mod-security-developers — Development discussion about mod_security

Re: [Mod-security-developers] Question about some rules

[Ryan B. <RBa...@tr...>]

On 3/7/12 9:33 AM, "Pavel Mateja" <pa...@ne...> wrote:

>> On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
>> > I had to modify them slightly:
>> >
>> > rule 981243:
>> > -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
>> > -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>> >
>> > rule 981244:
>> > -..\s*x?or|div|like|between|and[\w\s-]+..
>> > +..\s*x?(or|div|like|between|and)[\w\s-]+..
>> >
>> > rule 981248:
>> > -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
>> > +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>> >
>> > Or am I missing something?
>>
>> Hi Pavel,
>>
>> The string 'like' is included to help protect against SQLi attacks. In
>>your
>> case its obviously a false positive. Having said that, customizing the
>>CRS
>> itself will make upgrading the ruleset more difficult. It's probably a
>> better idea to maintain a list of exceptions instead. Take a look at:
>>
>>http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week
>>-e
>> xception-handling.html
>
>OK,
>let's talk about part of the rule 981248:
>(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])
>I think this one is for catching strings similar to:
>"5 like 8+"
>but the rule is positive on any words containing "like" because "|" has
>not as
>high priority as author thought it has.
>The "\s*\d+\s*[\-+]" part is tied to "(x)or" only and "\s*\d+\s*[\-+]"
>part is
>tied to "and" only.
>It's not customizing, it's fixing broken rules from my point of view.
>--
>Pavel Mateja

You are correct, the issue was with the regex.  We will be fixing it.

-Ryan


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] Question about some rules

[Pavel M. <pa...@ne...>]

> Pavel,
> You are correct.  I was just looking at this regexs myself and found the
> same issue.  Since the ) was missing, it wasn't grouping properly.  I will
> fix this issue.
> 
> As a side note - this is an OWASP ModSecurity CRS issue and we have a
> separate mail-list for that -
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

I didn't know that.
Sorry.
-- 
Pavel Mateja

Re: [Mod-security-developers] Question about some rules

[Ryan B. <RBa...@tr...>]

Pavel,
You are correct.  I was just looking at this regexs myself and found the
same issue.  Since the ) was missing, it wasn't grouping properly.  I will
fix this issue.

As a side note - this is an OWASP ModSecurity CRS issue and we have a
separate mail-list for that -
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Thanks.

ModSecurity--
Ryan Barnett
Trustwave SpiderLabsModSecurity Project Leader
OWASP ModSecurity CRS Project Leader




On 3/7/12 8:23 AM, "Pavel Mateja" <pa...@ne...> wrote:

>Hi,
>I got lot of false positives on modsecurity-crs_2.2.3 rules 981243,
>981244 and
>981248.
>They were catching "like" where I think they should not.
>
>Example:
>Parameter: passcode=boomlike
>Result:
>..[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data
>"like"] [severity "CRITICAL"]..
>..[id "981244"] [msg "Detects basic SQL authentication bypass attempts
>1/3"]
>[data "like"] [severity "CRITICAL"]..
>..[id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data
>"like"] [severity "CRITICAL"]..
>
>I had to modify them slightly:
>
>rule 981243:
>-..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
>-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>
>rule 981244:
>-..\s*x?or|div|like|between|and[\w\s-]+..
>+..\s*x?(or|div|like|between|and)[\w\s-]+..
>
>rule 981248:
>-..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
>+..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>
>Or am I missing something?
>--
>Pavel Mateja
>
>--------------------------------------------------------------------------
>----
>Virtualization & Cloud Management Using Capacity Planning
>Cloud computing makes use of virtualization - but cloud computing
>also focuses on allowing computing to be delivered as a service.
>http://www.accelacomm.com/jaw/sfnl/114/51521223/
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php
>


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] Question about some rules

[Pavel M. <pa...@ne...>]

> On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
> > I had to modify them slightly:
> > 
> > rule 981243:
> > -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
> > -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
> > 
> > rule 981244:
> > -..\s*x?or|div|like|between|and[\w\s-]+..
> > +..\s*x?(or|div|like|between|and)[\w\s-]+..
> > 
> > rule 981248:
> > -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
> > +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
> > 
> > Or am I missing something?
> 
> Hi Pavel,
> 
> The string 'like' is included to help protect against SQLi attacks. In your
> case its obviously a false positive. Having said that, customizing the CRS
> itself will make upgrading the ruleset more difficult. It's probably a
> better idea to maintain a list of exceptions instead. Take a look at:
> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-e
> xception-handling.html

OK,
let's talk about part of the rule 981248:
(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])
I think this one is for catching strings similar to:
"5 like 8+"
but the rule is positive on any words containing "like" because "|" has not as 
high priority as author thought it has.
The "\s*\d+\s*[\-+]" part is tied to "(x)or" only and "\s*\d+\s*[\-+]" part is 
tied to "and" only.
It's not customizing, it's fixing broken rules from my point of view.
-- 
Pavel Mateja

Re: [Mod-security-developers] Question about some rules

[Josh Amishav-Z. <ja...@gm...>]

On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:

>
> I had to modify them slightly:
>
> rule 981243:
> -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
> -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>
> rule 981244:
> -..\s*x?or|div|like|between|and[\w\s-]+..
> +..\s*x?(or|div|like|between|and)[\w\s-]+..
>
> rule 981248:
> -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
> +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>
> Or am I missing something?
>

Hi Pavel,

The string 'like' is included to help protect against SQLi attacks. In your
case its obviously a false positive. Having said that, customizing the CRS
itself will make upgrading the ruleset more difficult. It's probably a
better idea to maintain a list of exceptions instead. Take a look at:
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
 - Josh



> --
> Pavel Mateja
>
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

[Mod-security-developers] Question about some rules

[Pavel M. <pa...@ne...>]

Hi,
I got lot of false positives on modsecurity-crs_2.2.3 rules 981243, 981244 and 
981248.
They were catching "like" where I think they should not.

Example:
Parameter: passcode=boomlike
Result:
..[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data 
"like"] [severity "CRITICAL"]..
..[id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] 
[data "like"] [severity "CRITICAL"]..
..[id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data 
"like"] [severity "CRITICAL"]..

I had to modify them slightly:

rule 981243:
-..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..

rule 981244:
-..\s*x?or|div|like|between|and[\w\s-]+..
+..\s*x?(or|div|like|between|and)[\w\s-]+..

rule 981248:
-..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
+..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..

Or am I missing something?
-- 
Pavel Mateja

Re: [Mod-security-developers] [ModSecurity 2.6.3] Session collection broken

[Jeroen De R. <voe...@gm...>]

Fixed on the first 2.6.3 box as well:

[Wed Mar 07 11:14:26 2012] [notice] caught SIGTERM, shutting down
[Wed Mar 07 11:14:27 2012] [notice] ModSecurity for Apache/2.6.4-rc1
(http://www.modsecurity.org/) configured.
[Wed Mar 07 11:14:27 2012] [notice] ModSecurity: APR compiled
version="1.4.5"; loaded version="1.4.5"
[Wed Mar 07 11:14:27 2012] [notice] ModSecurity: PCRE compiled
version="5.0"; loaded version="5.0 13-Sep-2004"
[Wed Mar 07 11:14:27 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Mar 07 11:14:27 2012] [notice] ModSecurity: LIBXML compiled
version="2.6.26"
[Wed Mar 07 11:14:28 2012] [notice] Apache/2.2.21 (Unix) configured --
resuming normal operations
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
collection_retrieve_ex: Retrieving collection (name "default_SESSION",
filename "/code/dev/modsec/2.3/config/modsecurity/data/default_SESSION")
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1EH8AAAEAAFYIAgMAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "23"] [data "Reading session variable session.foo="] [hostname
"10.151.49.35"] [uri "/"] [unique_id "T1c1EH8AAAEAAFYIAgMAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "24"] [data "Incrementing session variable session.foo=1"]
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1EH8AAAEAAFYIAgMAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
collection_store: Retrieving collection (name "default_SESSION",
filename "/code/dev/modsec/2.3/config/modsecurity/data/default_SESSION")
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1EH8AAAEAAFYIAgMAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
collection_retrieve_ex: Retrieving collection (name "default_SESSION",
filename "/code/dev/modsec/2.3/config/modsecurity/data/default_SESSION")
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1EH8AAAEAAFYIAgQAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "23"] [data "Reading session variable session.foo=1"] [hostname
"10.151.49.35"] [uri "/"] [unique_id "T1c1EH8AAAEAAFYIAgQAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "24"] [data "Incrementing session variable session.foo=2"]
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1EH8AAAEAAFYIAgQAAAAA"]
[Wed Mar 07 11:14:40 2012] [error] [client 10.245.26.55] ModSecurity:
collection_store: Retrieving collection (name "default_SESSION",
filename "/code/dev/modsec/2.3/config/modsecurity/data/default_SESSION")
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1EH8AAAEAAFYIAgQAAAAA"]
[Wed Mar 07 11:15:02 2012] [error] [client 10.245.26.55] ModSecurity:
collection_retrieve_ex: Retrieving collection (name "default_SESSION",
filename "/code/dev/modsec/2.3/config/modsecurity/data/default_SESSION")
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1Jn8AAAEAAFYIAgUAAAAA"]
[Wed Mar 07 11:15:02 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "23"] [data "Reading session variable session.foo=2"] [hostname
"10.151.49.35"] [uri "/"] [unique_id "T1c1Jn8AAAEAAFYIAgUAAAAA"]
[Wed Mar 07 11:15:02 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "24"] [data "Incrementing session variable session.foo=3"]
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1Jn8AAAEAAFYIAgUAAAAA"]
[Wed Mar 07 11:15:02 2012] [error] [client 10.245.26.55] ModSecurity:
collection_store: Retrieving collection (name "default_SESSION",
filename "/code/dev/modsec/2.3/config/modsecurity/data/default_SESSION")
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1c1Jn8AAAEAAFYIAgUAAAAA"]

