Re: [mod-security-users] compiling against PCRE
From: Zach R. <ad...@li...> - 2005-12-22 22:13:28
You need to abandon the blacklist.conf completely. You just cannot load
that ruleset under a heavy load and keep your server stable. Also change
from On to DynamicOnly.
Load the badips.conf IPs into your firewall, keep the blacklist2.conf,
and load these rules from the blacklist.conf into your rules.conf:

SecFilterSelective REQUEST_URI "!(horde/imp/compose\.php\?)" chain
SecFilterSelective THE_REQUEST "Subject\:" chain
SecFilterSelective ARG_Bcc ".*\@"

SecFilterSelective REQUEST_URI "!(horde/imp/compose\.php\?)" chain
SecFilterSelective POST_PAYLOAD "Subject\:" chain
SecFilterSelective POST_PAYLOAD "\s*bcc\:"

SecFilterSelective REQUEST_URI "!(horde/imp/compose\.php\?)" chain
SecFilterSelective POST_PAYLOAD "\s*bcc\:\s*[a-z0-9._%-]+@[A-Z0-9.-]+\.[a-z]{2,}"

SecFilterSelective REQUEST_URI "!(horde/imp/compose\.php\?)" chain
SecFilterSelective ARGS_VALUES "\s*bcc\:\s*[a-z0-9._%-]+\@.*\.[a-z]{2,}"

SecFilterSelective HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"

That will help quite a bit. :)
Zach
Justin Grindea wrote:
> ok, my findings are not so good. load didn't go down drastically on a
> quite busy server loaded with quite a lot of rules from gotroot.
> Trying to load gotroot's blacklist.conf immediately raised the load
> way above normal use and I had it off in 10 seconds.
>
> thanks,
> Justin
>
>
> Ivan Ristic wrote:
>
>> Justin Grindea wrote:
>>
>>> hmm, forgot to paste the output...
>>> here it is:
>>
>>
>>
>> Try this first:
>> <apache1-home>/bin/apxs -DUSE_PCRE -cia mod_security.c
>>
>> If that works but you still need to use LoadFile
>> use:
>>
>> LoadFile /usr/lib/libpcre.so
>>
>> Otherwise just download the source from pcre.org
>> and install it exactly as described in the manual.
>>
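Added example, not part of the original post or of ModSecurity: a small Python model of the two POST_PAYLOAD chains above, run over constructed requests to show what they catch and where the broader chain also flags benign text. It assumes matching is case-insensitive and is applied to the already URL-decoded body; matched_chains and the chain names are hypothetical.

```python
import re

# Patterns copied from the rules in the post. Assumption: matching is
# case-insensitive and sees the URL-decoded request body.
EXEMPT_URI = re.compile(r"(horde/imp/compose\.php\?)", re.I)
CHAINS = {
    # REQUEST_URI (negated) -> POST_PAYLOAD "Subject:" -> POST_PAYLOAD "bcc:"
    "subject+bcc": [r"Subject\:", r"\s*bcc\:"],
    # REQUEST_URI (negated) -> POST_PAYLOAD "bcc: <address>"
    "bcc+address": [r"\s*bcc\:\s*[a-z0-9._%-]+@[A-Z0-9.-]+\.[a-z]{2,}"],
}


def matched_chains(uri, body):
    """Return the names of chains whose every link matches (hypothetical helper)."""
    # The first link of each chain is "!(...)": it matches only when the
    # pattern is absent, so the webmail compose page is never inspected.
    if EXEMPT_URI.search(uri):
        return []
    hits = []
    for name, links in CHAINS.items():
        # A chain fires only if all of its remaining links match.
        if all(re.search(p, body, re.I) for p in links):
            hits.append(name)
    return hits


# Constructed sample requests (URI, decoded POST body); not from the thread.
SAMPLES = [
    # Ordinary contact-form post: no mail headers in the body.
    ("/contact.php", "name=Bob&message=Hello there"),
    # Form field carrying extra mail headers after a newline.
    ("/contact.php", "email=a@example.com\nSubject: hi\nbcc: b@example.net\n&message=x"),
    # Same body sent to the exempted webmail compose page.
    ("/horde/imp/compose.php?uniq=1", "Subject: hi\nbcc: b@example.net"),
    # Benign text that happens to contain both keywords: false positive
    # for the broad chain, not for the one that requires an address.
    ("/contact.php", "Subject: question\nmessage=should I bcc: my boss?"),
]

if __name__ == "__main__":
    for uri, body in SAMPLES:
        print(f"{uri:32} -> {matched_chains(uri, body)}")
```

The last sample is the case to check before deploying the "Subject:" plus "bcc:" chain on sites whose forms accept free text.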