Re: [mod-security-users] http-version
From: Tom A. <tan...@oa...> - 2005-02-02 17:01:05
----- Original Message -----
> Are you using 1.9dev1? If you are it's a bug (fixed in the CVS). If
> not... post your mod_security configuration and the audit log entry
> for that request.
These are my system specs:
Linux 2.6.9-gentoo-r4 i686 Intel Pentium 4 CPU 1.80GHz
Portage 2.0.51-r15
gcc-3.3.5
glibc-2.3.4.20040808-r1
autoconf-2.59-r6
automake-1.8.5-r1
binutils-2.15.92.0.2-r1
libtool-1.5.2-r7
CFLAGS="-02 -march=i686 -fomit-frame-pointer"
Server version: Apache/2.0.52
Server built: Nov 21 2004 17:37:14
Server's Module Magic Number: 20020903:9
Architecture: 32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/usr"
-D SUEXEC_BIN="/usr/sbin/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/conf/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/conf/apache2.conf"
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
mod_security-1.7.6 (net-www/mod_security)
This is the latest stable version in portage when using "emerge -s
mod_security" or "emerge -uDp mod_security".
>> 1) it shouldn't add any unmatched requests to the audit log when set to
>> RelevantOnly
>
> That depends. For example, I consider 414 responses to be relevant,
> match or no match. 1.9 will have a conf. option to deal with that.
The manual says that "Relevant requests are those requests that caused a
filter match". I would agree with that description. A 414 should be logged
to the Apache error log, but not the mod_security audit log.
>> 2) "deny" command with "status:200" should just return the 200 header
>> without any data
>
> I'm not sure Apache will allow that but I'll try.
At least "deny" should take precedence over "status:200". If I've denied
the request but tried to pass a 200 status code, then the status code is
what should not get passed if these are mutually exclusive.
>> 3) "nolog" should apply to the audit log too
>
> I programmed it to apply to the audit log too. If it doesn't then
> it's a bug.
It's definitely not working in this version... I just changed my filter as
follows:
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" "nolog,deny,status:407"
And my request in the audit log looks like this:
========================================
Request: 65.126.137.220 - - [[02/Feb/2005:11:53:47 --0500]] "GET / JUNK/3.0" 407 509
Handler: httpd/unix-directory
----------------------------------------
GET / JUNK/3.0
mod_security-message: Access denied with code 407. Pattern match "^$" at HEADER.
mod_security-action: 407
JUNK/3.0 407 Proxy Authentication Required
Vary: Accept-Encoding
Content-Length: 509
Connection: close
Content-Type: text/html; charset=iso-8859-1
But this may again be related to the "Handler: httpd/unix-directory", as the
same request with "/index.html" instead of "/" does not get logged.
Tom
P.S. Please don't copy both me and the list. I'm subscribed, so I'm getting
it twice. Thanks.
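As an added example (not code from the post, from Tom, or from mod_security itself), here is a small Python parser for audit-log entries in the layout pasted above. It rejoins the fields of each entry, models the `SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"` check on the assumption that an absent header is tested as an empty string (which is what the logged match at HEADER suggests), and lists entries whose match came from a rule that carried `nolog`, which is the check being done by eye in the post. The second log entry, the `AuditEntry` field names and the function names are constructed for the example.

```python
"""Added example, not code from the post or from mod_security: parse audit-log
entries in the layout quoted above and reproduce the two checks made by hand
in the post (does the "^$" rule match, and did a nolog rule still get logged)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: entry 1 is the excerpt from the post with its wrapped
# lines rejoined; entry 2 is an invented, permitted request in the same log.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 65.126.137.220 - - [[02/Feb/2005:11:53:47 --0500]] "GET / JUNK/3.0" 407 509
Handler: httpd/unix-directory
----------------------------------------
GET / JUNK/3.0
mod_security-message: Access denied with code 407. Pattern match "^$" at HEADER.
mod_security-action: 407
JUNK/3.0 407 Proxy Authentication Required
Vary: Accept-Encoding
Content-Length: 509
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 192.0.2.10 - - [[02/Feb/2005:11:55:02 --0500]] "GET /index.html HTTP/1.1" 200 1234
Handler: (null)
----------------------------------------
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (constructed sample)

HTTP/1.1 200 OK
Content-Length: 1234
"""

ENTRY_SEP = re.compile(r"^={10,}\s*$", re.M)       # separates audit entries
PART_SEP = re.compile(r"^-{10,}\s*$", re.M)        # summary lines vs. request/response dump
REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[+[^\]]+\]+ "([^"]*)" (\d{3}|-) ')
HANDLER_RE = re.compile(r"^Handler: (.*)$", re.M)
MESSAGE_RE = re.compile(r"^mod_security-message: (.*)$", re.M)
ACTION_RE = re.compile(r"^mod_security-action: (\d+)$", re.M)
PATTERN_RE = re.compile(r'Pattern match "(.*)" at (\S+?)\.?$')
# A response status line ("HTTP/1.1 200 OK", or "JUNK/3.0 407 ..." in the post);
# the first token must not be a header name ending in ":".
STATUS_LINE_RE = re.compile(r"^[^:\s]+ \d{3}( |$)")


@dataclass
class AuditEntry:
    client: str
    request_line: str
    status: str
    handler: str
    message: Optional[str]
    action: Optional[int]
    pattern: Optional[str]           # pattern cited in mod_security-message
    request_headers: Dict[str, str]  # lower-cased names, mod_security-* excluded


def _request_headers(body: str) -> Dict[str, str]:
    """Headers after the request line, up to the blank line or the response
    status line. The request in the post sent none, so this comes back empty."""
    headers: Dict[str, str] = {}
    for line in body.split("\n")[1:]:
        if not line.strip() or STATUS_LINE_RE.match(line):
            break
        name, sep, value = line.partition(":")
        if sep and not name.lower().startswith("mod_security-"):
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_audit_log(text: str) -> List[AuditEntry]:
    entries: List[AuditEntry] = []
    for chunk in ENTRY_SEP.split(text):
        chunk = chunk.strip()
        req = REQUEST_RE.match(chunk)
        if req is None:
            continue
        handler = HANDLER_RE.search(chunk)
        msg = MESSAGE_RE.search(chunk)
        act = ACTION_RE.search(chunk)
        pat = PATTERN_RE.search(msg.group(1)) if msg else None
        parts = PART_SEP.split(chunk, maxsplit=1)
        body = parts[1].strip("\n") if len(parts) == 2 else ""
        entries.append(AuditEntry(
            client=req.group(1), request_line=req.group(2), status=req.group(3),
            handler=handler.group(1).strip() if handler else "",
            message=msg.group(1) if msg else None,
            action=int(act.group(1)) if act else None,
            pattern=pat.group(1) if pat else None,
            request_headers=_request_headers(body)))
    return entries


def selective_filter_matches(headers: Dict[str, str], variables: str, pattern: str) -> bool:
    """Model of SecFilterSelective "VAR1|VAR2" PATTERN for HTTP_* variables.
    Assumption, consistent with the log in the post: an absent header is tested
    as "", which is why "^$" fires on a request that sends no headers at all."""
    rx = re.compile(pattern)
    for var in variables.split("|"):
        if not var.startswith("HTTP_"):
            raise ValueError("only HTTP_* request-header variables are modelled")
        name = var[len("HTTP_"):].replace("_", "-").lower()   # HTTP_USER_AGENT -> user-agent
        if rx.search(headers.get(name, "")):
            return True
    return False


def nolog_leaks(entries: List[AuditEntry], nolog_patterns: Set[str]) -> List[AuditEntry]:
    """Entries that should be absent if nolog covered the audit log: their
    mod_security-message cites the pattern of a rule that carried nolog."""
    return [e for e in entries if e.pattern is not None and e.pattern in nolog_patterns]


if __name__ == "__main__":
    for e in nolog_leaks(parse_audit_log(SAMPLE_AUDIT_LOG), {"^$"}):
        print(f"logged despite nolog: {e.client} {e.request_line!r} -> {e.action}")
```

Run against the sample, the first entry is reported: it carries no request headers at all (the bogus version token "JUNK/3.0" leaves Apache treating it as a bare request line), so both variables test as empty, "^$" matches, and the entry is still in the audit log even though the rule had `nolog`. The second entry has a Host and User-Agent and is neither matched nor reported.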