mod-security-developers Mailing List for ModSecurity (Page 27)
Brought to you by:
victorhora,
zimmerletw
From: Breno S. <bre...@gm...> - 2012-09-23 15:58:15
|
Hello Ulisses,

Your work on this task will help a lot of people! Let me point out some comments:

1 - Please take a look at http://www.apache.org/legal/3party.html. There is a list of authorized licenses to use. If you find some good library with a different kind of license we can try to determine if it is compatible or not.

2 - The first idea is to populate the already used modsecurity collections ARGS, ARGS_NAMES etc. However, we can discuss if necessary some additional collection, for example JSON_*. Using the ARGS* collections will make the user's life easier when applying the current ruleset against JSON data.

3 - This is a good question. Currently we don't have exact numbers to make it. But we must keep in mind we don't want to add too much latency into HTTP transactions. So we always try to work in a small range of microseconds. As you said, you can try to generate a compatible dataset and compare the performance numbers.

4 - It is fine to discuss it here. Once we have defined what to do you can document it in the Jira ticket.

Thanks

Breno

On Sun, Sep 23, 2012 at 8:31 AM, Ulisses Montenegro <uli...@gm...> wrote:

> Team
>
> As my first attempt in contributing to mod_security I've decided to tackle MODSEC-253, a JSON body processor. I've gone through the XML and multipart body processors and found them apparently straightforward. I would like some pointers on issues which I need to address before deciding on my solution, though.
>
> 1. The XML body processor uses libxml for the actual XML parsing, I assume adding a JSON parser library would be acceptable as well. If so, what licenses would be acceptable?
> 2. XML processor offers an XPath interface for rules to match XML contents, which is a standard, but AFAIK there is nothing equivalent for JSON (aside from evaluating Javascript object references). What interface would work best for the rules to gain access to the JSON contents?
> 3. Are there any guidelines/rules regarding memory usage and performance, i.e., how can if my code or the library I'm using is performing acceptably? I know I can always benchmark/profile other body processors and compare the results directly, but I'm looking more towards hard numbers, if they're available.
> 4. Finally, do these kinds of questions go into JIRA? I decided to try the mailing list first as I did not want to add possibly irrelevant information to the JIRA issue, but I think at least items [1] and [2] should be registered there -- is that how it usually works?
>
> Thanks a lot for the great work on mod_security
> Ulisses
>
> --
> “If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
|
From: Ulisses M. <uli...@gm...> - 2012-09-23 13:31:46
|
Team

As my first attempt in contributing to mod_security I've decided to tackle MODSEC-253, a JSON body processor. I've gone through the XML and multipart body processors and found them apparently straightforward. I would like some pointers on issues which I need to address before deciding on my solution, though.

1. The XML body processor uses libxml for the actual XML parsing, I assume adding a JSON parser library would be acceptable as well. If so, what licenses would be acceptable?
2. XML processor offers an XPath interface for rules to match XML contents, which is a standard, but AFAIK there is nothing equivalent for JSON (aside from evaluating Javascript object references). What interface would work best for the rules to gain access to the JSON contents?
3. Are there any guidelines/rules regarding memory usage and performance, i.e., how can if my code or the library I'm using is performing acceptably? I know I can always benchmark/profile other body processors and compare the results directly, but I'm looking more towards hard numbers, if they're available.
4. Finally, do these kinds of questions go into JIRA? I decided to try the mailing list first as I did not want to add possibly irrelevant information to the JIRA issue, but I think at least items [1] and [2] should be registered there -- is that how it usually works?

Thanks a lot for the great work on mod_security
Ulisses

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
|
From: Martin H. <mar...@sm...> - 2012-09-14 15:44:09
|
Hello,

I guess "Write a Positive Learning Engine" means the Task mentioned here [1]. It sounds interesting, but I must admit I didn't really get what is asked by the Project. In particular I don't really understand what the mentioned link [2] has to do with the Project. :( I hope you can enlighten me.

Regards,
Martin Haug

[1] http://www.modsecurity.org/projects/gsoc/ "Automated Learning/Positive Security Model"
[2] http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

On 13.09.2012 15:14, Breno Silva wrote:

> Hello Martin,
>
> There are many stuffs to work. I can give u some suggestions:
> - Extend the current encryption engine to protect Cookies and input/hidden fields
> - Write a Positive (Learning) engine
>
> Thanks
>
> Breno
>
> On Tue, Sep 11, 2012 at 6:10 PM, Ryan Barnett <RBa...@tr...> wrote:
>
> > Hey Martin,
> > Check out our GSOC page for some ideas -
> > - http://www.modsecurity.org/projects/gsoc/
> > - https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set
> >
> > For the rules ideas - most of these could be quickly prototyped using Lua API. Depending on the idea, some of them could/should be integrated directly into ModSecurity as C code.
> >
> > Let us know if any of these ideas spark your interest.
> >
> > FYI - we will probably be creating a proper Roadmap/Features page.
> >
> > Cheers.
> >
> > --
> > Ryan Barnett
> > Trustwave SpiderLabs
> > ModSecurity Project Leader
> > OWASP ModSecurity CRS Project Leader
> >
> > On 9/11/12 6:10 PM, "Martin Haug" <mar...@sm...> wrote:
> >
> > > Hello,
> > > I'm doing a 6-month Internship starting on 1.3.2013. In this I will develop a Project of my own. I now have to submit a proposal for the Project.
> > > I don't have a good Idea yet, but it would be nice, if I could work with an interesting Open Source Project, so my Question is if you have some Feature on your Wishlist which you always wanted but nobody implements it and which is suitable for a 6-month internship.
> > >
> > > The Project has to be Security-related, but I can use a broad Definition of "Security". :-)
> > > Best Regards,
> > > Martin Haug
|
From: Breno S. <bre...@gm...> - 2012-09-13 13:14:27
|
Hello Martin,

There are many things to work on. I can give you some suggestions:
- Extend the current encryption engine to protect Cookies and input/hidden fields
- Write a Positive (Learning) engine

Thanks

Breno

On Tue, Sep 11, 2012 at 6:10 PM, Ryan Barnett <RBa...@tr...> wrote:

> Hey Martin,
> Check out our GSOC page for some ideas -
> - http://www.modsecurity.org/projects/gsoc/
> - https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set
>
> For the rules ideas - most of these could be quickly prototyped using Lua API. Depending on the idea, some of them could/should be integrated directly into ModSecurity as C code.
>
> Let us know if any of these ideas spark your interest.
>
> FYI - we will probably be creating a proper Roadmap/Features page.
>
> Cheers.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
> On 9/11/12 6:10 PM, "Martin Haug" <mar...@sm...> wrote:
>
> > Hello,
> > I'm doing a 6-month Internship starting on 1.3.2013. In this I will develop a Project of my own. I now have to submit a proposal for the Project.
> > I don't have a good Idea yet, but it would be nice, if I could work with an interesting Open Source Project, so my Question is if you have some Feature on your Wishlist which you always wanted but nobody implements it and which is suitable for a 6-month internship.
> >
> > The Project has to be Security-related, but I can use a broad Definition of "Security". :-)
> > Best Regards,
> > Martin Haug
|
From: Ryan B. <RBa...@tr...> - 2012-09-11 23:11:03
|
Hey Martin,

Check out our GSOC page for some ideas -
- http://www.modsecurity.org/projects/gsoc/
- https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set

For the rules ideas - most of these could be quickly prototyped using Lua API. Depending on the idea, some of them could/should be integrated directly into ModSecurity as C code.

Let us know if any of these ideas spark your interest.

FYI - we will probably be creating a proper Roadmap/Features page.

Cheers.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

On 9/11/12 6:10 PM, "Martin Haug" <mar...@sm...> wrote:

> Hello,
> I'm doing a 6-month Internship starting on 1.3.2013. In this I will develop a Project of my own. I now have to submit a proposal for the Project.
> I don't have a good Idea yet, but it would be nice, if I could work with an interesting Open Source Project, so my Question is if you have some Feature on your Wishlist which you always wanted but nobody implements it and which is suitable for a 6-month internship.
>
> The Project has to be Security-related, but I can use a broad Definition of "Security". :-)
> Best Regards,
> Martin Haug
|
From: Christian F. <chr...@ti...> - 2012-09-11 22:39:25
|
Hi Martin,

An open-source cookie-store module for Apache would be awesome. Ideally, this would be a feature in ModSecurity or a standalone module.

By cookie store I mean a piece of logic / store, that consumes Set-Cookie Response headers from the backend application (typically in a reverse proxy setting) and stores the cookies in a local session. The client no longer sees the cookies. But when the client issues a request, the cookies are attached to his request according to their definition (domain, path, secure-flag, expiry) again.

So for the application, this is transparent and an attacker is no longer able to steal the cookies from the client anymore.

Cheers,
Christian

On Wed, Sep 12, 2012 at 12:10:58AM +0200, Martin Haug wrote:

> Hello,
> I'm doing a 6-month Internship starting on 1.3.2013. In this I will develop a Project of my own. I now have to submit a proposal for the Project.
> I don't have a good Idea yet, but it would be nice, if I could work with an interesting Open Source Project, so my Question is if you have some Feature on your Wishlist which you always wanted but nobody implements it and which is suitable for a 6-month internship.
>
> The Project has to be Security-related, but I can use a broad Definition of "Security". :-)
> Best Regards,
> Martin Haug
|
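The cookie store described in this message, as an added example that is not part of the original post and not ModSecurity or Apache code: a per-session jar on the proxy that swallows backend Set-Cookie values and re-attaches matching cookies by host, path, Secure flag and expiry. All names (`jar_store`, `jar_cookie_header`, the `cookie_jar` struct) are hypothetical; the sketch assumes expiry via Max-Age only and ignores the Domain attribute, binding each cookie to the host that set it.

```c
/* Added illustration of the cookie-store idea; not ModSecurity or Apache code.
 * Names are hypothetical. Assumptions: expiry comes from Max-Age only, and the
 * Domain attribute is ignored, so a cookie is bound to the host that set it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>                 /* strcasecmp (POSIX) */
#include <time.h>

#define MAX_COOKIES 16
#define FIELD 512                    /* also the longest Set-Cookie value accepted */

struct stored_cookie {
    char name[FIELD], value[FIELD], host[FIELD], path[FIELD];
    int secure;
    time_t expires;                  /* 0 = session cookie */
};
/* One jar per client session, kept on the proxy. */
struct cookie_jar { struct stored_cookie c[MAX_COOKIES]; int count; };

static char *trim(char *s)           /* strip blanks in place */
{
    char *e;
    while (*s == ' ' || *s == '\t') s++;
    e = s + strlen(s);
    while (e > s && (e[-1] == ' ' || e[-1] == '\t')) e--;
    *e = '\0';
    return s;
}

/* Request path equals the cookie path or lies below it ("/app" covers "/app/x"). */
static int path_match(const char *req, const char *cpath)
{
    size_t n = strlen(cpath);
    return strncmp(req, cpath, n) == 0
        && (req[n] == '\0' || cpath[n - 1] == '/' || req[n] == '/');
}

/* Consume one backend Set-Cookie value; the proxy then drops that header from
 * the response so the client never sees it. Returns 0, or -1 if rejected. */
int jar_store(struct cookie_jar *jar, const char *set_cookie,
              const char *backend_host, time_t now)
{
    struct stored_cookie ck;
    char buf[FIELD], *tok, *next;
    int i, first = 1;
    if (strlen(set_cookie) >= FIELD || strlen(backend_host) >= FIELD) return -1;
    strcpy(buf, set_cookie);
    memset(&ck, 0, sizeof ck);
    strcpy(ck.host, backend_host);
    strcpy(ck.path, "/");
    for (tok = buf; tok != NULL; tok = next, first = 0) {
        char *eq, *key, *val;
        next = strchr(tok, ';');
        if (next != NULL) *next++ = '\0';
        eq = strchr(tok, '=');
        val = trim(eq ? eq + 1 : tok + strlen(tok));
        if (eq != NULL) *eq = '\0';
        key = trim(tok);
        if (first) {                                   /* leading name=value */
            if (eq == NULL || key[0] == '\0') return -1;
            strcpy(ck.name, key);
            strcpy(ck.value, val);
        } else if (strcasecmp(key, "Path") == 0 && val[0] == '/') {
            strcpy(ck.path, val);
        } else if (strcasecmp(key, "Secure") == 0) {
            ck.secure = 1;
        } else if (strcasecmp(key, "Max-Age") == 0) {
            ck.expires = now + (time_t)atol(val);
        }
    }
    for (i = 0; i < jar->count; i++)                   /* same cookie: replace */
        if (strcmp(jar->c[i].name, ck.name) == 0 && strcmp(jar->c[i].path, ck.path) == 0
            && strcasecmp(jar->c[i].host, ck.host) == 0) break;
    if (i == MAX_COOKIES) return -1;                   /* jar full */
    jar->c[i] = ck;
    if (i == jar->count) jar->count++;
    return 0;
}

/* Build the Cookie header for a request forwarded to the backend. Returns the
 * number of cookies attached, or -1 if out is too small. */
int jar_cookie_header(const struct cookie_jar *jar, const char *host, const char *path,
                      int is_https, time_t now, char *out, size_t outlen)
{
    size_t used = 0;
    int i, n, sent = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < jar->count; i++) {
        const struct stored_cookie *c = &jar->c[i];
        if ((c->expires != 0 && c->expires <= now) || (c->secure && !is_https)) continue;
        if (strcasecmp(host, c->host) != 0 || !path_match(path, c->path)) continue;
        n = snprintf(out + used, outlen - used, "%s%s=%s", sent ? "; " : "", c->name, c->value);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        sent++;
    }
    return sent;
}
```

The jar has to be keyed by a session identifier that the proxy itself issues to the client, since that identifier is now the only credential the browser holds.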
From: Martin H. <mar...@sm...> - 2012-09-11 22:11:54
|
Hello,

I'm doing a 6-month Internship starting on 1.3.2013. In this I will develop a Project of my own. I now have to submit a proposal for the Project.

I don't have a good Idea yet, but it would be nice, if I could work with an interesting Open Source Project, so my Question is if you have some Feature on your Wishlist which you always wanted but nobody implements it and which is suitable for a 6-month internship.

The Project has to be Security-related, but I can use a broad Definition of "Security". :-)

Best Regards,
Martin Haug
|
From: Breno S. <bre...@gm...> - 2012-09-10 20:05:56
|
The ModSecurity Development Team is pleased to announce the availability of ModSecurity 7.0-rc3 Release <http://www.modsecurity.org/download/modsecurity-apache_2.7.0-rc2.tar.gz>.

The stability of this release is good and it includes bug fixes and new features. I think the most important one is to be able to handle Internationalization (I18N) and thus properly handle various data encodings including Unicode and UTF-8 in order to prevent not only evasion issues but also to minimize false positives. Please check our blog for more information <http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html>.

We also merged the Nginx and IIS code from the experimental branch. The IIS code should be stable now but Nginx is still in experimental status.

This should be the last -rc extra version until the stable.

Please see the release notes included in the CHANGES <http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES> file. For known problems and more information about bug fixes, please see the online ModSecurity Jira <https://www.modsecurity.org/tracker/>.

Please report any bug to mod...@li... <http://lists.sourceforge.net/lists/listinfo/mod-security-developers>.

Thanks

Breno Silva
|
From: Alexander N. <ana...@gm...> - 2012-09-07 04:59:33
|
Hello!

*Steps to reproduce:*

1. Install mod_security on Windows Server 2008 R2 x64, IIS 7.5 using msi installer
2. Setup mod_security for your website
3. In IIS go to advanced settings of application pool of your website
4. Set "Enable 32-Bit Applications" property to "True"
5. Restart the pool and your website
6. Make a request to the site

*Actual result:* in response headers value of "Content-Size" header is enormous. Thus client actually loads contents but waits for the rest. If you try to load your site in a common browser such as Chrome loading will hang up.
|
From: Parthasarathi K. <par...@ya...> - 2012-08-24 10:29:03
|
Please find the patch Thanks Partha --- modsecurity-apache/apache2/msc_util.c Fri Aug 24 02:23:52 2012 -0700 +++ modsecurity-apache/apache2/msc_util.c Fri Aug 24 03:26:42 2012 -0700 @@ -387,6 +387,7 @@ } else { d = strrchr(b, '\\'); if (d != NULL) *d = '\0'; + else b = apr_pstrdup(p, "."); } return b; @@ -401,7 +402,7 @@ c = strrchr(b, '/'); if (c != NULL) *c = '\0'; - + else b = apr_pstrdup(p, "."); return b; } #endif ________________________________ 
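Review bot: in the hunk at `@@ -387,6 +387,7 @@`, the added `else b = apr_pstrdup(p, ".");` hangs an unbraced else off the one-line `if (d != NULL) *d = '\0';`. Brace both arms so a later edit cannot detach the fallback, and state in the function's comment that a name with no separator now yields "." instead of the name itself, since the concurrent audit log path discussed in this thread depends on that return value.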
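Review bot: in the hunk at `@@ -401,7 +402,7 @@`, the `/` branch still produces an empty string when the only separator is the first character: for `/audit.log`, `c = strrchr(b, '/'); if (c != NULL) *c = '\0';` leaves `""` rather than `/`. Consider handling `c == b` separately alongside the new "." fallback, and keep the blank line before `return b;` that this hunk replaces with the else.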
From: Breno Silva <bre...@gm...>
To: mod...@li...
Sent: Thursday, August 23, 2012 11:34 PM
Subject: Re: [Mod-security-developers] SecAuditLogType concurrent, SecAuditLog has file name "audit.log" creates directory audit.log

Hello,

Yes, looks like a possible fix. I just need to make some tests. Could you send a patch ?

Thanks

Breno

On Thu, Aug 23, 2012 at 12:49 PM, seema deepak <see...@gm...> wrote:

> Hi,
>
> Is this a known issue ?
>
> Let me explain the scenario little more.
>
> If we use the below configuration (without SecAuditLogStorageDir) ...
>
> -- -- -- -- --
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog ./audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> when the server starts up, it creates "audit.log" file relative to the server's config directory ( <config dir>/audit.log ).
> And when ModSecurity processes the request, logs the msg in the concurrent log file created relative to server's config directory ( e.g. <config dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that file's info get logged in the audit.log file.
> So we do see some entries in audit.log and the concurrent log.
>
> If we change AuditLog's location to some absolute path like /tmp/audit.log,
> then audit.log is created in the /tmp dir and concurrent logs are also created in /tmp dir ( /tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).
>
> Issue is when we specify just the filename for SecAuditLog.
>
> -- -- -- -- --
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> At server startup, audit.log file gets created in the server's config directory ( <config dir>/audit.log ) . During request processing when ModSecurity tries to create the concurrent log file it tries to create <config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists and is a file.
>
> Change in file_dirname() of msc_util.c to return "." when filename doesn't have "/" or "\" fixed the issue.
> Please let us know if it is the right fix.
>
> Thanks,
> Seema.
>
> On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <par...@ya...> wrote:
>
> > If the rule file contains SecAuditLog and provides the file name and there is no SecAuditLogStorageDir( it is not mandatory) , it creates audit.log as the directory instead of creating that as the index file.
> >
> > SecRuleEngine On
> > SecAuditEngine On
> > SecAuditLogType concurrent
> > SecAuditLog audit.log
> > SecAuditLogParts ABCFHZ
> >
> > The behaviour is different when SecAuditLog ./audit.log.
> >
> > The issue is with file_dirname(msr->mp, "audit.log")function. it returns "audit.log", where as
> > file_dirname(msr->mp, "./audit.log" ) correctly returns "." as the directory.
> >
> > Should not it return "." even on file_dirname(msr->mp, "audit.log") ?
> >
> > Thanks
> > Partha
|
From: Breno S. <bre...@gm...> - 2012-08-23 18:04:59
|
Hello,

Yes, looks like a possible fix. I just need to make some tests. Could you send a patch ?

Thanks

Breno

On Thu, Aug 23, 2012 at 12:49 PM, seema deepak <see...@gm...> wrote:

> Hi,
>
> Is this a known issue ?
>
> Let me explain the scenario little more.
>
> If we use the below configuration (without SecAuditLogStorageDir) ...
>
> -- -- -- -- --
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog ./audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> when the server starts up, it creates "audit.log" file relative to the server's config directory ( <config dir>/audit.log ).
> And when ModSecurity processes the request, logs the msg in the concurrent log file created relative to server's config directory ( e.g. <config dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that file's info get logged in the audit.log file.
> So we do see some entries in audit.log and the concurrent log.
>
> If we change AuditLog's location to some absolute path like /tmp/audit.log,
> then audit.log is created in the /tmp dir and concurrent logs are also created in /tmp dir ( /tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).
>
> Issue is when we specify just the filename for SecAuditLog.
>
> -- -- -- -- --
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> At server startup, audit.log file gets created in the server's config directory ( <config dir>/audit.log ) . During request processing when ModSecurity tries to create the concurrent log file it tries to create <config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists and is a file.
>
> Change in file_dirname() of msc_util.c to return "." when filename doesn't have "/" or "\" fixed the issue.
> Please let us know if it is the right fix.
>
> Thanks,
> Seema.
>
> On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <par...@ya...> wrote:
>
> > If the rule file contains SecAuditLog and provides the file name and there is no SecAuditLogStorageDir( it is not mandatory) , it creates audit.log as the directory instead of creating that as the index file.
> >
> > SecRuleEngine On
> > SecAuditEngine On
> > SecAuditLogType concurrent
> > SecAuditLog audit.log
> > SecAuditLogParts ABCFHZ
> >
> > The behaviour is different when SecAuditLog ./audit.log.
> >
> > The issue is with file_dirname(msr->mp, "audit.log")function. it returns "audit.log", where as
> > file_dirname(msr->mp, "./audit.log" ) correctly returns "." as the directory.
> >
> > Should not it return "." even on file_dirname(msr->mp, "audit.log") ?
> >
> > Thanks
> > Partha
|
From: seema d. <see...@gm...> - 2012-08-23 17:49:41
|
Hi,

Is this a known issue? Let me explain the scenario a little more.

If we use the below configuration (without SecAuditLogStorageDir) ...

-- -- -- -- --
SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog ./audit.log
SecAuditLogParts ABCFHZ
-- -- -- -- --

when the server starts up, it creates the "audit.log" file relative to the server's config directory (<config dir>/audit.log). And when ModSecurity processes the request, it logs the msg in the concurrent log file created relative to the server's config directory (e.g. <config dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that file's info gets logged in the audit.log file. So we do see some entries in audit.log and the concurrent log.

If we change AuditLog's location to some absolute path like /tmp/audit.log, then audit.log is created in the /tmp dir and concurrent logs are also created in the /tmp dir (/tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).

The issue is when we specify just the filename for SecAuditLog.

-- -- -- -- --
SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog audit.log
SecAuditLogParts ABCFHZ
-- -- -- -- --

At server startup, the audit.log file gets created in the server's config directory (<config dir>/audit.log). During request processing, when ModSecurity tries to create the concurrent log file, it tries to create <config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists and is a file.

A change in file_dirname() of msc_util.c to return "." when the filename doesn't have "/" or "\" fixed the issue.

Please let us know if it is the right fix.

Thanks,
Seema.

On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <par...@ya...> wrote:

> If the rule file contains SecAuditLog and provides the file name and
> there is no SecAuditLogStorageDir (it is not mandatory), it creates
> audit.log as the directory instead of creating that as the index file.
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
>
> The behaviour is different when SecAuditLog ./audit.log.
>
> The issue is with the file_dirname(msr->mp, "audit.log") function. It returns
> "audit.log", whereas
> file_dirname(msr->mp, "./audit.log") correctly returns "." as the
> directory.
>
> Should not it return "." even on file_dirname(msr->mp, "audit.log")?
>
> Thanks
> Partha
|
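The behaviour described in the message above, as an added example that is not part of the thread and not ModSecurity's own code: `dirname_reported()` mimics what the thread says `file_dirname()` returns, `dirname_proposed()` applies the change Seema describes, and `storage_collides()` shows why a bare file name makes the storage directory and the index file the same path. All function names, the malloc-based allocation (in place of an APR pool) and the handling of inputs the thread does not mention are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Date-based entry name quoted in the message above; sample input only. */
#define SAMPLE_REL "20120823/20120823-0601/20120823-060111-fNOoe110000000000,0"

/* Heap copy of s (assumption: stands in for an APR pool allocation). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Index of the last '/' or '\' in name, or -1 when there is none. */
static long last_sep(const char *name)
{
    long i, pos = -1;
    for (i = 0; name[i] != '\0'; i++) {
        if (name[i] == '/' || name[i] == '\\') pos = i;
    }
    return pos;
}

/* Behaviour reported in the thread: "./audit.log" gives ".", but a bare
   "audit.log" comes back unchanged because there is nothing to cut at. */
char *dirname_reported(const char *filename)
{
    char *b;
    long pos;
    if (filename == NULL) return NULL;
    b = dup_str(filename);
    if (b == NULL) return NULL;
    pos = last_sep(b);
    if (pos >= 0) b[pos] = '\0';
    return b;
}

/* Change described in the thread: no separator means the current directory. */
char *dirname_proposed(const char *filename)
{
    char *b;
    long pos;
    if (filename == NULL) return NULL;
    pos = last_sep(filename);
    if (pos < 0) return dup_str(".");
    b = dup_str(filename);
    if (b == NULL) return NULL;
    /* Extra guard, not from the thread: keep a leading separator so that
       "/audit.log" yields "/" rather than an empty string. */
    b[pos == 0 ? 1 : pos] = '\0';
    return b;
}

/* Path of one concurrent log entry below the derived storage directory. */
char *concurrent_path(const char *dir, const char *rel)
{
    size_t n = strlen(dir) + strlen(rel) + 2;
    char *p = malloc(n);
    if (p != NULL) snprintf(p, n, "%s/%s", dir, rel);
    return p;
}

/* 1 when the derived storage directory is the index file itself, i.e. the
   case where creating <dir>/<date>/... fails because <dir> is a file. */
int storage_collides(const char *audit_log, char *(*dirfn)(const char *))
{
    char *dir = dirfn(audit_log);
    int hit = (dir != NULL && strcmp(dir, audit_log) == 0);
    free(dir);
    return hit;
}

int main(void)
{
    /* The three SecAuditLog values discussed in the thread. */
    const char *inputs[] = { "audit.log", "./audit.log", "/tmp/audit.log" };
    size_t i;
    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char *before = dirname_reported(inputs[i]);
        char *after = dirname_proposed(inputs[i]);
        char *path = after ? concurrent_path(after, SAMPLE_REL) : NULL;
        printf("SecAuditLog %-15s reported=%-10s proposed=%-5s collides=%d\n  -> %s\n",
               inputs[i], before ? before : "(null)", after ? after : "(null)",
               storage_collides(inputs[i], dirname_reported),
               path ? path : "(null)");
        free(before);
        free(after);
        free(path);
    }
    return 0;
}
```

Setting SecAuditLogStorageDir explicitly avoids deriving the directory from the index file name at all.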
From: yorkng z. <yor...@gm...> - 2012-08-19 15:57:50
|
hi Alan,

I think there are some minor errors in my last letter: the nginx versions I had used are 1.2.3 and 1.1.20, not 1.2.1.

*ur question: What's your version of another mod security library dependencies?*
I don't understand the question exactly. To compile nginx, I always use the apr packages from the official site, and they are the latest versions:
apr-1.4.6
apr-iconv-1.2.1
apr-util-1.4.1

*ur question: In what case it occurred?*
When nginx (compiled with mod security) runs, as long as a web client (such as curl) accesses the site which is set up by nginx, and then nginx exits (CTRL-C), the case occurs. But if nginx runs and exits without a web client having accessed the site, this case would not occur.

*ur question: Update your source tree with svn?*
Yes, I update the mod security source tree with svn.

*ur question: Show your ModSec.data*
ModSec.data's content is simple:
SecRuleEngine on
SecRule REQUEST_URI "secret" "id:999,phase:1,deny"

Regards
yorkng

On Wed, Aug 15, 2012 at 8:23 PM, Alan Silva <ala...@ac...> wrote:

> Hi Zhuo,
>
> What's your version of another mod security library dependencies? In what
> case it occurred? Update your source tree with svn? Show your ModSec.data
> too, please!
>
> [ ]'s
>
> Alan
>
> On Wednesday, August 15, 2012 at 6:25 AM, yorkng zhuo wrote:
>
> hi all,
> I compile the ModSecurity Nginx project with Nginx-1.2.1, and the nginx.conf
> is set like this
>
> *daemon off;
> master_process off;*
> server {
> listen 80;
> server_name 192.168.10.34;
> location / {
> root html;
> index intex.html;
> ModsecurityConfig /opt/modsec-2.7-iis-nginx-1.2.3/conf.d/ModSec.data;
> ModSecurityEnabled On;
> }
> }
>
> When nginx exits, the system prints the trace information below. I think
> libapr (apr_pool operations) causes this, and it's an nginx version regardless
> bug (it occurs at nginx-1.1.20 also), but I can't identify the exact reason of
> this. Anyone know it?
> ------------------------------------------------
> $/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> ^C*** glibc detected *** /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx: double free or corruption (!prev): 0x0000000001ee9630 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f4cf4f48626]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4f55e4]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(+0x1ed48)[0x7f4cf6110d48]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x57)[0x7f4cf610fbd7]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x3a)[0x7f4cf610fbba]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_terminate+0x39)[0x7f4cf610f707]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_terminate+0x22)[0x7f4cf6112b15]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4ac7da]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4aba46]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x436926]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4095f4]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f4cf4eeb76d]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x408f61]
> ======= Memory map: ========
> Aborted
>
> Regards,
>
> Yorkng

--
Regards,
Yorkng
|
From: Oleg G. <ole...@ya...> - 2012-08-18 04:27:36
|
Hello,

Has anyone had a chance to compare efficiency of mod_sec vs. QoS when it comes to mitigating against slow HTTP attacks? I've heard different opinions, e.g. that mod_sec might work well for slow reads, but not writes, while QoS is good for both. Are there any research papers or just objective data that can confirm that or prove opposite?

The other question is related to performance impact in both solutions when it comes to high volume systems.

Any pointers are highly appreciated.

--- On Thu, 7/7/11, Christian Folini <chr...@ti...> wrote:

From: Christian Folini <chr...@ti...>
Subject: Re: [Mod-security-developers] Advanced Slow DoS Mitigation
To: mod...@li...
Date: Thursday, July 7, 2011, 1:34 AM

Hi there,

On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> Great preso and really highlights the threat. I was wondering what
> percentage of WikiLeaks DoS attacks were utilizing Slowloris-type
> techniques.

Me2. ;)

To be honest there was too much noise to do any sort of measurements. We have seen a lot of things, also a lot of vanilla slowloris, but we also must have missed a lot of other interesting attacks.

> Specifically, phase:1 was moved by Ivan awhile ago to be the same as
> phase:2 (instead of Apache post-read-request) due to many users wanting to
> use phase:1 rules inside Apache scope directives like <Location>. I
> personally do not agree with this change and we are reviewing a potential
> change back.

I bumped into the old phase:1 / Location issue before so I understand the motivation. But I thought it would have been the better countermeasure to have apache refuse to start with a phase:1 rule inside a location.

> Regardless - I believe that we should consider a "phase:0" option that
> would essentially work at the Apache Filter level hook. So, this would
> not be parsed like the other variables but could give basic access to src
> IP data and the entire request payload as perhaps a new variable -
> THE_REQUEST.

That sounds nice.

> The main issue that I see with a Filter level hook is that mod_uniqueid is
> not yet available and that is used by ModSecurity for proper logging.

That does not sound very nice, though. Was not there a discussion on the Apache ML to hand over mod_uniqueid (functionality) to ModSecurity? I think that would be wrong, but maybe it is possible to introduce a patch to have mod_uniqueid run at this early hook too (and before phase:0).

Cheers,

Christian

--
If we could read the secret history of our enemies, we should find in each man's life sorrow and suffering enough to disarm all hostility.
-- Henry Wadsworth Longfellow
|
From: Breno S. P. (JIRA) <no...@mo...> - 2012-08-17 18:38:03
|
[ https://www.modsecurity.org/tracker/browse/MODSEC-320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-320.
--------------------------------------

Resolution: Won't Fix

Closing this. No feedback

> Mos Security compile Issue
> --------------------------
>
> Key: MODSEC-320
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-320
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Build System
> Affects Versions: 2.6.6
> Environment: SunOS 5.10 Generic Patch January 2005
> Reporter: Vishal Prabhu
> Assignee: Breno Silva Pinto
> Priority: Urgent
>
> After Building mod security issues having with compiling, please help.
> /opt/modsecurity-apache_2.6.6
> # ./configure --with-apxs=/opt/apache2/bin/apxs --with-apr=/opt/apache2/bin/apr-1-config --with-apu=/opt/apache2/bin/apu-1-config --with-pcre=/opt/pcre-8.20/pcre-config.in
> checking for a BSD-compatible install... build/install-sh -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... build/install-sh -c -d
> checking for gawk... no
> checking for mawk... no
> checking for nawk... nawk
> checking whether make sets $(MAKE)... yes
> checking build system type... sparc-sun-solaris2.10
> checking host system type... sparc-sun-solaris2.10
> checking for style of include used by make... GNU
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking dependency style of gcc... gcc3
> checking for a sed that does not truncate output... /usr/bin/sed
> checking for grep that handles long lines and -e... /usr/local/bin/grep
> checking for egrep... /usr/local/bin/grep -E
> checking for fgrep... /usr/local/bin/grep -F
> checking for ld used by gcc... /usr/ccs/bin/ld
> checking if the linker (/usr/ccs/bin/ld) is GNU ld... no
> checking for BSD- or MS-compatible name lister (nm)... /usr/xpg4/bin/nm -p
> checking the name lister (/usr/xpg4/bin/nm -p) interface... BSD nm
> checking whether ln -s works... yes
> checking the maximum length of command line arguments... 786240
> checking whether the shell understands some XSI constructs... yes
> checking whether the shell understands "+="... no
> checking for /usr/ccs/bin/ld option to reload object files... -r
> checking for objdump... no
> checking how to recognize dependent libraries... pass_all
> checking for ar... ar
> checking for strip... no
> checking for ranlib... no
> checking command to parse /usr/xpg4/bin/nm -p output from gcc object... ok
> checking how to run the C preprocessor... gcc -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking for dlfcn.h... yes
> checking for objdir... .libs
> checking if gcc supports -fno-rtti -fno-exceptions... no
> checking for gcc option to produce PIC... -fPIC -DPIC
> checking if gcc PIC flag -fPIC -DPIC works... yes
> checking if gcc static flag -static works... no
> checking if gcc supports -c -o file.o... yes
> checking if gcc supports -c -o file.o... (cached) yes
> checking whether the gcc linker (/usr/ccs/bin/ld) supports shared libraries... yes
> checking whether -lc should be explicitly linked in... yes
> checking dynamic linker characteristics... solaris2.10 ld.so
> checking how to hardcode library paths into programs... immediate
> checking for shl_load... no
> checking for shl_load in -ldld... no
> checking for dlopen... yes
> checking whether a program can dlopen itself... yes
> checking whether a statically linked program can dlopen itself... yes
> checking whether stripping libraries is possible... no
> checking if libtool supports shared libraries... yes
> checking whether to build shared libraries... yes
> checking whether to build static libraries... yes
> checking for gawk... (cached) nawk
> checking for gcc... (cached) gcc
> checking whether we are using the GNU C compiler... (cached) yes
> checking whether gcc accepts -g... (cached) yes
> checking for gcc option to accept ISO C89... (cached) none needed
> checking dependency style of gcc... (cached) gcc3
> checking how to run the C preprocessor... gcc -E
> checking whether ln -s works... yes
> checking whether make sets $(MAKE)... (cached) yes
> checking for grep that handles long lines and -e... (cached) /usr/local/bin/grep
> checking for perl... /usr/bin/perl
> checking for env... /usr/bin/env
> checking for ANSI C header files... (cached) yes
> checking fcntl.h usability... yes
> checking fcntl.h presence... yes
> checking for fcntl.h... yes
> checking limits.h usability... yes
> checking limits.h presence... yes
> checking for limits.h... yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking for unistd.h... (cached) yes
> checking for sys/types.h... (cached) yes
> checking for sys/stat.h... (cached) yes
> checking for an ANSI C-conforming const... yes
> checking for inline... inline
> checking for C/C++ restrict keyword... __restrict
> checking for pid_t... yes
> checking for size_t... yes
> checking whether struct tm is in sys/time.h or time.h... time.h
> checking for uint8_t... yes
> checking for stdlib.h... (cached) yes
> checking for GNU libc compatible malloc... yes
> checking for working memcmp... yes
> checking for atexit... yes
> checking for getcwd... yes
> checking for memmove... yes
> checking for memset... yes
> checking for strcasecmp... yes
> checking for strchr... yes
> checking for strdup... yes
> checking for strerror... yes
> checking for strncasecmp... yes
> checking for strrchr... yes
> checking for strstr... yes
> checking for strtol... yes
> checking for fchmod... yes
> Checking plataform... Identified as Solaris
> configure: looking for Apache module support via DSO through APXS
> configure: found apxs at /opt/apache2/bin/apxs
> configure: checking httpd version
> configure: httpd is recent enough
> checking for libpcre config script... /opt/pcre-8.20/pcre-config.in
> configure: using pcre v@PACKAGE_VERSION@
> checking for libapr config script... /opt/apache2/bin/apr-1-config
> configure: using apr v1.4.5
> checking for libapu config script... /opt/apache2/bin/apu-1-config
> configure: using apu v1.3.12
> checking for libxml2 config script... /usr/bin/xml2-config
> configure: using libxml2 v2.6.23
> checking for pkg-config... /usr/bin/pkg-config
> checking pkg-config is at least version 0.9.0... yes
> checking for liblua config script... no
> checking for lua install... no
> configure: optional lua library not found
> checking for libcurl config script... no
> configure: *** curl library not found.
> configure: NOTE: curl library is only required for building mlogc
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating tools/Makefile
> config.status: creating apache2/Makefile
> config.status: creating build/apxs-wrapper
> config.status: creating mlogc/mlogc-batch-load.pl
> config.status: creating tests/run-unit-tests.pl
> config.status: creating tests/run-regression-tests.pl
> config.status: creating tests/gen_rx-pm.pl
> config.status: creating tests/csv_rx-pm.pl
> config.status: creating tests/regression/server_root/conf/httpd.conf
> config.status: creating tools/rules-updater.pl
> config.status: creating mlogc/Makefile
> config.status: creating tests/Makefile
> config.status: creating apache2/modsecurity_config_auto.h
> config.status: executing depfiles commands
> config.status: executing libtool commands
> root@devappf29 12:03 PM Tue Jul 17
> /opt/modsecurity-apache_2.6.6
> # make
> Making all in tools
> Making all in apache2
> make all-am
> /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE -I/opt/apache2/include -I/opt/apache2/include -I/opt/apache2/include -I@includedir@ @PCRE_STATIC_CFLAG@ -I/usr/include/libxml2 -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT mod_security2_la-mod_security2.lo -MD -MP -MF .deps/mod_security2_la-mod_security2.Tpo -c -o mod_security2_la-mod_security2.lo `test -f 'mod_security2.c' || echo './'`mod_security2.c
> libtool: compile: gcc -DHAVE_CONFIG_H -I. -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE -I/opt/apache2/include -I/opt/apache2/include -I/opt/apache2/include -I@includedir@ @PCRE_STATIC_CFLAG@ -I/usr/include/libxml2 -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT mod_security2_la-mod_security2.lo -MD -MP -MF .deps/mod_security2_la-mod_security2.Tpo -c mod_security2.c -fPIC -DPIC -o .libs/mod_security2_la-mod_security2.o
> ../libtool: line 969: gcc: command not found
> *** Error code 1
> make: Fatal error: Command failed for target `mod_security2_la-mod_security2.lo'
> Current working directory /opt/modsecurity-apache_2.6.6/apache2
> *** Error code 1
> make: Fatal error: Command failed for target `all'
> Current working directory /opt/modsecurity-apache_2.6.6/apache2
> *** Error code 1
> The following command caused the error:
> fail= failcom='exit 1'; \
> for f in x $MAKEFLAGS; do \
> case $f in \
> *=* | --[!k]*);; \
> *k*) failcom='fail=yes';; \
> esac; \
> done; \
> dot_seen=no; \
> target=`echo all-recursive | sed s/-recursive//`; \
> list='tools apache2 mlogc tests'; for subdir in $list; do \
> echo "Making $target in $subdir"; \
> if test "$subdir" = "."; then \
> dot_seen=yes; \
> local_target="$target-am"; \
> else \
> local_target="$target"; \
> fi; \
> (CDPATH="${ZSH_VERSION+.}:" && cd $subdir && make $local_target) \
> || eval $failcom; \
> done; \
> if test "$dot_seen" = "no"; then \
> make "$target-am" || exit 1; \
> fi; test -z "$fail"
> make: Fatal error: Command failed for target `all-recursive'
|
From: Breno S. <bre...@gm...> - 2012-08-15 13:16:08
|
Hello everybody,

We are seeing more community involvement with the ModSecurity source code! Yeah, that's great! And we would like to see more!

For that reason we updated modsecurity.org with some code style requirements. Please take a look at http://www.modsecurity.org/developers/#CodeStyle before submitting a patch or commit. That will help us to have better source code.

Thanks for your attention

Breno Silva
|
From: Alan S. <ala...@ac...> - 2012-08-15 12:23:35
|
Hi Zhuo,

What's your version of another mod security library dependencies? In what case it occurred? Update your source tree with svn? Show your ModSec.data too, please!

[ ]'s

Alan

On Wednesday, August 15, 2012 at 6:25 AM, yorkng zhuo wrote:

> hi all,
> I compile the ModSecurity Nginx project with Nginx-1.2.1, and the nginx.conf is set like this
>
> daemon off;
> master_process off;
> server {
> listen 80;
> server_name 192.168.10.34;
> location / {
> root html;
> index intex.html;
> ModsecurityConfig /opt/modsec-2.7-iis-nginx-1.2.3/conf.d/ModSec.data;
> ModSecurityEnabled On;
> }
> }
>
> When nginx exits, the system prints the trace information below. I think libapr (apr_pool operations) causes this, and it's an nginx version regardless bug (it occurs at nginx-1.1.20 also), but I can't identify the exact reason of this. Anyone know it?
> ------------------------------------------------
> $/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
> ^C*** glibc detected *** /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx: double free or corruption (!prev): 0x0000000001ee9630 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f4cf4f48626]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4f55e4]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(+0x1ed48)[0x7f4cf6110d48]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x57)[0x7f4cf610fbd7]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x3a)[0x7f4cf610fbba]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_terminate+0x39)[0x7f4cf610f707]
> /opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_terminate+0x22)[0x7f4cf6112b15]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4ac7da]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4aba46]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x436926]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4095f4]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f4cf4eeb76d]
> /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x408f61]
> ======= Memory map: ========
> Aborted
>
> Regards,
>
> Yorkng
|
From: yorkng z. <yor...@gm...> - 2012-08-15 09:25:39
|
hi all,

I compiled the ModSecurity Nginx project with Nginx-1.2.1, and nginx.conf is set like this:

    daemon off;
    master_process off;

    server {
        listen 80;
        server_name 192.168.10.34;
        location / {
            root html;
            index intex.html;
            ModSecurityConfig /opt/modsec-2.7-iis-nginx-1.2.3/conf.d/ModSec.data;
            ModSecurityEnabled On;
        }
    }

When nginx exits, the system prints the trace information below. I think libapr (apr_pool operations) causes this, and it is a bug regardless of the nginx version (it also occurs with nginx-1.1.20), but I can't identify the exact reason for it. Does anyone know it?

------------------------------------------------
$/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
^C*** glibc detected *** /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx: double free or corruption (!prev): 0x0000000001ee9630 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f4cf4f48626]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4f55e4]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(+0x1ed48)[0x7f4cf6110d48]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x57)[0x7f4cf610fbd7]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_destroy+0x3a)[0x7f4cf610fbba]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_pool_terminate+0x39)[0x7f4cf610f707]
/opt/modsec-2.7-iis-nginx-1.2.3/lib/apr-1.4.6/lib/libapr-1.so.0(apr_terminate+0x22)[0x7f4cf6112b15]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4ac7da]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4aba46]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x436926]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x4095f4]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f4cf4eeb76d]
/opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx[0x408f61]
Aborted

Regards,
Yorkng |
From: yorkng z. <yor...@gm...> - 2012-08-15 07:59:34
|
hi all,

I have compiled 2.7-iis-nginx with Nginx-1.2.3 (latest stable version) on Ubuntu 12.04, and this bug also exists there. GDB debug, crash scene below:

(gdb) r
Starting program: /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x00000000004ac091 in ngx_http_modsecurity_access_handler (
    req=0x943240)
    at /home/yorkng/nginx-1.2.3/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:393
393 ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs);
(gdb) p req->request_body->bufs
Cannot access memory at address 0x8
(gdb)

On Mon, Aug 13, 2012 at 6:23 PM, yorkng zhuo <yor...@gm...> wrote:
> hello all,
> I'm testing ModSecurity nginx on Ubuntu 12.04, nginx version 1.1.20.
> When I use curl like this: curl http://localhost/secret, the nginx
> worker process crashes. I used gdb to debug it; the trouble spot is here:
>
> 2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c
> ----------------------------------------
> 392 ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
> 393 ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs);
> 394
> 395 if(status == DECLINED)
>
> ----------------------------------------
>
> When a GET request has no body, req->request_body->bufs is
> undefined, like this:
> -----------------------------------------
> Starting program: /opt/modsec-2.7-iis-nginx/sbin/nginx
> [Thread debugging using libthread_db enabled]
>
> Breakpoint 1, ngx_http_modsecurity_access_handler (req=0x942100)
> at /home/yorkng/project/svn/nginxsec/branch/nsafe/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:392
> warning: Source file is more recent than executable.
> 392 ngx_http_read_request_body(req, ngx_http_dummy_payload_handler); > (gdb) p req->request_body->bufs > Cannot access memory at address 0x8 > (gdb) > ------------------------------------------ > > my resolve patch is bellow:* > > *--- nginx/modsecurity/ngx_http_modsecurity_module.c (revision 2018) > +++ nginx/modsecurity/ngx_http_modsecurity_module.c (working copy) > @@ -390,19 +390,25 @@ > ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "status: %d", > status); > > ngx_http_read_request_body(req, ngx_http_dummy_payload_handler); > - ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: > %s", req->request_body->bufs); > + if (req->headers_in.content_length) { > + ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: > %s", req->request_body->bufs); > + } > + else { > + ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: > "); > + } > > if(status == DECLINED) > {* > * > -- Regards, Yorkng |
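Review bot: the guard added at `+ if (req->headers_in.content_length) {` tests for a Content-Length header, but the fault in the gdb output is the dereference of `req->request_body` itself (address 0x8 is a small field offset from a NULL pointer), so the condition should be on the pointer that is actually dereferenced, for example `if (req->request_body != NULL && req->request_body->bufs != NULL)`. The result of ngx_http_read_request_body() on the context line above is still ignored, so nothing in the hunk shows the body has been read by the time it is logged. The `%s` conversion is also still handed `req->request_body->bufs` unchanged; confirm that this is a NUL-terminated string before logging it this way. The `else` branch that logs an empty "request body: " adds nothing and can be dropped.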
From: Breno S. <bre...@gm...> - 2012-08-14 12:34:34
|
Thanks Seema! I'm going to fix it.

On Tue, Aug 14, 2012 at 3:36 AM, seema deepak <see...@gm...> wrote:
> Hi,
>
> Document (
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#INBOUND_ERROR_DATA) says INBOUND_ERROR_DATA whereas 2.6.6 version of ModSecurity code
> (re_variables.c) uses INBOUND_DATA_ERROR as the variable name. Using
> INBOUND_ERROR_DATA causes "Unknown variable" error.
> This should be fixed in the document.
>
> Also, OUTBOUND_DATA_ERROR variable has not been documented.
>
> Thanks and Regards,
> Seema.
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
> |
From: Alan S. <ala...@ac...> - 2012-08-14 12:03:18
|
Hi,

I am trying to fix and close the stable version of the module on nginx-1.2.1. I think trying to work on this version is better for us for now because, as Greg said, NGINX has numerous versions and each version has new features. I'm testing here, and I still have to commit some fixes and talk to you.

Regards,
Alan

On Tuesday, August 14, 2012 at 4:51 AM, yorkng zhuo wrote:
> hi Greg,
>
> thanks for the reply, I will update my nginx to the latest version and test that.
>
> Regards,
>
> Yorkng
>
>
> On Tue, Aug 14, 2012 at 3:26 PM, Greg Wroblewski <gwr...@ho...> wrote:
> > I did not hit this bug, which makes me think that it is an nginx 1.1.20 specific thing. We developed and briefly tested the module using nginx 1.2.0 (I will use 1.2.3 going forward).
> >
> > The numerous versions of nginx might be problematic in the long term, so IMHO we should always focus on the latest stable one.
> >
> > Regardless of the version issue, I think that the bug is worth fixing, it makes the module more robust.
> >
> > Greg
> >
> > > Date: Mon, 13 Aug 2012 18:23:46 +0800
> > > From: yorkng zhuo <yor...@gm...>
> > > Subject: [Mod-security-developers] simple GET request cause
> > > ModSecurity nginx crash
> > > To: mod...@li...
> > > Message-ID:
> > > <CAKV5U6=echSziA=h=7RVLGe7gaQd7tkeir=g+p...@ma...>
> > > Content-Type: text/plain; charset="iso-8859-1"
> > >
> > > hello all,
> > > I'm testing ModSecurity nginx on Ubuntu 12.04, nginx version 1.1.20.
> > > When I use curl like this: curl http://localhost/secret, the nginx
> > > worker process crashes. I used gdb to debug it; the trouble spot is here:
> > >
>
> --
> Regards,
>
> Yorkng
> |
From: seema d. <see...@gm...> - 2012-08-14 08:36:42
|
Hi,

Document (http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#INBOUND_ERROR_DATA) says INBOUND_ERROR_DATA whereas the 2.6.6 version of the ModSecurity code (re_variables.c) uses INBOUND_DATA_ERROR as the variable name. Using INBOUND_ERROR_DATA causes an "Unknown variable" error. This should be fixed in the document.

Also, the OUTBOUND_DATA_ERROR variable has not been documented.

Thanks and Regards,
Seema. |
From: yorkng z. <yor...@gm...> - 2012-08-14 07:51:34
|
hi Greg,

thanks for the reply, I will update my nginx to the latest version and test that.

Regards,

Yorkng

On Tue, Aug 14, 2012 at 3:26 PM, Greg Wroblewski <gwr...@ho...> wrote:
> I did not hit this bug, which makes me think that it is an nginx 1.1.20
> specific thing. We developed and briefly tested the module using nginx
> 1.2.0 (I will use 1.2.3 going forward).
>
> The numerous versions of nginx might be problematic in the long term, so
> IMHO we should always focus on the latest stable one.
>
> Regardless of the version issue, I think that the bug is worth fixing, it
> makes the module more robust.
>
> Greg
>
> > Date: Mon, 13 Aug 2012 18:23:46 +0800
> > From: yorkng zhuo <yor...@gm...>
> > Subject: [Mod-security-developers] simple GET request cause
> > ModSecurity nginx crash
> > To: mod...@li...
> > Message-ID:
> > <CAKV5U6=echSziA=h=7RVLGe7gaQd7tkeir=g+p...@ma...>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > hello all,
> > I'm testing ModSecurity nginx on Ubuntu 12.04, nginx version 1.1.20.
> > When I use curl like this: curl http://localhost/secret, the nginx
> > worker process crashes. I used gdb to debug it; the trouble spot is here:
> >

--
Regards,

Yorkng |
From: Greg W. <gwr...@ho...> - 2012-08-14 07:26:55
|
I did not hit this bug, which makes me think that it is an nginx 1.1.20 specific thing. We developed and briefly tested the module using nginx 1.2.0 (I will use 1.2.3 going forward).

The numerous versions of nginx might be problematic in the long term, so IMHO we should always focus on the latest stable one.

Regardless of the version issue, I think that the bug is worth fixing, it makes the module more robust.

Greg

> Date: Mon, 13 Aug 2012 18:23:46 +0800
> From: yorkng zhuo <yor...@gm...>
> Subject: [Mod-security-developers] simple GET request cause
> ModSecurity nginx crash
> To: mod...@li...
> Message-ID:
> <CAKV5U6=echSziA=h=7RVLGe7gaQd7tkeir=g+p...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> hello all,
> I'm testing ModSecurity nginx on Ubuntu 12.04, nginx version 1.1.20.
> When I use curl like this: curl http://localhost/secret, the nginx
> worker process crashes. I used gdb to debug it; the trouble spot is here:
> |
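An added example for the GET crash discussed in this thread (not the module's code and not posted by anyone on the list): it shows why gdb reports "address 0x8" when `req->request_body` is NULL, and a log helper that checks the pointer it dereferences and walks the buffer chain instead of passing it to `%s`. The structs are simplified stand-ins with an assumed field layout, and `bufs_fault_address` and `body_for_log` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the nginx request types (assumed layout: one
 * pointer field precedes bufs, matching the 0x8 offset in the gdb output). */
typedef struct { const unsigned char *pos, *last; } buf_t;
typedef struct chain_s { buf_t *buf; struct chain_s *next; } chain_t;
typedef struct { void *temp_file; chain_t *bufs; } request_body_t;
typedef struct { request_body_t *request_body; } request_t;

/* Address gdb tries to read for req->request_body->bufs when
 * req->request_body is NULL: 0 + offsetof(bufs). */
size_t bufs_fault_address(void)
{
    return offsetof(request_body_t, bufs);
}

/* Hypothetical helper: copy up to cap-1 body bytes into out for logging.
 * Returns the number of bytes written (0 for a request with no body).
 * Control bytes become '.' so body data cannot forge extra log lines. */
size_t body_for_log(const request_t *r, char *out, size_t cap)
{
    size_t n = 0;

    if (out == NULL || cap == 0)
        return 0;
    out[0] = '\0';
    if (r == NULL || r->request_body == NULL)   /* bodyless GET lands here */
        return 0;

    for (const chain_t *cl = r->request_body->bufs; cl != NULL; cl = cl->next) {
        if (cl->buf == NULL || cl->buf->pos == NULL || cl->buf->last < cl->buf->pos)
            continue;                            /* skip empty or odd links */
        for (const unsigned char *p = cl->buf->pos; p < cl->buf->last; p++) {
            if (n == cap - 1)
                goto done;                       /* output full: truncate */
            out[n++] = (*p < 0x20 || *p > 0x7e) ? '.' : (char)*p;
        }
    }
done:
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    static const unsigned char part1[] = "user=a&", part2[] = "note=x\r\n";
    buf_t b1 = { part1, part1 + 7 }, b2 = { part2, part2 + 8 };
    chain_t c2 = { &b2, NULL }, c1 = { &b1, &c2 };
    request_body_t rb = { NULL, &c1 };
    request_t get = { NULL }, post = { &rb };
    char line[64];

    printf("NULL request_body->bufs faults at 0x%zx\n", bufs_fault_address());
    body_for_log(&get, line, sizeof line);
    printf("GET  request body: \"%s\" (%zu bytes)\n", line, strlen(line));
    body_for_log(&post, line, sizeof line);
    printf("POST request body: \"%s\" (%zu bytes)\n", line, strlen(line));
    return 0;
}
```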
From: yorkng z. <yor...@gm...> - 2012-08-14 02:37:39
|
hi Alan,

With 2.7-iis-nginx running on nginx release-1.1.20 (Ubuntu 12.04), a regular request can't get a response. I use curl like this:

$curl http://localhost/
<html>
<head><title>500 Internal Server Error</title></head>
<body bgcolor="white">
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.1.20</center>
</body>
</html>

my config file

*conf/nginx.conf*

    server {
        listen 80;
        server_name 192.168.10.34;
        location / {
            root html;
            index index.html;
            ModSecurityConfig /opt/2.7-iis-nginx/conf.d/ModSec.data;
            ModSecurityEnabled On;
        }
    }

*conf.d/ModSec.data*

    SecRuleEngine on
    SecRule REQUEST_URI "secret" "id:999, phase:1,deny,status:403"

I used GDB to trace the code, and I don't know why the code is like this:

--------------------------------------------------
    if(status == DECLINED)
    {
        // this function would work here, but it is only internal
        //ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
        //return (NGX_DECLINED);

        // If DECLINED, finalize connection (sent FIN) and return HTTP 500
        ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "Invalid Request");
        ngx_http_finalize_request(req, NGX_HTTP_INTERNAL_SERVER_ERROR);
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    return NGX_OK;
}
----------------------------------------------

When a regular request happens, status == DECLINED; why *return NGX_HTTP_INTERNAL_SERVER_ERROR*? And the right code, *return (NGX_DECLINED)*, is commented out.

Another puzzle: when the SecRule matches, the return code should be the status code defined in the SecRule (in this example, it should return 403), but in the source code it is *return NGX_OK*. Why?

I have checked the HTTP return status codes defined in Apache and nginx; all comply with RFC 2616.
so my patch bellow: if(status == DECLINED) { // this function would work here, but it is only internal //ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - //return (NGX_DECLINED); + return (NGX_DECLINED); // If DECLINED, finalize connection (sent FIN) and return HTTP 500 ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "Invalid Request"); ngx_http_finalize_request(req, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_HTTP_INTERNAL_SERVER_ERROR; } - - return NGX_OK; + return status; } Regards, Yorkng |
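Review bot: after `+ return (NGX_DECLINED);` the statements that follow in the same block (the "Invalid Request" log, ngx_http_finalize_request() and `return NGX_HTTP_INTERNAL_SERVER_ERROR;`) become unreachable; delete them together with the two stale comments instead of leaving dead code behind the early return. At the tail, `+ return status;` hands the engine's status straight back as the handler result, and nothing in the patch shows that every value status can take, including the allow case previously covered by `return NGX_OK;`, is a valid nginx handler return code. Map it explicitly: NGX_OK when the request is allowed, and the rule's HTTP status (403 in the example rule from this mail) only when a rule set one.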