Boocock, John (CSS) wrote:
> I am having frustrating problems in that I can't get even the most basic
> configuration to work with mod_security, I was trying to set it up so
> that initially I can stop our Apache 1.3 (+Tomcat 3) web server
> servicing requests which feature "..", and if this worked removing
> multiple forward slashes in requests as we get odd results from
> accessing apps if you enter multiple slashes such as
> http://domain.com//app1//
>
> ...
> SecFilter "\.\./"
>
> However if I go to http://domain.com/somepath/../ I can still get the
> front page on the web server and nothing appears in the audit log.
That's because Apache normalizes the URI before it reaches
mod_security. If you send a request like this one:
http://domain.com/somepath/?x=../tra/la/la
...it would get caught by mod_security.
You may be able to use mod_rewrite though. It may be that it gets
to run before Apache performs normalisation.
> I know mod_security is doing something as if I turn the debug log on, or
> change SecAuditEngine to On I see inbound connections being logged, the
> problem is I still can use ../ in URLS and nothing is logged.
If you crank up the debug log level you should see mod_security
accessing a normalized URI.
> I hope someone can help as I'm very disappointed with myself especially
> that I can't even get this working!
Don't worry, it's not your fault :) It's Apache and its peculiarities.
> Also, does mod_security work with piped logs like apache? Just wondering
> as some extra modules such as mod_jk (or at least the version of mod_jk
> I have) won't work with them and I'd like to rotate them with cronolog
> if possible.
It doesn't. It's possible to add piped logging for the debug log but
since one should always use a debug level of zero in production this
is not a very useful feature. It is not possible to support piped
logging for the audit log because it (piped logging) does not support
locking and the audit log spans multiple lines.
-- 
Ivan Ristic (http://www.modsecurity.org)
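As an added illustration of the ordering problem discussed in this thread (example code, not from the thread and not mod_security's or Apache's own code): a small Python model that resolves ".." in the URI path the way Apache does before a module sees the request, leaves the query string untouched, and then applies the thread's SecFilter "\.\./" pattern to what mod_security actually gets to inspect. The path-normalisation routine is a simplified assumption about Apache's behaviour, written only to show why the path case passes and the query-string case is caught.

```python
import re
from urllib.parse import urlsplit

# The rule from the thread: SecFilter "\.\./"
SEC_FILTER = re.compile(r"\.\./")

def apache_normalize_path(path):
    """Simplified model (an assumption, not Apache's code) of what Apache
    does to the URI path before a module such as mod_security sees it:
    '.' segments are dropped and '..' removes the preceding segment, never
    climbing above the root. Repeated slashes are left as they are."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            while len(out) > 1 and out[-1] == "":
                out.pop()                # skip empty segments from '//'
            if len(out) > 1:
                out.pop()                # drop the segment before '..'
            continue
        out.append(seg)
    return "/".join(out) or "/"

def modsecurity_sees(url):
    """The string SecFilter actually inspects: the normalised path plus the
    raw query string, which Apache does not normalise."""
    parts = urlsplit(url)
    seen = apache_normalize_path(parts.path)
    if parts.query:
        seen += "?" + parts.query
    return seen

def secfilter_matches(url):
    """True if the SecFilter pattern fires on what mod_security gets to see."""
    return SEC_FILTER.search(modsecurity_sees(url)) is not None

if __name__ == "__main__":
    # Constructed sample requests, taken from the thread above.
    for url in ("http://domain.com/somepath/../",
                "http://domain.com/somepath/?x=../tra/la/la",
                "http://domain.com//app1//"):
        print(f"{url:45} -> {modsecurity_sees(url)!r:28} "
              f"{'BLOCKED' if secfilter_matches(url) else 'passes'}")
```

Running it shows the path request reaching the filter as plain "/" (no match, nothing in the audit log), while the same ".." in the query string survives normalisation and fires the rule.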