mod-security-developers — Development discussion about mod_security

Re: [Mod-security-developers] JSON body processor

[Breno S. <bre...@gm...>]

Hello Ulisses,

Your work on this task will help a lot of people!
Let me point some comments

1 - Please take a look at http://www.apache.org/legal/3party.html. There is
a list of authorized licenses to use.
If you find some good library with a different kind of license we can try
to determine if it is compatible of not.

2 - The first idea is to populate already used modsecurity collections
ARGS, ARGS_NAMES etc. However we can discuss if necessary some additional
collection for example JSON_*. Use ARGS* collection will make user's life
easier to apply the current ruleset against JSON data.

3 -  This is a good question. Currenlty we don't have exact numbers to make
it. But we must keep in mind we don't want to add too  much latency into
http transactions. So we always try to work in a small range of
microseconds. As you said, you can try to generate compatible dataset and
compare the performance numbers.

4 - This is fine to discuss it here. Once we have defined what to do you
can document it in the Jira ticket.

Thanks

Breno

On Sun, Sep 23, 2012 at 8:31 AM, Ulisses Montenegro <
uli...@gm...> wrote:

> Team
>
> As my first attempt in contributing to mod_security I've decided to
> tackle MODSEC-253, a JSON body processor. I've gone through the XML
> and multipart body processors and found them apparently
> straightforward. I would like some pointers on issues which I need to
> address before deciding on my solution, though.
>
> 1. The XML body processor uses libxml for the actual XML parsing, I
> assume adding a JSON parser library would be acceptable as well. If
> so, what licenses would be acceptable?
> 2. XML processor offers a XPath interface for rules to match XML
> contents, which is a standard, but AFAIK there is nothing equivalent
> for JSON (aside from evaluating Javascript object references). What
> interface would work best for the rules to gain access to the JSON
> contents?
> 3. Are there any guidelines/rules regarding memory usage and
> performance, i.e., how can if my code or the library I'm using is
> performing acceptably? I know I can always benchmark/profile other
> body processors and compare the results directly, but I'm looking more
> towards hard numbers, if they're available.
> 4. Finally, do these kind of questions go into JIRA? I decided to try
> the mailing list first as I did not want to add possibly irrelevant
> information to the JIRA issue, but I think at least items [1] and [2]
> should be registered there -- is that how it usually works?
>
> Thanks a lot for the great work on mod_security
> Ulisses
>
> --
> “If debugging is the process of removing software bugs, then
> programming must be the process of putting them in.” - Edsger Dijkstra
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://ad.doubleclick.net/clk;258768047;13503038;j?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

[Mod-security-developers] JSON body processor

[Ulisses M. <uli...@gm...>]

Team

As my first attempt in contributing to mod_security I've decided to
tackle MODSEC-253, a JSON body processor. I've gone through the XML
and multipart body processors and found them apparently
straightforward. I would like some pointers on issues which I need to
address before deciding on my solution, though.

1. The XML body processor uses libxml for the actual XML parsing, I
assume adding a JSON parser library would be acceptable as well. If
so, what licenses would be acceptable?
2. XML processor offers a XPath interface for rules to match XML
contents, which is a standard, but AFAIK there is nothing equivalent
for JSON (aside from evaluating Javascript object references). What
interface would work best for the rules to gain access to the JSON
contents?
3. Are there any guidelines/rules regarding memory usage and
performance, i.e., how can if my code or the library I'm using is
performing acceptably? I know I can always benchmark/profile other
body processors and compare the results directly, but I'm looking more
towards hard numbers, if they're available.
4. Finally, do these kind of questions go into JIRA? I decided to try
the mailing list first as I did not want to add possibly irrelevant
information to the JIRA issue, but I think at least items [1] and [2]
should be registered there -- is that how it usually works?

Thanks a lot for the great work on mod_security
Ulisses

-- 
“If debugging is the process of removing software bugs, then
programming must be the process of putting them in.” - Edsger Dijkstra

Re: [Mod-security-developers] Interesting Project for a 6-month Internship

[Martin H. <mar...@sm...>]

Hello,
I guess "Write a Positive Learning Engine" means the Task mentioned here
[1]. It sounds interesting, but I must admit I didn't really got what is
asked by the Project. In particular I don't really understand what the
mentioned link [2] has to do with the Project. :(
I hope you can enlight me.
Regards,
Martin Haug


[1] http://www.modsecurity.org/projects/gsoc/ "Automated
Learning/Positive Security Model"
[2]
http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

Am 13.09.2012 15:14, schrieb Breno Silva:
> Hello Martin,
> 
> There are many stuffs to work. I can give u some suggestions:
> - Extend the current encryption engine to protect Cookies and
> input/hidden fields
> - Write a Positive (Learning) engine
> 
> 
> Thanks
> 
> Breno
> 
> On Tue, Sep 11, 2012 at 6:10 PM, Ryan Barnett <RBa...@tr...
> <mailto:RBa...@tr...>> wrote:
> 
>     Hey Martin,
>     Check out our GSOC page for some ideas -
>     - http://www.modsecurity.org/projects/gsoc/
>     -
>     https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set
> 
>     For the rules ideas - most of these could be quickly prototyped
>     using Lua
>     API.  Depending on the idea, some of them could/should be integrated
>     directly into ModSecurity as C code.
> 
>     Let us know if any of these ideas spark your interest.
> 
>     FYI - we will probably be creating a proper Roadmap/Features page.
> 
>     Cheers.
> 
>     --
>     Ryan Barnett
>     Trustwave SpiderLabs
>     ModSecurity Project Leader
>     OWASP ModSecurity CRS Project Leader
> 
> 
> 
> 
> 
>     On 9/11/12 6:10 PM, "Martin Haug" <mar...@sm...
>     <mailto:mar...@sm...>> wrote:
> 
>     >Hello,
>     >I'm  doing a 6-month Internship starting on 1.3.2013. In this i will
>     >develop a Project of my own. I now have to submit a proposal for the
>     >Project.
>     >I don't have a good Idea yet, but it would be nice, if I could work
>     with
>     >an interesting Open Source Project, so my Question is if you have some
>     >Feature on your Wishlist witch you always wanted but nobody implements
>     >it and which is suitable for a 6-month internship.
>     >
>     >The Project has to be Security-related, but I can use a broad
>     Definition
>     >of "Security". :-)
>     >Best Regards,
>     >Martin Haug
>     >
>     >_________________________________________________________________
>     >Free-Mail Postfach (bis zu 10 GB E-Mail-Speicher)
>     >SMS, MMS, Fax und vieles mehr - http://www.smart-mail.de
>     >
>     >
>     >--------------------------------------------------------------------------
>     >----
>     >Live Security Virtual Conference
>     >Exclusive live event will cover all the ways today's security and
>     >threat landscape has changed and how IT managers can respond.
>     Discussions
>     >will include endpoint security, mobile security and the latest in
>     malware
>     >threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>     >_______________________________________________
>     >mod-security-developers mailing list
>     >mod...@li...
>     <mailto:mod...@li...>
>     >https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>     >ModSecurity Services from Trustwave's SpiderLabs:
>     >https://www.trustwave.com/spiderLabs.php
>     >
> 
> 
>     ________________________________
> 
>     This transmission may contain information that is privileged,
>     confidential, and/or exempt from disclosure under applicable law. If
>     you are not the intended recipient, you are hereby notified that any
>     disclosure, copying, distribution, or use of the information
>     contained herein (including any reliance thereon) is STRICTLY
>     PROHIBITED. If you received this transmission in error, please
>     immediately contact the sender and destroy the material in its
>     entirety, whether in electronic or hard copy format.
> 
> 
>     ------------------------------------------------------------------------------
>     Live Security Virtual Conference
>     Exclusive live event will cover all the ways today's security and
>     threat landscape has changed and how IT managers can respond.
>     Discussions
>     will include endpoint security, mobile security and the latest in
>     malware
>     threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>     _______________________________________________
>     mod-security-developers mailing list
>     mod...@li...
>     <mailto:mod...@li...>
>     https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>     ModSecurity Services from Trustwave's SpiderLabs:
>     https://www.trustwave.com/spiderLabs.php
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> 
> 
> 
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
> 

_________________________________________________________________
Free-Mail Postfach (bis zu 10 GB E-Mail-Speicher)
SMS, MMS, Fax und vieles mehr - http://www.smart-mail.de

Re: [Mod-security-developers] Interesting Project for a 6-month Internship

[Breno S. <bre...@gm...>]

Hello Martin,

There are many stuffs to work. I can give u some suggestions:
- Extend the current encryption engine to protect Cookies and input/hidden
fields
- Write a Positive (Learning) engine


Thanks

Breno

On Tue, Sep 11, 2012 at 6:10 PM, Ryan Barnett <RBa...@tr...>wrote:

> Hey Martin,
> Check out our GSOC page for some ideas -
> - http://www.modsecurity.org/projects/gsoc/
> - https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set
>
> For the rules ideas - most of these could be quickly prototyped using Lua
> API.  Depending on the idea, some of them could/should be integrated
> directly into ModSecurity as C code.
>
> Let us know if any of these ideas spark your interest.
>
> FYI - we will probably be creating a proper Roadmap/Features page.
>
> Cheers.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
>
>
>
>
> On 9/11/12 6:10 PM, "Martin Haug" <mar...@sm...> wrote:
>
> >Hello,
> >I'm  doing a 6-month Internship starting on 1.3.2013. In this i will
> >develop a Project of my own. I now have to submit a proposal for the
> >Project.
> >I don't have a good Idea yet, but it would be nice, if I could work with
> >an interesting Open Source Project, so my Question is if you have some
> >Feature on your Wishlist witch you always wanted but nobody implements
> >it and which is suitable for a 6-month internship.
> >
> >The Project has to be Security-related, but I can use a broad Definition
> >of "Security". :-)
> >Best Regards,
> >Martin Haug
> >
> >_________________________________________________________________
> >Free-Mail Postfach (bis zu 10 GB E-Mail-Speicher)
> >SMS, MMS, Fax und vieles mehr - http://www.smart-mail.de
> >
> >
> >--------------------------------------------------------------------------
> >----
> >Live Security Virtual Conference
> >Exclusive live event will cover all the ways today's security and
> >threat landscape has changed and how IT managers can respond. Discussions
> >will include endpoint security, mobile security and the latest in malware
> >threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >_______________________________________________
> >mod-security-developers mailing list
> >mod...@li...
> >https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >ModSecurity Services from Trustwave's SpiderLabs:
> >https://www.trustwave.com/spiderLabs.php
> >
>
>
> ________________________________
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Interesting Project for a 6-month Internship

[Ryan B. <RBa...@tr...>]

Hey Martin,
Check out our GSOC page for some ideas -
- http://www.modsecurity.org/projects/gsoc/
- https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set

For the rules ideas - most of these could be quickly prototyped using Lua
API.  Depending on the idea, some of them could/should be integrated
directly into ModSecurity as C code.

Let us know if any of these ideas spark your interest.

FYI - we will probably be creating a proper Roadmap/Features page.

Cheers.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader





On 9/11/12 6:10 PM, "Martin Haug" <mar...@sm...> wrote:

>Hello,
>I'm  doing a 6-month Internship starting on 1.3.2013. In this i will
>develop a Project of my own. I now have to submit a proposal for the
>Project.
>I don't have a good Idea yet, but it would be nice, if I could work with
>an interesting Open Source Project, so my Question is if you have some
>Feature on your Wishlist witch you always wanted but nobody implements
>it and which is suitable for a 6-month internship.
>
>The Project has to be Security-related, but I can use a broad Definition
>of "Security". :-)
>Best Regards,
>Martin Haug
>
>_________________________________________________________________
>Free-Mail Postfach (bis zu 10 GB E-Mail-Speicher)
>SMS, MMS, Fax und vieles mehr - http://www.smart-mail.de
>
>
>--------------------------------------------------------------------------
>----
>Live Security Virtual Conference
>Exclusive live event will cover all the ways today's security and
>threat landscape has changed and how IT managers can respond. Discussions
>will include endpoint security, mobile security and the latest in malware
>threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php
>


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] Interesting Project for a 6-month Internship

[Christian F. <chr...@ti...>]

Hi Martin,

An open-source cookie-store module for Apache would be awesome.
Ideally, this would be a feature in ModSecurity or a standalone
module.

By cookie store I mean a piece of logic / store, that consumes
Set-Cookie Response headers from the backend application 
(typically in a reverse proxy setting) and stores the
cookies in a local session. The client no longer sees the cookies.
But when the client issues a request, the cookies are attached
to his request according to their definition (domain, path,
secure-flag, expiry) again. So for the application, this is
transparent and an attacker is no longer able to steal the
cookies from the client anymore.

Cheers,

Christian


On Wed, Sep 12, 2012 at 12:10:58AM +0200, Martin Haug wrote:
> Hello,
> I'm  doing a 6-month Internship starting on 1.3.2013. In this i will
> develop a Project of my own. I now have to submit a proposal for the
> Project.
> I don't have a good Idea yet, but it would be nice, if I could work with
> an interesting Open Source Project, so my Question is if you have some
> Feature on your Wishlist witch you always wanted but nobody implements
> it and which is suitable for a 6-month internship.
> 
> The Project has to be Security-related, but I can use a broad Definition
> of "Security". :-)
> Best Regards,
> Martin Haug
> 
> _________________________________________________________________
> Free-Mail Postfach (bis zu 10 GB E-Mail-Speicher)
> SMS, MMS, Fax und vieles mehr - http://www.smart-mail.de
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

[Mod-security-developers] Interesting Project for a 6-month Internship

[Martin H. <mar...@sm...>]

Hello,
I'm  doing a 6-month Internship starting on 1.3.2013. In this i will
develop a Project of my own. I now have to submit a proposal for the
Project.
I don't have a good Idea yet, but it would be nice, if I could work with
an interesting Open Source Project, so my Question is if you have some
Feature on your Wishlist witch you always wanted but nobody implements
it and which is suitable for a 6-month internship.

The Project has to be Security-related, but I can use a broad Definition
of "Security". :-)
Best Regards,
Martin Haug

_________________________________________________________________
Free-Mail Postfach (bis zu 10 GB E-Mail-Speicher)
SMS, MMS, Fax und vieles mehr - http://www.smart-mail.de

[Mod-security-developers] Availability of ModSecurity 2.7.0-RC3 Release Candidate

[Breno S. <bre...@gm...>]

The ModSecurity Development Team is pleased to announce the
availability of ModSecurity
7.0-rc3 Release<http://www.modsecurity.org/download/modsecurity-apache_2.7.0-rc2.tar.gz>.
The stability of this release is good and include bug fixed and new
features. I think the most important one it to be able to handle
Internationalization (I18N) and thus properly handle various data encodings
including Unicode and UTF-8 in order to prevent not only evasion issues but
also to minimize false positives Please check our blog for more
information<http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html>
.
We also merged the Ngnix and IIS code from experimental branch.The IIS code
should be stable now but Ngnix is still in experimental status. This should
be the last -rc extra version until the stable.
Please see the release notes included into
CHANGES<http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES>file.
For known problems and more information about bug fixes, please see
the online ModSecurity Jira <https://www.modsecurity.org/tracker/>. Please
report any bug to
mod...@li...<http://lists.sourceforge.net/lists/listinfo/mod-security-developers>
.


Thanks

Breno Silva

[Mod-security-developers] Integer overflow in mod_security for IIS

[Alexander N. <ana...@gm...>]

Hello!

*Steps to reproduce:*

   1. Install mod_security on Windows Server 2008 R2 x64, IIS 7.5 using msi
   installer
   2. Setup mod_security for your website
   3. In IIS go to advanced settings of application pool of your website
   4. Set "Enable 32-Bit Applications" property to "True"
   5. Restart the pool and your website
   6. Make a request to the site

*Actual result:*
in response headers value of "Content-Size" header is enormous. Thus client
actually loads contents but waits for the rest. If you try to load your
site in a common browser such as Chrome loading will hang up.

Re: [Mod-security-developers] SecAuditLogType concurrent, SecAuditLog has file name "audit.log" creates directory audit.log

[Parthasarathi K. <par...@ya...>]

Please find the patch 
Thanks
Partha
--- modsecurity-apache/apache2/msc_util.c    Fri Aug 24 02:23:52 2012 -0700
+++ modsecurity-apache/apache2/msc_util.c    Fri Aug 24 03:26:42 2012 -0700
@@ -387,6 +387,7 @@
     } else {
         d = strrchr(b, '\\');
         if (d != NULL) *d = '\0';
+        else b = apr_pstrdup(p, ".");
     }
 
     return b;
@@ -401,7 +402,7 @@
 
     c = strrchr(b, '/');
     if (c != NULL) *c = '\0';
-
+    else b = apr_pstrdup(p, ".");
     return b;
 }
 #endif



________________________________
 From: Breno Silva <bre...@gm...>
To: mod...@li... 
Sent: Thursday, August 23, 2012 11:34 PM
Subject: Re: [Mod-security-developers] SecAuditLogType concurrent, SecAuditLog has file name "audit.log" creates directory audit.log
 

Hello,

Yes, looks like a possible fix. I just need to make some tests.
Could you send a patch ?

