Thread: [mod-security-users] Post installation issues - testing problems
From: Dan D. <dd...@re...> - 2008-05-23 21:52:48
Hello list. I've completed an installation of modsecurity-apache_2.5.4 on an RHEL 4 server, seemingly without issue, however nothing is being logged to my audit log, and requests to the httpd server on the box that should trigger auditing do not.

Using "curl -L <IP address>" I get the headers returned as modified by modsecurity with "Server: Apache/2.2.0 (Fedora)", so I know at least rule 10 (config) is being read, however when I try the following...

curl -A "paros" <IP address>

The request gets through and generates a 200, with nothing being logged in the audit log. SecAuditEngine is set to On, and the log location is set. Permissions on the logs are world-writeable for testing.

I've tried using the run-tests.pl script that came with the installation, but it's not working for me. I've used some testfile examples listed here,

http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/08-miscellaneous.html

but the syntax the script seems to expect is reversed, like it's expecting the test files before the host. When I reverse these, I get the following errors:

"Failed to read test data "testfile1": Search pattern not terminated at (eval 3) line 6, <CFG> line 6."

This is the content of testfile1:

# 01 Simple keyword filter
#
# mod_security is configured not to allow
# the "/cgi-bin/keyword" pattern
#
GET /cgi-bin/keyword HTTP/1.0

My perl skills are pretty non-existent, so please excuse me if this is a noob issue. Any help is greatly appreciated.

Sincerely,

Dan
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-28 18:22:18
Hey Dan,

I just tested with Mod 2.5.4 and the Core Rules 1.6.1 and ran the same test you did with curl and it worked fine -

$ curl -A 'paros' www.example.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
</body></html>

[Sat Feb 16 09:37:23 2008] [error] [client 192.168.10.17] ModSecurity: Access denied with code 404 (phase 2). Pattern match "(?:\\b(?:m(?:ozilla\\/4\\.0 \\(compatible\\)|etis)|webtrends security analyzer|pmafind)\\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\\.nasl)" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/core_rules-1.6.1/modsecurity_crs_35_bad_robots.conf"] [line "19"] [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [tag "AUTOMATION/SECURITY_SCANNER"] [hostname "www.example.com"] [uri "/"] [unique_id "dgRB-X8AAQEAAGpyByUAAAAA"]

What do you have the SecRuleEngine set to? DetectionOnly perhaps?

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Dan Denton
> Sent: Friday, May 23, 2008 5:52 PM
> To: mod...@li...
> Subject: [mod-security-users] Post installation issues - testing problems
>
> Hello list. I've completed an installation of modsecurity-apache_2.5.4 on an RHEL 4 server, seemingly without issue, however nothing is being logged to my audit log, and requests to the httpd server on the box that should trigger auditing do not.
>
> Using "curl -L <IP address>" I get the headers returned as modified by modsecurity with "Server: Apache/2.2.0 (Fedora)", so I know at least rule 10 (config) is being read, however when I try the following...
>
> curl -A "paros" <IP address>
>
> The request gets through and generates a 200, with nothing being logged in the audit log. SecAuditEngine is set to On, and the log location is set. Permissions on the logs are world-writeable for testing.
>
> I've tried using the run-tests.pl script that came with the installation, but it's not working for me. I've used some testfile examples listed here,
>
> http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/08-miscellaneous.html
>
> but the syntax the script seems to expect is reversed, like it's expecting the test files before the host. When I reverse these, I get the following errors:
>
> "Failed to read test data "testfile1": Search pattern not terminated at (eval 3) line 6, <CFG> line 6."
>
> This is the content of testfile1:
>
> # 01 Simple keyword filter
> #
> # mod_security is configured not to allow
> # the "/cgi-bin/keyword" pattern
> #
> GET /cgi-bin/keyword HTTP/1.0
>
> My perl skills are pretty non-existent, so please excuse me if this is a noob issue. Any help is greatly appreciated.
>
> Sincerely,
>
> Dan
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: Dan D. <dd...@re...> - 2008-05-28 18:28:06
My apologies for the lack of a follow-up to this. I'm sure it's a noob mistake, but after recompiling an existing apache install to add mod_unique_id I forgot to add the directive loading mod_unique_id, and modsec wasn't running/filtering/blocking because of it. Now that I've resolved that, the product is working.

I figured the moderator didn't forward my request since it's been 5 days since I posted. Thanks for the response...

-----Original Message-----
From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
Sent: Wednesday, May 28, 2008 1:22 PM
To: Dan Denton; mod...@li...
Subject: RE: [mod-security-users] Post installation issues - testing problems

Hey Dan,

I just tested with Mod 2.5.4 and the Core Rules 1.6.1 and ran the same test you did with curl and it worked fine -

$ curl -A 'paros' www.example.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
</body></html>

[Sat Feb 16 09:37:23 2008] [error] [client 192.168.10.17] ModSecurity: Access denied with code 404 (phase 2). Pattern match "(?:\\b(?:m(?:ozilla\\/4\\.0 \\(compatible\\)|etis)|webtrends security analyzer|pmafind)\\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\\.nasl)" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/core_rules-1.6.1/modsecurity_crs_35_bad_robots.conf"] [line "19"] [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [tag "AUTOMATION/SECURITY_SCANNER"] [hostname "www.example.com"] [uri "/"] [unique_id "dgRB-X8AAQEAAGpyByUAAAAA"]

What do you have the SecRuleEngine set to? DetectionOnly perhaps?
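The thread boils down to a three-step check that neither post spells out as a script: is the module actually running (Dan's problem: mod_unique_id was not loaded, and ModSecurity 2.x refuses to initialise without it, logging "ModSecurity: ModSecurity requires mod_unique_id to be installed." in error_log at startup), is SecRuleEngine set to On rather than DetectionOnly (Ryan's question; DetectionOnly still writes the alert to error_log and the audit log, it just does not block), and does the scanner User-Agent probe produce the CRS 990002 alert. The following POSIX shell script is an added example, not code from the thread or from the ModSecurity project. It assumes Apache 2.2 or later (`httpd -M` lists loaded modules; the binary may be `apachectl` or `apache2ctl` elsewhere), the module names `unique_id_module` and `security2_module` as printed by `httpd -M`, and paths such as `/etc/httpd/conf/httpd.conf` that are placeholders. The `httpd -M` listings and the config fragment are constructed samples; the alert line is the one from Ryan's post with the long bad-robots regex shortened.

```shell
#!/bin/sh
# ModSecurity 2.x post-install smoke test (added example; not code from the
# thread or from the ModSecurity project). The checks take their input as
# text so they can be exercised offline on the constructed samples below and
# then pointed at real `httpd -M`, httpd.conf and error_log output.

# Constructed `httpd -M` output: one box with mod_unique_id, one without.
HTTPD_M_OK='Loaded Modules:
 core_module (static)
 unique_id_module (shared)
 security2_module (shared)'

HTTPD_M_MISSING='Loaded Modules:
 core_module (static)
 security2_module (shared)'

# Constructed httpd.conf fragment. Ryan's question to Dan was exactly this
# directive: DetectionOnly logs but never blocks.
SAMPLE_CONF='# httpd.conf fragment (constructed)
SecRuleEngine DetectionOnly
SecAuditEngine On
SecAuditLog /var/log/httpd/modsec_audit.log'

# The error_log alert from Ryan's post, with the bad-robots regex shortened.
SAMPLE_ALERT='[Sat Feb 16 09:37:23 2008] [error] [client 192.168.10.17] ModSecurity: Access denied with code 404 (phase 2). Pattern match "(?:...|(?:jaascoi|paro)s|...)" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/core_rules-1.6.1/modsecurity_crs_35_bad_robots.conf"] [line "19"] [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [tag "AUTOMATION/SECURITY_SCANNER"] [hostname "www.example.com"] [uri "/"] [unique_id "dgRB-X8AAQEAAGpyByUAAAAA"]'

# modules_loaded <httpd -M output> <module>...
# Succeeds only if every named module is in the list. ModSecurity 2.x will
# not run without mod_unique_id, which is what Dan's install was missing.
modules_loaded() {
  _list=$1
  shift
  for _m in "$@"; do
    printf '%s\n' "$_list" | grep -q "^ *${_m} (" || return 1
  done
  return 0
}

# rule_engine_mode <config text>
# Prints the effective SecRuleEngine value (the last directive wins within a
# scope), or "unset" when the directive is absent.
rule_engine_mode() {
  _mode=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' \
    | tail -n 1)
  printf '%s\n' "${_mode:-unset}"
}

# alert_field <alert line> <field>
# Extracts one bracketed field (id, msg, unique_id, ...) from a ModSecurity
# error_log alert so a probe can be matched to the rule that fired.
alert_field() {
  printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

# probe_scanner_ua <url>
# Ryan's probe: a request carrying the User-Agent of a known scanner. With
# CRS rule 990002 active and SecRuleEngine On the status is not 200 (Ryan saw
# the rule's 404); a 200 means the request was not blocked.
probe_scanner_ua() {
  curl -s -o /dev/null -w '%{http_code}' -A 'paros' "$1"
}

# Live run (placeholder paths): sh modsec_smoke.sh http://host/ /etc/httpd/conf/httpd.conf
if [ $# -eq 2 ]; then
  if ! modules_loaded "$(httpd -M 2>&1)" unique_id_module security2_module; then
    echo "mod_unique_id or mod_security2 is not loaded; ModSecurity will not run" >&2
    exit 1
  fi
  echo "SecRuleEngine: $(rule_engine_mode "$(cat "$2")")"
  echo "status for User-Agent 'paros' against $1: $(probe_scanner_ua "$1")"
fi
```

Run it with no arguments and nothing touches the network; with a URL and a config path it performs the module check first, because a missing mod_unique_id explains "200 and nothing logged" before any rule or audit-log permission question arises. If the probe returns 200 but `alert_field` finds id 990002 in the latest error_log line, the engine is in DetectionOnly; if neither the status nor the log changes, the module is not running at all.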