Re: [Mod-security-developers] [ModSecurity 2.6.3] Session collection broken

[Jeroen De R. <voe...@gm...>]

Success! Tested this time on my home machine, where I had also
observed this to happen (this is the one where I linked against the
system PCRE library). I can test again tomorrow on the two boxes I
used for the original report, but I'm sure they'll work too.

Again three requests from a clean and rebooted apache:

[Tue Mar 06 19:53:29 2012] [notice] caught SIGTERM, shutting down
[Tue Mar 06 19:53:42 2012] [notice] ModSecurity for Apache/2.6.4-rc1
(http://www.modsecurity.org/) configured.
[Tue Mar 06 19:53:42 2012] [notice] ModSecurity: APR compiled
version="1.4.5"; loaded version="1.4.5"
[Tue Mar 06 19:53:42 2012] [notice] ModSecurity: PCRE compiled
version="8.12"; loaded version="8.12 2011-01-15"
[Tue Mar 06 19:53:42 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue Mar 06 19:53:42 2012] [notice] ModSecurity: LIBXML compiled version="2.7.8"
[Tue Mar 06 19:53:42 2012] [notice] Digest: generating secret for
digest authentication ...
[Tue Mar 06 19:53:42 2012] [notice] Digest: done
[Tue Mar 06 19:53:53 2012] [notice] Apache/2.2.22 (Unix) PHP/5.4.0
configured -- resuming normal operations
[Tue Mar 06 19:53:53 2012] [error] [client 127.0.0.1] ModSecurity:
collection_retrieve_ex: Retrieving collection (name "default_SESSION",
filename "/opt/apache/modsecurity/data/default_SESSION") [hostname
"localhost"] [uri "/session/"] [unique_id "T1ZdQcCoALsAAAbOBqkAAAAF"]
[Tue Mar 06 19:53:53 2012] [error] [client 127.0.0.1] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/opt/apache/conf/extra/httpd-modsecurity2.conf"] [line "13"] [data
"Reading session variable session.foo="] [hostname "localhost"] [uri
"/session/"] [unique_id "T1ZdQcCoALsAAAbOBqkAAAAF"]
[Tue Mar 06 19:53:53 2012] [error] [client 127.0.0.1] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/opt/apache/conf/extra/httpd-modsecurity2.conf"] [line "14"] [data
"Incrementing session variable session.foo=1"] [hostname "localhost"]
[uri "/session/"] [unique_id "T1ZdQcCoALsAAAbOBqkAAAAF"]
[Tue Mar 06 19:53:53 2012] [error] [client 127.0.0.1] ModSecurity:
collection_store: Retrieving collection (name "default_SESSION",
filename "/opt/apache/modsecurity/data/default_SESSION") [hostname
"localhost"] [uri "/session/index.php"] [unique_id
"T1ZdQcCoALsAAAbOBqkAAAAF"]
[Tue Mar 06 19:54:07 2012] [error] [client 127.0.0.1] ModSecurity:
collection_retrieve_ex: Retrieving collection (name "default_SESSION",
filename "/opt/apache/modsecurity/data/default_SESSION") [hostname
"localhost"] [uri "/session/"] [unique_id "T1ZdT8CoALsAAAbOBqoAAAAI"]
[Tue Mar 06 19:54:07 2012] [error] [client 127.0.0.1] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/opt/apache/conf/extra/httpd-modsecurity2.conf"] [line "13"] [data
"Reading session variable session.foo=1"] [hostname "localhost"] [uri
"/session/"] [unique_id "T1ZdT8CoALsAAAbOBqoAAAAI"]
[Tue Mar 06 19:54:07 2012] [error] [client 127.0.0.1] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/opt/apache/conf/extra/httpd-modsecurity2.conf"] [line "14"] [data
"Incrementing session variable session.foo=2"] [hostname "localhost"]
[uri "/session/"] [unique_id "T1ZdT8CoALsAAAbOBqoAAAAI"]
[Tue Mar 06 19:54:07 2012] [error] [client 127.0.0.1] ModSecurity:
collection_store: Retrieving collection (name "default_SESSION",
filename "/opt/apache/modsecurity/data/default_SESSION") [hostname
"localhost"] [uri "/session/index.php"] [unique_id
"T1ZdT8CoALsAAAbOBqoAAAAI"]
[Tue Mar 06 19:54:10 2012] [error] [client 127.0.0.1] ModSecurity:
collection_retrieve_ex: Retrieving collection (name "default_SESSION",
filename "/opt/apache/modsecurity/data/default_SESSION") [hostname
"localhost"] [uri "/session/"] [unique_id "T1ZdUsCoALsAAAbOBqsAAAAI"]
[Tue Mar 06 19:54:10 2012] [error] [client 127.0.0.1] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/opt/apache/conf/extra/httpd-modsecurity2.conf"] [line "13"] [data
"Reading session variable session.foo=2"] [hostname "localhost"] [uri
"/session/"] [unique_id "T1ZdUsCoALsAAAbOBqsAAAAI"]
[Tue Mar 06 19:54:10 2012] [error] [client 127.0.0.1] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/opt/apache/conf/extra/httpd-modsecurity2.conf"] [line "14"] [data
"Incrementing session variable session.foo=3"] [hostname "localhost"]
[uri "/session/"] [unique_id "T1ZdUsCoALsAAAbOBqsAAAAI"]
[Tue Mar 06 19:54:10 2012] [error] [client 127.0.0.1] ModSecurity:
collection_store: Retrieving collection (name "default_SESSION",
filename "/opt/apache/modsecurity/data/default_SESSION") [hostname
"localhost"] [uri "/session/index.php"] [unique_id
"T1ZdUsCoALsAAAbOBqsAAAAI"]

Re: [Mod-security-developers] [ModSecurity 2.6.3] Session collection broken

[Jeroen De R. <voe...@gm...>]

Hi Breno,

Wow, that was fast. I'll be happy to test the tarball; I'll be able to
confirm the fix some time tonight (tomorrow if not).

Cheers,
Jeroen

Re: [Mod-security-developers] [ModSecurity 2.6.3] Session collection broken

[Breno S. <bre...@gm...>]

I have the fix.

Do you have time for testing ? I can send you the tarball

Thanks

Breno

On Tue, Mar 6, 2012 at 7:03 AM, Breno Silva <bre...@gm...> wrote:

