Re: [mod-security-users] args ignored in POST - filter question
From: <Kam...@bd...> - 2008-07-03 07:19:04
Hi Stephen,
the first thing - using local proxy - of course :-) (both)
the second thing - I'm going to prepare it
thanks
Kamil
> -----Original Message-----
> From: Stephen Craig Evans [mailto:ste...@gm...]
> Sent: Thursday, July 03, 2008 3:06 AM
> To: Golombek Kamil | BDO IT a.s.
> Cc: mod...@li...
> Subject: Re: [mod-security-users] args ignored in POST -
> filter question
>
> Hi Kamil,
>
> Are you running the traffic through a web proxy like WebScarab or
> Paros to make sure that the POST request body parameters are being
> sent?
>
> >> I tried the debug level 9 before I wrote the question. But I found
> >> nothing suspicious in logs.
>
> The debug log at level 9 shows the DNA of your ModSecurity app... Log
> only the 2 scenarios you described, zip it (it highly compresses;
> probably less than 40k), email it to me and I'll look at it.
>
> Cheers,
> Stephen
>
>
> On Wed, Jul 2, 2008 at 11:08 PM, Brian Rectanus
> <Bri...@br...> wrote:
> > Your config looks fine. What is the full request you are sending?
> > ModSecurity only handles these types:
> >
> > application/x-www-form-urlencoded
> > multipart/form-data
> >
> > -B
> >
> > Kam...@bd... wrote:
> >> Hi Stephen,
> >>
> >> I tried the debug level 9 before I wrote the question. But I found
> >> nothing suspicious in logs. I tried to google today and I found a log
> >> that contains the following lines:
> >>
> >> Adding request argument (BODY): name "FirstName", value "asdfasfd"
> >> [/index.php/contact.process/]
> >> Adding request argument (BODY): name "LastName", value
> >>
> >> My log contains only lines of type
> >>
> >> Adding request argument (QUERY_STRING): name "Cmd" ...
> >>
> >> The problem is probably that it does not read the body part of the
> >> request. I have the line 'SecRequestBodyAccess On' in my config file
> >> (Christian's remark), I tried to experiment with the phases,
> >> but without success. Maybe the problem is in another part of my apache
> >> settings. Can you send me your minimal config that works with argument
> >> sent in POST body?
> >>
> >> Thank you
> >>
> >> Kamil
> >>
> >>
> >>
> >>
> >>> -----Original Message-----
> >>> From: Stephen Craig Evans [mailto:ste...@gm...]
> >>> Sent: Tuesday, July 01, 2008 6:02 PM
> >>> To: Golombek Kamil | BDO IT a.s.
> >>> Cc: mod...@li...
> >>> Subject: Re: [mod-security-users] args ignored in POST -
> >>> filter question
> >>>
> >>> Hi Kamil,
> >>>
> >>> The best way to solve your problem is to enable debugging, crank it up
> >>> to top level:
> >>> SecDebugLog /etc/modsecurity/logs/modsec_debug.log
> >>> SecDebugLogLevel 9
> >>>
> >>> Go to the page that's causing the problem.
> >>> Restart Apache.
> >>> Clear your browser cache; reload the page.
> >>> Examine the debug file. It won't be very big. You'll see exactly
> >>> what's going on.
> >>>
> >>> Whenever debugging, it's best to have only the minimal amount in the
> >>> debug file as it can get large quickly. In Linux, just erase the debug
> >>> log file ('rm -f ...') and create a new blank one ('touch ...'), then
> >>> restart Apache and reproduce the problem.
> >>>
> >>> Stephen
> >>>
> >>> On Tue, Jul 1, 2008 at 10:28 PM, <Kam...@bd...> wrote:
> >>> > Hi,
> >>> > I have modsecurity 2.2.5 with apache 2.2.3 in reverse proxy setup. I
> >>> > can create rules for arguments passed directly in URL but my rules are
> >>> > not triggered by argument sent by post.
> >>> >
> >>> > The following rules work well for URL in format
> >>> > https://server.com/path_to_file/file.with.dots sent by GET/POST methods
> >>> > with argument, i.e.
> >>> > https://server.com/path_to_file/file.with.dots?lng=foo.
> >>> > But once I send the argument in body of request, it is not detected on
> >>> > server. I tried to play with phase:1, phase:2 in rules but it gave the
> >>> > same result. I tried also REQUEST_BODY without success. It seems my
> >>> > proxy ignores the body of the request. What am I doing wrong?
> >>> >
> >>> > Thanks
> >>> >
> >>> > Kamil
> >>> >
> >>> >
> >>> > My config:
> >>> > ----------------
> >>> > ProxyRequests Off
> >>> >
> >>> > <Proxy *>
> >>> > Order deny,allow
> >>> > Allow from all
> >>> > </Proxy>
> >>> >
> >>> > ProxyPreserveHost on
> >>> > ProxyPass /path123/ http://127.0.0.3:8080/path123/
> >>> >
> >>> > SecRuleEngine On
> >>> > SecRequestBodyAccess On
> >>> > SecResponseBodyAccess Off
> >>> > SecRequestBodyInMemoryLimit 131072
> >>> > SecRequestBodyLimit 131072
> >>> >
> >>> > SecDefaultAction "phase:2,log,auditlog,deny,status:500"
> >>> >
> >>> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
> >>> >     "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
> >>> > SecRule ARGS_NAMES "!^(call|page|session)$"
> >>> >
> >>> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
> >>> >     "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
> >>> > SecRule ARGS:lng "!^(cz|en)$"
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > mod-security-users mailing list
> >>> > mod...@li...
> >>> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >>> >
> >>>
> >>
> >>
> >>
> >
> >
> > --
> > Brian Rectanus
> > Breach Security
> >
> >
> >
>
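The debug-log check discussed in this thread (looking for `Adding request argument (BODY)` lines next to the `QUERY_STRING` ones) can be scripted. The following is an added example, not code from any of the posters or from the ModSecurity project; the sample log lines are constructed, with the per-line prefix abbreviated and the argument values invented.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread, e.g.
#   Adding request argument (BODY): name "FirstName", value "asdfasfd"
ARG_RE = re.compile(
    r'Adding request argument \((?P<origin>[A-Z_]+)\): name "(?P<name>[^"]*)"'
)

# Constructed sample: what the thread describes for the failing setup.
SAMPLE_QUERY_ONLY = '''\
[9] Adding request argument (QUERY_STRING): name "Cmd", value "list"
'''

# Constructed sample: a log in which the request body was parsed.
SAMPLE_WITH_BODY = '''\
[9] Adding request argument (QUERY_STRING): name "lng", value "cz"
[9] Adding request argument (BODY): name "FirstName", value "asdfasfd"
[9] Adding request argument (BODY): name "LastName", value "example"
'''

def args_by_origin(log_text):
    """Map each argument origin (QUERY_STRING, BODY, ...) to the names logged."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ARG_RE.search(line)
        if m:
            seen[m.group("origin")].append(m.group("name"))
    return dict(seen)

def diagnose(log_text):
    """Summarise whether POST body arguments reached ARGS / ARGS_NAMES."""
    origins = args_by_origin(log_text)
    if "BODY" in origins:
        return "body parsed: " + ", ".join(origins["BODY"])
    if origins:
        # Body arguments absent: rules on ARGS cannot match POST data.
        return ("no BODY arguments (only " + "/".join(sorted(origins)) + "); "
                "check SecRequestBodyAccess and that the Content-Type is "
                "application/x-www-form-urlencoded or multipart/form-data")
    return "no arguments logged; is SecDebugLogLevel set to 9?"

if __name__ == "__main__":
    print(diagnose(SAMPLE_QUERY_ONLY))
    print(diagnose(SAMPLE_WITH_BODY))
```

To use it on a real log, pass the file contents to `diagnose()` after reproducing a single request against a freshly emptied debug log.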