Re: [mod-security-users] Broke mlogc
From: Dimitri Y. <dyi...@fi...> - 2010-02-11 18:25:30
Brian,

ModSec is running on CentOS 4.7. Output of mlogc-error.log is at http://pastebin.com/d61a5c46c.

Dimitri

On Thursday 11 February 2010 11:53:27 am you wrote:
> Nope, not very special. From the console logs it looks like it is
> mis-interpreting a header as a large integer. Are you on Solaris on a
> SPARC arch?
>
> If you could re-post the pastebin data (or send it to me), that would be
> helpful as it expired.
>
> thanks,
> -B
>
> Christian Bockermann wrote:
> > Hm... doesn't look very special to me. I imported it into my
> > AuditConsole with no problem (screenshot attached).
> >
> > I don't know exactly how the Community console deals with multiple
> > rule-tags. I wasn't aware that multiple tags are in use, might be new
> > in crs-2.0.5. This *might* be problematic.
> >
> > You could try to remove all of the [tag ...] strings and leave one in
> > and try to reject the event-file with my jwall-tools, just to check
> > whether this is causing problems:
> >
> > java -jar jwall-tools.jar send http://sensorName:sensorPass@192.168.1.3:8886/rpc/auditLogReceiver /path/to/audit-event-file.dat
> >
> > This will re-send the event with my java-tool instead of mlogc, which
> > is helpful for debugging. The jwall-tools.jar is available from
> >
> > https://secure.jwall.org/download/jwall-tools.jar
> >
> > Best regards,
> > Chris
> >
> > Am 10.02.2010 um 22:05 schrieb Dimitri Yioulos:
> >> --8badcd76-A--
> >> [09/Feb/2010:11:19:38 --0500] SM4XTcCoAQMAAHNbbhYAAAAG 174.129.62.166 60568 192.168.1.3 80
> >> --8badcd76-B--
> >> HEAD /icons/apache_pb.gif HTTP/1.0
> >> Host: xx.xxx.xxx.xxx
> >> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >> User-Agent: Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +in...@ne...)
> >> Accept-Encoding: identity
> >> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> >> Accept-Language: en-gb,en;q=0.5
> >> Connection: close
> >>
> >> --8badcd76-F--
> >> HTTP/1.1 200 OK
> >> Last-Modified: Tue, 24 Aug 1999 05:33:48 GMT
> >> ETag: "19801a-916-bd9c2700"
> >> Accept-Ranges: bytes
> >> Content-Length: 2326
> >> Connection: close
> >> Content-Type: image/gif
> >>
> >> --8badcd76-E--
> >>
> >> --8badcd76-H--
> >> Message: Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.0.5"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
> >> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Host header is a numeric IP address"]
> >> Stopwatch: 1265732378564429 164232 (5049 154849 -)
> >> Response-Body-Transformed: Dechunked
> >> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
> >> Server: Apache
> >>
> >> --8badcd76-Z--
>
> --
> Brian Rectanus
> Breach Security
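As an added example (not code from the thread, from mlogc or from jwall-tools), here is a small Python parser for the serial audit log format quoted above: it splits an entry on its boundary lines and, following Christian's point about repeated rule tags, collects every [tag "..."] of a Message line into a list instead of overwriting. The boundary layout --<hex id>-<part letter>-- and the [key "value"] field syntax are assumed from the quoted entry, and the sample entry is a constructed, abbreviated copy of it.

```python
import re

# Constructed sample: an abbreviated copy of the audit log entry quoted in the thread.
SAMPLE = r'''--8badcd76-A--
[09/Feb/2010:11:19:38 --0500] SM4XTcCoAQMAAHNbbhYAAAAG 174.129.62.166 60568 192.168.1.3 80
--8badcd76-B--
HEAD /icons/apache_pb.gif HTTP/1.0
Host: xx.xxx.xxx.xxx

--8badcd76-H--
Message: Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.0.5"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Host header is a numeric IP address"]
Stopwatch: 1265732378564429 164232 (5049 154849 -)

--8badcd76-Z--
'''

# Boundary lines are --<hex id>-<part letter>-- (assumed from the entry above); fields are [key "value"].
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--\r?$", re.M)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def split_parts(entry):
    """Split one serial-format audit log entry into {part letter: part body}."""
    marks = list(BOUNDARY_RE.finditer(entry))
    if not marks:
        raise ValueError("no audit log boundary found")
    boundary = marks[0].group(1)
    parts = {}
    for i, m in enumerate(marks):
        if m.group(1) != boundary:
            raise ValueError("boundary changed mid-entry: " + m.group(0))
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\r\n")
    if "Z" not in parts:
        raise ValueError("entry is truncated: no Z part")
    return parts

def parse_messages(part_h):
    """Parse the Message: lines of part H; [tag ...] may repeat, so tags collect into a list."""
    records = []
    for line in part_h.splitlines():
        if not line.startswith("Message: "):
            continue  # Stopwatch etc. stay as text and are never converted to integers
        body = line[len("Message: "):]
        fields = FIELD_RE.findall(body)
        rec = {"text": body.split(" [", 1)[0], "tag": [v for k, v in fields if k == "tag"]}
        rec.update((k, v) for k, v in fields if k != "tag")
        records.append(rec)
    return records
```

Running it on an entry that mlogc rejects and checking which part or Message line fails to parse is a quick way to narrow the problem down before reaching for the Java tool.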