Re: [mod-security-users] Rule causing Modsecurity to Segfault
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Rule causing Modsecurity to Segfault
|
From: Breno S. <bre...@gm...> - 2011-08-22 17:24:24
|
Hi Kwenu,
Please follow this instructions and send me in private e-mail. What is your
ModSecurity and Apache version ? if it is 2.6.x please send me the libraries
versions you are using (you can get this info into error.log).
Make sure there is a core dump area with something like:
CoreDumpDirectory /tmp
Make sure limits are set to dump core:
ulimit -c unlimited
Restart and trigger the error. A core file should be in the directory
you specified.
Then use gdb to get a backtrace:
1) gdb /path/to/httpd /path/to/core
2) within gdb enter:
thread apply all bt full
You can get it into a file with something like:
gdb /path/to/httpd /path/to/core --batch --quiet \
-ex "thread apply all bt full" > backtrace.log
Please send me back the backtrace.log
Thanks
Breno
On Mon, Aug 22, 2011 at 12:05 PM, kwenu <uz...@ya...> wrote:
> **
> Hi
>
> We are using a custom install of apache httpd compiled against APR 1.49
> using MPM worker and PHP to server dynamic content
>
> The following rule here is causing the web server not to return any images
> but text only for intermittent requests
>
> The httpd error_log file emits the following error message
>
> [notice] child pid 25571 exit signal Segmentation fault (11)
>
> I have tried attaching gdb and strace (strace did provide some clues but
> not alot - "strace -v -f -p 12345 /tmp/httpd-strace" ) to it since i cannot
> get a coredump going at all even after setting CoreDumpDirectory /tmp and
> setting ulimit -c unlimited for the user that the process runs under
>
> When i remove the following line from
> modsecurity_crs_48_globalexceptions.conf web pages are returned correctly
> albeit error messages are still emitted
>
> SecRule
> &TX:'/981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-TX:restricted_sqli_char_count/'
> "@gt 0" "setvar:tx.anomaly_score=-4"
>
> The above rule was the only way i could set the anomaly score for rule
> 981173. I would have prefered updating the operator "@ge 4" instead but
> cannot find a way of doing this
>
> modsecurity_crs_41_sql_injection_attacks.conf:
> SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4"
> "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character
> Anomaly Detection Alert - Total # of special characters
> exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{
> rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>
> Is there a better way of updating the above rules operator "@ge 4" so
> that i can increase count thereby dealing with the false positives that are
> created by this rule??
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> uberSVN's rich system and user administration capabilities and model
> configuration take the hassle out of deploying and managing Subversion and
> the tools developers use with it. Learn more about uberSVN and get a free
> download at: http://p.sf.net/sfu/wandisco-dev2dev
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/application-security.php
>
>
|