Thanks

Breno


On Thu, Aug 23, 2012 at 12:49 PM, seema deepak <see...@gm...> wrote:

Hi,
>
>Is this a known issue ?
>
>Let me explain the scenario little more.
>
>If we use the below configuration (without SecAuditLogStorageDir) ...
>
>-- -- -- -- --
>
>SecRuleEngine On
>SecAuditEngine On
>SecAuditLogType concurrent
>SecAuditLog ./audit.log
>SecAuditLogParts ABCFHZ
>-- -- -- -- --
>
>when the server starts up, it creates "audit.log" file relative to the server's config directory ( <config dir>/audit.log ).
>And when ModSecurity processes the request, logs the msg in the concurrent log file created relative to server's config directory ( e.g. <config dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that file's info get logged in the audit.log file. 
>So we do see some entries in audit.log and the concurrent log.
>
>If we change AuditLog's location to some absolute path like /tmp/audit.log, 
>then audit.log is created in the /tmp dir and concurrent logs are also created in /tmp  dir ( /tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).
>
>Issue is when we specify just the filename for SecAuditLog.
>-- -- -- -- --
>
>SecRuleEngine On
>SecAuditEngine On
>SecAuditLogType concurrent
>SecAuditLog audit.log
>SecAuditLogParts ABCFHZ
>
-- -- -- -- --
>
>At server startup, audit.log file gets created in the server's config directory ( <config dir>/audit.log ) . During request processing when ModSecurity tries to create the concurrent log file it tries to create <config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists and is a file.
>
>Change in file_dirname() of msc_util.c to return "." when filename doesn't have "/" or "\" fixed the issue.
>Please let us know if it is the right fix.
>
>Thanks,
>Seema.
>
>
>
>On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <par...@ya...> wrote:
>
>If the rule file contains SecAuditLog and provides the file name  and there is no SecAuditLogStorageDir( it is not mandatory) , it creates audit.log as the directory instead of creating that as the index file.
>>
>>
>>
>>SecRuleEngine On
>>SecAuditEngine On
>>SecAuditLogType concurrent
>>SecAuditLog audit.log
>>SecAuditLogParts ABCFHZ
>>
>>
>>
>>
>>
>>The behaviour is different when SecAuditLog  ./audit.log.
>>
>>
>>The issue is with file_dirname(msr->mp, "audit.log")function. it returns "audit.log", where as 
>>
>>file_dirname(msr->mp, "./audit.log" ) correctly returns "." as the directory.
>>
>>
>>Should not it return "." even on file_dirname(msr->mp, "audit.log") ?
>>
>>
>>Thanks
>>Partha
>>
>>
>>
>>
>>------------------------------------------------------------------------------
>>Live Security Virtual Conference
>>Exclusive live event will cover all the ways today's security and
>>threat landscape has changed and how IT managers can respond. Discussions
>>will include endpoint security, mobile security and the latest in malware
>>threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>_______________________________________________
>>mod-security-developers mailing list
>>mod...@li...
>>https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>>ModSecurity Services from Trustwave's SpiderLabs:
>>https://www.trustwave.com/spiderLabs.php
>>
>
>------------------------------------------------------------------------------
>Live Security Virtual Conference
>Exclusive live event will cover all the ways today's security and
>threat landscape has changed and how IT managers can respond. Discussions
>will include endpoint security, mobile security and the latest in malware
>threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php
>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

Re: [Mod-security-developers] SecAuditLogType concurrent, SecAuditLog has file name "audit.log" creates directory audit.log

[Breno S. <bre...@gm...>]

Hello,

Yes, looks like a possible fix. I just need to make some tests.
Could you send a patch ?

Thanks

Breno

On Thu, Aug 23, 2012 at 12:49 PM, seema deepak <see...@gm...>wrote:

> Hi,
>
> Is this a known issue ?
>
> Let me explain the scenario little more.
>
> If we use the below configuration (without SecAuditLogStorageDir) ...
>
> -- -- -- -- --
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog ./audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> when the server starts up, it creates "audit.log" file relative to the
> server's config directory ( <config dir>/audit.log ).
> And when ModSecurity processes the request, logs the msg in the concurrent
> log file created relative to server's config directory ( e.g. <config
> dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that
> file's info get logged in the audit.log file.
> So we do see some entries in audit.log and the concurrent log.
>
> If we change AuditLog's location to some absolute path like
> /tmp/audit.log,
> then audit.log is created in the /tmp dir and concurrent logs are also
> created in /tmp  dir (
> /tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).
>
> Issue is when we specify just the filename for SecAuditLog.
> -- -- -- -- --
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> At server startup, audit.log file gets created in the server's config
> directory ( <config dir>/audit.log ) . During request processing when
> ModSecurity tries to create the concurrent log file it tries to create
> <config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists
> and is a file.
>
> Change in file_dirname() of msc_util.c to return "." when filename doesn't
> have "/" or "\" fixed the issue.
> Please let us know if it is the right fix.
>
> Thanks,
> Seema.
>
>
> On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <
> par...@ya...> wrote:
>
>> If the rule file contains SecAuditLog and provides the file name  and
>> there is no SecAuditLogStorageDir( it is not mandatory) , it creates
>> audit.log as the directory instead of creating that as the index file.
>>
>> SecRuleEngine On
>> SecAuditEngine On
>> SecAuditLogType concurrent
>> SecAuditLog audit.log
>> SecAuditLogParts ABCFHZ
>>
>>
>> The behaviour is different when SecAuditLog  ./audit.log.
>>
>> The issue is with file_dirname(msr->mp, "audit.log")function. it returns
>> "audit.log", where as
>> file_dirname(msr->mp, "./audit.log" ) correctly returns "." as the
>> directory.
>>
>> Should not it return "." even on file_dirname(msr->mp, "audit.log") ?
>>
>> Thanks
>> Partha
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] SecAuditLogType concurrent, SecAuditLog has file name "audit.log" creates directory audit.log

[seema d. <see...@gm...>]

Hi,

Is this a known issue ?

Let me explain the scenario little more.

If we use the below configuration (without SecAuditLogStorageDir) ...

-- -- -- -- --
SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog ./audit.log
SecAuditLogParts ABCFHZ
-- -- -- -- --

when the server starts up, it creates "audit.log" file relative to the
server's config directory ( <config dir>/audit.log ).
And when ModSecurity processes the request, logs the msg in the concurrent
log file created relative to server's config directory ( e.g. <config
dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that
file's info get logged in the audit.log file.
So we do see some entries in audit.log and the concurrent log.

If we change AuditLog's location to some absolute path like /tmp/audit.log,
then audit.log is created in the /tmp dir and concurrent logs are also
created in /tmp  dir (
/tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).

Issue is when we specify just the filename for SecAuditLog.
-- -- -- -- --
SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog audit.log
SecAuditLogParts ABCFHZ
-- -- -- -- --

At server startup, audit.log file gets created in the server's config
directory ( <config dir>/audit.log ) . During request processing when
ModSecurity tries to create the concurrent log file it tries to create
<config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists
and is a file.

Change in file_dirname() of msc_util.c to return "." when filename doesn't
have "/" or "\" fixed the issue.
Please let us know if it is the right fix.

Thanks,
Seema.


On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <
par...@ya...> wrote:

> If the rule file contains SecAuditLog and provides the file name  and
> there is no SecAuditLogStorageDir( it is not mandatory) , it creates
> audit.log as the directory instead of creating that as the index file.
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
>
>
> The behaviour is different when SecAuditLog  ./audit.log.
>
> The issue is with file_dirname(msr->mp, "audit.log")function. it returns
> "audit.log", where as
> file_dirname(msr->mp, "./audit.log" ) correctly returns "." as the
> directory.
>
> Should not it return "." even on file_dirname(msr->mp, "audit.log") ?
>
> Thanks
> Partha
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] when ModSecurit Nginx exit cause system trace

[yorkng z. <yor...@gm...>]

hi Alan,
i think there is some minor  errors in my last letter, nginx versions i had
use are 1.2.3 and 1.1.20, not 1.2.1.

*ur question: What's your version of another mod security library
dependencies?*
im not understand the question exactly, compile nginx , i aways use apr
package for the official site, and are the lastest version: apr-1.4.6
apr-iconv-1.2.1
apr-util-1.4.1

*ur question: In what case it occurred?*
when nginx(compile with mod security) run, as long as use web client(such
as curl) access the site which setup by nginx, and then nginx exit(CTRL-C),
the case occur.  but nginx run and exit, havent use web client access the
site, this case would not occur.

*ur question:Update your source tree with svn?*
yes, i update the mod security source tree with svn.