> Hi Jeroen,
>
> Looks like we have a bug in the code. I will work to fix it in the next
> 2.6.4 release.
>
> Thanks
>
>
> On Tue, Mar 6, 2012 at 4:20 AM, Jeroen De Ridder <
> voe...@gm...> wrote:
>
>> I'm currently encountering some trouble with the optional
>> modsecurity_crs_16_session_hijacking.conf ruleset (v.2.2.4) in
>> ModSecurity 2.6.3. An initial uncookied request sent to the server is
>> accepted, but every subsequent request is blocked by rule 981059
>> because of an IP hash mismatch:
>>
>> SecRule TX:IP_HASH "!@streq %{SESSION.IP_HASH}"
>>
>> "phase:1,id:'981059',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning
>> - Sticky SessionID Data Changed - IP Address
>>
>> Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
>> rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
>>
>> (I'm running in traditional mode, so the "block" action equals "deny").
>>
>> I understand the logic of these rules, and I've poured over the debug
>> logs to see what's going on. The logic itself seems fine; all the
>> values being passed around are correct, but the problem seems to be
>> that subsequent requests fail to load the session collection data that
>> was saved in the initial request that created it. I've confirmed this
>> by inserting an adding the following rule inbetween rules 981055 and
>> 981056 to print the loaded session collection data:
>>
>> SecAction "phase:1,t:none,pass,log,logdata:'_DEBUG_ Initialized
>> session using key %{tx.sessionid};
>> session.sessionid=%{session.sessionid};
>> session.valid=%{session.valid}; session.ip_hash=%{session.ip_hash};
>> session.ua_hash=%{session.ua_hash};'"
>>
>> The tx.sessionid value is correct (ie. the same as was used to the
>> setsid call in the initial request), but the session collection seem
>> to be completely empty. This naturally causes tx.ip_hash to not match
>> session.ip_hash, resulting in the block. Note that this debug rule is
>> not reached unless the client sent a session cookie and the session
>> collection was hence initialized by setsid:%{matched_var} in rule
>> 981054, whose value I've also confirmed to be correct.
>>
>> To isolate and demonstrate the problem, I've created a very minimal
>> testcase and ran them on both ModSecurity 2.5.11 and 2.6.3. No other
>> rulesets were loaded, not even crs_10_config. The machine running
>> 2.5.11 is a somewhat older box running Apache 2.0.63 on RHEL4, the
>> machine running 2.6.3 is running Apache 2.2.21 on RHEL5.
>>
>> SecRuleEngine On
>> SecDebugLogLevel 9
>> SecDataDir config/modsecurity/data
>> SecRequestBodyAccess On
>> SecAction "phase:1,pass,log,setsid:'abcd1234',logdata:'Reading session
>> variable session.foo=%{session.foo}'"
>> SecAction "phase:1,pass,log,setsid:'abcd1234',logdata:'Incrementing
>> session variable session.foo=%{session.foo}',setvar:session.foo=+1"
>>
>> After cleaning out the ModSec data dirs and rebooting the Apache
>> servers, here's the apache error log output for three subsequent
>> requests to the same page from ModSecurity 2.5.11:
>>
>> [Tue Mar 06 11:07:49 2012] [notice] caught SIGTERM, shutting down
>> [Tue Mar 06 11:07:50 2012] [notice] ModSecurity for Apache/2.5.11
>> (http://www.modsecurity.org/) configured.
>> [Tue Mar 06 11:07:51 2012] [notice] Apache/2.0.63 (Unix)
>> mod_ssl/2.0.63 OpenSSL/0.9.7m configured -- resuming normal operations
>> [Tue Mar 06 11:08:03 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
>> [line "31"] [data "Reading session variable session.foo="] [hostname
>> "10.151.49.29"] [uri "/"] [unique_id "N-YWGX8AAAEAACcGTWUAAAAA"]
>> [Tue Mar 06 11:08:03 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
>> [line "32"] [data "Incrementing session variable session.foo=1"]
>> [hostname "10.151.49.29"] [uri "/"] [unique_id
>> "N-YWGX8AAAEAACcGTWUAAAAA"]
>> [Tue Mar 06 11:08:08 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
>> [line "31"] [data "Reading session variable session.foo=1"] [hostname
>> "10.151.49.29"] [uri "/"] [unique_id "OEU9jX8AAAEAACcGTWYAAAAA"]
>> [Tue Mar 06 11:08:08 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
>> [line "32"] [data "Incrementing session variable session.foo=2"]
>> [hostname "10.151.49.29"] [uri "/"] [unique_id
>> "OEU9jX8AAAEAACcGTWYAAAAA"]
>> [Tue Mar 06 11:08:11 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
>> [line "31"] [data "Reading session variable session.foo=2"] [hostname
>> "10.151.49.29"] [uri "/"] [unique_id "OHLo4X8AAAEAACcGTWcAAAAA"]
>> [Tue Mar 06 11:08:11 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
>> [line "32"] [data "Incrementing session variable session.foo=3"]
>> [hostname "10.151.49.29"] [uri "/"] [unique_id
>> "OHLo4X8AAAEAACcGTWcAAAAA"]
>>
>> And the same for ModSecurity 2.6.3:
>>
>> [Tue Mar 06 11:04:25 2012] [notice] caught SIGTERM, shutting down
>> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity for Apache/2.6.3
>> (http://www.modsecurity.org/) configured.
>> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: APR compiled
>> version="1.4.5"; loaded version="1.4.5"
>> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: PCRE compiled
>> version="5.0"; loaded version="5.0 13-Sep-2004"
>> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: LUA compiled
>> version="Lua 5.1"
>> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: LIBXML compiled
>> version="2.6.26"
>> [Tue Mar 06 11:04:28 2012] [notice] Apache/2.2.21 (Unix) configured --
>> resuming normal operations
>> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
>> [line "24"] [data "Reading session variable session.foo="] [hostname
>> "10.151.49.35"] [uri "/"] [unique_id "T1XhNn8AAAEAABcJAu0AAAAA"]
>> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
>> [line "25"] [data "Incrementing session variable session.foo=1"]
>> [hostname "10.151.49.35"] [uri "/"] [unique_id
>> "T1XhNn8AAAEAABcJAu0AAAAA"]
>> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
>> [line "24"] [data "Reading session variable session.foo="] [hostname
>> "10.151.49.35"] [uri "/"] [unique_id "T1XhNn8AAAEAABcJAu4AAAAA"]
>> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
>> [line "25"] [data "Incrementing session variable session.foo=1"]
>> [hostname "10.151.49.35"] [uri "/"] [unique_id
>> "T1XhNn8AAAEAABcJAu4AAAAA"]
>> [Tue Mar 06 11:04:39 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
>> [line "24"] [data "Reading session variable session.foo="] [hostname
>> "10.151.49.35"] [uri "/"] [unique_id "T1XhN38AAAEAABcJAu8AAAAA"]
>> [Tue Mar 06 11:04:39 2012] [error] [client 10.245.26.55] ModSecurity:
>> Warning. Unconditional match in SecAction. [file
>> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
>> [line "25"] [data "Incrementing session variable session.foo=1"]
>> [hostname "10.151.49.35"] [uri "/"] [unique_id
>> "T1XhN38AAAEAABcJAu8AAAAA"]
>>
>> I've made sure the modsecurity data dir has full 0777 access to see if
>> perhaps that's the problem, but no dice. I can see it create the
>> default_SESSION.(dir|pag) files, and I can spot some of the saved
>> values in there, but they just don't seem to get reloaded on the next
>> request. I've actually tried this both on a 2.6.3 instance with PCRE
>> linked statically against Apache's bundled distro, as well as on an
>> instance linked against a system libpcre, but it occurs on both.
>>
>> Can anyone confirm and/or advise? I'll be happy to provide debug logs,
>> but in the interest of not cluttering up this report I'll leave them
>> for another reply (if needed).
>>
>>
>> ------------------------------------------------------------------------------
>> Keep Your Developer Skills Current with LearnDevNow!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-d2d
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>

Re: [Mod-security-developers] [ModSecurity 2.6.3] Session collection broken

[Breno S. <bre...@gm...>]

Hi Jeroen,

Looks like we have a bug in the code. I will work to fix it in the next
2.6.4 release.

Thanks

On Tue, Mar 6, 2012 at 4:20 AM, Jeroen De Ridder <
voe...@gm...> wrote:

> I'm currently encountering some trouble with the optional
> modsecurity_crs_16_session_hijacking.conf ruleset (v.2.2.4) in
> ModSecurity 2.6.3. An initial uncookied request sent to the server is
> accepted, but every subsequent request is blocked by rule 981059
> because of an IP hash mismatch:
>
> SecRule TX:IP_HASH "!@streq %{SESSION.IP_HASH}"
>
> "phase:1,id:'981059',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning
> - Sticky SessionID Data Changed - IP Address
>
> Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
> rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
>
> (I'm running in traditional mode, so the "block" action equals "deny").
>
> I understand the logic of these rules, and I've poured over the debug
> logs to see what's going on. The logic itself seems fine; all the
> values being passed around are correct, but the problem seems to be
> that subsequent requests fail to load the session collection data that
> was saved in the initial request that created it. I've confirmed this
> by inserting an adding the following rule inbetween rules 981055 and
> 981056 to print the loaded session collection data:
>
> SecAction "phase:1,t:none,pass,log,logdata:'_DEBUG_ Initialized
> session using key %{tx.sessionid};
> session.sessionid=%{session.sessionid};
> session.valid=%{session.valid}; session.ip_hash=%{session.ip_hash};
> session.ua_hash=%{session.ua_hash};'"
>
> The tx.sessionid value is correct (ie. the same as was used to the
> setsid call in the initial request), but the session collection seem
> to be completely empty. This naturally causes tx.ip_hash to not match
> session.ip_hash, resulting in the block. Note that this debug rule is
> not reached unless the client sent a session cookie and the session
> collection was hence initialized by setsid:%{matched_var} in rule
> 981054, whose value I've also confirmed to be correct.
>
> To isolate and demonstrate the problem, I've created a very minimal
> testcase and ran them on both ModSecurity 2.5.11 and 2.6.3. No other
> rulesets were loaded, not even crs_10_config. The machine running
> 2.5.11 is a somewhat older box running Apache 2.0.63 on RHEL4, the
> machine running 2.6.3 is running Apache 2.2.21 on RHEL5.
>
> SecRuleEngine On
> SecDebugLogLevel 9
> SecDataDir config/modsecurity/data
> SecRequestBodyAccess On
> SecAction "phase:1,pass,log,setsid:'abcd1234',logdata:'Reading session
> variable session.foo=%{session.foo}'"
> SecAction "phase:1,pass,log,setsid:'abcd1234',logdata:'Incrementing
> session variable session.foo=%{session.foo}',setvar:session.foo=+1"
>
> After cleaning out the ModSec data dirs and rebooting the Apache
> servers, here's the apache error log output for three subsequent
> requests to the same page from ModSecurity 2.5.11:
>
> [Tue Mar 06 11:07:49 2012] [notice] caught SIGTERM, shutting down
> [Tue Mar 06 11:07:50 2012] [notice] ModSecurity for Apache/2.5.11
> (http://www.modsecurity.org/) configured.
> [Tue Mar 06 11:07:51 2012] [notice] Apache/2.0.63 (Unix)
> mod_ssl/2.0.63 OpenSSL/0.9.7m configured -- resuming normal operations
> [Tue Mar 06 11:08:03 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
> [line "31"] [data "Reading session variable session.foo="] [hostname
> "10.151.49.29"] [uri "/"] [unique_id "N-YWGX8AAAEAACcGTWUAAAAA"]
> [Tue Mar 06 11:08:03 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
> [line "32"] [data "Incrementing session variable session.foo=1"]
> [hostname "10.151.49.29"] [uri "/"] [unique_id
> "N-YWGX8AAAEAACcGTWUAAAAA"]
> [Tue Mar 06 11:08:08 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
> [line "31"] [data "Reading session variable session.foo=1"] [hostname
> "10.151.49.29"] [uri "/"] [unique_id "OEU9jX8AAAEAACcGTWYAAAAA"]
> [Tue Mar 06 11:08:08 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
> [line "32"] [data "Incrementing session variable session.foo=2"]
> [hostname "10.151.49.29"] [uri "/"] [unique_id
> "OEU9jX8AAAEAACcGTWYAAAAA"]
> [Tue Mar 06 11:08:11 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
> [line "31"] [data "Reading session variable session.foo=2"] [hostname
> "10.151.49.29"] [uri "/"] [unique_id "OHLo4X8AAAEAACcGTWcAAAAA"]
> [Tue Mar 06 11:08:11 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
> [line "32"] [data "Incrementing session variable session.foo=3"]
> [hostname "10.151.49.29"] [uri "/"] [unique_id
> "OHLo4X8AAAEAACcGTWcAAAAA"]
>
> And the same for ModSecurity 2.6.3:
>
> [Tue Mar 06 11:04:25 2012] [notice] caught SIGTERM, shutting down
> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity for Apache/2.6.3
> (http://www.modsecurity.org/) configured.
> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: APR compiled
> version="1.4.5"; loaded version="1.4.5"
> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: PCRE compiled
> version="5.0"; loaded version="5.0 13-Sep-2004"
> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: LUA compiled version="Lua
> 5.1"
> [Tue Mar 06 11:04:27 2012] [notice] ModSecurity: LIBXML compiled
> version="2.6.26"
> [Tue Mar 06 11:04:28 2012] [notice] Apache/2.2.21 (Unix) configured --
> resuming normal operations
> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
> [line "24"] [data "Reading session variable session.foo="] [hostname
> "10.151.49.35"] [uri "/"] [unique_id "T1XhNn8AAAEAABcJAu0AAAAA"]
> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
> [line "25"] [data "Incrementing session variable session.foo=1"]
> [hostname "10.151.49.35"] [uri "/"] [unique_id
> "T1XhNn8AAAEAABcJAu0AAAAA"]
> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
> [line "24"] [data "Reading session variable session.foo="] [hostname
> "10.151.49.35"] [uri "/"] [unique_id "T1XhNn8AAAEAABcJAu4AAAAA"]
> [Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
> [line "25"] [data "Incrementing session variable session.foo=1"]
> [hostname "10.151.49.35"] [uri "/"] [unique_id
> "T1XhNn8AAAEAABcJAu4AAAAA"]
> [Tue Mar 06 11:04:39 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
> [line "24"] [data "Reading session variable session.foo="] [hostname
> "10.151.49.35"] [uri "/"] [unique_id "T1XhN38AAAEAABcJAu8AAAAA"]
> [Tue Mar 06 11:04:39 2012] [error] [client 10.245.26.55] ModSecurity:
> Warning. Unconditional match in SecAction. [file
> "/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
> [line "25"] [data "Incrementing session variable session.foo=1"]
> [hostname "10.151.49.35"] [uri "/"] [unique_id
> "T1XhN38AAAEAABcJAu8AAAAA"]
>
> I've made sure the modsecurity data dir has full 0777 access to see if
> perhaps that's the problem, but no dice. I can see it create the
> default_SESSION.(dir|pag) files, and I can spot some of the saved
> values in there, but they just don't seem to get reloaded on the next
> request. I've actually tried this both on a 2.6.3 instance with PCRE
> linked statically against Apache's bundled distro, as well as on an
> instance linked against a system libpcre, but it occurs on both.
>
> Can anyone confirm and/or advise? I'll be happy to provide debug logs,
> but in the interest of not cluttering up this report I'll leave them
> for another reply (if needed).
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

[Mod-security-developers] [ModSecurity 2.6.3] Session collection broken

[Jeroen De R. <voe...@gm...>]

I'm currently encountering some trouble with the optional
modsecurity_crs_16_session_hijacking.conf ruleset (v.2.2.4) in
ModSecurity 2.6.3. An initial uncookied request sent to the server is
accepted, but every subsequent request is blocked by rule 981059
because of an IP hash mismatch:

SecRule TX:IP_HASH "!@streq %{SESSION.IP_HASH}"
"phase:1,id:'981059',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning
- Sticky SessionID Data Changed - IP Address
Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"

(I'm running in traditional mode, so the "block" action equals "deny").

I understand the logic of these rules, and I've poured over the debug
logs to see what's going on. The logic itself seems fine; all the
values being passed around are correct, but the problem seems to be
that subsequent requests fail to load the session collection data that
was saved in the initial request that created it. I've confirmed this
by inserting an adding the following rule inbetween rules 981055 and
981056 to print the loaded session collection data:

SecAction "phase:1,t:none,pass,log,logdata:'_DEBUG_ Initialized
session using key %{tx.sessionid};
session.sessionid=%{session.sessionid};
session.valid=%{session.valid}; session.ip_hash=%{session.ip_hash};
session.ua_hash=%{session.ua_hash};'"

The tx.sessionid value is correct (ie. the same as was used to the
setsid call in the initial request), but the session collection seem
to be completely empty. This naturally causes tx.ip_hash to not match
session.ip_hash, resulting in the block. Note that this debug rule is
not reached unless the client sent a session cookie and the session
collection was hence initialized by setsid:%{matched_var} in rule
981054, whose value I've also confirmed to be correct.

To isolate and demonstrate the problem, I've created a very minimal
testcase and ran them on both ModSecurity 2.5.11 and 2.6.3. No other
rulesets were loaded, not even crs_10_config. The machine running
2.5.11 is a somewhat older box running Apache 2.0.63 on RHEL4, the
machine running 2.6.3 is running Apache 2.2.21 on RHEL5.

SecRuleEngine On
SecDebugLogLevel 9
SecDataDir config/modsecurity/data
SecRequestBodyAccess On
SecAction "phase:1,pass,log,setsid:'abcd1234',logdata:'Reading session
variable session.foo=%{session.foo}'"
SecAction "phase:1,pass,log,setsid:'abcd1234',logdata:'Incrementing
session variable session.foo=%{session.foo}',setvar:session.foo=+1"

After cleaning out the ModSec data dirs and rebooting the Apache
servers, here's the apache error log output for three subsequent
requests to the same page from ModSecurity 2.5.11:

[Tue Mar 06 11:07:49 2012] [notice] caught SIGTERM, shutting down
[Tue Mar 06 11:07:50 2012] [notice] ModSecurity for Apache/2.5.11
(http://www.modsecurity.org/) configured.
[Tue Mar 06 11:07:51 2012] [notice] Apache/2.0.63 (Unix)
mod_ssl/2.0.63 OpenSSL/0.9.7m configured -- resuming normal operations
[Tue Mar 06 11:08:03 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
[line "31"] [data "Reading session variable session.foo="] [hostname
"10.151.49.29"] [uri "/"] [unique_id "N-YWGX8AAAEAACcGTWUAAAAA"]
[Tue Mar 06 11:08:03 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
[line "32"] [data "Incrementing session variable session.foo=1"]
[hostname "10.151.49.29"] [uri "/"] [unique_id
"N-YWGX8AAAEAACcGTWUAAAAA"]
[Tue Mar 06 11:08:08 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
[line "31"] [data "Reading session variable session.foo=1"] [hostname
"10.151.49.29"] [uri "/"] [unique_id "OEU9jX8AAAEAACcGTWYAAAAA"]
[Tue Mar 06 11:08:08 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
[line "32"] [data "Incrementing session variable session.foo=2"]
[hostname "10.151.49.29"] [uri "/"] [unique_id
"OEU9jX8AAAEAACcGTWYAAAAA"]
[Tue Mar 06 11:08:11 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
[line "31"] [data "Reading session variable session.foo=2"] [hostname
"10.151.49.29"] [uri "/"] [unique_id "OHLo4X8AAAEAACcGTWcAAAAA"]
[Tue Mar 06 11:08:11 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/lk7/modsec/active/config/httpd_front_poc_apache_web.conf"]
[line "32"] [data "Incrementing session variable session.foo=3"]
[hostname "10.151.49.29"] [uri "/"] [unique_id
"OHLo4X8AAAEAACcGTWcAAAAA"]

