Re: [Mod-security-developers] Request body processed when blocking in phase 1
From: Marc S. <mar...@ap...> - 2019-03-15 08:45:27
Everything is compiled with the same version of VS.
Same result on CentOS 7 fully updated with the platform httpd and only MS custom compiled.
If I compile without --enable-request-early, phase 1 rules will actually run in phase 2, so the request body will indeed be received by httpd. This is the expected behaviour, no?

On 14-03-19 15:18, Felipe Zimmerle wrote:

Great, so we have: Apache on Windows running a customized version of ModSecurity compiled with Visual Studio.

Let me ask you this: are the libApr, Apache and ModSecurity compiled with the same Visual Studio family? Do the Apache binaries come from Apache Lounge?

Without the "--enable-request-early" but, yet, with a custom Windows compilation, did you manage to see a different result?

Br.,
Felipe.

On Wed, Mar 13, 2019 at 5:24 AM Marc Stern <mar...@ap...> wrote:

I'm using the Apache version (also) under Windows.
I defined REQUEST_EARLY in Visual Studio.

Marc

On 13-03-19 03:01, Felipe Costa wrote:

How have you recompiled the Windows version with enable-request-early? What is your IIS version?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.

From: Marc Stern <mar...@ap...>
Reply-To: Marc Stern <mar...@ap...>
Date: Tuesday, March 12, 2019 at 12:39 PM
To: Felipe Costa <FC...@tr...>, "mod...@li..." <mod...@li...>
Subject: Re: Request body processed when blocking in phase 1

I reproduced this behaviour even in Windows with everything compiled together.

Marc

On 11-03-19 14:22, Felipe Costa wrote:

I have seen the behavior that you have described in servers with APR version mismatch. Other than that, I did not manage to emulate such behavior.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity

From: Marc Stern <mar...@ap...>
Sent: Thursday, February 28, 2019 11:49 AM
To: mod...@li...
Subject: [Mod-security-developers] Request body processed when blocking in phase 1

I'm running v 2.9.3 built with --enable-request-early to have phase 1 rules running before receiving the body.
If I send a huge body, the request is well blocked in phase 1 but there's a huge processing time (10 min for 1.5 MB) on a strong machine after hook_insert_error_filter().
Can somebody explain to me what could happen and/or how to troubleshoot that?
Isn't the phase 1 rule (with --enable-request-early) supposed to run before the request body is received by httpd?

Here's the debug log (max level):

[28/Feb/2019:14:27:50 +0100] [...][4] Ctl: Set requestBodyAccess to 0. [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][4] Skipping phase 3 as request was already intercepted.

error log:

[Thu Feb 28 14:27:50.864432 2019] [core:trace5] [pid 6060:tid 2008] protocol.c(614): [client ...] Request received from client: POST /... HTTP/1.1
[Thu Feb 28 14:37:20.529622 2019] [headers:debug] [pid 6060:tid 2008] mod_headers.c(908): AH01503: headers: ap_headers_error_filter()

Marc

_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/spiderLabs.php
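
One way to measure the stall discussed in this thread from a ModSecurity debug log, given as an added example that is not part of the original messages or of ModSecurity itself: it pairs the "Adding output filter (r ...)" and "Receiving output (..., r ...)" lines by request pointer and reports intercepted requests whose error response was delayed. The function name, the 5-second threshold and the rule that the "Access denied" line logged just before belongs to the same request are assumptions made for this example.

```python
import re
from datetime import datetime

# Debug-log lines as quoted in the original post ("[...]" elisions kept as posted).
SAMPLE = """\
[28/Feb/2019:14:27:50 +0100] [...][4] Ctl: Set requestBodyAccess to 0. [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][4] Skipping phase 3 as request was already intercepted.
""".splitlines()

TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
DENIED = re.compile(r"Access denied with code (\d{3}) \(phase (\d)\)")
ADDED = re.compile(r"Hook insert_error_filter: Adding output filter \(r ([0-9a-f]+)\)")
OUTPUT = re.compile(r"Output filter: Receiving output \(f [0-9a-f]+, r ([0-9a-f]+)\)")


def error_filter_stalls(lines, threshold_s=5):
    """Return (request_ptr, status, phase, seconds) for each intercepted
    request whose error response reached the output filter more than
    threshold_s seconds after insert_error_filter ran."""
    pending = {}        # request pointer -> (time the filter was added, denial)
    last_denial = None  # assumption: the denial logged just before is this request's
    stalls = []
    for line in lines:
        m = TS.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if (d := DENIED.search(line)):
            last_denial = (int(d.group(1)), int(d.group(2)))
        elif (a := ADDED.search(line)):
            pending[a.group(1)] = (when, last_denial)
            last_denial = None
        elif (o := OUTPUT.search(line)) and o.group(1) in pending:
            start, denial = pending.pop(o.group(1))
            delay = (when - start).total_seconds()
            if denial and delay > threshold_s:
                stalls.append((o.group(1), *denial, delay))
    return stalls


if __name__ == "__main__":
    for ptr, status, phase, secs in error_filter_stalls(SAMPLE):
        print(f"r {ptr}: denied {status} in phase {phase}, response stalled {secs:.0f}s")
```

Run against a full debug log, a non-empty result for phase 1 denials points at time spent between interception and the error response, which is the interval the thread is trying to explain.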