*ur questiong: Show your ModSec.data *
ModSec.data's context is simple:

SecRuleEngine on
SecRule REQUEST_URI "secret" "id:999,phase:1,deny"



Regards

yorkng


On Wed, Aug 15, 2012 at 8:23 PM, Alan Silva <ala...@ac...> wrote:

>  Hi Zhuo,
>
> What's your version of another mod security library dependencies? In what
> case it occurred? Update your source tree with svn? Show your ModSec.data
> too, please!
>
> [ ]'s
>
> Alan
>
> On Wednesday, August 15, 2012 at 6:25 AM, yorkng zhuo wrote:
>
> hi all,
> i compile ModSecurity Nginx project with Nginx-1.2.1, and the nginx.conf
> set like this
>
> *daemon off;
> matser_process off;*
> server {
>      listen      80;
>      server_name   192.168.10.34;
>      location / {
>            root html;
>            index intex.html;
>            ModsecurityConfig
> /opt/modsec-2.7-iis-nginx-1.2.3/conf.d/ModSec.data;
>            ModSecurityEnabled On;
>     }
> }
>
>
> when nginx exit, the system print trace information bellow, i think
> libapr(apr_pool operations) cause this, and its a nginx version regardless
> bug(cause at nginx-1.1.20 also), but i cant identity exactly reason of
> this. anyone know it?
> ------------------------------------------------
> $/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> ^C*** glibc detected *** /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx:
> double free or corruption (!prev): 0x0000000001ee9630 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f4cf4f48626]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4f55e4]
>
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(+0x1ed48)[0x7f4cf6110d48]
>
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x57)[0x7f4cf610fbd7]
>
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x3a)[0x7f4cf610fbba]
>
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_terminate+0x39)[0x7f4cf610f707]
>
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_terminate+0x22)[0x7f4cf6112b15]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4ac7da]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4aba46]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x436926]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4095f4]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f4cf4eeb76d]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x408f61]
> ======= Memory map: ========
> 00400000-006e2000 r-xp 00000000 08:01 2113858
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> 008e1000-008e2000 r--p 002e1000 08:01 2113858
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> 008e2000-00902000 rw-p 002e2000 08:01 2113858
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> 00902000-00916000 rw-p 00000000 00:00 0
> 01e60000-01f18000 rw-p 00000000 00:00 0
> [heap]
> 7f4cf3923000-7f4cf3938000 r-xp 00000000 08:01 266625
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3938000-7f4cf3b37000 ---p 00015000 08:01 266625
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3b37000-7f4cf3b38000 r--p 00014000 08:01 266625
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3b38000-7f4cf3b39000 rw-p 00015000 08:01 266625
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3b39000-7f4cf3b45000 r-xp 00000000 08:01 276110
> /lib/x86_64-linux-gnu/libnss_files-2.15.so
> 7f4cf3b45000-7f4cf3d44000 ---p 0000c000 08:01 276110
> /lib/x86_64-linux-gnu/libnss_files-2.15.so
> 7f4cf3d44000-7f4cf3d45000 r--p 0000b000 08:01 276110
> /lib/x86_64-linux-gnu/libnss_files-2.15.so
> 7f4cf3d45000-7f4cf3d46000 rw-p 0000c000 08:01 276110
> /lib/x86_64-linux-gnu/libnss_files-2.15.so
> 7f4cf3d46000-7f4cf3d50000 r-xp 00000000 08:01 276111
> /lib/x86_64-linux-gnu/libnss_nis-2.15.so
> 7f4cf3d50000-7f4cf3f50000 ---p 0000a000 08:01 276111
> /lib/x86_64-linux-gnu/libnss_nis-2.15.so
> 7f4cf3f50000-7f4cf3f51000 r--p 0000a000 08:01 276111
> /lib/x86_64-linux-gnu/libnss_nis-2.15.so
> 7f4cf3f51000-7f4cf3f52000 rw-p 0000b000 08:01 276111
> /lib/x86_64-linux-gnu/libnss_nis-2.15.so
> 7f4cf3f52000-7f4cf3f69000 r-xp 00000000 08:01 268342
> /lib/x86_64-linux-gnu/libnsl-2.15.so
> 7f4cf3f69000-7f4cf4168000 ---p 00017000 08:01 268342
> /lib/x86_64-linux-gnu/libnsl-2.15.so
> 7f4cf4168000-7f4cf4169000 r--p 00016000 08:01 268342
> /lib/x86_64-linux-gnu/libnsl-2.15.so
> 7f4cf4169000-7f4cf416a000 rw-p 00017000 08:01 268342
> /lib/x86_64-linux-gnu/libnsl-2.15.so
> 7f4cf416a000-7f4cf416c000 rw-p 00000000 00:00 0
> 7f4cf416c000-7f4cf4174000 r-xp 00000000 08:01 276113
> /lib/x86_64-linux-gnu/libnss_compat-2.15.so
> 7f4cf4174000-7f4cf4373000 ---p 00008000 08:01 276113
> /lib/x86_64-linux-gnu/libnss_compat-2.15.so
> 7f4cf4373000-7f4cf4374000 r--p 00007000 08:01 276113
> /lib/x86_64-linux-gnu/libnss_compat-2.15.so
> 7f4cf4374000-7f4cf4375000 rw-p 00008000 08:01 276113
> /lib/x86_64-linux-gnu/libnss_compat-2.15.so
> 7f4cf4375000-7f4cf446e000 r-xp 00000000 08:01 267092
> /lib/x86_64-linux-gnu/libm-2.15.so
> 7f4cf446e000-7f4cf466d000 ---p 000f9000 08:01 267092
> /lib/x86_64-linux-gnu/libm-2.15.so
> 7f4cf466d000-7f4cf466e000 r--p 000f8000 08:01 267092
> /lib/x86_64-linux-gnu/libm-2.15.so
> 7f4cf466e000-7f4cf466f000 rw-p 000f9000 08:01 267092
> /lib/x86_64-linux-gnu/libm-2.15.so
> 7f4cf466f000-7f4cf468c000 r-xp 00000000 08:01 2246869
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf468c000-7f4cf488c000 ---p 0001d000 08:01 2246869
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf488c000-7f4cf488d000 r--p 0001d000 08:01 2246869
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf488d000-7f4cf488e000 rw-p 0001e000 08:01 2246869
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf488e000-7f4cf4898000 r-xp 00000000 08:01 2113179
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4898000-7f4cf4a98000 ---p 0000a000 08:01 2113179
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4a98000-7f4cf4a9a000 r--p 0000a000 08:01 2113179
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4a9a000-7f4cf4a9b000 rw-p 0000c000 08:01 2113179
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4a9b000-7f4cf4ac2000 r-xp 00000000 08:01 266041
> /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4ac2000-7f4cf4cc2000 ---p 00027000 08:01 266041
> /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4cc2000-7f4cf4cc4000 r--p 00027000 08:01 266041
> /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4cc4000-7f4cf4cc5000 rw-p 00029000 08:01 266041
> /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4cc5000-7f4cf4cc9000 r-xp 00000000 08:01 266113
> /lib/x86_64-linux-gnu/libuuid.so.1.3.0
> 7f4cf4cc9000-7f4cf4ec8000 ---p 00004000 08:01 266113
> /lib/x86_64-linux-gnu/libuuid.so.1.3.0
> 7f4cf4ec8000-7f4cf4ec9000 r--p 00003000 08:01 266113
> Aborted
>
>
>
> Regards,
>
> Yorkng
>
>
>


-- 
Regards,

Yorkng

Re: [Mod-security-developers] Advanced Slow DoS Mitigation

[Oleg G. <ole...@ya...>]

Hello,

Has anyone had a chance to compare efficiency of mod_sec vs. QoS when it comes to mitigating against slow HTTP attacks? I've heard different opinions, e.g. that mod_sec might work well for slow reads, but not writes, while QoS is good for both. 

Are there any research papers or just objective data that can confirm that or prove opposite?

The other question is related to performance impact in both solutions when it comes to high volume systems.

Any pointers are highly appreciated.  

--- On Thu, 7/7/11, Christian Folini <chr...@ti...> wrote:

From: Christian Folini <chr...@ti...>
Subject: Re: [Mod-security-developers] Advanced Slow DoS Mitigation
To: mod...@li...
Date: Thursday, July 7, 2011, 1:34 AM

Hi there,

On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> Great preso and really highlights the threat.  I was wondering what
> percentage of WikiLeaks DoS attacks were utilizing Slowloris-type
> techniques.

Me2. ;)

To be honest there was too much noise to do any sort of measurements.
We have seen a lot of things, also a lot of vanilla slowloris,
but we also must have missed a lot of other interesting attacks.

> Specifically, phase:1 was moved by Ivan awhile ago to be the same as
> phase:2 (instead of Apache post-read-request) due to many users wanting to
> use phase:1 rules inside Apache scope directives like <Location>.  I
> personally do not agree with this change and we are reviewing a potential
> change back.

I bumped into the old phase:1 / Location issue before so I understand
the motivation. But I thought it would have been the better
countermeasure to have apache refuse to start with a phase:1 rule
inside a location.

> Regardless - I believe that we should consider a "phase:0" option that
> would essentially work at the Apache Filter level hook.  So, this would
> not be parsed like the other variables but could give basic access to src
> IP data and the entire request payload as perhaps a new variable -
> THE_REQUEST.

That sounds nice.

> The main issue that I see with a Filter level hook is that mod_uniqueid is
> not yet available and that is used by ModSecurity for proper logging.

That does not sound very nice, though.

Was not there a discussion on the Apache ML to hand over mod_uniqueid
(functionality) to ModSecurity? I think that would be wrong, but maybe
it is possible to introduce a patch to have mod_uniqueid run at this
early hook too (and before phase:0).