And the same for ModSecurity 2.6.3:

[Tue Mar 06 11:04:25 2012] [notice] caught SIGTERM, shutting down
[Tue Mar 06 11:04:27 2012] [notice] ModSecurity for Apache/2.6.3
(http://www.modsecurity.org/) configured.
[Tue Mar 06 11:04:27 2012] [notice] ModSecurity: APR compiled
version="1.4.5"; loaded version="1.4.5"
[Tue Mar 06 11:04:27 2012] [notice] ModSecurity: PCRE compiled
version="5.0"; loaded version="5.0 13-Sep-2004"
[Tue Mar 06 11:04:27 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue Mar 06 11:04:27 2012] [notice] ModSecurity: LIBXML compiled
version="2.6.26"
[Tue Mar 06 11:04:28 2012] [notice] Apache/2.2.21 (Unix) configured --
resuming normal operations
[Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "24"] [data "Reading session variable session.foo="] [hostname
"10.151.49.35"] [uri "/"] [unique_id "T1XhNn8AAAEAABcJAu0AAAAA"]
[Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "25"] [data "Incrementing session variable session.foo=1"]
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1XhNn8AAAEAABcJAu0AAAAA"]
[Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "24"] [data "Reading session variable session.foo="] [hostname
"10.151.49.35"] [uri "/"] [unique_id "T1XhNn8AAAEAABcJAu4AAAAA"]
[Tue Mar 06 11:04:38 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "25"] [data "Incrementing session variable session.foo=1"]
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1XhNn8AAAEAABcJAu4AAAAA"]
[Tue Mar 06 11:04:39 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "24"] [data "Reading session variable session.foo="] [hostname
"10.151.49.35"] [uri "/"] [unique_id "T1XhN38AAAEAABcJAu8AAAAA"]
[Tue Mar 06 11:04:39 2012] [error] [client 10.245.26.55] ModSecurity:
Warning. Unconditional match in SecAction. [file
"/code/dev/modsec/2.3/config/modsecurity/modsecurity_common.conf"]
[line "25"] [data "Incrementing session variable session.foo=1"]
[hostname "10.151.49.35"] [uri "/"] [unique_id
"T1XhN38AAAEAABcJAu8AAAAA"]

I've made sure the modsecurity data dir has full 0777 access to see if
perhaps that's the problem, but no dice. I can see it create the
default_SESSION.(dir|pag) files, and I can spot some of the saved
values in there, but they just don't seem to get reloaded on the next
request. I've actually tried this both on a 2.6.3 instance with PCRE
linked statically against Apache's bundled distro, as well as on an
instance linked against a system libpcre, but it occurs on both.

Can anyone confirm and/or advise? I'll be happy to provide debug logs,
but in the interest of not cluttering up this report I'll leave them
for another reply (if needed).

Re: [Mod-security-developers] Seeking help with a port to Nginx

[dreamice <dre...@gm...>]

I want to be one of the members. I just use the modsecurity for more than 3
years, read some of the codes. From last year, I begin to analyze the nginx
code. Now I am an engineer of the WAF project in my company.


2012/3/6 Ryan Barnett <RBa...@tr...>

>  Hello everyone,
> If you have not heard, we are actively seeking to port the ModSecurity
>  module to other web server platforms (https://modsecurity.org/projects/).
>  We are seeking Nginx expertise to assist with a port so that Nginx users
> can directly leverage ModSecurity's rules such as the OWASP ModSecurity
> Core Rule Set -
> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> .
>
>  I posted an email to the Nginx Dev list today and I have seen a few new
> list subscriptions come in so I am hoping that they are from Nginx :)
>
>  If anyone wants to help with this effort, please let me know and I will
> setup some meetings.
>
>  Thanks for your help.
>
>   --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
> ------------------------------
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Seeking help with a port to Nginx

[dreamice <dre...@gm...>]

It is a good idea! I hope this can be set up immediately:)

2012/3/6 Ryan Barnett <RBa...@tr...>

>  Hello everyone,
> If you have not heard, we are actively seeking to port the ModSecurity
>  module to other web server platforms (https://modsecurity.org/projects/).
>  We are seeking Nginx expertise to assist with a port so that Nginx users
> can directly leverage ModSecurity's rules such as the OWASP ModSecurity
> Core Rule Set -
> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> .
>
>  I posted an email to the Nginx Dev list today and I have seen a few new
> list subscriptions come in so I am hoping that they are from Nginx :)
>
>  If anyone wants to help with this effort, please let me know and I will
> setup some meetings.
>
>  Thanks for your help.
>
>   --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
> ------------------------------
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

[Mod-security-developers] Seeking help with a port to Nginx

[Ryan B. <RBa...@tr...>]

Hello everyone,
If you have not heard, we are actively seeking to port the ModSecurity  module to other web server platforms (https://modsecurity.org/projects/).  We are seeking Nginx expertise to assist with a port so that Nginx users can directly leverage ModSecurity's rules such as the OWASP ModSecurity Core Rule Set - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project.

I posted an email to the Nginx Dev list today and I have seen a few new list subscriptions come in so I am hoping that they are from Nginx :)

If anyone wants to help with this effort, please let me know and I will setup some meetings.

Thanks for your help.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[J M <jer...@gm...>]

Breno,

   Unfortunately, --with-pcre on apache 2.0.64 is not an option anymore...

configure: WARNING: unrecognized options: --with-pcre

thank you,

On Mon, Feb 27, 2012 at 11:13 AM, Breno Silva <bre...@gm...> wrote:

