Re: [mod-security-users] ModSecurity Logging not working

[Brian R. <Bri...@br...>]

Gaurav Pruthi wrote:
> Hi All,

Hi.  See my comments inline below...

> 
> I am still clueless about the issue i am facing. Can anybody help me out?
> 
> Gaurav
> 
> On Tue, Mar 25, 2008 at 6:43 PM, Gaurav Pruthi <gkp...@gm...
> <mailto:gkp...@gm...>> wrote:
> 
>     I have seen the same documentation which i am following for the same
>     version of modsecurity which i am trying to install.
> 
>     http://www.modsecurity.org/documentation/modsecurity-apache/2.5.1/modsecurity2-apache-reference.html#installation
> 
>     Kindly confirm if this is outdated.


No, it is up-to-date.


> 
>     Also the link which you have provided asks to configure the apache
>     root path. This option was available in modsecurity 2.1.5 (last
>     version i used) and is not available in modsec 2.5.1
> 
>     Kindly confirm as i may be wrong.


You are referring to this link?

http://www.modsecurity.org/documentation/faq.html#d0e216

If so, then this is for 2.0 (and still valid in 2.1) and points to this
set of install instructions:

http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#02-installation


For 2.5, follow the new install instructions here:

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.1/modsecurity2-apache-reference.html#installation

See more comments inline below...

> 
> 
>     Thanks,
>     Gaurav Pruthi
> 
> 
> 
>     On Tue, Mar 25, 2008 at 6:08 PM, Ryan Barnett
>     <Rya...@br... <mailto:Rya...@br...>> wrote:
> 
>         You are using the older 1.x rules language.  Take a look at this
>         section of the FAQ -
>         http://www.modsecurity.org/documentation/faq.html#d0e216.


Ryan is correct, you are using the 1.9 directives (see more comments below).

>          
> 
>             ------------------------------------------------------------------------
>             *From:* mod...@li...
>             <mailto:mod...@li...>
>             [mailto:mod...@li...
>             <mailto:mod...@li...>]
>             *On Behalf Of *Gaurav Pruthi
>             *Sent:* Tuesday, March 25, 2008 3:41 AM
>             *To:* mod...@li...
>             <mailto:mod...@li...>
>             *Subject:* [mod-security-users] ModSecurity Logging not working
> 
>             Hi,
> 
>             I am using Apache 2.2.6 with mod security 2.5.1. I have
>             installed mod_security using the installation instrcutions
>             given in the link below.
> 
> 
>             http://www.modsecurity.org/documentation/modsecurity-apache/2.5.1/html-multipage/installation.html
> 
> 
>             Mod_security compiled successfully. I also loaded module in
>             httpd.conf
> 
>             LoadFile /usr/lib/libxml2.so
>             LoadFile /usr/lib/liblua-5.1.so <http://5.1.so>
>             LoadModule security2_module modules/mod_security2.so
> 
>             My problem is that i am not getting any logs in modsecurity
>             log file. Here is my modsecurity.conf file
> 
>             <IfModule mod_security.c>
> 

Here you have said that if Modsecurity 1.x is loaded, then use this
block.  These are 1.x directives, not 2.x.  If you were using these
directives with 2.1.5 previously, then this block *was not used* and
most likely you were just loading the module without a configuration.
You needed to use <IfModule mod_security2.c> (or <IfModule
security2_module> with Apache 2.2 as you stated you are using).

I imagine if you go back to 2.1.5 and then correct the module name in
the IfModule line, you will get the same error as with 2.5.



>             ##### Configuration #####
> 
>             SecFilterEngine On
>             SecFilterScanPost On
>             SecFilterCheckCookieFormat On
>             SecFilterNormalizeCookies On
>             SecFilterScanOutput On
>             SecFilterOutputMimeTypes "(null) text/html text/plain"
> 
>             ##### Validation #####
> 
>             SecFilterCheckURLEncoding On
>             SecUploadDir /tmp
>             SecUploadKeepFiles Off
>             SecFilterCheckUnicodeEncoding Off
>             SecFilterForceByteRange 1 255
>             SecFilterDefaultAction "log,deny,status:404"
> 
>             ##### Logging #####
> 
>             SecFilterDebugLog logs/modsec_debug.log
>             SecFilterDebugLevel 1
>             SecAuditEngine RelevantOnly
>             SecAuditLog logs/modsec_audit.log
> 
>             </IfModule>
> 
> 
>             Also when i checked on the net regarding the same issue, i
>             got the answer that i should use <IfModule mod_security2.c>
>             instead of <IfModule mod_security.c>
> 
>             But when i put <IfModule mod_security2.c> my apache don't
>             starts at all. It gives me error
> 
>             Starting httpd: Syntax error on line 5 of modsecurity.conf:
>             Invalid command 'SecFilterEngine', perhaps misspelled or
>             defined by a module not included in the server configuration

Exactly.  Because you have then included ModSecurity 1.x directives with
a 2.x module.  There is no 'SecFilterEngine' directive in 2.x and Apache
is telling you that.  By using mod_security.c this entire block was not
used when ModSecurity 2.x is loaded and thus no syntax error (although
you had no configuration and thus no protection either).


> 
>             I believe mod_security module is not working in my apache
>             environment but unable to resolve the issue.

No, ModSecurity seems to be fine, but your configuration need updated to
the 2.x syntax.

thanks,
-B

-- 
Brian Rectanus
Breach Security