[mod-security-users] Docs out there?
From: Werthmann <wer...@fr...> - 2008-08-18 16:40:28
Thanks for your advice; unfortunately I don't know where I installed it / where the program resides. I only ran rpm -i at the command prompt, that was all. Does anybody know where the console is usually located after install? Thanks.

stevie

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On behalf of mod...@li...
Sent: Monday, 18 August 2008 18:05
To: mod...@li...
Subject: [!! SPAM] mod-security-users Digest, Vol 27, Issue 22

Send mod-security-users mailing list submissions to mod...@li...
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/mod-security-users
or, via email, send a message with subject or body 'help' to mod...@li...
You can reach the person managing the list at mod...@li...
When replying, please edit your Subject line so it is more specific than "Re: Contents of mod-security-users digest..."

Today's Topics:

   1. Re: Doc out there? (Clayton Dillard)
   2. Question about PROTOCOL_VIOLATION/IP_HOST (Albert E. Whale)
   3. Re: mlogc - bundled in? (Albert E. Whale)
   4. Re: Question about PROTOCOL_VIOLATION/IP_HOST (Albert E. Whale)
   5. Re: Question about PROTOCOL_VIOLATION/IP_HOST (Ryan Barnett)
   6. Re: What does this mean? Why is it critical? (Albert E. Whale)
   7. Re: lua pooa I dooa (Brian Rectanus)

----------------------------------------------------------------------

Message: 1
Date: Mon, 18 Aug 2008 07:50:13 -0400
From: Clayton Dillard <cla...@gm...>
Subject: Re: [mod-security-users] Doc out there?
To: Werthmann <wer...@fr...>
Cc: mod...@li...
Message-ID: <48A...@gm...>
Content-Type: text/plain; charset=UTF-8

Werthmann,

You should have a console.conf.default in the location where you installed the console. It has the default port number the console listens on (8888). You also need to make sure that you have met the prereqs as listed in the README file, which also has info on how to access the console once it is started.

Hope this helps.

Clayton Taylor Dillard
Network Security Enthusiast
Aim for the truth - it works!

Werthmann wrote:
> Hello,
>
> After hours I installed ModSecurity and console successfully.
> But when I start console (./modsecurity-console start on Suse Linux prompt)
> nothing happens... how can I reach this fancy web interface??? Is there any
> manual out or what is the trick?
>
> cu stevie

------------------------------

Message: 2
Date: Mon, 18 Aug 2008 11:21:37 -0400
From: "Albert E. Whale" <aewhale@ABS-CompTech.com>
Subject: [mod-security-users] Question about PROTOCOL_VIOLATION/IP_HOST
To: mod...@li...
Message-ID: <48A99381.3050304@ABS-CompTech.com>
Content-Type: text/plain; charset=ISO-8859-1

I originally thought that the reason that this rule was being triggered was due to the IP address not being in DNS, but after connecting the IP addresses into DNS, and then restarting the server, I am still getting the following:

Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Action: Intercepted (phase 2)

What is triggering the event? Perhaps I am not understanding why the event is occurring?

TIA

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.

------------------------------

Message: 3
Date: Mon, 18 Aug 2008 11:42:16 -0400
From: "Albert E. Whale" <aewhale@ABS-CompTech.com>
Subject: Re: [mod-security-users] mlogc - bundled in?
To: Brian Rectanus <Bri...@br...>
Cc: mod...@li...
Message-ID: <48A99858.2080507@ABS-CompTech.com>
Content-Type: text/plain; charset=ISO-8859-1

Brian Rectanus wrote:
> Albert E. Whale wrote:
>> OK, I see in the modsecurity2-apache-reference.pdf mention of mlogc.
>>
>> I cannot find it in the tar bundle, but I have found a mention in the
>> mailing list. Where is it?
>>
>> Do I need this if I have vhosts? What about if I have vhosts, and
>> separate audit logs?
>>
>> TIA
>
> It was accidentally left out of 2.5.6.
>
> http://blog.modsecurity.org/2008/08/modsecurity-256.html
>
> -B

Thanks, I was wondering what happened to it.

------------------------------

Message: 4
Date: Mon, 18 Aug 2008 11:52:55 -0400
From: "Albert E. Whale" <aewhale@ABS-CompTech.com>
Subject: Re: [mod-security-users] Question about PROTOCOL_VIOLATION/IP_HOST
To: aewhale@ABS-CompTech.com
Cc: mod...@li...
Message-ID: <48A99AD7.2060408@ABS-CompTech.com>
Content-Type: text/plain; charset=ISO-8859-1

Albert E. Whale wrote:
> I originally thought that the reason that this rule was being triggered
> was due to the IP address not being in DNS, but after connecting the IP
> addresses into DNS, and then restarting the server, I am still getting
> the following:
>
> [...]
>
> What is triggering the event? Perhaps I am not understanding why the
> event is occurring?
>
> TIA

OK, I read the FAQ, I read the gmane.org article:

This question has been asked/answered a few different times -
http://article.gmane.org/gmane.comp.apache.mod-security.user/3892

However, the request is being presented via a VPN'd connection to a legitimate web page, and forwarded via a Java based application. Therefore, I am looking for guidance as to what should be done about the ruleset.

Here's the logfile entry:

--3dda4002-A--
[18/Aug/2008:11:07:49 --0400] VajzVX8AAAEAAG29PkIAAAAG 10.87.2.40 1454 10.87.69.9 80
--3dda4002-B--
GET /NorthstarNavs_test/Nsgoto.asp?navigate=eDocCheck&customercode=aru&deployid=test&user=rig&account_no=33032&occupant_code=0&debtor_no=3038720 HTTP/1.1
User-Agent: Java/1.4.2_13
Host: 10.87.69.9
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

--3dda4002-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

--3dda4002-H--
Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host.
[file "/etc/httpd/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Action: Intercepted (phase 2)
Apache-Handler: chiliasp
Stopwatch: 1219072069530453 552 (193 371 -)
Producer: ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/); core ruleset/1.6.1.
Server: Apache/2.0.46 (Red Hat) mod_perl/1.99_09 Perl/v5.8.0 DAV/2 PHP/4.3.2 mod_python/3.0.3 Python/2.2.3 mod_ssl/2.0.46 OpenSSL/0.9.7a Sun-ONE-ASP/4.0.2

--3dda4002-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,status:400,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,t:none,deny,log,auditlog,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"
SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d\\.]+$" "phase:2,status:400,t:lowercase,t:replaceNulls,t:compressWhitespace,t:none,deny,log,auditlog,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST"
SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"

--3dda4002-Z--

I do not know if I should whitelist all valid IP addresses, the Apache-Handler: chiliasp, or comment the rule out. If I am going to accept this from the Apache-Handler: chiliasp, how do I do this?

------------------------------

Message: 5
Date: Mon, 18 Aug 2008 11:47:57 -0400
From: "Ryan Barnett" <Ryan.Barnett@Breach.com>
Subject: Re: [mod-security-users] Question about PROTOCOL_VIOLATION/IP_HOST
To: <aewhale@ABS-CompTech.com>, <mod...@li...>
Message-ID: <50E...@mi...>
Content-Type: text/plain; charset="utf-8"

This rule is inspecting the inbound Host request header -

Host: www.example.com

If the header contains an IP address instead of a hostname (example Host: 192.168.1.100) then it is blocked. This rule was created since many web-based worms (remember CodeRed and Nimda?) propagated based on IP. Bottom line is that "normal clients" use hostnames, so this catches many scripted attacks.

Ryan C. Barnett
Director of Application Security
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com <http://www.breach.com/>

----- Original Message -----
From: mod...@li... <mod...@li...>
To: mod...@li... <mod...@li...>
Sent: Mon Aug 18 11:21:37 2008
Subject: [mod-security-users] Question about PROTOCOL_VIOLATION/IP_HOST

I originally thought that the reason that this rule was being triggered was due to the IP address not being in DNS, but after connecting the IP addresses into DNS, and then restarting the server, I am still getting the following:

[...]

What is triggering the event? Perhaps I am not understanding why the event is occurring?

TIA

------------------------------

Message: 6
Date: Mon, 18 Aug 2008 12:02:05 -0400
From: "Albert E. Whale" <aewhale@ABS-CompTech.com>
Subject: Re: [mod-security-users] What does this mean? Why is it critical?
To: Ryan Barnett <Ryan.Barnett@Breach.com>
Cc: mod...@li...
Message-ID: <48A99CFD.1070309@ABS-CompTech.com>
Content-Type: text/plain; charset=ISO-8859-1

Ryan Barnett wrote:
>> -----Original Message-----
>> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Albert E. Whale
>> Sent: Friday, August 15, 2008 4:13 PM
>> To: mod...@li...
>> Subject: [mod-security-users] What does this mean? Why is it critical?
>>
>> Message: Access denied with code 400 (phase 2). Pattern match
>> "^[\d\.]+$" at REQUEST_HEADERS:Host. [file
>> "/etc/httpd/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"]
>> [line "60"] [id "960017"] *[msg "Host header is a numeric IP address"]*
>> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
>>
>> Why is this a Critical error?
>
> [Ryan Barnett] Please review the FAQ -
> http://www.modsecurity.org/documentation/faq.html#d0e78
>
> This question has been asked/answered a few different times -
> http://article.gmane.org/gmane.comp.apache.mod-security.user/3892

I reviewed these both, but still have a question which I posted today. Neither of these helped me to resolve the question, and I certainly understand that these may have been asked (and answered) previously, but I found nothing in the mail logs which can assist my resolution.

Thank you. I do appreciate your pointing out the mailing list archives on SourceForge; I will make use of that.

Thank you.

------------------------------

Message: 7
Date: Mon, 18 Aug 2008 09:04:38 -0700
From: Brian Rectanus <Bri...@br...>
Subject: Re: [mod-security-users] lua pooa I dooa
To: marty <ma...@go...>
Cc: mod...@li...
Message-ID: <48A...@br...>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

This should be fixed in 2.5.7 (I plan on releasing a -dev1 soon so you can test it). No need to resort to name calling ;)

-B

marty wrote:
> I am not on a dist.
> This is my source build Linux.
> I never link static libs.
>
> I am using mod 2.5.5.
> lua 5.1.3
>
> root@dumburger:~# ls -l /usr/lib/liblua.so
> -rw-r--r-- 1 root root 191827 Jul 4 13:03 /usr/lib/liblua.so
>
> --with-lua=/usr
>
> This is from configure which says no lua install was found.
>
> LUA_CONFIG="pkg-config"
> LUA_PKGNAMES="lua5.1 lua5 lua"
> LUA_CFLAGS=""
> LUA_LIBS=""
>
> This change identified the shared lib and it decided to use it.
> This is what seems to work on my host. Time will tell...
>
> LUA_CONFIG=""
> LUA_PKGNAMES=""
> LUA_CFLAGS=""
> LUA_LIBS="liblua.so"
>
> Marty B.
>
> Brian Rectanus wrote:
>> I believe the latest ModSecurity (2.5.5 and 2.5.4 as well) look for a
>> lib if pkg-config fails.
>>
>> What version of ModSecurity are you using?
>>
>> -B
>>
>> marty wrote:
>>>> What we support when it comes to Lua is documented--you probably
>>>> missed it. Look up the @inspectFile and SecRuleScript documentation.
>>>
>>> Yes, I just updated my docs and found 3 new references to lua;
>>> SecRuleScript, inspectFile, and exec.
>>>
>>> After building liblua.so I had to tweak modsec's configure script
>>> because it looked for a pkg-config instead of a lib. No big deal. Built ok.
>>>
>>> Thanks much,
>>>
>>> Marty B.
>>> --
>>> Electile Dysfunction : the inability to become aroused over any of the
>>> choices for President put forth by either party in the 2008 election.

--
Brian Rectanus
Breach Security

------------------------------

End of mod-security-users Digest, Vol 27, Issue 22
**************************************************
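Added example for the rule 960017 discussion in messages 2, 4 and 5 (editor's code, not from the thread and not the ModSecurity or Core Rule Set sources). It re-implements the check the rule performs, using the operator and regex taken from the audit log's K section above, runs it over constructed request samples, and shows the shape of the source-address exemption Albert asks about in message 4. The exempt network, the Java User-Agent prefix and all sample requests are assumptions for illustration.

```python
"""Added example (not from the thread or the ModSecurity/CRS sources):
re-implements the check performed by CRS rule 960017 so the behaviour
discussed in messages 2, 4 and 5 can be exercised offline, and shows the
kind of source-address exemption asked about in message 4.

Assumptions, labelled as such: the sample requests below are constructed;
the exemption list (EXEMPT_SOURCES) and the Java User-Agent prefix are
illustrative choices, not anything the CRS ships.
"""
import re
from ipaddress import ip_address, ip_network

# Operator from the audit log's K section: "@rx ^[\\d\\.]+$".
# The rule's transformation list ends in t:none, which clears the earlier
# t:lowercase/t:replaceNulls/t:compressWhitespace, so the raw header is matched.
IP_HOST_RE = re.compile(r"^[\d\.]+$")

# Illustrative exemption policy (assumption): requests from these source
# networks, carrying a Java User-Agent, may use a numeric Host header.
EXEMPT_SOURCES = [ip_network("10.87.0.0/16")]
EXEMPT_UA_PREFIX = "Java/"


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of one audit-log B section.
    Header names are compared case-insensitively, as HTTP requires."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def rule_960017_matches(headers: dict) -> bool:
    """True when the Host header is a bare dotted-numeric value."""
    host = headers.get("host")
    return host is not None and IP_HOST_RE.match(host) is not None


def is_exempt(src_ip: str, headers: dict) -> bool:
    """Mirror of a whitelisting chain: source inside an exempt network AND
    the expected client User-Agent. Both conditions are illustrative."""
    ua = headers.get("user-agent", "")
    src = ip_address(src_ip)
    return any(src in net for net in EXEMPT_SOURCES) and ua.startswith(EXEMPT_UA_PREFIX)


def evaluate(src_ip: str, raw_request: str) -> str:
    """Return 'deny', 'exempt' or 'pass' for one request."""
    req = parse_request(raw_request)
    if not rule_960017_matches(req["headers"]):
        return "pass"
    return "exempt" if is_exempt(src_ip, req["headers"]) else "deny"


# Constructed samples. The first mirrors the request shown in the thread.
SAMPLES = [
    ("10.87.2.40", "GET /Nsgoto.asp?navigate=eDocCheck HTTP/1.1\nUser-Agent: Java/1.4.2_13\nHost: 10.87.69.9\n"),
    ("203.0.113.9", "GET / HTTP/1.1\nUser-Agent: Java/1.4.2_13\nHost: 10.87.69.9\n"),  # wrong source
    ("10.87.2.40", "GET / HTTP/1.1\nUser-Agent: curl/7.19\nHost: 10.87.69.9\n"),       # wrong User-Agent
    ("198.51.100.7", "GET / HTTP/1.1\nHost: www.example.com\n"),
    ("198.51.100.7", "GET / HTTP/1.1\nHost: 10.87.69.9:8080\n"),  # port suffix: the regex does not match
    ("198.51.100.7", "GET / HTTP/1.1\nHost: [2001:db8::1]\n"),     # IPv6 literal: no match either
]


def run_samples() -> list:
    """Verdict for every sample, in order."""
    return [evaluate(src, raw) for src, raw in SAMPLES]


if __name__ == "__main__":
    for (src, raw), verdict in zip(SAMPLES, run_samples()):
        host = parse_request(raw)["headers"].get("host")
        print(f"{src:<14} Host: {host:<18} -> {verdict}")
```

Two things the samples make visible that the thread does not spell out: the regex only catches a bare dotted IPv4 value, so "Host: 10.87.69.9:8080" or an IPv6 literal sails past rule 960017, which matters if anyone relies on it as more than a worm heuristic; and because the transformation list ends in t:none, none of the listed transformations are actually applied before the match. In ModSecurity 2.5 the exemption sketched by is_exempt would be a phase:1 SecRule on REMOTE_ADDR chained with REQUEST_HEADERS:User-Agent that fires ctl:ruleRemoveById=960017 for that transaction, or a SecRuleRemoveById 960017 scoped to a matching <LocationMatch>; either narrows the exception to the Java client's path instead of commenting the rule out for everyone.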