> Make sure your apache and modsecurity were compiled with the same lib
> versions.
>  Breno
>
> On 2/27/12, J M <jer...@gm...> wrote:
> > at last.. now i was able to make it work....
> >
> > just as reference...
> >
> > if you do..
> >
> > --with-pcre=/usr/local/bin/pcre-config
> >
> > it still uses the pcre.h from the pcre built into apache..
> >
> > i replaced the pcre.h from apache2/include with pcre.h of source
> > installation
> >
> >
> > tia,
> >
> >
> >
> >
> >
> > On Mon, Feb 27, 2012 at 10:12 AM, Breno Silva <bre...@gm...>
> wrote:
> >
> >> Where is your pcre headers (pcre.h etc ) ?  Can you try copy them to
> >> /usr/include ?
> >>
> >> Breno
> >>
> >>
> >> On Mon, Feb 27, 2012 at 9:03 AM, J M <jer...@gm...> wrote:
> >>
> >>> Yes, I did that as well..
> >>>
> >>> below is a snapshot or the previous compile:
> >>>
> >>> Use of uninitialized value in concatenation (.) or string at
> >>> /usr/local/apache2/bin/apxs line 237.
> >>> checking for libpcre config script... /usr/local/bin/pcre-config
> >>> configure: using pcre v8.21
> >>> checking for libapr config script... /usr/local/apache2/bin/apr-config
> >>> configure: using apr v0.9.19
> >>> checking for libapu config script... /usr/local/apache2/bin/apu-config
> >>> configure: using apu v0.9.19
> >>> checking for libxml2 config script... /usr/bin/xml2-config
> >>> configure: using libxml2 v2.6.26
> >>>
> >>> same error:
> >>>
> >>> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
> >>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
> >>> -I/usr/local/apache2/include -I/usr/local/include
> -I/usr/include/libxml2
> >>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
> >>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
> >>> mod_security2_la-msc_pcre.lo -MD -MP -MF
> >>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
> >>> .libs/mod_security2_la-msc_pcre.o
> >>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
> >>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete
> type
> >>> ‘pcre_extra’
> >>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete
> type
> >>> ‘pcre_extra’
> >>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
> >>> make[2]: Leaving directory
> >>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> >>> make[1]: *** [all] Error 2
> >>> make[1]: Leaving directory
> >>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> >>> make: *** [all-recursive] Error 1
> >>>
> >>>
> >>>
> >>>
> >>> On Mon, Feb 27, 2012 at 9:54 AM, Ryan Barnett
> >>> <RBa...@tr...>wrote:
> >>>
> >>>>   Have to tried installing PCRE as a separate package and then
> pointing
> >>>> ModSecurity configure flags to it?
> >>>>
> >>>>  --
> >>>> Ryan Barnett
> >>>>
> >>>>   From: J M <jer...@gm...>
> >>>> Reply-To: "mod...@li..." <
> >>>> mod...@li...>
> >>>> Date: Mon, 27 Feb 2012 08:29:24 -0600
> >>>> To: "mod...@li..." <
> >>>> mod...@li...>
> >>>> Subject: [Mod-security-developers] Issue compiling
> >>>> "modsecurity-apache_2.6.4-rc1"
> >>>>
> >>>>  Hi All,
> >>>>
> >>>>
> >>>>   I was trying to use 2.6.3 and thought that moving to 2.6.4 will
> help,
> >>>> unfortunately I'm stuck with the same issue:
> >>>>
> >>>>   Configure:
> >>>>       ./configure --with-apxs=/usr/local/
> >>>> apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
> >>>> --with-apr=/usr/local/apache2/bin/apr-config
> >>>>
> >>>>   OS: Redhat 5 - 64bit
> >>>>   Apache 2.0.64
> >>>>
> >>>>
> >>>>   Error:
> >>>>
> >>>>   libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
> >>>> -D_GNU_SOURCE -I/usr/local/apache2/include
> -I/usr/local/apache2/include
> >>>> -I/usr/local/apache2/include -I/usr/local/include
> -I/usr/include/libxml2
> >>>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
> >>>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
> >>>> mod_security2_la-msc_pcre.lo -MD -MP -MF
> >>>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
> >>>> .libs/mod_security2_la-msc_pcre.o
> >>>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
> >>>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete
> type
> >>>> ‘pcre_extra’
> >>>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete
> type
> >>>> ‘pcre_extra’
> >>>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
> >>>> make[2]: Leaving directory
> >>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> >>>> make[1]: *** [all] Error 2
> >>>> make[1]: Leaving directory
> >>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> >>>> make: *** [all-recursive] Error 1
> >>>>
> >>>>
> >>>>
> >>>> tia,
> >>>>
> >>>>
> >>>> ------------------------------
> >>>> This transmission may contain information that is privileged,
> >>>> confidential, and/or exempt from disclosure under applicable law. If
> you
> >>>> are not the intended recipient, you are hereby notified that any
> >>>> disclosure, copying, distribution, or use of the information contained
> >>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> >>>> received this transmission in error, please immediately contact the
> >>>> sender
> >>>> and destroy the material in its entirety, whether in electronic or
> hard
> >>>> copy format.
> >>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> Try before you buy = See our experts in action!
> >>>> The most comprehensive online learning library for Microsoft
> developers
> >>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
> MVC3,
> >>>> Metro Style Apps, more. Free future releases when you subscribe now!
> >>>> http://p.sf.net/sfu/learndevnow-dev2
> >>>> _______________________________________________
> >>>> mod-security-developers mailing list
> >>>> mod...@li...
> >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >>>> ModSecurity Services from Trustwave's SpiderLabs:
> >>>> https://www.trustwave.com/spiderLabs.php
> >>>>
> >>>
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> Try before you buy = See our experts in action!
> >>> The most comprehensive online learning library for Microsoft developers
> >>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
> MVC3,
> >>> Metro Style Apps, more. Free future releases when you subscribe now!
> >>> http://p.sf.net/sfu/learndevnow-dev2
> >>> _______________________________________________
> >>> mod-security-developers mailing list
> >>> mod...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >>> ModSecurity Services from Trustwave's SpiderLabs:
> >>> https://www.trustwave.com/spiderLabs.php
> >>>
> >>
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Try before you buy = See our experts in action!
> >> The most comprehensive online learning library for Microsoft developers
> >> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> >> Metro Style Apps, more. Free future releases when you subscribe now!
> >> http://p.sf.net/sfu/learndevnow-dev2
> >> _______________________________________________
> >> mod-security-developers mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >> ModSecurity Services from Trustwave's SpiderLabs:
> >> https://www.trustwave.com/spiderLabs.php
> >>
> >
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[Breno S. <bre...@gm...>]

Make sure your apache and modsecurity were compiled with the same lib versions.
 Breno

On 2/27/12, J M <jer...@gm...> wrote:
> at last.. now i was able to make it work....
>
> just as reference...
>
> if you do..
>
> --with-pcre=/usr/local/bin/pcre-config
>
> it still uses the pcre.h from the pcre built into apache..
>
> i replaced the pcre.h from apache2/include with pcre.h of source
> installation
>
>
> tia,
>
>
>
>
>
> On Mon, Feb 27, 2012 at 10:12 AM, Breno Silva <bre...@gm...> wrote:
>
>> Where is your pcre headers (pcre.h etc ) ?  Can you try copy them to
>> /usr/include ?
>>
>> Breno
>>
>>
>> On Mon, Feb 27, 2012 at 9:03 AM, J M <jer...@gm...> wrote:
>>
>>> Yes, I did that as well..
>>>
>>> below is a snapshot or the previous compile:
>>>
>>> Use of uninitialized value in concatenation (.) or string at
>>> /usr/local/apache2/bin/apxs line 237.
>>> checking for libpcre config script... /usr/local/bin/pcre-config
>>> configure: using pcre v8.21
>>> checking for libapr config script... /usr/local/apache2/bin/apr-config
>>> configure: using apr v0.9.19
>>> checking for libapu config script... /usr/local/apache2/bin/apu-config
>>> configure: using apu v0.9.19
>>> checking for libxml2 config script... /usr/bin/xml2-config
>>> configure: using libxml2 v2.6.26
>>>
>>> same error:
>>>
>>> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>>> .libs/mod_security2_la-msc_pcre.o
>>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>>> ‘pcre_extra’
>>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>>> ‘pcre_extra’
>>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>>> make[2]: Leaving directory
>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>> make[1]: *** [all] Error 2
>>> make[1]: Leaving directory
>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>> make: *** [all-recursive] Error 1
>>>
>>>
>>>
>>>
>>> On Mon, Feb 27, 2012 at 9:54 AM, Ryan Barnett
>>> <RBa...@tr...>wrote:
>>>
>>>>   Have to tried installing PCRE as a separate package and then pointing
>>>> ModSecurity configure flags to it?
>>>>
>>>>  --
>>>> Ryan Barnett
>>>>
>>>>   From: J M <jer...@gm...>
>>>> Reply-To: "mod...@li..." <
>>>> mod...@li...>
>>>> Date: Mon, 27 Feb 2012 08:29:24 -0600
>>>> To: "mod...@li..." <
>>>> mod...@li...>
>>>> Subject: [Mod-security-developers] Issue compiling
>>>> "modsecurity-apache_2.6.4-rc1"
>>>>
>>>>  Hi All,
>>>>
>>>>
>>>>   I was trying to use 2.6.3 and thought that moving to 2.6.4 will help,
>>>> unfortunately I'm stuck with the same issue:
>>>>
>>>>   Configure:
>>>>       ./configure --with-apxs=/usr/local/
>>>> apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
>>>> --with-apr=/usr/local/apache2/bin/apr-config
>>>>
>>>>   OS: Redhat 5 - 64bit
>>>>   Apache 2.0.64
>>>>
>>>>
>>>>   Error:
>>>>
>>>>   libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>>>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>>>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>>>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>>>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>>>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>>>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>>>> .libs/mod_security2_la-msc_pcre.o
>>>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>>>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>>>> ‘pcre_extra’
>>>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>>>> ‘pcre_extra’
>>>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>>>> make[2]: Leaving directory
>>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>>> make[1]: *** [all] Error 2
>>>> make[1]: Leaving directory
>>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>>> make: *** [all-recursive] Error 1
>>>>
>>>>
>>>>
>>>> tia,
>>>>
>>>>
>>>> ------------------------------
>>>> This transmission may contain information that is privileged,
>>>> confidential, and/or exempt from disclosure under applicable law. If you
>>>> are not the intended recipient, you are hereby notified that any
>>>> disclosure, copying, distribution, or use of the information contained
>>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>>> received this transmission in error, please immediately contact the
>>>> sender
>>>> and destroy the material in its entirety, whether in electronic or hard
>>>> copy format.
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> mod-security-developers mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>>>> ModSecurity Services from Trustwave's SpiderLabs:
>>>> https://www.trustwave.com/spiderLabs.php
>>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Try before you buy = See our experts in action!
>>> The most comprehensive online learning library for Microsoft developers
>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>> http://p.sf.net/sfu/learndevnow-dev2
>>> _______________________________________________
>>> mod-security-developers mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>>> ModSecurity Services from Trustwave's SpiderLabs:
>>> https://www.trustwave.com/spiderLabs.php
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[J M <jer...@gm...>]

at last.. now i was able to make it work....

just as reference...

if you do..

