Re: [mod-security-users] Core Rule 960911 and SSL
From: Brian R. <Bri...@br...> - 2007-10-29 20:21:40
Ofer Shezaf wrote:
> I am the rules expert. Not the Apache expert :-)
>
> I hope some of the Apache experts on the list would help.
>
> Might be just the order the modules are loaded. I think that
> mod_security should come after mod_ssl.

That would be my first guess (that mod_ssl is loaded after mod_security2).
Load the mod_security2.so last.

Also, if you would, please try 2.1.4-rc2 to see if this fixes the problem.

thanks,
-B

>
> ~ Ofer
>
>> -----Original Message-----
>> From: Sam Quigley [mailto:qu...@em...]
>> Sent: Sunday, October 28, 2007 9:14 PM
>> To: Ofer Shezaf
>> Cc: mod...@li...
>> Subject: Re: [mod-security-users] Core Rule 960911 and SSL
>>
>> Hey Ofer --
>>
>> You're right: when rule 96911 is enabled, I can't perform *any* SSL
>> requests -- and when I comment rule 960911 out, the problem goes
>> away. How do I control the order in which the modules see the data?
>> My Apache config is pretty heavily customized, but I'd be happy to
>> post part of it if you tell me where to look...
>>
>> Thanks,
>> -sq
>>
>> On Oct 28, 2007, at 12:49 AM, Ofer Shezaf wrote:
>>
>>> Hi Sam,
>>>
>>> Your problem is not related to the issue you found mentioned below. The
>>> referenced issue is mostly a nuisance-only issue, as the blocked
>>> requests are keep-alive requests and not real user traffic. If I
>>> understand well, in your case all SSL traffic is blocked.
>>>
>>> From the audit logs it seems that ModSecurity sees the SSL traffic
>>> encrypted (see section B of the audit log) and therefore does not
>>> understand the request. My guess would be that it has something to do
>>> with the order ModSecurity and mod_ssl are used.
>>>
>>> Does it work well when you comment out ModSecurity in httpd.conf?
>>>
>>> Can you send httpd.conf or at least the relevant portion?
>>>
>>> ~ Ofer
>>>
>>>> -----Original Message-----
>>>> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Sam Quigley
>>>> Sent: Sunday, October 28, 2007 7:24 AM
>>>> To: mod...@li...
>>>> Subject: [mod-security-users] Core Rule 960911 and SSL
>>>>
>>>> Hey all--
>>>>
>>>> I'm trying to use mod_security on an Apache 2.2 server that handles a
>>>> fair amount of SSL traffic, but mod_security keeps throwing errors
>>>> about rule 960911 (from the core rule set), and causing the SSL
>>>> connection to fail. The audit logs contain messages like this:
>>>>
>>>> --f0752164-A--
>>>> [27/Oct/2007:21:47:39 --0700] SJYtLMCoAigAADUii0QAAAAM <browser IP> 51879 <server IP> 443
>>>> --f0752164-B--
>>>> ^V^C^A
>>>>
>>>> --f0752164-F--
>>>>
>>>> --f0752164-H--
>>>> Message: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"]
>>>> Action: Intercepted (phase 2)
>>>> Stopwatch: 1193546859556140 746 (215 622 -)
>>>> Producer: ModSecurity v2.1.2 (Apache 2.x)
>>>> Server: Apache
>>>>
>>>> --f0752164-Z--
>>>>
>>>> and the Apache error logs have messages like this:
>>>>
>>>> [2007 Oct 27 21:47:39] [error] [client <browser IP>] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [uri ""] [unique_id "SJYtLMCoAigAADUii0QAAAAM"]
>>>>
>>>> and in the modsec debug logs:
>>>>
>>>> [27/Oct/2007:21:47:39 --0700] [www.wesabe.com/sid#680da0][rid#8ec868][/][1] Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"]
>>>>
>>>> A bit of googling shows that this might be a known issue -- eg,
>>>> http://article.gmane.org/gmane.comp.apache.mod-security.user/3829 --
>>>> but, if so, what's the solution?
>>>>
>>>> Thanks,
>>>> -sq
>>>>
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Brian Rectanus
Breach Security
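The diagnosis in this thread rests on two observations: section B of the audit log shows `^V^C^A` (bytes 0x16 0x03 0x01, the header of a TLS handshake record) where a request line should be, and the rule 960911 regex then rejects that "request line". The following Python is an added example, not code from this thread, from ModSecurity or from the Core Rule Set: it parses entries in ModSecurity's serial audit log layout (`--<id>-<part>--` separators), takes the first line of section B as the request line, and reports whether it looks like a raw TLS record (ModSecurity inspecting bytes mod_ssl has not yet decrypted) or a request line the regex quoted above would accept. The sample log, the 192.0.2.x addresses, the second entry id and its unique_id are constructed; lowercasing the line before matching is an assumption standing in for the rule's own transformation.

```python
import re

# Regex quoted in the thread's audit log for core rule 960911, with the
# audit-log escaping layer removed. ModSecurity reported a "required"
# match failure, i.e. the request line did NOT match this pattern.
RULE_960911 = re.compile(
    r"^[a-z]{3,10}\s*(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??\/"
    r"[\w\-\.\/~%:@&=+$,;]*(?:\?[\S]*)??\s*http\/\d\.\d$"
)

# TLS record content types. A record starts with the content type byte,
# then protocol major version 0x03, then the minor version. "^V^C^A" in
# the thread is 0x16 0x03 0x01: a handshake record, which is what a
# ClientHello looks like before anything has decrypted it.
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Section separator of ModSecurity's serial audit log: --<entry id>-<part letter>--
SECTION_SEP = re.compile(rb"^--([0-9A-Za-z]+)-([A-Z])--\r?\n", re.MULTILINE)


def parse_serial_audit_log(data: bytes) -> dict:
    """Split a serial audit log into {entry_id: {part_letter: raw_bytes}}."""
    entries = {}
    seps = list(SECTION_SEP.finditer(data))
    for i, sep in enumerate(seps):
        entry_id = sep.group(1).decode("ascii")
        part = sep.group(2).decode("ascii")
        end = seps[i + 1].start() if i + 1 < len(seps) else len(data)
        entries.setdefault(entry_id, {})[part] = data[sep.end():end].rstrip(b"\r\n")
    return entries


def classify_request_line(raw: bytes) -> str:
    """'tls_record' if the bytes start with a TLS record header,
    'http' if rule 960911's pattern accepts them, otherwise 'invalid'."""
    if (len(raw) >= 3 and raw[0] in TLS_CONTENT_TYPES
            and raw[1] == 0x03 and raw[2] <= 0x04):
        return "tls_record"
    # Assumption: the rule matched a lowercased request line, so lowercase
    # here too. latin-1 decodes any byte, so binary input never raises.
    line = raw.decode("latin-1").lower()
    return "http" if RULE_960911.match(line) else "invalid"


def diagnose(data: bytes) -> dict:
    """Classify the first line of section B (request headers) of every entry."""
    verdicts = {}
    for entry_id, parts in parse_serial_audit_log(data).items():
        request_line = parts.get("B", b"").split(b"\n", 1)[0].rstrip(b"\r")
        verdicts[entry_id] = classify_request_line(request_line)
    return verdicts


# Constructed sample log. The first entry mirrors the thread's (its id,
# timestamp and unique_id come from the thread; the 192.0.2.x addresses are
# constructed). The second entry, id and unique_id included, is constructed
# plain HTTP on port 80 for contrast.
SAMPLE_AUDIT_LOG = (
    b"--f0752164-A--\n"
    b"[27/Oct/2007:21:47:39 --0700] SJYtLMCoAigAADUii0QAAAAM 192.0.2.10 51879 192.0.2.1 443\n"
    b"--f0752164-B--\n"
    b"\x16\x03\x01\n"
    b"\n"
    b"--f0752164-F--\n"
    b"\n"
    b"--f0752164-H--\n"
    b"Message: Access denied with code 400 (phase 2). [id \"960911\"] "
    b"[msg \"Invalid HTTP Request Line\"] [severity \"CRITICAL\"]\n"
    b"Action: Intercepted (phase 2)\n"
    b"\n"
    b"--f0752164-Z--\n"
    b"\n"
    b"--deadbeef-A--\n"
    b"[27/Oct/2007:21:48:02 --0700] constructedUniqueId00000 192.0.2.10 51880 192.0.2.1 80\n"
    b"--deadbeef-B--\n"
    b"GET /index.html HTTP/1.1\n"
    b"Host: www.example.com\n"
    b"\n"
    b"--deadbeef-F--\n"
    b"HTTP/1.1 200 OK\n"
    b"\n"
    b"--deadbeef-Z--\n"
)

if __name__ == "__main__":
    for entry_id, verdict in diagnose(SAMPLE_AUDIT_LOG).items():
        print(f"{entry_id}: {verdict}")
```

Run against a real serial audit log, a run of `tls_record` verdicts on port-443 entries, with no `http` or `invalid` ones among them, is the signature of the module-ordering problem discussed above, whereas scattered `invalid` verdicts are ordinary malformed requests the rule is meant to catch.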