Cheers,

Christian


-- 
If we could read the secret history of our enemies, we should find in
each man's life sorrow and suffering enough to disarm all hostility.
-- Henry Wadsworth Longfellow

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

[Mod-security-developers] [JIRA] Resolved: (MODSEC-320) Mos Security compile Issue

[Breno S. P. (JIRA) <no...@mo...>]

     [ https://www.modsecurity.org/tracker/browse/MODSEC-320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-320.
--------------------------------------

    Resolution: Won't Fix

Closing this. No feedback

> Mos Security compile Issue
> --------------------------
>
>                 Key: MODSEC-320
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-320
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Build System
>    Affects Versions: 2.6.6
>         Environment: SunOS 5.10      Generic Patch   January 2005
>            Reporter: Vishal Prabhu
>            Assignee: Breno Silva Pinto
>            Priority: Urgent
>
> After Building mod security issues having with compiling, please help.
> /opt/modsecurity-apache_2.6.6
>  # ./configure --with-apxs=/opt/apache2/bin/apxs --with-apr=/opt/apache2/bin/apr-1-config --with-apu=/opt/apache2/bin/apu-1-config --with-pcre=/opt/pcre-8.20/pcre-config.in 
> checking for a BSD-compatible install... build/install-sh -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... build/install-sh -c -d
> checking for gawk... no
> checking for mawk... no
> checking for nawk... nawk
> checking whether make sets $(MAKE)... yes
> checking build system type... sparc-sun-solaris2.10
> checking host system type... sparc-sun-solaris2.10
> checking for style of include used by make... GNU
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables... 
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking dependency style of gcc... gcc3
> checking for a sed that does not truncate output... /usr/bin/sed
> checking for grep that handles long lines and -e... /usr/local/bin/grep
> checking for egrep... /usr/local/bin/grep -E
> checking for fgrep... /usr/local/bin/grep -F
> checking for ld used by gcc... /usr/ccs/bin/ld
> checking if the linker (/usr/ccs/bin/ld) is GNU ld... no
> checking for BSD- or MS-compatible name lister (nm)... /usr/xpg4/bin/nm -p
> checking the name lister (/usr/xpg4/bin/nm -p) interface... BSD nm
> checking whether ln -s works... yes
> checking the maximum length of command line arguments... 786240
> checking whether the shell understands some XSI constructs... yes
> checking whether the shell understands "+="... no
> checking for /usr/ccs/bin/ld option to reload object files... -r
> checking for objdump... no
> checking how to recognize dependent libraries... pass_all
> checking for ar... ar
> checking for strip... no
> checking for ranlib... no
> checking command to parse /usr/xpg4/bin/nm -p output from gcc object... ok
> checking how to run the C preprocessor... gcc -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking for dlfcn.h... yes
> checking for objdir... .libs
> checking if gcc supports -fno-rtti -fno-exceptions... no
> checking for gcc option to produce PIC... -fPIC -DPIC
> checking if gcc PIC flag -fPIC -DPIC works... yes
> checking if gcc static flag -static works... no
> checking if gcc supports -c -o file.o... yes
> checking if gcc supports -c -o file.o... (cached) yes
> checking whether the gcc linker (/usr/ccs/bin/ld) supports shared libraries... yes
> checking whether -lc should be explicitly linked in... yes
> checking dynamic linker characteristics... solaris2.10 ld.so
> checking how to hardcode library paths into programs... immediate
> checking for shl_load... no
> checking for shl_load in -ldld... no
> checking for dlopen... yes
> checking whether a program can dlopen itself... yes
> checking whether a statically linked program can dlopen itself... yes
> checking whether stripping libraries is possible... no
> checking if libtool supports shared libraries... yes
> checking whether to build shared libraries... yes
> checking whether to build static libraries... yes
> checking for gawk... (cached) nawk
> checking for gcc... (cached) gcc
> checking whether we are using the GNU C compiler... (cached) yes
> checking whether gcc accepts -g... (cached) yes
> checking for gcc option to accept ISO C89... (cached) none needed
> checking dependency style of gcc... (cached) gcc3
> checking how to run the C preprocessor... gcc -E
> checking whether ln -s works... yes
> checking whether make sets $(MAKE)... (cached) yes
> checking for grep that handles long lines and -e... (cached) /usr/local/bin/grep
> checking for perl... /usr/bin/perl
> checking for env... /usr/bin/env
> checking for ANSI C header files... (cached) yes
> checking fcntl.h usability... yes
> checking fcntl.h presence... yes
> checking for fcntl.h... yes
> checking limits.h usability... yes
> checking limits.h presence... yes
> checking for limits.h... yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking for unistd.h... (cached) yes
> checking for sys/types.h... (cached) yes
> checking for sys/stat.h... (cached) yes
> checking for an ANSI C-conforming const... yes
> checking for inline... inline
> checking for C/C++ restrict keyword... __restrict
> checking for pid_t... yes
> checking for size_t... yes
> checking whether struct tm is in sys/time.h or time.h... time.h
> checking for uint8_t... yes
> checking for stdlib.h... (cached) yes
> checking for GNU libc compatible malloc... yes
> checking for working memcmp... yes
> checking for atexit... yes
> checking for getcwd... yes
> checking for memmove... yes
> checking for memset... yes
> checking for strcasecmp... yes
> checking for strchr... yes
> checking for strdup... yes
> checking for strerror... yes
> checking for strncasecmp... yes
> checking for strrchr... yes
> checking for strstr... yes
> checking for strtol... yes
> checking for fchmod... yes
> Checking plataform... Identified as Solaris
> configure: looking for Apache module support via DSO through APXS
> configure: found apxs at /opt/apache2/bin/apxs
> configure: checking httpd version
> configure: httpd is recent enough
> checking for libpcre config script... /opt/pcre-8.20/pcre-config.in
> configure: using pcre v@PACKAGE_VERSION@
> checking for libapr config script... /opt/apache2/bin/apr-1-config
> configure: using apr v1.4.5
> checking for libapu config script... /opt/apache2/bin/apu-1-config
> configure: using apu v1.3.12
> checking for libxml2 config script... /usr/bin/xml2-config
> configure: using libxml2 v2.6.23
> checking for pkg-config... /usr/bin/pkg-config
> checking pkg-config is at least version 0.9.0... yes
> checking for liblua config script... no
> checking for lua install... no
> configure: optional lua library not found
> checking for libcurl config script... no
> configure: *** curl library not found.
> configure: NOTE: curl library is only required for building mlogc
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating tools/Makefile
> config.status: creating apache2/Makefile
> config.status: creating build/apxs-wrapper
> config.status: creating mlogc/mlogc-batch-load.pl
> config.status: creating tests/run-unit-tests.pl
> config.status: creating tests/run-regression-tests.pl
> config.status: creating tests/gen_rx-pm.pl
> config.status: creating tests/csv_rx-pm.pl
> config.status: creating tests/regression/server_root/conf/httpd.conf
> config.status: creating tools/rules-updater.pl
> config.status: creating mlogc/Makefile
> config.status: creating tests/Makefile
> config.status: creating apache2/modsecurity_config_auto.h
> config.status: executing depfiles commands
> config.status: executing libtool commands
> root@devappf29   12:03 PM   Tue Jul 17
> /opt/modsecurity-apache_2.6.6
>  # make
> Making all in tools
> Making all in apache2
> make  all-am
> /bin/bash ../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.  -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE  -I/opt/apache2/include  -I/opt/apache2/include   -I/opt/apache2/include   -I@includedir@ @PCRE_STATIC_CFLAG@ -I/usr/include/libxml2  -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT mod_security2_la-mod_security2.lo -MD -MP -MF .deps/mod_security2_la-mod_security2.Tpo -c -o mod_security2_la-mod_security2.lo `test -f 'mod_security2.c' || echo './'`mod_security2.c
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE -I/opt/apache2/include -I/opt/apache2/include -I/opt/apache2/include -I@includedir@ @PCRE_STATIC_CFLAG@ -I/usr/include/libxml2 -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT mod_security2_la-mod_security2.lo -MD -MP -MF .deps/mod_security2_la-mod_security2.Tpo -c mod_security2.c  -fPIC -DPIC -o .libs/mod_security2_la-mod_security2.o
> ../libtool: line 969: gcc: command not found
> *** Error code 1
> make: Fatal error: Command failed for target `mod_security2_la-mod_security2.lo'
> Current working directory /opt/modsecurity-apache_2.6.6/apache2
> *** Error code 1
> make: Fatal error: Command failed for target `all'
> Current working directory /opt/modsecurity-apache_2.6.6/apache2
> *** Error code 1
> The following command caused the error:
> fail= failcom='exit 1'; \
> for f in x $MAKEFLAGS; do \
>   case $f in \
>     *=* | --[!k]*);; \
>     *k*) failcom='fail=yes';; \
>   esac; \
> done; \
> dot_seen=no; \
> target=`echo all-recursive | sed s/-recursive//`; \
> list='tools apache2 mlogc tests'; for subdir in $list; do \
>   echo "Making $target in $subdir"; \
>   if test "$subdir" = "."; then \
>     dot_seen=yes; \
>     local_target="$target-am"; \
>   else \
>     local_target="$target"; \
>   fi; \
>   (CDPATH="${ZSH_VERSION+.}:" && cd $subdir && make  $local_target) \
>   || eval $failcom; \
> done; \
> if test "$dot_seen" = "no"; then \
>   make  "$target-am" || exit 1; \
> fi; test -z "$fail"
> make: Fatal error: Command failed for target `all-recursive'

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[Mod-security-developers] Code style Guidelines

[Breno S. <bre...@gm...>]

Hello everybody,

We are seeing more community involvement with the ModSecurity source code!
Yeah that's great! and we would like to see more!
For that reason we updated the modsecurity.org with some code style
requirements.

Please take a look at
http://www.modsecurity.org/developers/#CodeStylebefore submit a patch
or commit.

That will help us to have a better source code

Thanks for you attention

Breno Silva

Re: [Mod-security-developers] when ModSecurit Nginx exit cause system trace

[Alan S. <ala...@ac...>]

Hi Zhuo, 

What's your version of another mod security library dependencies? In what case it occurred? Update your source tree with svn? Show your ModSec.data too, please!

[ ]'s

Alan


On Wednesday, August 15, 2012 at 6:25 AM, yorkng zhuo wrote:

> hi all,
> i compile ModSecurity Nginx project with Nginx-1.2.1, and the nginx.conf set like this
> 
> daemon off;
> matser_process off;
> server {
>      listen      80;
>      server_name   192.168.10.34;
>      location / {
>            root html;
>            index intex.html;
>            ModsecurityConfig /opt/modsec-2.7-iis-nginx-1.2.3/conf.d/ModSec.data;
>            ModSecurityEnabled On;
>     }
> }
> 
> 
> when nginx exit, the system print trace information bellow, i think libapr(apr_pool operations) cause this, and its a nginx version regardless bug(cause at nginx-1.1.20 also), but i cant identity exactly reason of this. anyone know it?
> ------------------------------------------------
> $/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> ^C*** glibc detected *** /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx: double free or corruption (!prev): 0x0000000001ee9630 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f4cf4f48626]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4f55e4]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(+0x1ed48)[0x7f4cf6110d48]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x57)[0x7f4cf610fbd7]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x3a)[0x7f4cf610fbba]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_terminate+0x39)[0x7f4cf610f707]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_terminate+0x22)[0x7f4cf6112b15]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4ac7da]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4aba46]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x436926]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4095f4]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f4cf4eeb76d]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x408f61]
> ======= Memory map: ========
> 00400000-006e2000 r-xp 00000000 08:01 2113858                            /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> 008e1000-008e2000 r--p 002e1000 08:01 2113858                            /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> 008e2000-00902000 rw-p 002e2000 08:01 2113858                            /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> 00902000-00916000 rw-p 00000000 00:00 0
> 01e60000-01f18000 rw-p 00000000 00:00 0                                  [heap]
> 7f4cf3923000-7f4cf3938000 r-xp 00000000 08:01 266625                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3938000-7f4cf3b37000 ---p 00015000 08:01 266625                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3b37000-7f4cf3b38000 r--p 00014000 08:01 266625                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3b38000-7f4cf3b39000 rw-p 00015000 08:01 266625                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f4cf3b39000-7f4cf3b45000 r-xp 00000000 08:01 276110                     /lib/x86_64-linux-gnu/libnss_files-2.15.so (http://libnss_files-2.15.so)
> 7f4cf3b45000-7f4cf3d44000 ---p 0000c000 08:01 276110                     /lib/x86_64-linux-gnu/libnss_files-2.15.so (http://libnss_files-2.15.so)
> 7f4cf3d44000-7f4cf3d45000 r--p 0000b000 08:01 276110                     /lib/x86_64-linux-gnu/libnss_files-2.15.so (http://libnss_files-2.15.so)
> 7f4cf3d45000-7f4cf3d46000 rw-p 0000c000 08:01 276110                     /lib/x86_64-linux-gnu/libnss_files-2.15.so (http://libnss_files-2.15.so)
> 7f4cf3d46000-7f4cf3d50000 r-xp 00000000 08:01 276111                     /lib/x86_64-linux-gnu/libnss_nis-2.15.so (http://libnss_nis-2.15.so)
> 7f4cf3d50000-7f4cf3f50000 ---p 0000a000 08:01 276111                     /lib/x86_64-linux-gnu/libnss_nis-2.15.so (http://libnss_nis-2.15.so)
> 7f4cf3f50000-7f4cf3f51000 r--p 0000a000 08:01 276111                     /lib/x86_64-linux-gnu/libnss_nis-2.15.so (http://libnss_nis-2.15.so)
> 7f4cf3f51000-7f4cf3f52000 rw-p 0000b000 08:01 276111                     /lib/x86_64-linux-gnu/libnss_nis-2.15.so (http://libnss_nis-2.15.so)
> 7f4cf3f52000-7f4cf3f69000 r-xp 00000000 08:01 268342                     /lib/x86_64-linux-gnu/libnsl-2.15.so (http://libnsl-2.15.so)
> 7f4cf3f69000-7f4cf4168000 ---p 00017000 08:01 268342                     /lib/x86_64-linux-gnu/libnsl-2.15.so (http://libnsl-2.15.so)
> 7f4cf4168000-7f4cf4169000 r--p 00016000 08:01 268342                     /lib/x86_64-linux-gnu/libnsl-2.15.so (http://libnsl-2.15.so)
> 7f4cf4169000-7f4cf416a000 rw-p 00017000 08:01 268342                     /lib/x86_64-linux-gnu/libnsl-2.15.so (http://libnsl-2.15.so)
> 7f4cf416a000-7f4cf416c000 rw-p 00000000 00:00 0
> 7f4cf416c000-7f4cf4174000 r-xp 00000000 08:01 276113                     /lib/x86_64-linux-gnu/libnss_compat-2.15.so (http://libnss_compat-2.15.so)
> 7f4cf4174000-7f4cf4373000 ---p 00008000 08:01 276113                     /lib/x86_64-linux-gnu/libnss_compat-2.15.so (http://libnss_compat-2.15.so)
> 7f4cf4373000-7f4cf4374000 r--p 00007000 08:01 276113                     /lib/x86_64-linux-gnu/libnss_compat-2.15.so (http://libnss_compat-2.15.so)
> 7f4cf4374000-7f4cf4375000 rw-p 00008000 08:01 276113                     /lib/x86_64-linux-gnu/libnss_compat-2.15.so (http://libnss_compat-2.15.so)
> 7f4cf4375000-7f4cf446e000 r-xp 00000000 08:01 267092                     /lib/x86_64-linux-gnu/libm-2.15.so (http://libm-2.15.so)
> 7f4cf446e000-7f4cf466d000 ---p 000f9000 08:01 267092                     /lib/x86_64-linux-gnu/libm-2.15.so (http://libm-2.15.so)
> 7f4cf466d000-7f4cf466e000 r--p 000f8000 08:01 267092                     /lib/x86_64-linux-gnu/libm-2.15.so (http://libm-2.15.so)
> 7f4cf466e000-7f4cf466f000 rw-p 000f9000 08:01 267092                     /lib/x86_64-linux-gnu/libm-2.15.so (http://libm-2.15.so)
> 7f4cf466f000-7f4cf468c000 r-xp 00000000 08:01 2246869                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf468c000-7f4cf488c000 ---p 0001d000 08:01 2246869                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf488c000-7f4cf488d000 r--p 0001d000 08:01 2246869                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf488d000-7f4cf488e000 rw-p 0001e000 08:01 2246869                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
> 7f4cf488e000-7f4cf4898000 r-xp 00000000 08:01 2113179                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4898000-7f4cf4a98000 ---p 0000a000 08:01 2113179                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4a98000-7f4cf4a9a000 r--p 0000a000 08:01 2113179                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4a9a000-7f4cf4a9b000 rw-p 0000c000 08:01 2113179                    /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
> 7f4cf4a9b000-7f4cf4ac2000 r-xp 00000000 08:01 266041                     /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4ac2000-7f4cf4cc2000 ---p 00027000 08:01 266041                     /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4cc2000-7f4cf4cc4000 r--p 00027000 08:01 266041                     /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4cc4000-7f4cf4cc5000 rw-p 00029000 08:01 266041                     /lib/x86_64-linux-gnu/libexpat.so.1.5.2
> 7f4cf4cc5000-7f4cf4cc9000 r-xp 00000000 08:01 266113                     /lib/x86_64-linux-gnu/libuuid.so.1.3.0
> 7f4cf4cc9000-7f4cf4ec8000 ---p 00004000 08:01 266113                     /lib/x86_64-linux-gnu/libuuid.so.1.3.0
> 7f4cf4ec8000-7f4cf4ec9000 r--p 00003000 08:01 266113                  Aborted
> 
> 
> 
> Regards,
> 
> Yorkng
> 

