I am evaluating modsecurity, and am working through three deployment issues: outbound filtering, mlogc, and content deflating. I’m hoping the community can offer me some pointers.
I’ve manually built ModSecurity and Apache 2.2.10 on a CentOS 5 box, and then configured the ModSecurity core rule set. In my tests of the core rule set, I can see that the inbound attacks it monitors for are being effectively controlled. However, outbound detection is not working. My test was to emit the following:
<b>Warning</b>: file_get_contents(crap) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/srv/public_html/michael/DDX/trunk/public_html/index.php</b> on line <b>2</b><br />
which rule 970009 should pick up, but it does not. I’ve made sure the following configuration variables are set:
SecResponseBodyMimeType (null) text/html text/plain text/xml
Is there anything else I should be looking out for in order to make outbound filtering work?
Mlogc doesn’t appear to be working for me at all. It just hangs. Whenever I fire it up manually, or Apache starts it, the process sits there unresponsive. Piped content from Apache never makes it to the console, and a packet sniffer (Wireshark) shows nothing ever being transmitted from mlogc. The only way I can shut it down is to send a SIGKILL to its PID.
The error log doesn’t show anything strange, but confirms that it has started up:
[Thu Oct 23 13:28:31 2008]  [25670/0] ModSecurity Audit Log Collector 2.5.7 started.
[Thu Oct 23 13:28:56 2008]  [25678/0] ModSecurity Audit Log Collector 2.5.7 delaying startup for 1000ms
I’ve come across a few other threads about mlogc, which makes me wonder if anyone has been able to get it working on a centos/rhel 5 box?
My initial Apache deployment, pre-ModSecurity, included mod_deflate with select types of outbound content being compressed:
Because of ModSecurity’s incompatibilities with compressed outbound data, I’ve disabled it temporarily. I’ve been trying to figure out how to re-implement compression using mod_filter. Brian Rectanus’s post to this effect has been a great starting point (http://thread.gmane.org/gmane.comp.apache.mod-security.user/4609/focus=4617). However, my environment is different from what is described in that post (I don’t have a proxy server sitting in front; it’s a single consolidated web server environment). After numerous hours trying to figure out how to emulate AddOutputFilterByType functionality with mod_filter, I’ve just about given up. Any gurus out there with some tips?
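An added example, not part of the original post or of any reply on the list: an Apache 2.2 configuration fragment that replaces AddOutputFilterByType with a mod_filter-based DEFLATE filter keyed on the response Content-Type header, placed next to the ModSecurity response-body directives that the core rule set's outbound (phase 4) rules depend on. It assumes stock Apache 2.2 mod_filter syntax and ModSecurity 2.5; the filter name COMPRESS, the 512 KB body limit and the list of compressed types are illustrative choices, not values taken from the post.

```apache
# Added example (not from the original post): ModSecurity outbound
# inspection plus a mod_filter replacement for AddOutputFilterByType DEFLATE
# on a single Apache 2.2 server with no proxy in front.

# --- ModSecurity: response-body inspection must be switched on explicitly ---
# Phase 4 rules (such as 970009, which matches PHP error output) only run
# when SecResponseBodyAccess is On. SecResponseBodyMimeType alone does
# nothing; it only selects which content types are buffered once access is on.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain text/xml
# Illustrative limit: 512 KB, inspecting the first part of larger bodies
# rather than blocking them outright.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# --- mod_filter equivalent of AddOutputFilterByType ---
# Directive being replaced (remove it from the old configuration):
#   AddOutputFilterByType DEFLATE text/html text/plain text/xml
#
# Declare an output filter in the CONTENT_SET stage (the stage mod_deflate
# normally occupies) and make DEFLATE its provider only when the response
# Content-Type header contains one of the listed types. In 2.2 mod_filter
# syntax, a match starting with "$" is a substring match against the header.
FilterDeclare COMPRESS CONTENT_SET
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-javascript
# Put the declared filter into the output chain for this scope.
FilterChain COMPRESS
```

Two checks after loading this: first, confirm SecResponseBodyAccess is On in the configuration Apache actually runs, because while it is Off no phase 4 rule ever sees a response body, whatever SecResponseBodyMimeType says. Second, the point of using mod_filter is to control where DEFLATE sits relative to ModSecurity's output filter: if DEFLATE ran first, ModSecurity would be matching against gzip data and outbound rules would go quiet. So request a page that triggers an outbound rule once with and once without an Accept-Encoding: gzip header and verify that the rule fires in the audit log in both cases; if it only fires for the uncompressed request, the filter order is the likely cause and the placement of COMPRESS needs another look.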