Re: [mod-security-users] Why doesn't my mod_security catch / log anything?
From: Josh Amishav-Z. <ja...@gm...> - 2011-03-16 12:29:16
Not directly related, but it looks like you installed a really old version of
modsecurity. The most recent version is 2.5.13. Lots has changed, for example
the SecFilter directive you use is no longer supported.

--
- Josh

On Wed, Mar 16, 2011 at 2:13 PM, Emre Sevinc <emr...@gm...> wrote:
> Hello,
>
> I installed mod_security on my Ubuntu GNU/Linux server but when I send
> some simple requests to the web server that should match even the
> simplest rules, I fail to see any alerts or any log files that were
> supposed to exist in /var/log/apache2. What am I missing?
>
> Before proceeding further here's my system details:
>
> $ apache2ctl -t -D DUMP_MODULES | grep secu
> Syntax OK
> security2_module (shared)
>
> $ sudo lsof | grep mod_security
> apache2 12773 root mem REG 202,0 268828
> 50225 /usr/lib/apache2/modules/mod_security2.so
> apache2 15287 www-data mem REG 202,0 268828
> 50225 /usr/lib/apache2/modules/mod_security2.so
> apache2 15288 www-data mem REG 202,0 268828
> 50225 /usr/lib/apache2/modules/mod_security2.so
> ...
>
> I also checked for libxml2 and liblua5.1 and lsof reports that they
> are opened by apache2 user.
>
> And here is the relevant part from my /etc/apache2/apache2.conf:
>
> <IfModule mod_security2.c>
> # Basic configuration options
> SecRuleEngine On
> SecRequestBodyAccess On
> SecResponseBodyAccess Off
>
> # Handling of file uploads
> # TODO Choose a folder private to Apache.
> # SecUploadDir /opt/apache-frontend/tmp/
> SecUploadKeepFiles Off
>
> # Debug log
> SecDebugLog /var/log/apache2/modsec_debug.log
> SecDebugLogLevel 3
>
> # Serial audit log
> #SecAuditEngine RelevantOnly
> SecAuditEngine On
> SecAuditLogRelevantStatus ^5
> SecAuditLogParts ABIFHZ
> SecAuditLogType Serial
> SecAuditLog /var/log/apache2/modsec_audit.log
>
> # Maximum request body size we will
> # accept for buffering
> SecRequestBodyLimit 131072
>
> # Store up to 128 KB in memory
> SecRequestBodyInMemoryLimit 131072
> # Buffer response bodies of up to
> # 512 KB in length
> SecResponseBodyLimit 524288
>
> # Configure default blocking policy
> # see ModSecurity Handbook, p. 175
> #
> #SecDefaultAction "phase:1,log,auditlog,pass"
>
> Include /etc/apache2/modsecurity-crs_2.0.6/*.conf
> Include /etc/apache2/modsecurity-crs_2.0.6/base_rules/*.conf
>
> SecFilter "/bin/"
> SecFilter "/cgi-bin" "deny,log,status:500"
>
>
> # By default log and deny suspicious requests
> # with HTTP status 500
> SecFilterDefaultAction "deny,log,status:500"
> </IfModule>
>
> So I expect that if I try to visit my web site and send a request that
> matches one of the filters I declared above using SecFilter or
> anything that matches the base rules, etc. then I should see something
> in those files:
>
> /var/log/apache2/modsec_debug.log
> /var/log/apache2/modsec_audit.log
>
>
> right?
>
> For example I try to visit my site using the following requests:
>
> http://www.myserver.com/cgi-bin
> http://www.myserver.com/index.html?q=/cgi-bin
> http://www.myserver.com/bin
> http://www.myserver.com/index.html?q=/bin
> http://www.myserver.com/index.html?q=/bin/
>
>
> But I don't see anything in the relevant files, they are still empty:
>
> $ ls -lh /var/log/apache2/modsec_*
> -rw-r--r-- 1 www-data www-data 0 2011-03-16 10:31
> /var/log/apache2/modsec_audit.log
> -rw-r--r-- 1 www-data www-data 0 2011-03-16 10:30
> /var/log/apache2/modsec_debug.log
>
> And in the /var/log/apache2/error.log I only see the usual 'File does
> not exist' entries, no alerts related to mod_security.
>
> What am I missing?
>
>
> --
> Emre Sevinc
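
For reference, a rough ModSecurity 2.x form of the two SecFilter lines and the SecFilterDefaultAction line from the quoted configuration, as an added example that is not part of the original thread. The choice of variables (REQUEST_URI|ARGS), the urlDecodeUni transformation, the rule ids and the msg text are assumptions made for illustration.

```apache
# Added example, not from the thread.
# Rule ids and msg strings are constructed for illustration.
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On

    # ModSecurity 1.x:  SecFilterDefaultAction "deny,log,status:500"
    # 2.x: SecDefaultAction names a processing phase and a disruptive action.
    SecDefaultAction "phase:2,deny,log,status:500"

    # ModSecurity 1.x:  SecFilter "/bin/"
    # 2.x: SecRule states the variables to inspect and the operator explicitly.
    # No disruptive action is given here, so the rule inherits
    # deny,log,status:500 from SecDefaultAction above.
    SecRule REQUEST_URI|ARGS "@contains /bin/" \
        "id:900001,phase:2,t:none,t:urlDecodeUni,msg:'Request contains /bin/ (constructed example)'"

    # ModSecurity 1.x:  SecFilter "/cgi-bin" "deny,log,status:500"
    # 2.x: the per-rule actions move into the third argument of SecRule.
    SecRule REQUEST_URI|ARGS "@contains /cgi-bin" \
        "id:900002,phase:2,t:none,t:urlDecodeUni,deny,log,status:500,msg:'Request contains /cgi-bin (constructed example)'"
</IfModule>
```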