Re: [mod-security-users] mod_unique_id
From: Ryan B. <Rya...@Br...> - 2007-07-23 13:09:37
This is not a problem with mod_unique_id. Everything is working as it should. What the error_log messages are telling you is the requests that you are sending are triggering ModSecurity rules. The rule that is being triggered in this case is Core Rule ID 960017 which does not allow IP addresses in the Host header. You have two choices:

1) Comment out this rule during your testing, or
2) Edit your local hosts file (on the system that you are using your web browser on) and add an entry for that IP so that you can use a hostname in the URL instead of the IP address.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: Emre [mailto:ku...@it...]
Sent: Monday, July 23, 2007 9:04 AM
To: Ryan Barnett; mod...@li...
Subject: RE: [mod-security-users] mod_unique_id

I am sending the last 3 records of the error.log file with the mod_unique_id module

[Mon Jul 23 15:54:23 2007] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Mon Jul 23 15:54:25 2007] [error] [client 160.75.5.64] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "160.75.5.130"] [uri "/"] [unique_id "xsP1ZX8AAAEAAA4SBAQAAAAA"]
[Mon Jul 23 15:54:25 2007] [error] [client 160.75.5.64] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "160.75.5.130"] [uri "/favicon.ico"] [unique_id "xsQ5jn8AAAEAAA4TBwAAAAAB"]

Without mod_unique_id

[Mon Jul 23 15:52:57 2007] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Mon Jul 23 15:53:01 2007] [error] ModSecurity: ModSecurity requires mod_unique_id to be installed.
[Mon Jul 23 15:53:01 2007] [error] ModSecurity: ModSecurity requires mod_unique_id to be installed.

Note: I am not sure, but it seems that I wrote the IP address in the URL bar ("Host header is a numeric IP address"), but there is one more thing: this computer I am working on is a test machine, so I have to enter the IP address in the bar.

________________________________
From: Ryan Barnett [mailto:Rya...@Br...]
Sent: Monday, July 23, 2007 3:51 PM
To: Emre ; mod...@li...
Subject: RE: [mod-security-users] mod_unique_id

ModSecurity needs mod_unique_id to be installed as it uses it for providing unique id tags to all transactions. It sounds like you added the module correctly to the httpd.conf file. What does your error_log file tell you about why Apache triggered the 400 status code?

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Emre
Sent: Monday, July 23, 2007 8:40 AM
To: mod...@li...
Subject: [mod-security-users] mod_unique_id

Hi all,

I am a newbie on modsecurity and I am trying to prepare .conf files. At this point I have a problem???

When I add the mod_unique_id module (LoadModule unique_id_module modules/mod_unique_id.so) my web page doesn't respond (or let's say responds with 400 Bad Request)

Moreover, should the unique_id module be integrated into httpd.conf or modsecurity.conf (conf.d/*.conf)?

Thus, what should I do to make modsecurity run effectively?

Should I disable mod_unique_id, or is there a way to run both of the two at the same time?
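
Reading the error_log the way the first reply in this thread does, as an added example that is not part of the original messages: a Python script that pulls the rule id, msg, hostname and uri out of ModSecurity "Access denied" lines and separately flags the "requires mod_unique_id" startup error. The function names are hypothetical; the sample lines are the ones quoted in the thread, with the mail line-wraps removed and both excerpts combined into one string.

```python
import re
from collections import Counter

# Log lines quoted in the thread above (mail line-wraps removed, both
# excerpts combined: with and without mod_unique_id loaded).
SAMPLE_LOG = r'''[Mon Jul 23 15:54:23 2007] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Mon Jul 23 15:54:25 2007] [error] [client 160.75.5.64] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "160.75.5.130"] [uri "/"] [unique_id "xsP1ZX8AAAEAAA4SBAQAAAAA"]
[Mon Jul 23 15:54:25 2007] [error] [client 160.75.5.64] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "160.75.5.130"] [uri "/favicon.ico"] [unique_id "xsQ5jn8AAAEAAA4TBwAAAAAB"]
[Mon Jul 23 15:53:01 2007] [error] ModSecurity: ModSecurity requires mod_unique_id to be installed.
'''

# "Access denied with code N (phase P). <reason> [key "value"] ..."
DENIED = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code '
    r'(?P<code>\d{3}) \(phase (?P<phase>\d)\)\. (?P<reason>.*?)(?= \[\w+ "|$)'
)
# Trailing metadata such as [id "960017"] or [uri "/favicon.ico"].
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denials(log_text):
    """Return one dict per 'Access denied' entry; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue
        event = m.groupdict()
        # Repeated keys keep the last value; enough for id/msg/hostname/uri.
        event.update(META.findall(line[m.end():]))
        events.append(event)
    return events


def summarize(log_text):
    """Count denials per (rule id, msg); report the missing-module error."""
    hits = Counter((e.get("id", "?"), e.get("msg", "")) for e in parse_denials(log_text))
    return hits, "requires mod_unique_id" in log_text


if __name__ == "__main__":
    hits, module_missing = summarize(SAMPLE_LOG)
    for (rule_id, msg), count in hits.items():
        print(f"rule {rule_id}: {count} denial(s) - {msg}")
    if module_missing:
        print("startup error: mod_unique_id is not loaded")
```
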