--with-pcre=/usr/local/bin/pcre-config

it still uses the pcre.h from the pcre built into apache..

i replaced the pcre.h from apache2/include with pcre.h of source
installation


tia,





On Mon, Feb 27, 2012 at 10:12 AM, Breno Silva <bre...@gm...> wrote:

> Where is your pcre headers (pcre.h etc ) ?  Can you try copy them to
> /usr/include ?
>
> Breno
>
>
> On Mon, Feb 27, 2012 at 9:03 AM, J M <jer...@gm...> wrote:
>
>> Yes, I did that as well..
>>
>> below is a snapshot or the previous compile:
>>
>> Use of uninitialized value in concatenation (.) or string at
>> /usr/local/apache2/bin/apxs line 237.
>> checking for libpcre config script... /usr/local/bin/pcre-config
>> configure: using pcre v8.21
>> checking for libapr config script... /usr/local/apache2/bin/apr-config
>> configure: using apr v0.9.19
>> checking for libapu config script... /usr/local/apache2/bin/apu-config
>> configure: using apu v0.9.19
>> checking for libxml2 config script... /usr/bin/xml2-config
>> configure: using libxml2 v2.6.26
>>
>> same error:
>>
>> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>> .libs/mod_security2_la-msc_pcre.o
>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>> ‘pcre_extra’
>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>> ‘pcre_extra’
>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>> make[2]: Leaving directory
>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>> make[1]: *** [all] Error 2
>> make[1]: Leaving directory
>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>> make: *** [all-recursive] Error 1
>>
>>
>>
>>
>> On Mon, Feb 27, 2012 at 9:54 AM, Ryan Barnett <RBa...@tr...>wrote:
>>
>>>   Have to tried installing PCRE as a separate package and then pointing
>>> ModSecurity configure flags to it?
>>>
>>>  --
>>> Ryan Barnett
>>>
>>>   From: J M <jer...@gm...>
>>> Reply-To: "mod...@li..." <
>>> mod...@li...>
>>> Date: Mon, 27 Feb 2012 08:29:24 -0600
>>> To: "mod...@li..." <
>>> mod...@li...>
>>> Subject: [Mod-security-developers] Issue compiling
>>> "modsecurity-apache_2.6.4-rc1"
>>>
>>>  Hi All,
>>>
>>>
>>>   I was trying to use 2.6.3 and thought that moving to 2.6.4 will help,
>>> unfortunately I'm stuck with the same issue:
>>>
>>>   Configure:
>>>       ./configure --with-apxs=/usr/local/
>>> apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
>>> --with-apr=/usr/local/apache2/bin/apr-config
>>>
>>>   OS: Redhat 5 - 64bit
>>>   Apache 2.0.64
>>>
>>>
>>>   Error:
>>>
>>>   libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>>> .libs/mod_security2_la-msc_pcre.o
>>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>>> ‘pcre_extra’
>>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>>> ‘pcre_extra’
>>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>>> make[2]: Leaving directory
>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>> make[1]: *** [all] Error 2
>>> make[1]: Leaving directory
>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>> make: *** [all-recursive] Error 1
>>>
>>>
>>>
>>> tia,
>>>
>>>
>>> ------------------------------
>>> This transmission may contain information that is privileged,
>>> confidential, and/or exempt from disclosure under applicable law. If you
>>> are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or use of the information contained
>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>> received this transmission in error, please immediately contact the sender
>>> and destroy the material in its entirety, whether in electronic or hard
>>> copy format.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Try before you buy = See our experts in action!
>>> The most comprehensive online learning library for Microsoft developers
>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>> http://p.sf.net/sfu/learndevnow-dev2
>>> _______________________________________________
>>> mod-security-developers mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>>> ModSecurity Services from Trustwave's SpiderLabs:
>>> https://www.trustwave.com/spiderLabs.php
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[J M <jer...@gm...>]

i have 3 pcre.h

/usr/include/pcre.h
/usr/local/include/pcre.h
/usr/local/src/httpd-2.0.64/srclib/pcre/pcre.h


1 is RPM based.. came from stock installation..
v 6.6
 ./configure --with-apxs=/usr/local/apache2/bin/apxs
--with-apu=/usr/local/apache2/bin/apu-config
--with-apr=/usr/local/apache2/bin/apr-config
--with-pcre=/usr/bin/pcre-config


1 from source..
v 8.21
 ./configure --with-apxs=/usr/local/apache2/bin/apxs
--with-apu=/usr/local/apache2/bin/apu-config
--with-apr=/usr/local/apache2/bin/apr-config
--with-pcre=/usr/local/bin/pcre-config


both resulted to the same error..

btw, i even used the version that comes with apache v3.9

tia,

On Mon, Feb 27, 2012 at 10:12 AM, Breno Silva <bre...@gm...> wrote:

> Where is your pcre headers (pcre.h etc ) ?  Can you try copy them to
> /usr/include ?
>
> Breno
>
>
> On Mon, Feb 27, 2012 at 9:03 AM, J M <jer...@gm...> wrote:
>
>> Yes, I did that as well..
>>
>> below is a snapshot or the previous compile:
>>
>> Use of uninitialized value in concatenation (.) or string at
>> /usr/local/apache2/bin/apxs line 237.
>> checking for libpcre config script... /usr/local/bin/pcre-config
>> configure: using pcre v8.21
>> checking for libapr config script... /usr/local/apache2/bin/apr-config
>> configure: using apr v0.9.19
>> checking for libapu config script... /usr/local/apache2/bin/apu-config
>> configure: using apu v0.9.19
>> checking for libxml2 config script... /usr/bin/xml2-config
>> configure: using libxml2 v2.6.26
>>
>> same error:
>>
>> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>> .libs/mod_security2_la-msc_pcre.o
>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>> ‘pcre_extra’
>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>> ‘pcre_extra’
>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>> make[2]: Leaving directory
>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>> make[1]: *** [all] Error 2
>> make[1]: Leaving directory
>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>> make: *** [all-recursive] Error 1
>>
>>
>>
>>
>> On Mon, Feb 27, 2012 at 9:54 AM, Ryan Barnett <RBa...@tr...>wrote:
>>
>>>   Have to tried installing PCRE as a separate package and then pointing
>>> ModSecurity configure flags to it?
>>>
>>>  --
>>> Ryan Barnett
>>>
>>>   From: J M <jer...@gm...>
>>> Reply-To: "mod...@li..." <
>>> mod...@li...>
>>> Date: Mon, 27 Feb 2012 08:29:24 -0600
>>> To: "mod...@li..." <
>>> mod...@li...>
>>> Subject: [Mod-security-developers] Issue compiling
>>> "modsecurity-apache_2.6.4-rc1"
>>>
>>>  Hi All,
>>>
>>>
>>>   I was trying to use 2.6.3 and thought that moving to 2.6.4 will help,
>>> unfortunately I'm stuck with the same issue:
>>>
>>>   Configure:
>>>       ./configure --with-apxs=/usr/local/
>>> apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
>>> --with-apr=/usr/local/apache2/bin/apr-config
>>>
>>>   OS: Redhat 5 - 64bit
>>>   Apache 2.0.64
>>>
>>>
>>>   Error:
>>>
>>>   libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>>> .libs/mod_security2_la-msc_pcre.o
>>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>>> ‘pcre_extra’
>>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>>> ‘pcre_extra’
>>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>>> make[2]: Leaving directory
>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>> make[1]: *** [all] Error 2
>>> make[1]: Leaving directory
>>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>>> make: *** [all-recursive] Error 1
>>>
>>>
>>>
>>> tia,
>>>
>>>
>>> ------------------------------
>>> This transmission may contain information that is privileged,
>>> confidential, and/or exempt from disclosure under applicable law. If you
>>> are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or use of the information contained
>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>> received this transmission in error, please immediately contact the sender
>>> and destroy the material in its entirety, whether in electronic or hard
>>> copy format.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Try before you buy = See our experts in action!
>>> The most comprehensive online learning library for Microsoft developers
>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>> http://p.sf.net/sfu/learndevnow-dev2
>>> _______________________________________________
>>> mod-security-developers mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>>> ModSecurity Services from Trustwave's SpiderLabs:
>>> https://www.trustwave.com/spiderLabs.php
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[Breno S. <bre...@gm...>]

Where is your pcre headers (pcre.h etc ) ?  Can you try copy them to
/usr/include ?

