Re: [mod-security-users] Rule causing Modsecurity to Segfault
From: Breno S. <bre...@gm...> - 2011-08-22 17:24:24
Hi Kwenu,

Please follow these instructions and send me in private e-mail.

What is your ModSecurity and Apache version? If it is 2.6.x please send me the library versions you are using (you can get this info in error.log).

Make sure there is a core dump area with something like:

    CoreDumpDirectory /tmp

Make sure limits are set to dump core:

    ulimit -c unlimited

Restart and trigger the error. A core file should be in the directory you specified. Then use gdb to get a backtrace:

1) gdb /path/to/httpd /path/to/core
2) within gdb enter: thread apply all bt full

You can get it into a file with something like:

    gdb /path/to/httpd /path/to/core --batch --quiet \
        -ex "thread apply all bt full" > backtrace.log

Please send me back the backtrace.log

Thanks

Breno

On Mon, Aug 22, 2011 at 12:05 PM, kwenu <uz...@ya...> wrote:

> Hi
>
> We are using a custom install of apache httpd compiled against APR 1.49
> using MPM worker and PHP to serve dynamic content
>
> The following rule here is causing the web server not to return any images
> but text only for intermittent requests
>
> The httpd error_log file emits the following error message
>
> [notice] child pid 25571 exit signal Segmentation fault (11)
>
> I have tried attaching gdb and strace (strace did provide some clues but
> not a lot - "strace -v -f -p 12345 /tmp/httpd-strace" ) to it since I cannot
> get a coredump going at all even after setting CoreDumpDirectory /tmp and
> setting ulimit -c unlimited for the user that the process runs under
>
> When I remove the following line from
> modsecurity_crs_48_globalexceptions.conf web pages are returned correctly
> albeit error messages are still emitted
>
> SecRule &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/' "@gt 0" "setvar:tx.anomaly_score=-4"
>
> The above rule was the only way I could set the anomaly score for rule
> 981173. I would have preferred updating the operator "@ge 4" instead but
> cannot find a way of doing this
>
> modsecurity_crs_41_sql_injection_attacks.conf:
> SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4" "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>
> Is there a better way of updating the above rule's operator "@ge 4" so
> that I can increase count thereby dealing with the false positives that are
> created by this rule??
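
Added example, not part of the original thread or of ModSecurity: a preflight check for the core-dump steps above, reading CoreDumpDirectory from the Apache config and the core limit of the running process from its /proc/<pid>/limits file (Linux). The function names and the constructed sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the core-dump steps in this message.

# Print the last CoreDumpDirectory value in an Apache config file.
# Directive names are case-insensitive; commented-out lines do not match.
core_dump_dir() {
    awk 'tolower($1) == "coredumpdirectory" { d = $2 }
         END { gsub(/"/, "", d); print d }' "$1"
}

# Print the soft "Max core file size" from a /proc/<pid>/limits file: the
# limit the running httpd process has, whatever "ulimit -c" says in your shell.
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }' "$1"
}

# Return 0 if nothing checked here blocks a core file; otherwise print each
# problem and return 1. Run as the account httpd runs under so that the
# writability test is meaningful.
check_core_ready() {
    conf=$1 limits=$2 rc=0
    dir=$(core_dump_dir "$conf")
    lim=$(core_soft_limit "$limits")
    if [ -z "$dir" ]; then
        echo "no CoreDumpDirectory in $conf"; rc=1
    elif [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "CoreDumpDirectory $dir is not a writable directory"; rc=1
    fi
    if [ -z "$lim" ] || [ "$lim" = "0" ]; then
        echo "soft core size limit is '${lim:-unknown}'"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: CoreDumpDirectory is set and writable, but the
# process has a soft core limit of 0, so this reports a problem.
demo() {
    tmp=$(mktemp -d)
    printf 'CoreDumpDirectory %s\n' "$tmp" > "$tmp/httpd.conf"
    printf 'Max core file size        0        unlimited        bytes\n' > "$tmp/limits"
    check_core_ready "$tmp/httpd.conf" "$tmp/limits"; demo_rc=$?
    rm -rf "$tmp"
    return "$demo_rc"
}

# Usage: sh preflight.sh /path/to/httpd.conf /proc/<httpd child pid>/limits
if [ "$#" -eq 2 ]; then check_core_ready "$1" "$2"; else demo || true; fi
```
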