Re: [mod-security-users] ctl:ruleRemoveByTag segfault with modsec 2.7.0
From: Breno S. <bre...@gm...> - 2012-10-22 22:48:27
Fixed the issue.

Thanks

On Mon, Oct 22, 2012 at 4:40 PM, Breno Silva <bre...@gm...> wrote:

> Looks like the issue happens with chained rules.
>
> I will work on this.
>
>
> On Mon, Oct 22, 2012 at 4:21 PM, Breno Silva <bre...@gm...> wrote:
>
>> Hello,
>>
>> It is working fine here:
>>
>> 22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][5] Rule 21600928: SecRule "REQUEST_FILENAME" "@rx index" "phase:2,log,auditlog,pass,id:10041,ctl:ruleRemoveByTag=LEAKAGE/SOURCE_CODE_PHP"
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][4] Transformation completed in 2 usec.
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][4] Executing operator "rx" with param "index" against REQUEST_FILENAME.
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Target value: "/index.php"
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][4] Operator completed in 14 usec.
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][4] Ctl: Removed rule by tag : LEAKAGE/SOURCE_CODE_PHP.
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][2] Warning. Pattern match "index" at REQUEST_FILENAME. [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "547"] [id "10041"]
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][4] Rule returned 1.
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Match -> mode NEXT_RULE.
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="LEAKAGE/SOURCE_CODE_PHP" against: LEAKAGE/SOURCE_CODE_PHP
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="WASCTC/WASC-19" against: LEAKAGE/SOURCE_CODE_PHP
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="OWASP_TOP_10/A1" against: LEAKAGE/SOURCE_CODE_PHP
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="OWASP_AppSensor/CIE1" against: LEAKAGE/SOURCE_CODE_PHP
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="PCI/6.5.2" against: LEAKAGE/SOURCE_CODE_PHP
>> [22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][5] Not processing rule id="981319": removed by ctl action
>>
>> Are you using the CRS?
>> What files are you loading?
>>
>> Thanks
>>
>> Breno
>>
>>
>> On Mon, Oct 22, 2012 at 3:27 PM, <rp-...@be...> wrote:
>>
>>> - Example of rule that causes apache child segfault:
>>>
>>> SecRule REQUEST_FILENAME "@strmatch foobar.html" "id:'10041',ctl:ruleRemoveByTag=LEAKAGE/SOURCE_CODE_PHP"
>>>
>>> - Here's what happened with a request to foobar.html that hits the
>>> ctl:ruleRemoveByTag rule:
>>> [notice] child pid 9554 exit signal Segmentation fault (11)
>>>
>>> - Version info:
>>> [notice] ModSecurity for Apache/2.7.0 (http://www.modsecurity.org/) configured.
>>> [notice] ModSecurity: APR compiled version="1.2.7"; loaded version="1.2.7"
>>> [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="6.6 06-Feb-2006"
>>> [notice] ModSecurity: LIBXML compiled version="2.7.8"
>>> [notice] Apache configured -- resuming normal operations
>>>
>>>
>>> -RP
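
Added example, not part of the original thread or of ModSecurity itself: a small Python audit of debug-log records in the format quoted above, reporting per transaction which tag a `ctl:ruleRemoveByTag` action removed and which rule ids were skipped as a result, so an exclusion that suppresses more rules than intended stands out. The function names `audit_ctl_removals` and `unexpected_skips` are hypothetical; the message strings are the ones shown in the quoted log, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Debug-log record layout: [timestamp] [host/sid#..][rid#..][uri][level] message
RECORD = re.compile(r"^\[?[^\]]+\] \[[^/\]]+/sid#[0-9a-f]+\]"
                    r"\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$")
CTL_REMOVED = re.compile(r"^Ctl: Removed rule by tag : (?P<tag>\S+?)\.$")
TAG_CHECK = re.compile(r'^Checking removal of rule tag="(?P<rule_tag>[^"]+)" against: (?P<tag>\S+)$')
SKIPPED = re.compile(r'^Not processing rule id="(?P<id>\d+)": removed by ctl action$')

# Sample records taken from the debug log quoted in the thread (one per line),
# plus one constructed record for a second transaction that removes nothing.
SAMPLE = """\
[22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][4] Ctl: Removed rule by tag : LEAKAGE/SOURCE_CODE_PHP.
[22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="LEAKAGE/SOURCE_CODE_PHP" against: LEAKAGE/SOURCE_CODE_PHP
[22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][9] Checking removal of rule tag="PCI/6.5.2" against: LEAKAGE/SOURCE_CODE_PHP
[22/Oct/2012:06:38:26 --0400] [192.168.0.101/sid#216453d0][rid#2165d0b8][/index.php][5] Not processing rule id="981319": removed by ctl action
[22/Oct/2012:06:38:27 --0400] [192.168.0.101/sid#216453d0][rid#2165e0c0][/other.php][4] Rule returned 0.
""".splitlines()


def audit_ctl_removals(lines):
    """Per transaction (rid): tags removed by ctl, rule tags compared, rule ids skipped."""
    report = defaultdict(lambda: {"uri": None, "removed_tags": [],
                                  "checked_tags": [], "skipped_rules": []})
    for line in lines:
        rec = RECORD.match(line.strip())
        if rec is None:
            continue  # wrapped, truncated or non-debug-log line
        entry = report[rec["rid"]]
        entry["uri"] = rec["uri"]
        msg = rec["msg"]
        if (m := CTL_REMOVED.match(msg)):
            entry["removed_tags"].append(m["tag"])
        elif (m := TAG_CHECK.match(msg)):
            entry["checked_tags"].append(m["rule_tag"])
        elif (m := SKIPPED.match(msg)):
            entry["skipped_rules"].append(m["id"])
    return dict(report)


def unexpected_skips(report, expected_rule_ids):
    """Rule ids skipped at runtime that the exclusion was not meant to cover."""
    return {rid: extra for rid, e in report.items()
            if (extra := [r for r in e["skipped_rules"] if r not in expected_rule_ids])}
```

The "Checking removal" and "Not processing rule" records appear at debug levels 9 and 5 in the quoted log, so the debug log has to be written at level 9 for the full picture.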