Re: [Mod-security-developers] Request body processed when blocking in phase 1
From: Felipe Z. <fe...@zi...> - 2019-03-14 14:48:35

Great, so we have: Apache on Windows running a customized version of ModSecurity compiled with VisualStudio.

Let me ask you this: are the libApr, Apache and ModSecurity compiled with the same VisualStudio family? Do the Apache binaries come from Apache Lounge?

Without the "--enable-request-early" but, yet, with a custom windows compilation, did you manage to see a different result?

Br.,
Felipe.

On Wed, Mar 13, 2019 at 5:24 AM Marc Stern <mar...@ap...> wrote:

> I'm using the Apache version (also) under Windows.
> I defined REQUEST_EARLY in Visual Studio.
>
> Marc
>
> On 13-03-19 03:01, Felipe Costa wrote:
>
> How have you recompiled the windows version with enable-request-early?
> What is your IIS version?
>
> Br.,
> *Felipe “Zimmerle” Costa*
> Security Researcher, Lead Developer ModSecurity.
>
> *Trustwave* | SMART SECURITY ON DEMAND
> *www.trustwave.com <http://www.trustwave.com/>*
>
> *From:* Marc Stern <mar...@ap...>
> *Reply-To:* Marc Stern <mar...@ap...>
> *Date:* Tuesday, March 12, 2019 at 12:39 PM
> *To:* Felipe Costa <FC...@tr...>, "mod...@li..." <mod...@li...>
> *Subject:* Re: Request body processed when blocking in phase 1
>
> I reproduced this behaviour even in Windows with everything compiled
> together
>
> Marc
>
> On 11-03-19 14:22, Felipe Costa wrote:
>
> I have seen the behavior that you have described in servers with APR
> version mismatch. Other than that, I did not manage to emulate such
> behavior.
>
> Br.,
> *Felipe "Zimmerle" Costa*
> Security Researcher, Lead Developer ModSecurity
> m: +55 81.98706.5547
>
> *www.trustwave.com <http://www.trustwave.com/>*
>
> ------------------------------
>
> *From:* Marc Stern <mar...@ap...>
> *Sent:* Thursday, February 28, 2019 11:49 AM
> *To:* mod...@li...
> *Subject:* [Mod-security-developers] Request body processed when blocking
> in phase 1
>
> I'm running v 2.9.3 built with --enable-request-early to have phase 1
> rules running before receiving the body.
> If I send a huge body, the request is well blocked in phase 1 but
> there's a huge processing time (10 min for 1.5 MB) on a strong machine
> after hook_insert_error_filter()
> Can somebody explain to me what could happen and/or how to troubleshoot that?
> Isn't the phase 1 rule (with --enable-request-early) supposed to run
> before the request body is received by httpd?
>
> Here's the debug log (max level):
> [28/Feb/2019:14:27:50 +0100] [...][4] Ctl: Set requestBodyAccess to 0.
> [...]
> [28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...]
> [28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120).
> [28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120).
> [28/Feb/2019:14:37:20 +0100] [...][4] Skipping phase 3 as request was already intercepted.
>
> error log:
> [Thu Feb 28 14:27:50.864432 2019] [core:trace5] [pid 6060:tid 2008] protocol.c(614): [client ...] Request received from client: POST /... HTTP/1.1
> [Thu Feb 28 14:37:20.529622 2019] [headers:debug] [pid 6060:tid 2008] mod_headers.c(908): AH01503: headers: ap_headers_error_filter()
>
> Marc
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

--
Br.,
Felipe Zimmerle
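
Added example, not part of the thread and not ModSecurity code: a small script that reads a debug log in the layout quoted above and reports any long pause that follows a phase 1 denial, which is how the roughly ten-minute stall between `Hook insert_error_filter` and `Output filter: Receiving output` shows up. The sample lines are constructed from the quoted excerpt, the log is assumed to hold a single transaction, and `threshold_s` is a hypothetical parameter.

```python
import re
from datetime import datetime

# Constructed sample in the debug-log layout quoted in the thread
# ("[...]" stands for the fields elided there).
SAMPLE = """\
[28/Feb/2019:14:27:50 +0100] [...][4] Ctl: Set requestBodyAccess to 0.
[28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][4] Skipping phase 3 as request was already intercepted.
"""

LINE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s+(.*)$")
DENIED = re.compile(r"Access denied with code \d+ \(phase 1\)")

def parse(text):
    """Return (timestamp, message) pairs; lines without a timestamp are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m.group(2)))
    return out

def stalls_after_phase1_block(text, threshold_s=5):
    """Find gaps longer than threshold_s that occur after a phase 1 denial."""
    events = parse(text)
    blocked = False
    found = []
    for (t0, msg0), (t1, msg1) in zip(events, events[1:]):
        blocked = blocked or bool(DENIED.search(msg0))
        gap = (t1 - t0).total_seconds()
        if blocked and gap > threshold_s:
            found.append({"seconds": gap, "before": msg0, "after": msg1})
    return found

if __name__ == "__main__":
    for s in stalls_after_phase1_block(SAMPLE):
        print(f"{s['seconds']:.0f}s stall")
        print(f"  last line before: {s['before']}")
        print(f"  first line after: {s['after']}")
```

On a log that interleaves several transactions, filter the lines to one transaction first so that gaps between unrelated requests are not reported.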