Re: [mod-security-users] args ignored in POST - filter question
From: Stephen C. E. <ste...@gm...> - 2008-07-03 01:05:45
Hi Kamil,
Are you running the traffic through a web proxy like WebScarab or
Paros to make sure that the POST request body parameters are being
sent?
>> I tried the debug level 9 before I wrote the question. But I found
>> nothing suspicious in logs.
The debug log at level 9 shows the DNA of your ModSecurity app... Log
only the 2 scenarios you described, zip it (it highly compresses;
probably less than 40k), email it to me and I'll look at it.
Cheers,
Stephen
On Wed, Jul 2, 2008 at 11:08 PM, Brian Rectanus
<Bri...@br...> wrote:
> Your config looks fine. What is the full request you are sending?
> ModSecurity only handles these types:
>
> application/x-www-form-urlencoded
> multipart/form-data
>
> -B
>
> Kam...@bd... wrote:
>> Hi Stephen,
>>
>> I tried the debug level 9 before I wrote the question. But I found
>> nothing suspicious in logs. I tried to google today and I found a log
>> that contains the following lines:
>>
>> Adding request argument (BODY): name "FirstName", value "asdfasfd"
>> [/index.php/contact.process/]
>> Adding request argument (BODY): name "LastName", value
>>
>> My log contains only lines of type
>>
>> Adding request argument (QUERY_STRING): name "Cmd" ...
>>
>> The problem is probably that it does not read the body part of the
>> request. I have the line 'SecRequestBodyAccess On' in my config file
>> (Christian's remark), I tried to experiment with the phases,
>> but without success. Maybe the problem is in another part of my Apache
>> settings. Can you send me your minimal config that works with arguments
>> sent in the POST body?
>>
>> Thank you
>>
>> Kamil
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: Stephen Craig Evans [mailto:ste...@gm...]
>>> Sent: Tuesday, July 01, 2008 6:02 PM
>>> To: Golombek Kamil | BDO IT a.s.
>>> Cc: mod...@li...
>>> Subject: Re: [mod-security-users] args ignored in POST -
>>> filter question
>>>
>>> Hi Kamil,
>>>
>>> The best way to solve your problem is to enable debugging, crank it up
>>> to top level:
>>> SecDebugLog /etc/modsecurity/logs/modsec_debug.log
>>> SecDebugLogLevel 9
>>>
>>> Go to the page that's causing the problem.
>>> Restart Apache.
>>> Clear your browser cache; reload the page.
>>> Examine the debug file. It won't be very big. You'll see exactly
>>> what's going on.
>>>
>>> Whenever debugging, it's best to have only the minimal amount in the
>>> debug file as it can get large quickly. In Linux, just erase the debug
>>> log file ('rm -f ...') and create a new blank one ('touch ...'), then
>>> restart Apache and reproduce the problem.
>>>
>>> Stephen
>>>
>>> On Tue, Jul 1, 2008 at 10:28 PM, <Kam...@bd...> wrote:
>>> > Hi,
>>> > I have modsecurity 2.2.5 with apache 2.2.3 in reverse proxy setup. I
>>> > can create rules for arguments passed directly in URL but my rules are
>>> > not triggered by argument sent by post.
>>> >
>>> > The following rules work well for URL in format
>>> > https://server.com/path_to_file/file.with.dots sent by GET/POST methods
>>> > with argument, i.e.
>>> > https://server.com/path_to_file/file.with.dots?lng=foo.
>>> > But once I send the argument in body of request, it is not detected on
>>> > server. I tried to play with phase:1, phase:2 in rules but it gave the
>>> > same result. I tried also REQUEST_BODY without success. It seems my
>>> > proxy ignores the body of the request. What am I doing wrong?
>>> >
>>> > Thanks
>>> >
>>> > Kamil
>>> >
>>> >
>>> > My config:
>>> > ----------------
>>> > ProxyRequests Off
>>> >
>>> > <Proxy *>
>>> > Order deny,allow
>>> > Allow from all
>>> > </Proxy>
>>> >
>>> > ProxyPreserveHost on
>>> > ProxyPass /path123/ http://127.0.0.3:8080/path123/
>>> >
>>> > SecRuleEngine On
>>> > SecRequestBodyAccess On
>>> > SecResponseBodyAccess Off
>>> > SecRequestBodyInMemoryLimit 131072
>>> > SecRequestBodyLimit 131072
>>> >
>>> > SecDefaultAction "phase:2,log,auditlog,deny,status:500"
>>> >
>>> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
>>> > "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
>>> > SecRule ARGS_NAMES "!^(call|page|session)$"
>>> >
>>> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
>>> > "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
>>> > SecRule ARGS:lng "!^(cz|en)$"
>>> >
>>> >
>>> > _______________________________________________
>>> > mod-security-users mailing list
>>> > mod...@li...
>>> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> >
>>>
>>
>
>
> --
> Brian Rectanus
> Breach Security
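Added example, not part of the original thread or of ModSecurity itself: a small Python triage script for the check discussed above. It groups the "Adding request argument" debug-log lines by origin (BODY vs QUERY_STRING) and tests the request's Content-Type against the two body types Brian lists. The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Body types ModSecurity parses into ARGS, as listed in Brian's reply above.
PARSED_BODY_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}

# Matches the debug-log message quoted in the thread; any line prefix is ignored.
ARG_LINE = re.compile(
    r'Adding request argument \((?P<origin>[A-Z_]+)\): name "(?P<name>[^"]*)"'
)

# Constructed sample lines (not from the thread); the "[4]" prefix is illustrative.
SAMPLE_LOG = [
    '[4] Adding request argument (QUERY_STRING): name "Cmd", value "list"',
    '[4] Adding request argument (BODY): name "lng", value "foo"',
    '[4] Some unrelated debug message',
]


def args_by_origin(log_lines):
    """Group argument names by where ModSecurity read them from."""
    found = defaultdict(list)
    for line in log_lines:
        m = ARG_LINE.search(line)
        if m:
            found[m.group("origin")].append(m.group("name"))
    return dict(found)


def body_type_is_parsed(content_type):
    """True if the media type (parameters stripped) is one of the parsed form types."""
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    return media_type in PARSED_BODY_TYPES


def diagnose(log_lines, content_type):
    """Explain why ARGS rules did or did not see POST body parameters."""
    origins = args_by_origin(log_lines)
    if origins.get("BODY"):
        return "body parsed: " + ", ".join(origins["BODY"])
    if not body_type_is_parsed(content_type):
        return "body not parsed: Content-Type %r is not a form type" % content_type
    return ("body not parsed despite form Content-Type: confirm the body is "
            "actually sent and that SecRequestBodyAccess is On")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "application/x-www-form-urlencoded"))
    print(diagnose(SAMPLE_LOG[:1], "text/xml"))
```

Feed it the lines of a level 9 debug log captured for a single request, together with the Content-Type header of that request.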