Everything is compiled with the same version of VS.
Same result on CentOS 7 fully updated with the platform httpd and only MS custom compiled.
If I compile without --enable-request-early, phase 1 rules will actually run in phase 2, so the request body will indeed be received by httpd. This is the expected behaviour, no?
On 14-03-19 15:18, Felipe Zimmerle wrote:
Great, so we have:
Apache on Windows running a customized version of ModSecurity compiled with VisualStudio.
Let me ask you this: are the libApr, Apache and ModSecurity compiled with the same VisualStudio family?
Do the Apache binaries come from Apache Lounge? Without the "--enable-request-early" but, yet, with a custom Windows compilation, did you manage to see a different result?
Br.,
Felipe.
On Wed, Mar 13, 2019 at 5:24 AM Marc Stern <mar...@ap...> wrote:
I'm using the Apache version (also) under Windows.
I defined REQUEST_EARLY in Visual Studio.
Marc
On 13-03-19 03:01, Felipe Costa wrote:
How have you recompiled the Windows version with enable-request-early? What is your IIS version?
Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Marc Stern <mar...@ap...>
Reply-To: Marc Stern <mar...@ap...>
Date: Tuesday, March 12, 2019 at 12:39 PM
To: Felipe Costa <FC...@tr...>, "mod...@li..." <mod...@li...>
Subject: Re: Request body processed when blocking in phase 1
I reproduced this behaviour even in Windows with everything compiled together
Marc
On 11-03-19 14:22, Felipe Costa wrote:
I have seen the behavior that you have described in servers with APR version mismatch. Other than that, I did not manage to emulate such behavior.
Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity
________________________________
From: Marc Stern <mar...@ap...>
Sent: Thursday, February 28, 2019 11:49 AM
To: mod...@li...
Subject: [Mod-security-developers] Request body processed when blocking in phase 1
I'm running v 2.9.3 built with --enable-request-early to have phase 1
rules running before receiving the body.
If I send a huge body, the request is well blocked in phase 1 but
there's a huge processing time (10 min for 1.5 MB) on a strong machine
after hook_insert_error_filter()
Can somebody explain to me what could happen and/or how to troubleshoot that?
Isn't the phase 1 rule (with --enable-request-early) supposed to run
before the request body is received by httpd?
Here's the debug log (max level):
[28/Feb/2019:14:27:50 +0100] [...][4] Ctl: Set requestBodyAccess to 0.
[...]
[28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120).
[28/Feb/2019:14:37:20 +0100] [...][4] Skipping phase 3 as request was already intercepted.
error log:
[Thu Feb 28 14:27:50.864432 2019] [core:trace5] [pid 6060:tid 2008] protocol.c(614): [client ...] Request received from client: POST /... HTTP/1.1
[Thu Feb 28 14:37:20.529622 2019] [headers:debug] [pid 6060:tid 2008] mod_headers.c(908): AH01503: headers: ap_headers_error_filter()
Marc
_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
--
Br.,
Felipe Zimmerle
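To measure the stall visible in the debug log excerpt of the original message, the following added example (not part of the thread and not ModSecurity code) pairs each "Hook insert_error_filter: Adding output filter" entry with the first "Output filter: Receiving output" entry for the same request pointer and reports the delay. It assumes one log entry per line, as in the log file rather than the e-mail wrapping; the sample log is constructed from the excerpt, and the second request in it is made up.

```python
import re
from datetime import datetime

# Constructed sample modelled on the debug log excerpt in the original message.
# "[...]" stands for the fields elided there; the 24802a00000 request is made up.
SAMPLE_LOG = """\
[28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...]
[28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120).
[28/Feb/2019:14:27:51 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 24802a00000).
[28/Feb/2019:14:27:51 +0100] [...][9] Output filter: Receiving output (f 24802c90000, r 24802a00000).
[28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120).
"""

TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ADDED = re.compile(r"Hook insert_error_filter: Adding output filter \(r ([0-9a-fA-F]+)\)")
RECV = re.compile(r"Output filter: Receiving output \(f [0-9a-fA-F]+, r ([0-9a-fA-F]+)\)")


def filter_gaps(log_text):
    """Return [(request pointer, seconds)] from the error filter being added
    to the filter first receiving output for that same request."""
    pending, gaps = {}, []
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue  # not the start of a timestamped entry
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if (a := ADDED.search(line)):
            pending[a.group(1)] = when
        elif (r := RECV.search(line)) and r.group(1) in pending:
            # pop so that a reused pointer starts a fresh measurement
            start = pending.pop(r.group(1))
            gaps.append((r.group(1), (when - start).total_seconds()))
    return gaps


def stalled(log_text, threshold=5.0):
    """Requests whose gap exceeds `threshold` seconds, slowest first."""
    hits = [g for g in filter_gaps(log_text) if g[1] > threshold]
    return sorted(hits, key=lambda g: -g[1])


if __name__ == "__main__":
    for req, secs in stalled(SAMPLE_LOG):
        print(f"r {req}: {secs:.0f}s between insert_error_filter and first output")
```

Debug log timestamps have one-second resolution, so gaps below a second show as 0.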