Re: [mod-security-users] Modsecurity 2.7.2 phase:3 not running
From: Ben W. <ben...@jo...> - 2013-02-21 22:45:45
After some more troubleshooting, I've narrowed the problem down to occurring with mod_fastcgi 2.4.6 when a virtual host is configured as follows:

Alias /fcgi-bin/ /var/www/vhost/fcgi-bin/
<Location /fcgi-bin>
    SetHandler fastcgi-script
    Options +ExecCGI
</Location>
AddHandler php-cgi-script .php
Action php-cgi-script /fcgi-bin/php-cgi

On Thu, Feb 21, 2013 at 5:46 PM, Ben WIlliams <ben...@jo...> wrote:

> Thanks for checking, but my requests are being serviced by apache and not
> being cached.
> It may be a problem with my php cgi setup. Seems to work correctly until a
> php script is requested, then the rule doesn't run.
>
> On Thu, Feb 21, 2013 at 1:57 PM, Breno Silva <bre...@gm...> wrote:
>
>> I tested here. Can you confirm if your request is not cached ?
>> Looks like it is working fine:
>>
>> Returned:
>>
>> HTTP/1.1 200 OK
>> Date: Wed, 20 Feb 2013 14:24:02 GMT
>> Server: Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k mod_fcgid/2.3.4
>> Accept-Ranges: bytes
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 165
>> Keep-Alive: timeout=300
>> Connection: Keep-Alive
>> Content-Type: text/html
>>
>> Debug.log:
>>
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Starting phase RESPONSE_HEADERS.
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] This phase consists of 1 rule(s).
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Recipe: Invoking rule 20d99638; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"].
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][5] Rule 20d99638: SecAction "phase:3,auditlog,log,pass,msg:phase3isWorking,id:1500000"
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Transformation completed in 3 usec.
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] Target value: "192.168.0.104"
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Operator completed in 1 usec.
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][2] Warning. Unconditional match in SecAction. [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"] [msg "phase3isWorking"]
>> [20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Rule returned 1.
>>
>> On Wed, Feb 20, 2013 at 8:06 PM, Ben WIlliams <ben...@jo...> wrote:
>>
>>> Yes, enabled debug log level 9 but in the case of requesting the
>>> text/html document the rule doesn't even get evaluated (nothing in debug
>>> log for that rule).
>>>
>>> On Thu, Feb 21, 2013 at 11:39 AM, Ryan Barnett <RBa...@tr...> wrote:
>>>
>>>> Did you turn up debug log to 9, test and review it?
>>>>
>>>> --
>>>> Ryan Barnett
>>>> Lead Security Researcher
>>>> Trustwave - SpiderLabs
>>>>
>>>> On Feb 20, 2013, at 5:37 PM, "Ben WIlliams" <ben...@jo...> wrote:
>>>>
>>>> > Please can someone verify if this is a bug in modsecurity or just my
>>>> > installation.
>>>> >
>>>> > SecResponseBodyAccess On
>>>> > SecResponseBodyMimeType text/plain text/html text/xml
>>>> > SecResponseBodyLimit 524288
>>>> > SecResponseBodyLimitAction ProcessPartial
>>>> >
>>>> > SecAction "phase:3,log,pass,msg:'phase3isWorking',id:'1500000'"
>>>> >
>>>> > Request a resource that returns content type text/html and the above
>>>> > rule does not run.
>>>> > Request a resource that returns content type image/png image/jpeg etc
>>>> > and rule runs ok.
>>>> >
>>>> > Thanks
>>>> > Ben
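
Added example, not part of the thread or of ModSecurity: a small checker that reads debug-log lines in the format shown in the quoted log above and lists the transactions for which a given phase never started, which is how a skipped phase:3 rule shows up at debug level 4 and above. The sample lines are constructed for illustration; the `/info.php` transaction and its `rid` are hypothetical.

```python
import re
from collections import OrderedDict

# Debug-log prefix as it appears in the thread:
# [timestamp] [host/sid#hex][rid#hex][uri][level] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>[0-9a-f]+)\]'
    r'\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$'
)
PHASE_RE = re.compile(r'^Starting phase (\w+)\.')


def phases_by_transaction(lines):
    """Return {(rid, uri): [phase names, in the order they started]}."""
    seen = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        phases = seen.setdefault((m['rid'], m['uri']), [])
        started = PHASE_RE.match(m['msg'])
        if started:
            phases.append(started.group(1))
    return seen


def missing_phase(lines, phase='RESPONSE_HEADERS'):
    """URIs of logged transactions in which `phase` never started."""
    return [uri for (_rid, uri), phases in phases_by_transaction(lines).items()
            if phase not in phases]


# Constructed sample: /index.html reaches phase 3, /info.php does not.
P1 = '[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html]'
P2 = '[20/Feb/2013:10:24:05 --0400] [192.168.0.105/sid#20dd7a90][rid#20e01a10][/info.php]'
SAMPLE = [
    P1 + '[4] Starting phase REQUEST_HEADERS.',
    P1 + '[4] Starting phase RESPONSE_HEADERS.',
    P1 + '[9] This phase consists of 1 rule(s).',
    P1 + '[4] Starting phase LOGGING.',
    P2 + '[4] Starting phase REQUEST_HEADERS.',
    P2 + '[4] Starting phase LOGGING.',
]

if __name__ == '__main__':
    for uri in missing_phase(SAMPLE):
        print('phase RESPONSE_HEADERS never started for', uri)
```

Run against a real debug log by passing an open file object to `missing_phase`; `SecDebugLogLevel` must be at least 4 for the "Starting phase" lines to be written.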