Excellent!  Thank you kindly Christian!  I appreciate the information and look forward to getting my systems secured!

Thanks again!

Christian Bockermann wrote:
As the audit-log states, it is a missing Accept-header that leads to the
rejection of the request. Thus, in your rule-files you have a rule that
is like

    SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:500,log,auditlog,.."

or similar.

A short grep on your files should reveal a list of possible locations:

    grep -H Accept /etc/httpd/conf/mod*.conf /etc/httpd/modules.d/82_mod_sec*

This will show a list of all files that have a rule that validates the Accept-header.
What you can then do is skip this rule in case the remote-addr is the local
host. In case you have the above rule in one of your files you can prepend a
rule to that, which skips this check for local connections:

    SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" "skipnext:1"
    SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:500,log,auditlog,.."

An alternative would be to use the "chain" action:

    SecFilterSelective REMOTE_ADDR "!127\.0\.0\.1" "chain"
    SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:500,log,auditlog,.."

This should invoke the Accept-header rule only in case the first rule matched, which
says "not from localhost".

If you want to disable rule-checking for all local connections you might also specify

    SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" allow

as the first rule after your basic settings, which will disable the filter for all
requests coming from the local host.


Regards,
    Chris
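
The three rule layouts Christian describes (skipnext, chain and allow), worked through as an added example that is not from the thread and not ModSecurity's own code: a small Python model of SecFilterSelective evaluation, run against a request constructed to look like the Nagios check_http request in the audit log further down. It assumes the 1.x semantics as used in the thread (a missing header matches ^$, every member of a chain must match and the action written on the last chained rule is taken, skipnext:N skips the next N rules, allow stops processing); it does not call ModSecurity itself, and the remote addresses and hostnames are made up.

```python
"""Toy model of ModSecurity 1.x SecFilterSelective evaluation (constructed
example, not ModSecurity code). It models only what the thread uses:
REMOTE_ADDR, REQUEST_HEADERS:<name>, "!" negation, and the actions
deny/status/allow/chain/skipnext."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    variable: str   # "REMOTE_ADDR" or "REQUEST_HEADERS:<name>"
    pattern: str    # regex; a leading "!" negates the match
    actions: list   # e.g. ["deny", "status:500", "log", "auditlog"]


def parse_rule(line):
    """Parse one 'SecFilterSelective VARIABLE PATTERN [actions]' line."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] != "SecFilterSelective":
        raise ValueError("not a SecFilterSelective directive: %r" % line)
    actions = tokens[3].split(",") if len(tokens) > 3 else []
    return Rule(tokens[1], tokens[2], [a.strip() for a in actions if a.strip()])


def variable_value(rule, request):
    """Resolve the rule's variable. A missing header resolves to "", which
    is why '^$' fires on a request that sends no Accept header at all."""
    if rule.variable == "REMOTE_ADDR":
        return request["remote_addr"]
    if rule.variable.startswith("REQUEST_HEADERS:"):
        wanted = rule.variable.split(":", 1)[1].lower()
        headers = {k.lower(): v for k, v in request["headers"].items()}
        return headers.get(wanted, "")
    raise ValueError("unsupported variable: %s" % rule.variable)


def rule_matches(rule, request):
    negate = rule.pattern.startswith("!")
    pattern = rule.pattern[1:] if negate else rule.pattern
    hit = re.search(pattern, variable_value(rule, request)) is not None
    return hit != negate


def action_arg(actions, name):
    # Integer argument of "name:N" in the action list, or None if absent.
    for a in actions:
        if a.startswith(name + ":"):
            return int(a.split(":", 1)[1])
    return None


def evaluate(rules, request):
    """Walk the rules in order; return ("allow"|"deny"|"pass", status)."""
    i = 0
    while i < len(rules):
        # Rules flagged "chain" form one unit with the rule after them: every
        # member must match, and a non-matching unit is skipped as a whole.
        # Assumption (as in the thread's example): the disruptive action is
        # the one written on the last rule of the chain.
        end = i
        while "chain" in rules[end].actions:
            end += 1
            if end == len(rules):
                raise ValueError("chain without a terminating rule")
        group = rules[i:end + 1]
        if not all(rule_matches(r, request) for r in group):
            i = end + 1
            continue
        actions = group[-1].actions
        if "allow" in actions:      # stop processing, let the request through
            return ("allow", None)
        if "deny" in actions:       # stop processing, reject with the status
            return ("deny", action_arg(actions, "status"))
        # Non-disruptive match: keep going, honouring skipnext:N.
        i = end + 1 + (action_arg(actions, "skipnext") or 0)
    return ("pass", None)


# The three layouts from the thread, in ModSecurity 1.x syntax.
ACCEPT_CHECK = r'SecFilterSelective REQUEST_HEADERS:Accept ^$ "deny,status:500,log,auditlog"'
LAYOUTS = {
    "skipnext": [r'SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" "skipnext:1"', ACCEPT_CHECK],
    "chain":    [r'SecFilterSelective REMOTE_ADDR "!127\.0\.0\.1" "chain"', ACCEPT_CHECK],
    "allow":    [r'SecFilterSelective REMOTE_ADDR "127\.0\.0\.1" allow', ACCEPT_CHECK],
}

# Constructed requests. The first mirrors the audit-log entry: loopback
# source, Nagios check_http user agent, and no Accept header at all.
NAGIOS_LOCAL = {"remote_addr": "127.0.0.1",
                "headers": {"Host": "127.0.0.1",
                            "User-Agent": "check_http/1.89 (nagios-plugins 1.4.3)"}}
REMOTE_NO_ACCEPT = {"remote_addr": "203.0.113.7", "headers": {"Host": "www.example.com"}}
REMOTE_BROWSER = {"remote_addr": "203.0.113.7",
                  "headers": {"Host": "www.example.com", "Accept": "text/html,*/*"}}


def decide(layout, request):
    """Evaluate one named layout against one request."""
    return evaluate([parse_rule(l) for l in LAYOUTS[layout]], request)


if __name__ == "__main__":
    for layout in LAYOUTS:
        for name, req in [("nagios-local", NAGIOS_LOCAL),
                          ("remote-no-accept", REMOTE_NO_ACCEPT),
                          ("remote-browser", REMOTE_BROWSER)]:
            print("%-9s %-17s -> %s" % (layout, name, decide(layout, req)))
```

Running it shows the difference that matters for hardening: the skipnext and chain layouts exempt the loopback request from the Accept check only, while the allow layout stops rule processing entirely for anything arriving from 127.0.0.1, so a local reverse proxy or any other process on the box would also bypass every later rule. The address pattern is a regex matched anywhere in the value, so anchoring it as ^127\.0\.0\.1$ is the tighter form.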


On 29.05.2007 at 03:30, Albert E. Whale wrote:

I think that it depends on the release of Mandriva. For apache-mod_security-1.9.4-1mlcs4 for CS4, this version includes

/etc/httpd/conf/mod_security-snortrules.conf
/etc/httpd/conf/modsecurity-experimental.conf
/etc/httpd/conf/modsecurity-general.conf
/etc/httpd/conf/modsecurity-hardening.conf
/etc/httpd/conf/modsecurity-output.conf
/etc/httpd/conf/modsecurity-php.conf
/etc/httpd/modules.d/82_mod_security.conf

However, the function I am trying to permit is the polling by Nagios for the Local WebServer.  Here is the output of the Audit Log


==4ede536b==============================
Request: www.ABS-CompTech.com 127.0.0.1 - - [28/May/2007:19:40:03 --0400] "GET / HTTP/1.0" 500 1058 "-" "check_http/1.89 (nagios-plugins 1.4.3)" RJ9HmX8AAAEAAHIRaSoAAAAA "-"
Handler: type-map
----------------------------------------
GET / HTTP/1.0
User-Agent: check_http/1.89 (nagios-plugins 1.4.3)
Host: 127.0.0.1
mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER("Accept") [severity "EMERGENCY"]
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Expires: Mon, 28 May 2007 23:40:03 GMT
--4ede536b--

Can you help me identify the correct action to permit the connection from Nagios?

Ofer Shezaf wrote:
What rule set does the Mandriva package use?



~ Ofer



From: Albert E. Whale [mailto:aewhale@ABS-CompTech.com]
Sent: Monday, May 28, 2007 5:57 PM
To: Ofer Shezaf
Cc: Christian Bockermann; mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] What is this? Can you please explain?



Thank you.  Since this is a Mandriva release of the Mod_Security package I can review the information and fix it for me, and also the Mandriva distribution ... this may help a few other newcomers as well.

Thank you!

Ofer Shezaf wrote:

Actually Albert might be right. Some versions of Apache use an internal keep alive pinger that issues a request without a host name. The Core Rule Set has a specific exclusion for that, but this rule is probably not part of the Core Rule Set (no rule ID) and blocks this request. In order to verify we will need the entire request as you can find in the audit log.

So in order to permit it: either use the core rule set instead of the rules you use or refer to Ryan's recent blog entry on creating exceptions: http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

~ Ofer

-----Original Message-----
From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Christian Bockermann
Sent: Monday, May 28, 2007 11:20 AM
To: aewhale@ABS-CompTech.com
Cc: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] What is this? Can you please explain?

Hi Albert!

In this case it is not the fact that it's the localhost, but a matter of a missing/empty Accept-Header in the request. Do you use the core-rules or any custom-made ruleset?

The core rules contain some checks that complain if an Accept-header is missing. This is a problem I observed with some RSS-clients for example. According to the RFC the Accept-header is optional.

Regards,
    Chris

On 28.05.2007 at 05:26, Albert E. Whale wrote:

To me this appears to indicate that the localhost is not permitted to test the root level of the web Server. Why?

[Sun May 27 23:24:03 2007] [error] [client 127.0.0.1] mod_security: Access denied with code 500. Pattern match "^$" at HEADER("Accept") [severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"] [unique_id "R9xVQH8AAAEAAAN2kzoAAAAF"]

Where can I permit this?

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. - Email, Internet and Security Consultants
SPAMZapper - No-JunkMail.com - True Spam Elimination.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users


--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant

ABS Computer Technology, Inc. - Email, Internet and Security Consultants
SPAMZapper - No-JunkMail.com - True Spam Elimination.



--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. - Email, Internet and Security Consultants
SPAMZapper - No-JunkMail.com - True Spam Elimination.



--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant

ABS Computer Technology, Inc. - Email, Internet and Security Consultants
SPAMZapper - No-JunkMail.com - True Spam Elimination.