Breno

On Mon, Feb 27, 2012 at 9:03 AM, J M <jer...@gm...> wrote:

> Yes, I did that as well..
>
> below is a snapshot or the previous compile:
>
> Use of uninitialized value in concatenation (.) or string at
> /usr/local/apache2/bin/apxs line 237.
> checking for libpcre config script... /usr/local/bin/pcre-config
> configure: using pcre v8.21
> checking for libapr config script... /usr/local/apache2/bin/apr-config
> configure: using apr v0.9.19
> checking for libapu config script... /usr/local/apache2/bin/apu-config
> configure: using apu v0.9.19
> checking for libxml2 config script... /usr/bin/xml2-config
> configure: using libxml2 v2.6.26
>
> same error:
>
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
> mod_security2_la-msc_pcre.lo -MD -MP -MF
> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
> .libs/mod_security2_la-msc_pcre.o
> msc_pcre.c: In function ‘msc_pregcomp_ex’:
> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
> ‘pcre_extra’
> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
> ‘pcre_extra’
> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
> make[2]: Leaving directory
> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory
> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> make: *** [all-recursive] Error 1
>
>
>
>
> On Mon, Feb 27, 2012 at 9:54 AM, Ryan Barnett <RBa...@tr...>wrote:
>
>>   Have to tried installing PCRE as a separate package and then pointing
>> ModSecurity configure flags to it?
>>
>>  --
>> Ryan Barnett
>>
>>   From: J M <jer...@gm...>
>> Reply-To: "mod...@li..." <
>> mod...@li...>
>> Date: Mon, 27 Feb 2012 08:29:24 -0600
>> To: "mod...@li..." <
>> mod...@li...>
>> Subject: [Mod-security-developers] Issue compiling
>> "modsecurity-apache_2.6.4-rc1"
>>
>>  Hi All,
>>
>>
>>   I was trying to use 2.6.3 and thought that moving to 2.6.4 will help,
>> unfortunately I'm stuck with the same issue:
>>
>>   Configure:
>>       ./configure --with-apxs=/usr/local/
>> apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
>> --with-apr=/usr/local/apache2/bin/apr-config
>>
>>   OS: Redhat 5 - 64bit
>>   Apache 2.0.64
>>
>>
>>   Error:
>>
>>   libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
>> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
>> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
>> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
>> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
>> mod_security2_la-msc_pcre.lo -MD -MP -MF
>> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
>> .libs/mod_security2_la-msc_pcre.o
>> msc_pcre.c: In function ‘msc_pregcomp_ex’:
>> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
>> ‘pcre_extra’
>> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
>> ‘pcre_extra’
>> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
>> make[2]: Leaving directory
>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>> make[1]: *** [all] Error 2
>> make[1]: Leaving directory
>> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
>> make: *** [all-recursive] Error 1
>>
>>
>>
>> tia,
>>
>>
>> ------------------------------
>> This transmission may contain information that is privileged,
>> confidential, and/or exempt from disclosure under applicable law. If you
>> are not the intended recipient, you are hereby notified that any
>> disclosure, copying, distribution, or use of the information contained
>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>> received this transmission in error, please immediately contact the sender
>> and destroy the material in its entirety, whether in electronic or hard
>> copy format.
>>
>>
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[J M <jer...@gm...>]

Yes, I did that as well..

below is a snapshot or the previous compile:

Use of uninitialized value in concatenation (.) or string at
/usr/local/apache2/bin/apxs line 237.
checking for libpcre config script... /usr/local/bin/pcre-config
configure: using pcre v8.21
checking for libapr config script... /usr/local/apache2/bin/apr-config
configure: using apr v0.9.19
checking for libapu config script... /usr/local/apache2/bin/apu-config
configure: using apu v0.9.19
checking for libxml2 config script... /usr/bin/xml2-config
configure: using libxml2 v2.6.26

same error:
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
-D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
-I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
-DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
mod_security2_la-msc_pcre.lo -MD -MP -MF
.deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
.libs/mod_security2_la-msc_pcre.o
msc_pcre.c: In function ‘msc_pregcomp_ex’:
msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
‘pcre_extra’
msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
‘pcre_extra’
make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
make[2]: Leaving directory
`/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
make[1]: *** [all] Error 2
make[1]: Leaving directory
`/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
make: *** [all-recursive] Error 1




On Mon, Feb 27, 2012 at 9:54 AM, Ryan Barnett <RBa...@tr...>wrote:

>   Have to tried installing PCRE as a separate package and then pointing
> ModSecurity configure flags to it?
>
>  --
> Ryan Barnett
>
>   From: J M <jer...@gm...>
> Reply-To: "mod...@li..." <
> mod...@li...>
> Date: Mon, 27 Feb 2012 08:29:24 -0600
> To: "mod...@li..." <
> mod...@li...>
> Subject: [Mod-security-developers] Issue compiling
> "modsecurity-apache_2.6.4-rc1"
>
>  Hi All,
>
>
>   I was trying to use 2.6.3 and thought that moving to 2.6.4 will help,
> unfortunately I'm stuck with the same issue:
>
>   Configure:
>       ./configure --with-apxs=/usr/local/
> apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
> --with-apr=/usr/local/apache2/bin/apr-config
>
>   OS: Redhat 5 - 64bit
>   Apache 2.0.64
>
>
>   Error:
>
>   libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
> -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
> -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
> -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
> -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
> mod_security2_la-msc_pcre.lo -MD -MP -MF
> .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
> .libs/mod_security2_la-msc_pcre.o
> msc_pcre.c: In function ‘msc_pregcomp_ex’:
> msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
> ‘pcre_extra’
> msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
> ‘pcre_extra’
> make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
> make[2]: Leaving directory
> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory
> `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
> make: *** [all-recursive] Error 1
>
>
>
> tia,
>
>
> ------------------------------
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[Ryan B. <RBa...@tr...>]

Have to tried installing PCRE as a separate package and then pointing ModSecurity configure flags to it?

--
Ryan Barnett

From: J M <jer...@gm...<mailto:jer...@gm...>>
Reply-To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Date: Mon, 27 Feb 2012 08:29:24 -0600
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: [Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

Hi All,


  I was trying to use 2.6.3 and thought that moving to 2.6.4 will help, unfortunately I'm stuck with the same issue:

  Configure:
      ./configure --with-apxs=/usr/local/
apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config --with-apr=/usr/local/apache2/bin/apr-config

  OS: Redhat 5 - 64bit
  Apache 2.0.64


  Error:

  libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include -I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2 -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT mod_security2_la-msc_pcre.lo -MD -MP -MF .deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o .libs/mod_security2_la-msc_pcre.o
msc_pcre.c: In function ‘msc_pregcomp_ex’:
msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type ‘pcre_extra’
msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type ‘pcre_extra’
make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
make[2]: Leaving directory `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
make: *** [all-recursive] Error 1



tia,

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] Issue compiling "modsecurity-apache_2.6.4-rc1"

[J M <jer...@gm...>]

Hi All,


  I was trying to use 2.6.3 and thought that moving to 2.6.4 will help,
unfortunately I'm stuck with the same issue:

  Configure:
      ./configure --with-apxs=/usr/local/
apache2/bin/apxs  --with-apu=/usr/local/apache2/bin/apu-config
--with-apr=/usr/local/apache2/bin/apr-config

  OS: Redhat 5 - 64bit
  Apache 2.0.64


  Error:

  libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT
-D_GNU_SOURCE -I/usr/local/apache2/include -I/usr/local/apache2/include
-I/usr/local/apache2/include -I/usr/local/include -I/usr/include/libxml2
-DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500
-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -g -O2 -MT
mod_security2_la-msc_pcre.lo -MD -MP -MF
.deps/mod_security2_la-msc_pcre.Tpo -c msc_pcre.c  -fPIC -DPIC -o
.libs/mod_security2_la-msc_pcre.o
msc_pcre.c: In function ‘msc_pregcomp_ex’:
msc_pcre.c:70: error: invalid application of ‘sizeof’ to incomplete type
‘pcre_extra’
msc_pcre.c:74: error: invalid application of ‘sizeof’ to incomplete type
‘pcre_extra’
make[2]: *** [mod_security2_la-msc_pcre.lo] Error 1
make[2]: Leaving directory
`/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
make[1]: *** [all] Error 2
make[1]: Leaving directory
`/usr/local/src/modsecurity-apache_2.6.4-rc1/apache2'
make: *** [all-recursive] Error 1



tia,

[Mod-security-developers] Availability of ModSecurity 2.6.4-rc1 Release

[Breno S. <bre...@gm...>]

The ModSecurity Development Team is pleased to announce the availability of
ModSecurity 2.6.4-rc1 Release.
The stability of this release should be good and it includes some bug fixes
and small improvements for data sanitization.
Please see the release notes included into CHANGES file.

For known problems and more information about bug fixes, please see the
online ModSecurity Jira. Please report any bug to
mod...@li....

Thanks

Breno Silva

[Mod-security-developers] [JIRA] Resolved: (MODSEC-289) Add sanitiseMatchedBytes support to verifyCC/verifySSN/verifyCPF

[Breno S. P. (JIRA) <no...@mo...>]

     [ https://www.modsecurity.org/tracker/browse/MODSEC-289?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-289.
--------------------------------------

    Resolution: Fixed

> Add sanitiseMatchedBytes support to verifyCC/verifySSN/verifyCPF
> ----------------------------------------------------------------
>
>                 Key: MODSEC-289
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-289
>             Project: ModSecurity
>          Issue Type: Improvement
>      Security Level: Normal
>          Components: Operators
>    Affects Versions: 2.6.3
>            Reporter: Breno Silva Pinto
>            Assignee: Breno Silva Pinto
>             Fix For: 2.6.4
>
>


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira