Re: [mod-security-users] Problem trying to catch malformed requests
From: Ryan B. <rcb...@gm...> - 2005-08-13 00:03:35
Ivan can speak better on this, however I believe that the problem is that Apache does some processing early in the request loop cycle before mod_security has a hook to inspect it. Take a look here at the Apache request loop - http://modperlbook.org/html/ch01_04.html. Then compare this with the hooks that mod_security has into Apache:

    module MODULE_VAR_EXPORT security_module = {
        STANDARD_MODULE_STUFF,
        sec_init,               /* module initializer */
        sec_create_dir_config,  /* create per-dir config structures */
        sec_merge_dir_config,   /* merge per-dir config structures */
        sec_create_srv_config,  /* create per-server config structures */
        sec_merge_srv_config,   /* merge per-server config structures */
        sec_cmds,               /* table of config file commands */
        NULL,                   /* [#8] MIME-typed-dispatched handlers */
        NULL,                   /* [#1] URI to filename translation */
        NULL,                   /* [#4] validate user id from request */
        NULL,                   /* [#5] check if the user is ok _here_ */
        NULL,                   /* [#3] check access by host address */
        NULL,                   /* [#6] determine MIME type */
        sec_check_access,       /* [#7] pre-run fixups */
        sec_logger,             /* [#9] log a transaction */
        NULL,                   /* [#2] header parser */
        sec_child_init,         /* child_init */
        NULL,                   /* child_exit */
        NULL                    /* [#0] post read-request */
    };

Apache runs through steps 0 - 6 before mod_security has a hook to perform any actions. Ivan - please correct me if I am wrong here. Are there any plans to implement hooks earlier into the request loop?

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 8/12/05, Leandro Meiners <lme...@cy...> wrote:
> According to Apache documentation:
> "Although most error messages can be overridden, there are certain
> circumstances where the internal messages are used regardless of the setting
> of ErrorDocument. In particular, if a malformed request is detected, normal
> request processing will be immediately halted and the internal error message
> returned. This is necessary to guard against security problems caused by bad
> requests."
>
> I've tried to catch malformed requests using mod_security but it seems that
> they don't even reach mod_security.
>
> Does anyone know how to overcome this limitation?
>
> Regards,
>
> ------------------------------------------------
> Leandro Federico Meiners
> CYBSEC S.A. Security Systems
> E-mail: lme...@cy...
> Tel/Fax: [54-11] 4382-1600
> Web: http://www.cybsec.com
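The ordering Ryan describes, as an added illustration that is not code from this thread, from Apache, or from mod_security: a small C model of the request cycle in which the core validates the request line before phase #0 runs, so a malformed line is answered with the core's own 400 and never reaches a module hook, while a well-formed one first meets mod_security at fixups (#7). The phase numbers and the placement of sec_check_access (#7) and sec_logger (#9) are taken from the module table in the post; the request-line rules, the `struct request`, the `sim_*` hook names and the wrapper functions are this example's own simplifications and assumptions, not Apache's real parser.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKEN 256

/* Phases #0 .. #9 as numbered in the module table quoted in the post. */
enum phase { PHASE_POST_READ_REQUEST, PHASE_TRANSLATE, PHASE_HEADER_PARSER,
             PHASE_ACCESS_CHECK, PHASE_CHECK_USER_ID, PHASE_AUTH_CHECK,
             PHASE_TYPE_CHECK, PHASE_FIXUPS, PHASE_HANDLER, PHASE_LOGGER,
             PHASE_COUNT };

struct request {                 /* hypothetical, not Apache's request_rec */
    char method[MAX_TOKEN];
    char uri[MAX_TOKEN];
    int  http_major, http_minor;
    int  status;                 /* HTTP status the core will send */
    int  first_hook_phase;       /* first phase a module ran in, -1 = none */
    int  modsec_inspected;       /* did the simulated sec_check_access run? */
};

/* Copy one token up to the next space or end of line; 0 if it is empty,
 * too long, or contains a control character. */
static int take_token(const char **p, char *out, size_t cap)
{
    size_t n = 0;
    while ((*p)[n] != '\0' && (*p)[n] != ' ') {
        if ((unsigned char)(*p)[n] < 0x21 || (*p)[n] == 0x7f) return 0;
        n++;
    }
    if (n == 0 || n >= cap) return 0;
    memcpy(out, *p, n);
    out[n] = '\0';
    *p += n;
    return 1;
}

/* Simplified model of the core's request-line check: exactly
 * "METHOD SP URI SP HTTP/<digits>.<digits>" with nothing trailing.
 * Returns 1 if well formed, 0 for anything the core would refuse. */
int parse_request_line(const char *line, struct request *r)
{
    const char *p = line;
    char version[MAX_TOKEN];
    int used = 0;

    if (!take_token(&p, r->method, sizeof r->method) || *p++ != ' ') return 0;
    if (!take_token(&p, r->uri, sizeof r->uri) || *p++ != ' ') return 0;
    if (!take_token(&p, version, sizeof version) || *p != '\0') return 0;
    if (sscanf(version, "HTTP/%d.%d%n", &r->http_major, &r->http_minor, &used) != 2
        || version[used] != '\0' || r->http_major < 0 || r->http_minor < 0)
        return 0;
    return 1;
}

typedef int (*hook_fn)(struct request *);

/* Stand-in for sec_check_access at phase #7: only records that it ran. */
static int sim_sec_check_access(struct request *r) { r->modsec_inspected = 1; return 0; }
/* Stand-in for sec_logger at phase #9. */
static int sim_sec_logger(struct request *r) { (void)r; return 0; }

/* Same shape as the module table: NULL where mod_security registers nothing. */
static hook_fn hooks[PHASE_COUNT] = {
    [PHASE_FIXUPS] = sim_sec_check_access,
    [PHASE_LOGGER] = sim_sec_logger,
};

/* Drive the cycle in table order. The request line is parsed by the core
 * before phase #0, so a malformed line gets the core's own 400 and no hook
 * runs. (Whether the log phase still runs for such a request is not modelled.) */
int process_request(const char *line, struct request *r)
{
    int phase;

    memset(r, 0, sizeof *r);
    r->first_hook_phase = -1;
    if (!parse_request_line(line, r)) {
        r->status = 400;
        return r->status;
    }
    r->status = 200;
    for (phase = 0; phase < PHASE_COUNT; phase++) {
        if (hooks[phase] == NULL) continue;
        if (r->first_hook_phase < 0) r->first_hook_phase = phase;
        if (hooks[phase](r) != 0) { r->status = 403; break; }  /* hook denied */
    }
    return r->status;
}

/* Wrappers so one request line can be checked without touching the struct. */
int status_for(const char *line)      { struct request r; return process_request(line, &r); }
int modsec_saw(const char *line)      { struct request r; process_request(line, &r); return r.modsec_inspected; }
int first_phase_for(const char *line) { struct request r; process_request(line, &r); return r.first_hook_phase; }

int main(void)
{
    /* Constructed request lines: one well formed, two malformed. */
    const char *lines[] = { "GET /index.html HTTP/1.0", "GET /index.html",
                            "GET /index.html HTTP/1.1 xx" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-30s -> %d, mod_security inspected: %s\n", lines[i],
               status_for(lines[i]), modsec_saw(lines[i]) ? "yes" : "no");
    return 0;
}
```

The point the model makes is structural rather than about any particular rule: with the hook table as posted, the first place mod_security can observe a request is phase #7, and a request the core already rejected as malformed is never offered to any phase, so no filter placed at fixups can see it.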