[Mod-security-developers] when ModSecurit Nginx exit cause system trace

[yorkng z. <yor...@gm...>]

hi all,
i compile ModSecurity Nginx project with Nginx-1.2.1, and the nginx.conf
set like this

*daemon off;
matser_process off;*
server {
     listen      80;
     server_name   192.168.10.34;
     location / {
           root html;
           index intex.html;
           ModsecurityConfig
/opt/modsec-2.7-iis-nginx-1.2.3/conf.d/ModSec.data;
           ModSecurityEnabled On;
    }
}


when nginx exit, the system print trace information bellow, i think
libapr(apr_pool operations) cause this, and its a nginx version regardless
bug(cause at nginx-1.1.20 also), but i cant identity exactly reason of
this. anyone know it?
------------------------------------------------
$/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
^C*** glibc detected *** /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx: double
free or corruption (!prev): 0x0000000001ee9630 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f4cf4f48626]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4f55e4]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(+0x1ed48)[0x7f4cf6110d48]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x57)[0x7f4cf610fbd7]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x3a)[0x7f4cf610fbba]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_terminate+0x39)[0x7f4cf610f707]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_terminate+0x22)[0x7f4cf6112b15]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4ac7da]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4aba46]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x436926]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4095f4]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f4cf4eeb76d]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x408f61]
======= Memory map: ========
00400000-006e2000 r-xp 00000000 08:01 2113858
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
008e1000-008e2000 r--p 002e1000 08:01 2113858
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
008e2000-00902000 rw-p 002e2000 08:01 2113858
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
00902000-00916000 rw-p 00000000 00:00 0
01e60000-01f18000 rw-p 00000000 00:00 0
[heap]
7f4cf3923000-7f4cf3938000 r-xp 00000000 08:01 266625
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4cf3938000-7f4cf3b37000 ---p 00015000 08:01 266625
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4cf3b37000-7f4cf3b38000 r--p 00014000 08:01 266625
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4cf3b38000-7f4cf3b39000 rw-p 00015000 08:01 266625
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4cf3b39000-7f4cf3b45000 r-xp 00000000 08:01 276110
/lib/x86_64-linux-gnu/libnss_files-2.15.so
7f4cf3b45000-7f4cf3d44000 ---p 0000c000 08:01 276110
/lib/x86_64-linux-gnu/libnss_files-2.15.so
7f4cf3d44000-7f4cf3d45000 r--p 0000b000 08:01 276110
/lib/x86_64-linux-gnu/libnss_files-2.15.so
7f4cf3d45000-7f4cf3d46000 rw-p 0000c000 08:01 276110
/lib/x86_64-linux-gnu/libnss_files-2.15.so
7f4cf3d46000-7f4cf3d50000 r-xp 00000000 08:01 276111
/lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f4cf3d50000-7f4cf3f50000 ---p 0000a000 08:01 276111
/lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f4cf3f50000-7f4cf3f51000 r--p 0000a000 08:01 276111
/lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f4cf3f51000-7f4cf3f52000 rw-p 0000b000 08:01 276111
/lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f4cf3f52000-7f4cf3f69000 r-xp 00000000 08:01 268342
/lib/x86_64-linux-gnu/libnsl-2.15.so
7f4cf3f69000-7f4cf4168000 ---p 00017000 08:01 268342
/lib/x86_64-linux-gnu/libnsl-2.15.so
7f4cf4168000-7f4cf4169000 r--p 00016000 08:01 268342
/lib/x86_64-linux-gnu/libnsl-2.15.so
7f4cf4169000-7f4cf416a000 rw-p 00017000 08:01 268342
/lib/x86_64-linux-gnu/libnsl-2.15.so
7f4cf416a000-7f4cf416c000 rw-p 00000000 00:00 0
7f4cf416c000-7f4cf4174000 r-xp 00000000 08:01 276113
/lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f4cf4174000-7f4cf4373000 ---p 00008000 08:01 276113
/lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f4cf4373000-7f4cf4374000 r--p 00007000 08:01 276113
/lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f4cf4374000-7f4cf4375000 rw-p 00008000 08:01 276113
/lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f4cf4375000-7f4cf446e000 r-xp 00000000 08:01 267092
/lib/x86_64-linux-gnu/libm-2.15.so
7f4cf446e000-7f4cf466d000 ---p 000f9000 08:01 267092
/lib/x86_64-linux-gnu/libm-2.15.so
7f4cf466d000-7f4cf466e000 r--p 000f8000 08:01 267092
/lib/x86_64-linux-gnu/libm-2.15.so
7f4cf466e000-7f4cf466f000 rw-p 000f9000 08:01 267092
/lib/x86_64-linux-gnu/libm-2.15.so
7f4cf466f000-7f4cf468c000 r-xp 00000000 08:01 2246869
/opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
7f4cf468c000-7f4cf488c000 ---p 0001d000 08:01 2246869
/opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
7f4cf488c000-7f4cf488d000 r--p 0001d000 08:01 2246869
/opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
7f4cf488d000-7f4cf488e000 rw-p 0001e000 08:01 2246869
/opt/modsec-2.7-iis-nginx-1.2.3/lib/zlib-1.2.4/lib/libz.so.1.2.4
7f4cf488e000-7f4cf4898000 r-xp 00000000 08:01 2113179
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
7f4cf4898000-7f4cf4a98000 ---p 0000a000 08:01 2113179
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
7f4cf4a98000-7f4cf4a9a000 r--p 0000a000 08:01 2113179
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
7f4cf4a9a000-7f4cf4a9b000 rw-p 0000c000 08:01 2113179
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-iconv-1.2.1/lib/libapriconv-1.so.0.2.1
7f4cf4a9b000-7f4cf4ac2000 r-xp 00000000 08:01 266041
/lib/x86_64-linux-gnu/libexpat.so.1.5.2
7f4cf4ac2000-7f4cf4cc2000 ---p 00027000 08:01 266041
/lib/x86_64-linux-gnu/libexpat.so.1.5.2
7f4cf4cc2000-7f4cf4cc4000 r--p 00027000 08:01 266041
/lib/x86_64-linux-gnu/libexpat.so.1.5.2
7f4cf4cc4000-7f4cf4cc5000 rw-p 00029000 08:01 266041
/lib/x86_64-linux-gnu/libexpat.so.1.5.2
7f4cf4cc5000-7f4cf4cc9000 r-xp 00000000 08:01 266113
/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7f4cf4cc9000-7f4cf4ec8000 ---p 00004000 08:01 266113
/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7f4cf4ec8000-7f4cf4ec9000 r--p 00003000 08:01 266113
Aborted



Regards,

Yorkng

Re: [Mod-security-developers] simple GET request cause ModSecurity nginx crash

[yorkng z. <yor...@gm...>]

hi all,
i had compile 2.7-iis-nginx with Nginx-1.2.3(lasest stable version) at
Ubuntu 12.04, and this bug also existence，GDB debug，crash scene bellow：
(gdb) r
Starting program: /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x00000000004ac091 in ngx_http_modsecurity_access_handler (
    req=0x943240)
    at
/home/yorkng/nginx-1.2.3/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:393
393       ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request
body: %s", req->request_body->bufs);
(gdb) p req->request_body->bufs
Cannot access memory at address 0x8
(gdb)


On Mon, Aug 13, 2012 at 6:23 PM, yorkng zhuo <yor...@gm...> wrote:

> hello all,
> i'm testing ModSecurity nginx at ubuntu 12.04, nginx version 1.1.20
> when i use curl like this: curl http://localhost/secret, then the nginx
> worker process crash. i use gdb debug it, trouble spots is here
>
> 2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c
> ----------------------------------------
> 392    ngx_http_read_request_body(req, ngx_http_dummy_payload_hander);
> 393    *ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request
> body: %s", req->request_body->bufs);*
> 394
> 395    if(status == DECLIEND)
>
> ----------------------------------------
>
> *when GET request have no body,  the req->request_body->bufs is
> undefined, like this:*
> -----------------------------------------
> Starting program: /opt/modsec-2.7-iis-nginx/sbin/nginx
> [Thread debugging using libthread_db enabled]
>
> Breakpoint 1, ngx_http_modsecurity_access_handler (req=0x942100)
>     at
> /home/yorkng/project/svn/nginxsec/branch/nsafe/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:392
> warning: Source file is more recent than executable.
> 392       ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
> (gdb) p req->request_body->bufs
> Cannot access memory at address 0x8
> (gdb)
> ------------------------------------------
>
> my resolve patch is bellow:*
>
> *--- nginx/modsecurity/ngx_http_modsecurity_module.c     (revision 2018)
> +++ nginx/modsecurity/ngx_http_modsecurity_module.c     (working copy)
> @@ -390,19 +390,25 @@
>    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "status: %d",
> status);
>
>    ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
> -  ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body:
> %s", req->request_body->bufs);
> +  if (req->headers_in.content_length) {
> +    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body:
> %s", req->request_body->bufs);
> +  }
> +  else {
> +    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body:
> ");
> +  }
>
>    if(status == DECLINED)
>    {*
> *
>



-- 
Regards,

Yorkng

Re: [Mod-security-developers] INBOUND_ERROR_DATA or INBOUND_DATA_ERROR

[Breno S. <bre...@gm...>]

Thanks Seema! i'm going to fix it.

On Tue, Aug 14, 2012 at 3:36 AM, seema deepak <see...@gm...>wrote:

> Hi,
>
> Document (
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#INBOUND_ERROR_DATA) says INBOUND_ERROR_DATA  whereas 2.6.6 version of ModSecurity code
> (re_variables.c) uses INBOUND_DATA_ERROR as the variable name. Using
> INBOUND_ERROR_DATA causes "Unknown variable" error.
> This should be fixed the document.
>
> Also, OUTBOUND_DATA_ERROR variable has not been documented.
>
> Thanks and Regards,
> Seema.
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] how can i Involved in the project that modsecurity for nginx (yorkng zhuo)

[Alan S. <ala...@ac...>]

Hi,

I try to fixing and close the stable version of module in nginx-1.2.1, try to work in this version I think is better for us for now, because of Greg speak, NGINX has numerous versions and any version has new features.

I've testing here and I still have commit some fixes and talk to us.

Regards,

Alan


On Tuesday, August 14, 2012 at 4:51 AM, yorkng zhuo wrote:

> hi Greg,
> 
> thanks for reply, i will update my nginx to latest version, and test that.
> 
> Regards,
> 
> Yorkng
> 
> 
> On Tue, Aug 14, 2012 at 3:26 PM, Greg Wroblewski <gwr...@ho... (mailto:gwr...@ho...)> wrote:
> > I did not hit this bug, which makes me think that it is an nginx 1.1.20 specific thing. We developed and briefly tested the module using nginx 1.2.0 (I will use 1.2.3 going forward).
> >  
> > The numerous versions of nginx might be problematic in the long term, so IMHO we should always focus on the latest stable one.
> >  
> > Regardless of the version issue, I think that the bug is worth fixing, it makes the module more robust.
> >  
> > Greg
> >  
> > > Date: Mon, 13 Aug 2012 18:23:46 +0800
> > > From: yorkng zhuo <yor...@gm... (mailto:yor...@gm...)>
> > > Subject: [Mod-security-developers] simple GET request cause
> > > ModSecurity nginx crash
> > > To: mod...@li... (mailto:mod...@li...)
> > > Message-ID:
> > > <CAKV5U6=echSziA=h=7RVLGe7gaQd7tkeir=g+p...@ma... (mailto:g%2Bp...@ma...)>
> > > Content-Type: text/plain; charset="iso-8859-1"
> > > 
> > > hello all,
> > > i'm testing ModSecurity nginx at ubuntu 12.04, nginx version 1.1.20
> > > when i use curl like this: curl http://localhost/secret, then the nginx
> > > worker process crash. i use gdb debug it, trouble spots is here
> > > 
> > 
> > 
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > mod-security-developers mailing list
> > mod...@li... (mailto:mod...@li...)
> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > https://www.trustwave.com/spiderLabs.php
> 
> 
> 
> -- 
> Regards,
> 
> Yorkng
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> 
> _______________________________________________
> mod-security-developers mailing list
> mod...@li... (mailto:mod...@li...)
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
> 
> 

[Mod-security-developers] INBOUND_ERROR_DATA or INBOUND_DATA_ERROR

[seema d. <see...@gm...>]

Hi,

Document (
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#INBOUND_ERROR_DATA)
says INBOUND_ERROR_DATA  whereas 2.6.6 version of ModSecurity code
(re_variables.c) uses INBOUND_DATA_ERROR as the variable name. Using
INBOUND_ERROR_DATA causes "Unknown variable" error.
This should be fixed the document.

Also, OUTBOUND_DATA_ERROR variable has not been documented.

Thanks and Regards,
Seema.

Re: [Mod-security-developers] how can i Involved in the project that modsecurity for nginx (yorkng zhuo)

[yorkng z. <yor...@gm...>]

hi Greg,

thanks for reply, i will update my nginx to latest version, and test that.

Regards,

Yorkng


On Tue, Aug 14, 2012 at 3:26 PM, Greg Wroblewski <gwr...@ho...>wrote:

> I did not hit this bug, which makes me think that it is an nginx 1.1.20
> specific thing. We developed and briefly tested the module using nginx
> 1.2.0 (I will use 1.2.3 going forward).
>
> The numerous versions of nginx might be problematic in the long term, so
> IMHO we should always focus on the latest stable one.
>
> Regardless of the version issue, I think that the bug is worth fixing, it
> makes the module more robust.
>
> Greg
>
> > Date: Mon, 13 Aug 2012 18:23:46 +0800
> > From: yorkng zhuo <yor...@gm...>
> > Subject: [Mod-security-developers] simple GET request cause
> > ModSecurity nginx crash
> > To: mod...@li...
> > Message-ID:
> > <CAKV5U6=echSziA=h=7RVLGe7gaQd7tkeir=g+p...@ma...>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > hello all,
> > i'm testing ModSecurity nginx at ubuntu 12.04, nginx version 1.1.20
> > when i use curl like this: curl http://localhost/secret, then the nginx
> > worker process crash. i use gdb debug it, trouble spots is here
> >
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>



-- 
Regards,

Yorkng

Re: [Mod-security-developers] how can i Involved in the project that modsecurity for nginx (yorkng zhuo)

[Greg W. <gwr...@ho...>]

I did not hit this bug, which makes me think that it is an nginx 1.1.20 specific thing. We developed and briefly tested the module using nginx 1.2.0 (I will use 1.2.3 going forward). The numerous versions of nginx might be problematic in the long term, so IMHO we should always focus on the latest stable one. Regardless of the version issue, I think that the bug is worth fixing, it makes the module more robust. Greg > Date: Mon, 13 Aug 2012 18:23:46 +0800
> From: yorkng zhuo <yor...@gm...>
> Subject: [Mod-security-developers] simple GET request cause
> 	ModSecurity	nginx crash
> To: mod...@li...
> Message-ID:
> 	<CAKV5U6=echSziA=h=7RVLGe7gaQd7tkeir=g+p...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> hello all,
> i'm testing ModSecurity nginx at ubuntu 12.04, nginx version 1.1.20
> when i use curl like this: curl http://localhost/secret, then the nginx
> worker process crash. i use gdb debug it, trouble spots is here
> 
 		 	   		  

[Mod-security-developers] ModSecurity Nginx, regular request can't be response, and deny action can‘t return status code which defined in the SecRule

[yorkng z. <yor...@gm...>]

hi, Alan
2.7-iis-nginx works at nginx release-1.1.20(Ubuntu 12.04)
regular request can't be response, i use curl like
**
$curl http://localhost/
<html>
<head><title>500 Internal Server Error</title></head>
<body bgcolor="white">
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.1.20</center>
</body>
</html>

my config file

*conf/nginx.conf*

server {
   listen          80;
   server_name     192.168.10.34;
   location / {
        root html;
        index index.html;
        ModSecurityConfig /opt/2.7-iis-nginx/conf.d/ModSec.data;
        ModSecurityEnabled On;
   }

*conf.d/ModSec.data*

SecRuleEngine on
SecRule REQUEST_URI "secret" "id:999, phase:1,deny,status:403"

i use GDB trace the code, i don't know why code like this:
--------------------------------------------------
400   if(status == DECLINED)
401   {
402     // this function would work here, but it is only internal
403     //ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
404     //return (NGX_DECLINED);
405
406     // If DECLINED, finalize connection (sent FIN) and return HTTP 500
407     ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "Invalid
Requ    est");
408     ngx_http_finalize_request(req, NGX_HTTP_INTERNAL_SERVER_ERROR);
409     return NGX_HTTP_INTERNAL_SERVER_ERROR;
410   }
413     return NGX_OK;
414 }
----------------------------------------------
when regular request happens, the status == DECLINED, why* return
NGX_HTTP_INTERNAL_SERVER_ERROR*? and the right code* return
(NGX_DECLINED)*is commented。


another pazzle，when the secrule match, the return code should return status
code defineded in SecRule, in this expemle, should return 403, but in the
source code,* return NGX_OK*, why?
i have check HTTP return status code defined in APACHE and NGINX, all
compliance the RFC 2616. so my patch bellow：


   if(status == DECLINED)
   {
     // this function would work here, but it is only internal
     //ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
-    //return (NGX_DECLINED);
+    return (NGX_DECLINED);

     // If DECLINED, finalize connection (sent FIN) and return HTTP 500
     ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "Invalid
Request");
     ngx_http_finalize_request(req, NGX_HTTP_INTERNAL_SERVER_ERROR);
     return NGX_HTTP_INTERNAL_SERVER_ERROR;
   }
-
-    return NGX_OK;
+   return status;
 }


Regards,

Yorkng