click to get it now.http://
>> sourceforge.net/powerbar/db2/
>> _______________________________________________mod-security-users
>> mailing lis...@li...https://
>> lists.sourceforge.net/lists/listinfo/mod-security-users
>>
>>
>> --
>> Albert E. Whale, CHS CISA CISSP
>> Sr. Security, Network, Risk Assessment and Systems Consultant
>>
>> ABS Computer Technology, Inc. - Email, Internet and Security
>> Consultants
>> SPAMZapper - No-JunkMail.com - True Spam Elimination.
>>
>
>
> --
> Albert E. Whale, CHS CISA CISSP
> Sr. Security, Network, Risk Assessment and Systems Consultant
> ABS Computer Technology, Inc. - Email, Internet and Security
> Consultants
> SPAMZapper - No-JunkMail.com - True Spam Elimination.
> ----------------------------------------------------------------------
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
|