Thread: Re: [mod-security-users] mod-security-users Digest, Vol 6, Issue 22
From: Dan R. <sp...@el...> - 2006-11-21 01:37:42
Hi, I was assuming this works as it is documented:

    <Location /signup>
        SecFilterInheritance Off
        #SecFilterScanPOST On
    </Location>

Are you saying for a particular location we have to set a completely different set of rules to overwrite the default ones? I'm considering using the set of configs from the gotroot website; there are like 4 or 5 configs full of rules. This would be a nightmare; I'd like to somehow just override "some" default rules and tweak them for some locations and scripts. I.e. a few files within this location are tripping the URL-encoding filter because they have particularly badly formed query strings out of our control.

I can't manage to install mod sec 2 at all. Any ideas how to compile this into apache2? There was also mention of particular compile flags all over the place, still no specific compile example for max performance.

> Hi Dan,
>
> I would appreciate if you could only send one email per problem.
> Please consider that we have many subscribers that typically already
> have to deal with a large volume of email. Thanks.
>
> I am assuming you are using ModSecurity 1.9.x:
>
> 1) "SecFilterInheritance Off" does not work because it's not a rule
> that is causing your problem - it's a configuration directive. To
> override configuration directives you simply configure another value.
>
> 2) It's also probably why you can't log and pass. Configuration
> directives are processed before rules are and, if any problems are
> found, requests are rejected. SecFilterDefaultAction only affects
> rules. Personally I never liked this and that's why there are no
> built-in checks in ModSecurity 2.x.
>
> 3) As for this message: "mod_security-message: Access denied with code
> 403. Invalid parameters: Error normalising parameter value: Invalid
> character detected [0] [severity "EMERGENCY"]" it is a result of your
> restriction on the allowed byte range, configured with
> SecFilterForceByteRange. You have this command somewhere in your
> configuration. To remove this restriction change it to
> "SecFilterForceByteRange 0 255".
>
> However, it is very unlikely there is a valid use for the null byte
> character in the parameters. I have seen it legitimately used only once.
> So you may want to look closer at that particular request.
From: Dan R. <sp...@el...> - 2006-11-21 05:30:54
> On 11/18/06, Dan Rossi <sp...@el...> wrote:
>
> Hi Dan,
>
> I would appreciate if you could only send one email per problem.
> Please consider that we have many subscribers that typically already
> have to deal with a large volume of email. Thanks.
>
> I am assuming you are using ModSecurity 1.9.x:
>
> 1) "SecFilterInheritance Off" does not work because it's not a rule
> that is causing your problem - it's a configuration directive. To
> override configuration directives you simply configure another value.
>
> 2) It's also probably why you can't log and pass. Configuration
> directives are processed before rules are and, if any problems are
> found, requests are rejected. SecFilterDefaultAction only affects
> rules. Personally I never liked this and that's why there are no
> built-in checks in ModSecurity 2.x.
>
> 3) As for this message: "mod_security-message: Access denied with code
> 403. Invalid parameters: Error normalising parameter value: Invalid
> character detected [0] [severity "EMERGENCY"]" it is a result of your
> restriction on the allowed byte range, configured with
> SecFilterForceByteRange. You have this command somewhere in your
> configuration. To remove this restriction change it to
> "SecFilterForceByteRange 0 255".
>
> However, it is very unlikely there is a valid use for the null byte
> character in the parameters. I have seen it legitimately used only once.
> So you may want to look closer at that particular request.

OK, another issue I've experienced now is when we are blocking requests with no user agent: some things don't send user agents, like PHP includes to other scripts, curl, etc. How do we go about this?

I've also discovered that rules like "therule log,pass" don't end up using this action; they end up using the default action. Will mod sec 2 definitely be able to override some of the filters via virtualhost configs and allow the rest to pass through?

I'd also like to send an email to myself when a rule is triggered. How is it possible to send the message to a Perl script in the configs?
From: Ivan R. <iva...@gm...> - 2006-11-21 10:56:28
On 11/21/06, Dan Rossi <sp...@el...> wrote:
>
> OK, another issue I've experienced now is when we are blocking requests with
> no user agent: some things don't send user agents, like PHP includes to other
> scripts, curl, etc. How do we go about this?

I don't think there's anything you can do about it. Not having a User-Agent is perfectly legal as far as HTTP is concerned. You could try to allow such clients only from specific IP addresses, for example.

> I've also discovered that rules like "therule log,pass" don't end up using this
> action; they end up using the default action. Will mod sec 2 definitely be
> able to override some of the filters via virtualhost configs and allow the
> rest to pass through?

I am not sure what problem you are describing. Can you be more specific please?

Both ModSecurity 1.9.x and 2.x provide equal capabilities when it comes to rule overriding. You have options to either remove all rules and start from scratch, or remove only some rules (by their specific ID, ID range, or keyword that appears in the message). Look up SecRuleRemoveById and SecRuleRemoveByMsg in the manual. In both cases you can add new rules as you please.

> I'd also like to send an email to myself when a rule is triggered. How is
> it possible to send the message to a Perl script in the configs?

You can implement that via an external script using the exec action. In general it's not a very good idea unless you implement throttling too, i.e. have a mechanism that will prevent uncontrolled sending of thousands of emails.

-- 
Ivan Ristic
From: Dan R. <sp...@el...> - 2006-11-21 11:22:08
Ivan Ristic wrote:
> On 11/21/06, Dan Rossi <sp...@el...> wrote:
>
> I don't think there's anything you can do about it. Not having a
> User-Agent is perfectly legal as far as HTTP is concerned. You could
> try to allow such clients only from specific IP addresses, for
> example.

OK, just using some default rules.

> I am not sure what problem you are describing. Can you be more
> specific please?

OK, a rule for a cookie data check had a log,pass action but was causing a 500 status from the default action deny,log,status:500 etc. I was also getting a default status of 403 when I set the default action to "auditlog,pass" so I can see what URLs should be getting through but are tripping the audit log, and still allow the traffic until I tweak everything.

> Both ModSecurity 1.9.x and 2.x provide equal capabilities when it
> comes to rule overriding. You have options to either remove all rules
> and start from scratch, or remove only some rules (by their specific
> ID, ID range, or keyword that appears in the message). Look up
> SecRuleRemoveById and SecRuleRemoveByMsg in the manual. In both cases
> you can add new rules as you please.

OK, these two rulesets allow for removing all and some rules in a location / virtualhost.

> You can implement that via an external script using the exec action.
> In general it's not a very good idea unless you implement throttling
> too, i.e. have a mechanism that will prevent uncontrolled sending of
> thousands of emails.

I could look at some kind of "buffered SMTP appender". What I was asking specifically is how we are able to send the message as an argument to a Perl script, i.e. "deny,log,status:500,send:alert.pl themessagevarhere". I only really need this for the start, as it seems I'm getting a lot of erroneous audits which should be letting traffic through, so I need to be aware of it to take action and tweak things.
From: Ivan R. <iva...@gm...> - 2006-11-21 10:50:18
On 11/21/06, Dan Rossi <sp...@el...> wrote:
> Hi, I was assuming this works as it is documented
>
> <Location /signup>
> SecFilterInheritance Off
> #SecFilterScanPOST On
>
> </Location>

It is documented and it works. However, "SecFilterInheritance" prevents the rules from being inherited from the parent context but it does nothing to the configuration options. The configuration settings are always inherited. If you want something different to happen just provide different configuration. So, in your case you could do something like:

    <Location /signup>
        SecFilterInheritance Off
        SecFilterForceByteRange 0 255
    </Location>

> Are you saying for a particular location we have to set a completely
> different set of rules to overwrite the default ones?

No. I am saying there are two different aspects that are inherited: rules and configuration. These are handled differently, as I explained above.

> I can't manage to install mod sec 2 at all. Any ideas how to compile this
> into apache2?

The instructions provided in the reference manual work for me. If you can be more specific about your troubles perhaps we can find out. Didn't Alberto just make the ModSecurity 2.x binaries for Debian available?

-- 
Ivan Ristic
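A fuller 1.9.x configuration showing the two things Ivan says are inherited separately, rules and configuration directives, and how a Location relaxes only the checks it needs. This is an added example, not configuration from the thread or from the ModSecurity project; the rules, paths and byte-range values are constructed, and SecFilterCheckURLEncoding, SecFilterCheckUnicodeEncoding and SecFilterSelective are 1.9.x directives that do not appear in the thread.

```apache
# ModSecurity 1.9.x, server-wide context (constructed example)
SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"

# Built-in request checks. These are configuration directives, not rules:
# when one of them fails the request is rejected before any rule runs and
# SecFilterDefaultAction has no say in the outcome.
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255

# Rules. Only these are subject to SecFilterInheritance.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
SecFilterSelective THE_REQUEST "\.\./"

<Location /signup>
    # Stop inheriting the parent's two rules. The check directives above are
    # still inherited, so each one that must differ here is simply set again
    # with a different value.
    SecFilterInheritance Off
    SecFilterCheckURLEncoding Off
    SecFilterForceByteRange 0 255

    # Re-state the default action and add back only the rules wanted here.
    SecFilterDefaultAction "deny,log,status:403"
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
</Location>
```

The byte-range override is the one to be careful with: "0 255" admits null bytes in parameters, which Ivan notes is almost never legitimate, so it belongs on the narrowest Location that actually needs it rather than in the server context.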
From: Dan R. <sp...@el...> - 2006-11-21 11:13:28
Ivan Ristic wrote:
>
> It is documented and it works. However, "SecFilterInheritance"
> prevents the rules from being inherited from the parent context but it
> does nothing to the configuration options. The configuration settings
> are always inherited. If you want something different to happen just
> provide different configuration. So, in your case you could do
> something like:
>
> <Location /signup>
> SecFilterInheritance Off
> SecFilterForceByteRange 0 255
> </Location>
>

OK, what I'm saying here is, every rule set as default will have to be overwritten as you have here, i.e. the ones we need to override etc., so mod sec can't be turned off per virtualhost for instance?

> The instructions provided in the reference manual work for me. If you
> can be more specific about your troubles perhaps we can find out.
>
> Didn't Alberto just make the ModSecurity 2.x binaries for Debian
> available?
>

I'm not sure; I think it requires a heap of dependencies I'm not so keen on, and this install is for a FreeBSD 5.4 system also. I tried to do the source compile and it hasn't worked yet. I'll have to resend what I get, sorry.
From: Ivan R. <iva...@gm...> - 2006-11-21 11:16:20
On 11/21/06, Dan Rossi <sp...@el...> wrote:
> Ivan Ristic wrote:
> >
> > It is documented and it works. However, "SecFilterInheritance"
> > prevents the rules from being inherited from the parent context but it
> > does nothing to the configuration options. The configuration settings
> > are always inherited. If you want something different to happen just
> > provide different configuration. So, in your case you could do
> > something like:
> >
> > <Location /signup>
> > SecFilterInheritance Off
> > SecFilterForceByteRange 0 255
> > </Location>
> >
>
> OK, what I'm saying here is, every rule set as default will have to be
> overwritten as you have here, i.e. the ones we need to override etc., so
> mod sec can't be turned off per virtualhost for instance?

Sure it can:

    <VirtualHost whatever>
        SecFilterEngine Off
        SecAuditEngine Off
    </VirtualHost>

-- 
Ivan Ristic
From: Dan R. <sp...@el...> - 2006-11-27 06:15:56
Ivan Ristic wrote:
> On 11/21/06, Dan Rossi <sp...@el...> wrote:
>> Ivan Ristic wrote:
>> >
>> > It is documented and it works. However, "SecFilterInheritance"
>> > prevents the rules from being inherited from the parent context but it
>> > does nothing to the configuration options. The configuration settings
>> > are always inherited. If you want something different to happen just
>> > provide different configuration. So, in your case you could do
>> > something like:
>> >
>> > <Location /signup>
>> > SecFilterInheritance Off
>> > SecFilterForceByteRange 0 255
>> > </Location>
>> >
>>
>> OK, what I'm saying here is, every rule set as default will have to be
>> overwritten as you have here, i.e. the ones we need to override etc., so
>> mod sec can't be turned off per virtualhost for instance?
>
> Sure it can:
>
> <VirtualHost whatever>
> SecFilterEngine Off
> SecAuditEngine Off
> </VirtualHost>
>

Hi Ivan, I just put these rules inside a virtualhost for mod sec 2 and I get this:

    Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration

If I do

    SecRuleEngine Off
    SecAuditEngine Off

it's OK. However, for some of our Zend-encoded files something happens with the POSTs: I don't get any errors, but it seems modsec is doing something even though I've turned it off in that path, and redirects back to the file. I can't go into the code and look because it's encoded and there is no log :\
From: Ivan R. <iva...@gm...> - 2006-11-21 11:29:42
On 11/21/06, Dan Rossi <sp...@el...> wrote:
>
> > I am not sure what problem you are describing. Can you be more
> > specific please?
>
> OK, a rule for a cookie data check had a log,pass action but was causing a
> 500 status from the default action deny,log,status:500 etc. I was also
> getting a default status of 403 when I set the default action to
> "auditlog,pass" so I can see what URLs should be getting through but are
> tripping the audit log, and still allow the traffic until I tweak
> everything.

To me it sounds like the situation I explained in one of my previous emails. In ModSecurity 1.9.x (not so in 2.x) there is a number of checks that are enabled with configuration, not with rules. If any of those checks are triggered access will be forbidden. The default action list only affects rules. If you don't like this you need to relax the checks in configuration.

> > You can implement that via an external script using the exec action.
> > In general it's not a very good idea unless you implement throttling
> > too, i.e. have a mechanism that will prevent uncontrolled sending of
> > thousands of emails.
>
> I could look at some kind of "buffered SMTP appender". What I was asking
> specifically is how we are able to send the message as an argument to a Perl
> script, i.e. "deny,log,status:500,send:alert.pl themessagevarhere". I only
> really need this for the start, as it seems I'm getting a lot of
> erroneous audits which should be letting traffic through, so I need to be
> aware of it to take action and tweak things.

All the information should be in the environment variables. Just print all of them and you'll see what I mean.

-- 
Ivan Ristic
From: Dan R. <sp...@el...> - 2006-11-21 12:03:51
Ivan Ristic wrote:
>
> All the information should be in the environment variables. Just print
> all of them and you'll see what I mean.
>

Hi, great! I'll have a poke around in the env vars. I might take a look at throttling requests anyway. I'll also have a go at a compile of 2.0 again and show my errors; it's not so specific creating a module like 1.9 with apxs.
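Ivan's advice earlier in the thread was to use the exec action only together with throttling, so that a burst of matches cannot produce thousands of emails. One way to express that throttle inside ModSecurity 2.x itself, using the persistent GLOBAL collection as a shared counter, is shown below. This is an added example, not configuration from the thread or from the ModSecurity project; the SecDataDir path, the rule ids, the script path and the placeholder detection pattern are all constructed, and the 10-per-600-seconds limit is an arbitrary choice.

```apache
# ModSecurity 2.x (constructed example). Persistent collections such as
# GLOBAL need a directory the web server can write to (assumed path).
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# Open the GLOBAL collection on every request so its counter is readable.
SecAction "phase:1,id:900001,nolog,pass,initcol:global=global"

# Detection rule standing in for the real rule set (placeholder pattern).
# On a match it flags the transaction and increments the shared alert
# counter; expirevar removes the counter 600 seconds after its last update,
# which makes the window slide rather than reset on a fixed schedule.
SecRule ARGS "@rx PLACEHOLDER-BAD-INPUT" \
    "phase:2,id:900002,log,pass,msg:'constructed example alert',\
    setvar:tx.alert=1,\
    setvar:global.alerts_sent=+1,\
    expirevar:global.alerts_sent=600"

# Run the notification script only while the counter is at or below the
# limit. The counter was just incremented by rule 900002, so the variable
# always exists when the chained rule compares it. Nothing here blocks a
# request; these rules only decide whether to notify.
SecRule TX:alert "@eq 1" "phase:2,id:900003,nolog,pass,chain"
    SecRule GLOBAL:alerts_sent "@le 10" \
        "exec:/usr/local/sbin/modsec-alert.sh"
```

The script behind exec (assumed to live at /usr/local/sbin/modsec-alert.sh) is the place to do what Ivan describes, i.e. read the environment ModSecurity hands it and send one message; keeping the limit in rules rather than in the script means the script never has to be trusted to rate-limit itself.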
From: Dan R. <sp...@el...> - 2006-11-22 04:16:28
Hi, this is the specific error I get compiling with apache2 and mod sec 2:

    "Makefile", line 10: Could not find /usr/local/build/special.mk
    make: fatal errors encountered -- cannot continue

    top_dir = /usr/local/apache

That's where apache is installed with a ports install on FreeBSD.
From: Ann H. <sea...@ha...> - 2006-11-22 04:24:04
The instructions are wrong; it means the source directory. It was the same problem I had. The file is in the source directory.
From: Dan R. <sp...@el...> - 2006-11-22 04:20:56
I ended up finding it; however, it is looking for the source in the apache ports install :)

    /bin/sh /usr/local/share/apache2/build/libtool --silent --mode=compile cc -O2 -g -Wuninitialized -Wall -Wmissing-prototypes -Wshadow -Wunused-variable -Wunused-value -Wchar-subscripts -Wsign-compare -DWITH_LIBXML2 -D_REENTRANT -D_THREAD_SAFE -DAP_HAVE_DESIGNATED_INITIALIZER -I /usr/include/libxml2 -I/usr/ports/www/apache20/work/httpd-2.0.59/srclib/apr/include -I/usr/ports/www/apache20/work/httpd-2.0.59/srclib/apr-util/include -I/usr/local/include -I. -I/usr/local/share/apache2/os/unix -I/usr/local/share/apache2/server/mpm/prefork -I/usr/local/share/apache2/modules/http -I/usr/local/share/apache2/modules/filters -I/usr/local/share/apache2/modules/proxy -I/usr/local/share/apache2/include -I/usr/local/share/apache2/modules/generators -I/usr/include/openssl -I/usr/local/share/apache2/modules/dav/main -prefer-pic -c mod_security2.c && touch mod_security2.slo
    mod_security2.c:15:23: http_core.h: No such file or directory
    mod_security2.c:16:26: http_request.h: No such file or directory
    In file included from modsecurity.h:36,
                     from mod_security2.c:18:
    msc_multipart.h:24:25: apr_general.h: No such file or directory
    msc_multipart.h:25:24: apr_tables.h: No such file or directory
    In file included from modsecurity.h:36,
    etc
From: Dan R. <sp...@el...> - 2006-11-22 04:29:13
This part is also confusing. I have no idea which PCRE apache is compiled with; the production server seems to be compiled via source, the dev server is via FreeBSD ports. One has its apache prefix in /www/apache, the other is /usr/local, so where exactly do I put the top directory? /usr/local/share/apache2 only has a build directory in it.

    If you have compiled Apache yourself you might experience problems compiling ModSecurity against PCRE. This is because Apache bundles PCRE but this library is also typically provided by the operating system. I would expect most (all) vendor-packaged Apache distributions to be configured to use an external PCRE library (so this should not be a problem).

    You want to avoid Apache using the bundled PCRE library and ModSecurity linking against the one provided by the operating system. The easiest way to do this is to compile Apache against the PCRE library provided by the operating system (or you can compile it against the latest PCRE version you downloaded from the main PCRE distribution site). You can do this at configure time using the --with-pcre switch. If you are not in a position to recompile Apache then, to compile ModSecurity successfully, you'd still need to have access to the bundled PCRE headers (they are available only in the Apache source code) and change the include path for ModSecurity (as you did in step 7 above) to point to them.

    Do note that if your Apache is using an external PCRE library you can compile ModSecurity with WITH_PCRE_STUDY defined, which would possibly give you a slight performance edge in regular expression processing.
From: Dan R. <sp...@el...> - 2006-11-22 04:37:11
Sorry, I've just tried to use the ports install on the FreeBSD dev system. It had the module commented out; I uncommented it and attempted a restart:

    Syntax error on line 279 of /usr/local/etc/apache2/httpd.conf:
    Can't locate API module structure `security_module' in file /usr/local/libexec/apache2/mod_security.so: Undefined symbol "security_module"

    LoadModule security_module libexec/apache2/mod_security.so
From: Dan R. <sp...@el...> - 2006-11-22 08:59:34
Hi mate, it seems the source install is also broken on our production server, which had a source apache install rather than a package install. A more informative method would be nice as everything seems broken, maybe a configure script or how 1.9 installs .so modules. The ports install didn't install the module properly in the configuration, and it seems the source doesn't copy the module over properly. Here is my error:

    /home/danielr/sources/modsecurity-apache_2.0.4/apache2$ make install
    /usr/local/bin/bash /www/apache/build/libtool --silent --mode=install cp mod_security2.la /www/apache/modules/
    Warning! dlname not found in /www/apache/modules/mod_security2.la.
    Assuming installing a .so rather than a libtool archive.

The only files installed are mod_security2.a and mod_security2.la.
From: Ofer S. <OferS@Breach.com> - 2006-11-28 13:51:15
'SecFilterEngine' is a 1.9.x directive. You got it right and SecRuleEngine is the correct directive for ModSecurity 2.x. Sorry for the typo.

~ Ofer
From: Dan R. <sp...@el...> - 2006-11-29 04:11:51
|
Hi it also seems i was loading mod sec 2.0.3 on my dev, im now using 2.0.4 and now im unable to set an id and message in the default action ! I need this so i can identify where rules are in the log, and also turn them off by id due to the location limitation ?? Syntax error on line 25 of /etc/mod_security/default/bad_robots.conf: ModSecurity: SecDefaultAction must not contain any metadata actions (id, rev, msg). SecDefaultAction "auditlog,pass,id:90900,phase:2,t:lowercase,msg:'(default/bad_robots.conf)'" Do i guess i must go through every rule without an action and add one :\ Ofer Shezaf wrote: > > > > 'SecFilterEngine' is a 1.9.x directive. You got it right and > SecRuleEngine is the correct directive for ModSecurity 2.x. Sorry for > the typo. > > > > ~ Ofer > > > > ------------------------------------------------------------------------ > > *From:* mod...@li... > [mailto:mod...@li...] *On Behalf > Of *Dan Rossi > *Sent:* Monday, November 27, 2006 8:15 AM > *To:* Ivan Ristic > *Cc:* mod...@li... > *Subject:* Re: [mod-security-users] mod-security-users Digest, Vol 6, > Issue 22 > > > > Ivan Ristic wrote: > > On 11/21/06, Dan Rossi <sp...@el...> > <mailto:sp...@el...> wrote: > > Ivan Ristic wrote: > > > > It is documented and it works. However, "SecFilterInheritance" > > prevents the rules from being inherited from the parent context but it > > does nothing to the configuration options. The configuration settings > > are always inherited. If you want something different to happen just > > provide different configuration. So, in your case you could do > > something like: > > > > <Location /signup> > > SecFilterInheritance Off > > SecFilterForceByteRange 0 255 > > </Location> > > > > Ok what im saying here is, every rule set as default will have to be > overwritten as u have here, ie the ones we need to override for etc, so > mod sec cant be turned off per virtualhost for instance ? 
From: Dan R. <sp...@el...> - 2006-11-29 06:04:35
I'm still going through the rules; this seems to create a false positive for PDA phones.

Message: Warning. Pattern match "(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)" at REQUEST_HEADERS:x-wap-profile-diff. [id "50905"] [msg "(default/generic_attacks.conf) SQL Injection Attack"] [severity "WARNING"]

x-wap-profile-diff: 1; <?xml version="1.0" encoding="iso-8859-1"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:prf="http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#"><rdf:Description rdf:ID="DeviceProfile"><prf:component><rdf:Description rdf:ID="BrowserUA"><prf:TablesCapable>No</prf:TablesCapable><prf:JavaScriptEnabled>No</prf:JavaScriptEnabled></rdf:Description></prf:component></rdf:Description></rdf:RDF>

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
"chain,auditlog,id:50905,severity:4,msg:'(default/generic_attacks.conf) SQL Injection Attack'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:[\+\@\%#\"\']|\|\||\-\-)"

Any ideas what this is doing? I had to turn it off for a location.
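Added example (not from the thread, nor the default rule set's own text) covering both the SecDefaultAction error from the 04:11 message and this false positive: metadata stays off SecDefaultAction, the chain keeps its own id, and in the location that serves the WAP devices (hypothetical path /wap) the inherited rule 50905 is removed and redefined with the x-wap-profile-diff header excluded, so the rest of the request is still inspected. It assumes the 50905 chain from default/generic_attacks.conf is already loaded in the main server context.

```apache
# Main server context. SecDefaultAction carries only disposition, phase and
# transformations: in 2.0.4 the metadata actions id, rev and msg are rejected
# here and belong on each SecRule, which is also what lets SecRuleRemoveById
# address a rule later.
SecRuleEngine On
SecDefaultAction "auditlog,pass,phase:2,t:lowercase"

# The 50905 chain from default/generic_attacks.conf is assumed to be included
# here unchanged (first rule: SQL keywords; second, chained rule: SQL
# punctuation such as # " ' -- which UAProf XML headers are full of).

# Per-location override for the handler that receives x-wap-profile-diff.
# /wap is a hypothetical path.
<Location /wap>
    # Drop the inherited copy of the chain in this context only ...
    SecRuleRemoveById 50905

    # ... and redefine it with the UAProf header excluded. Each rule in a
    # 2.x chain has its own variable list, so the exclusion goes on both.
    # All other headers and every argument are still inspected.
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:x-wap-profile-diff \
        "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
        "chain,auditlog,id:50905,severity:4,msg:'(default/generic_attacks.conf) SQL Injection Attack'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:x-wap-profile-diff \
        "(?:[\+\@\%#\"\']|\|\||\-\-)"
</Location>
```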
From: Dan R. <sp...@el...> - 2006-11-29 06:40:25
Ok, I'm not really good at this. I'm trying to override one of the rules to not check for URLs in the request, which some of the scripts use.

SecRuleRemoveById 50905 300018 300040 50013 10006

SecRule ARGS (!referer) "chain,auditlog,id:300018,rev:3,severity:2,msg:'(gotroot/rules.conf) Generic PHP code injection protection via ARGS'"
SecRule ARGS "(ht|f)tps?:/")

So don't check when there is a referer=. However, I'm getting this:

Error parsing actions: Unknown action: )

I wonder how it's possible to chain the current rule to not filter for that argument only?
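A corrected form of the override above, added here as an example (it is not from the thread and not the gotroot rule set's own text); /app is a hypothetical path, and rule 300018 is assumed to be loaded from gotroot/rules.conf in the main server context.

```apache
# Rule 300018 is assumed to be loaded globally. In the location whose scripts
# legitimately carry a URL in a referer= argument (hypothetical path /app),
# drop the inherited copy and redefine it with that one argument excluded.
<Location /app>
    SecRuleRemoveById 300018

    # What the original attempt got wrong:
    #   SecRule ARGS (!referer) "chain,..."   an unquoted operator is still a
    #     regex, and (!referer) matches the literal text "!referer"; it does
    #     not negate anything.
    #   SecRule ARGS "(ht|f)tps?:/")          the ')' sits outside the closing
    #     quote, so it is read as the third token (the action list), hence
    #     "Error parsing actions: Unknown action: )".
    #
    # The fix is a variable-list exclusion, not a chain: ARGS|!ARGS:referer
    # inspects every argument except the one named referer. The operator is
    # the original pattern, quoted as a single token.
    SecRule ARGS|!ARGS:referer "(ht|f)tps?:/" \
        "auditlog,id:300018,rev:3,severity:2,msg:'(gotroot/rules.conf) Generic PHP code injection protection via ARGS'"
</Location>
```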