Fixed
error_log

[Mon Aug 29 11:21:55 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity: APR compiled version="1.3.12"; loaded version="1.3.12"
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity: LIBXML compiled version="2.6.23"


To resolve this issue I had to recompile our RPMs - that is Apache 2.2.19 and ModSecurity 2.6.1 with APR, APR-util (1.3.12) and PCRE 8.12

Apache configuration from ./configure

        --with-pcre=/usr/local/pcre/8.12/pcre-config \
        --with-apr=/usr/local/apr/1.3.12/bin/apr-1-config   \
        --with-apr-util=/usr/local/apr-util/1.3.12/apu-1-config 

ModSecurity was slightly more complex - this is what I had to do because for some reason running configure broke on our build system



%define external_pcre        1

%if %{external_pcre}
. %{component_prefix}/%{TM_Pcre}-%{TM_Pcre_Build_Number}
%endif

# quote the variable: an unquoted empty PCRE_BINDIR would make "test -n" succeed
if test -n "${PCRE_BINDIR}"; then
   if test -x "${PCRE_BINDIR}/pcre-config" ; then
      # fix to allow pcre libs and headers to be used
      CFLAGS="$RPM_OPT_FLAGS `${PCRE_BINDIR}/pcre-config --cflags | sed 's/ *$//'`"
      PCRE_LDADD="$PCRE_LDADD `${PCRE_BINDIR}/pcre-config --libs`"
   fi
fi
# was "PRCE_LDADD" (typo), which left PCRE_LDADD unexported
export CFLAGS PCRE_LDADD


%if %{external_pcre}
            --enable-pcre-study \
            --with-pcre=${PCRE_BINDIR}/pcre-config \
%endif
            --with-apr=$APR_BINDIR/apr-1-config   \
            --with-apu=$APR_UTIL_BINDIR/apu-1-config \

I have a simple


Testing proves that content is being returned correctly - I do get a segmentation fault but only one after a cold restart

So this works thus far - will update when I get into work as I will spider crawl the test website

It's a bank holiday here so I have to wash and take the family out

Thanks for your help, Breno

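The diagnosis in this thread turns on the compiled vs. loaded library versions that ModSecurity 2.6.x prints at startup. As an added example (not from the thread), the script below parses those notice lines and flags any library whose loaded release differs from the one ModSecurity was compiled against; the log text is constructed from the format quoted above, with the PCRE loaded version altered to show a mismatch.

```python
import re

# Constructed sample in the format of the error_log notices quoted above.
# The PCRE "loaded version" has been changed to produce a mismatch.
SAMPLE_ERROR_LOG = """\
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity: APR compiled version="1.3.12"; loaded version="1.3.12"
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.02 2010-03-19"
[Mon Aug 29 11:21:55 2011] [notice] ModSecurity: LIBXML compiled version="2.6.23"
"""

# "loaded version" is optional: the LIBXML notice only reports the compiled one.
NOTICE_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def parse_library_versions(log_text):
    """Return {library: (compiled, loaded_or_None)} from ModSecurity notice lines."""
    versions = {}
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            versions[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return versions


def version_tuple(version):
    """'8.12 2011-01-15' -> (8, 12): keep the numeric release, drop the date suffix."""
    core = version.split()[0] if version else ""
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def find_mismatches(versions):
    """Libraries whose loaded release differs from the compiled-against release."""
    return sorted(
        lib
        for lib, (compiled, loaded) in versions.items()
        if loaded is not None and version_tuple(compiled) != version_tuple(loaded)
    )


if __name__ == "__main__":
    found = parse_library_versions(SAMPLE_ERROR_LOG)
    for lib, (compiled, loaded) in sorted(found.items()):
        print(f"{lib}: compiled={compiled!r} loaded={loaded!r}")
    print("mismatched libraries:", find_mismatches(found))
```

A PCRE loaded version such as "8.12 2011-01-15" against a compiled "8.12" (the thread's fixed build) compares equal, since only the release number is compared.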


On 25/08/11 02:45, Breno Silva wrote:
Hey Kwenu,

Another user sent me information in the same thread you opened and I think it was you. So my suggestion is not for you :)
Sorry for that confusion ...

Please, if you can send me your dump I will help you

thanks

Breno

On Wed, Aug 24, 2011 at 7:45 AM, Breno Silva <breno.silva@gmail.com> wrote:
Ok kwenu,

Did you set the SecPcre* directives I mentioned?

Thanks

Breno


On Wed, Aug 24, 2011 at 5:50 AM, kwenu <uzoka_a@yahoo.co.uk> wrote:
I'm using ModSecurity 2.6.1 and CRS 2.2.1

I managed to figure out why dumps were not being created, and this was due to the init script that calls an external script that checks to see whether a variable for ulimit -c is set and, if not, defaults the setting to 0.

That done, the crash dumps were practically useless - urhhhhhh

Anyway I'm going to have to use Apache's bundled version of PCRE and hack it somewhat to work with our customised version of the ModSecurity spec file

That's the only way around this since recompiling Apache against the OS PCRE is out of the question for now

I'll let you know if this works




On 23/08/11 13:47, Breno Silva wrote:
Kwenu,

Another important thing is to have the same PCRE library compiled with Apache and ModSecurity. The crashes we have seen until now are 100% caused by different library versions.

What ModSecurity version are you using?

thanks

Breno

On Tue, Aug 23, 2011 at 7:32 AM, Breno Silva <breno.silva@gmail.com> wrote:
Hi Kwenu,

Did you set ?


On Tue, Aug 23, 2011 at 6:06 AM, kwenu <uzoka_a@yahoo.co.uk> wrote:
I cannot get a core dump - we have a customised build of Apache using our own modules -

I'm currently using ltrace as strace did not show anything other than an mprotect call that was followed by a kill SIGSEGV

I'll ltrace this and send as soon as

On 22/08/11 18:24, Breno Silva wrote:
Hi Kwenu,

Please follow these instructions and send the result to me in a private e-mail. What are your ModSecurity and Apache versions? If it is 2.6.x please send me the library versions you are using (you can get this info from error.log).

Make sure there is a core dump area with something like:

  CoreDumpDirectory /tmp

Make sure limits are set to dump core:

  ulimit -c unlimited

Restart and trigger the error.  A core file should be in the directory
you specified.

Then use gdb to get a backtrace:

1) gdb /path/to/httpd /path/to/core
2) within gdb enter:

  thread apply all bt full

You can get it into a file with something like:

gdb /path/to/httpd /path/to/core --batch --quiet \
  -ex "thread apply all bt full" > backtrace.log


Please send me back the backtrace.log

Thanks

Breno

On Mon, Aug 22, 2011 at 12:05 PM, kwenu <uzoka_a@yahoo.co.uk> wrote:
Hi

We are using a custom install of Apache httpd compiled against APR 1.49 using MPM worker and PHP to serve dynamic content

The following rule is causing the web server to return no images, only text, for intermittent requests

The httpd error_log file emits the following error message:

[notice] child pid 25571 exit signal Segmentation fault (11)

I have tried attaching gdb and strace (strace did provide some clues but not a lot - "strace -v -f -p 12345 /tmp/httpd-strace") to it since I cannot get a core dump going at all, even after setting CoreDumpDirectory /tmp and setting ulimit -c unlimited for the user that the process runs under

When I remove the following line from modsecurity_crs_48_globalexceptions.conf, web pages are returned correctly, although error messages are still emitted:

SecRule &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/' "@gt 0" "setvar:tx.anomaly_score=-4"

The above rule was the only way I could set the anomaly score for rule 981173. I would have preferred updating the operator "@ge 4" instead but cannot find a way of doing this

modsecurity_crs_41_sql_injection_attacks.conf:
SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4" "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

Is there a better way of updating the above rule's operator "@ge 4" so that I can increase the count, thereby dealing with the false positives that are created by this rule?





------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model
configuration take the hassle out of deploying and managing Subversion and
the tools developers use with it. Learn more about uberSVN and get a free
download at:  http://p.sf.net/sfu/wandisco-dev2dev

_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php

