mod-security-users Mailing List for ModSecurity (Page 463)
From: Russ L. <rl...@nc...> - 2007-05-16 03:17:33

Hello all,

I was just wondering how much modsecurity console is.

Thanks,
Russ
From: Christian B. <ch...@jw...> - 2007-05-15 16:22:48

On 15.05.2007 at 18:13, hanj wrote:
> Hello
>
> I have a question about a rule. Is there a way to add an additional
> condition to a rule? I'm guessing chain, but not quite sure how to pull this
> off. The rule in question is in 21_protocol_anomalies.conf. Currently,
> I'm using mon to monitor my server, and it's getting flagged because
> there is no Accept header in the request. I would like to still use
> this rule, but add another condition to exclude the IP address of the
> mon server?
>
> 21_protocol_anomalies.conf

You can as well use the "skip"-action and match a specific address. The skip action has a parameter N and will skip the next N rules in the same phase. Thus you can prepend a rule like

SecRule REMOTE_ADDR "a\.b\.c\.d$" "skip:1"

This rule will inherit the phase of the default-action and skip the subsequent rule that belongs to the same phase.

Regards,
Chris
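As an added example (not from the original post), both ways of exempting the monitoring host from the Accept-header check discussed above, written in ModSecurity 2.x syntax; the monitor address 192.0.2.10, the rule ids 900001/900002 and the explicit deny/status actions are assumptions.

```apache
# Added example, not from the original post. Assumes the monitoring host
# (mon) connects from 192.0.2.10 (placeholder) and uses placeholder rule
# ids 900001 and 900002; the deny/status actions are illustrative.

# Variant 1: skip. The first rule matches only the monitor and jumps over
# the next rule of the same phase, so the Accept check never runs for it.
# Both rules must be in the same phase, and skip counts rules, so a rule
# inserted between them later would silently become the one skipped.
SecRule REMOTE_ADDR "^192\.0\.2\.10$" "phase:2,pass,nolog,skip:1"
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "phase:2,deny,status:400,log,auditlog,msg:'Request Missing an Accept Header',severity:'2',id:'900001'"

# Variant 2: chain. The extra condition is a second rule in the chain;
# the request is denied only if it has no Accept header AND is not from
# the monitor. Disruptive actions and metadata go on the first rule of
# the chain only. This form does not depend on rule ordering.
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "phase:2,chain,deny,status:400,log,auditlog,msg:'Request Missing an Accept Header',severity:'2',id:'900002'"
SecRule REMOTE_ADDR "!^192\.0\.2\.10$"
```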
From: hanj <ma...@as...> - 2007-05-15 16:15:04

Hello

I have a question about a rule. Is there a way to add an additional condition to a rule? I'm guessing chain, but not quite sure how to pull this off. The rule in question is in 21_protocol_anomalies.conf. Currently, I'm using mon to monitor my server, and it's getting flagged because there is no Accept header in the request. I would like to still use this rule, but add another condition to exclude the IP address of the mon server?

21_protocol_anomalies.conf

SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header 1',severity:'2',id:'960015'"

so something like @eq 0 AND !xxx.xxx.xxx.xxx

Thanks in advance!
hanji
From: Brian R. <Bri...@br...> - 2007-05-15 15:56:13

Ryan Barnett wrote:
>> -----Original Message-----
>> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of hanj
>> Sent: Tuesday, May 15, 2007 11:36 AM
>> To: mod...@li...
>> Subject: Re: [mod-security-users] forbid uploads by default in 2.x [SOLVED]
>>
>> On Tue, 15 May 2007 08:32:49 -0400
>> "Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:
>>
>>> Hanji,
>>> The first item to note is that the HTTP_ variable syntax is not going to
>>> be supported any longer (it has actually been totally removed from the
>>> 2.2.0-dev1 release).
>>>
>>> So, you should use the REQUEST_HEADERS:Content-Type variable instead.
>>>
>>> Other than that, I would need to see more information about an upload.
>>> Do you have an audit_log entry of a successful upload?
>>
>> Interesting, I changed:
>>
>> SecRule HTTP_Content_Type "^multipart/form-data"
>>
>> to
>>
>> SecRule REQUEST_HEADERS:Content_Type "^multipart/form-data"
>>
>> and it worked. Could it be it's not supported in 2.1.1?
>
> [Ryan Barnett] No, it is still there in 2.1.1. My guess is that it
> would have worked if you used - HTTP_Content-Type instead. Some of the
> CGI style HTTP variables were a bit flakey if you used an underscore "_"
> vs a dash "-" in the variable name.

Yep, HTTP_Content-Type, not HTTP_CONTENT_TYPE. Support for HTTP_ CGI style vars is gone in 2.2.0 because it is too confusing and differently implemented than 1.9. In 1.9.x _ was changed to -, but that was not done in 2.x for some reason.

And that should have been: REQUEST_HEADERS:Content-Type (-, not _)

-B

--
Brian Rectanus
Breach Security
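An added example (not from the original thread) of forbidding multipart uploads by default with the REQUEST_HEADERS:Content-Type variable recommended above, then re-enabling them for a single upload handler; the rule id 900010 and the /upload/ path are placeholders.

```apache
# Added example, not from the original thread. Rule id 900010 and the
# /upload/ location are placeholders.

# Reject any request that announces a multipart body, i.e. a file upload,
# in phase 1 (request headers) so the body is never read. The header is
# addressed as REQUEST_HEADERS:Content-Type (dash, not underscore); the
# HTTP_ CGI-style names are being removed from 2.x and are best avoided.
# (?i) because media types are case-insensitive.
SecRule REQUEST_HEADERS:Content-Type "(?i)^multipart/form-data" \
    "phase:1,deny,status:403,log,auditlog,msg:'File uploads are not permitted here',id:'900010'"

# Re-enable uploads only where the application expects them. The rule is
# removed for this location only; everywhere else it keeps denying.
<Location /upload/>
    SecRuleRemoveById 900010
</Location>
```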
From: Brian R. <Bri...@br...> - 2007-05-15 15:51:55

Marc Stern wrote:
> I tried this:
>
> SecDefaultAction "phase:2,...,setenv:mod_sec_error=1,redirect:/error/security.html"
> [ ... all security rules ...]
> RewriteCond %{ENV:mod_sec_error} !^$
> RewriteRule ^(.*)$ %1SecurityID=%{UNIQUE_ID} [L,R]

Won't work because a redirect is done before the RewriteCond/RewriteRule. The UNIQUE_ID will be different anyway as it will be a new request from the browser.

> and even
>
> SecDefaultAction "phase:2,...,setenv:mod_sec_error=1,pass"
> [ ... all security rules ...]
> RewriteCond %{ENV:mod_sec_error} !^$
> RewriteRule ^.*$ /error/security.html?SecurityID=%{UNIQUE_ID} [L,R]
>
> but none of this works; I suppose there is a syntax problem.

RewriteEngine On? Enable and take a look at the RewriteLog with RewriteLogLevel 3.

> Anyway, the second try has a big drawback: it will process the request
> before redirecting it instead of blocking it immediately.
> Using SSI is obviously an easy solution, but I wouldn't like enabling
> SSI only for that.

You don't have to enable SSI, you could use any other CGI or other dynamic page. You could also only enable SSI for the /error/ directory.

Using an ErrorDocument is easiest because the UNIQUE_ID is already passed to it. When doing this you need to use the REDIRECT_* vars (see http://httpd.apache.org/docs/2.2/custom-error.html)

ErrorDocument 403 /error/security.cgi
SecDefaultAction "phase:2,...,deny,status:403"

#!/bin/sh
#
# security.cgi
#
echo "Content-Type: text/plain"
echo
echo "UNIQUE_ID: $REDIRECT_UNIQUE_ID"
...

-B

--
Brian Rectanus
Breach Security
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-15 15:48:47

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of hanj
> Sent: Tuesday, May 15, 2007 11:36 AM
> To: mod...@li...
> Subject: Re: [mod-security-users] forbid uploads by default in 2.x [SOLVED]
>
> On Tue, 15 May 2007 08:32:49 -0400
> "Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:
>
> > Hanji,
> > The first item to note is that the HTTP_ variable syntax is not going to
> > be supported any longer (it has actually been totally removed from the
> > 2.2.0-dev1 release).
> >
> > So, you should use the REQUEST_HEADERS:Content-Type variable instead.
> >
> > Other than that, I would need to see more information about an upload.
> > Do you have an audit_log entry of a successful upload?
>
> Interesting, I changed:
>
> SecRule HTTP_Content_Type "^multipart/form-data"
>
> to
>
> SecRule REQUEST_HEADERS:Content_Type "^multipart/form-data"
>
> and it worked. Could it be it's not supported in 2.1.1?

[Ryan Barnett] No, it is still there in 2.1.1. My guess is that it would have worked if you used - HTTP_Content-Type instead. Some of the CGI style HTTP variables were a bit flakey if you used an underscore "_" vs a dash "-" in the variable name.
From: Murch, J. <jm...@wi...> - 2007-05-15 15:45:34

Does anyone know of a starting point or document to help me to implement this?

Regards,
Jeff
From: hanj <ma...@as...> - 2007-05-15 15:37:00

On Tue, 15 May 2007 08:32:49 -0400
"Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:

> Hanji,
> The first item to note is that the HTTP_ variable syntax is not going to
> be supported any longer (it has actually been totally removed from the
> 2.2.0-dev1 release).
>
> So, you should use the REQUEST_HEADERS:Content-Type variable instead.
>
> Other than that, I would need to see more information about an upload.
> Do you have an audit_log entry of a successful upload?

Interesting, I changed:

SecRule HTTP_Content_Type "^multipart/form-data"

to

SecRule REQUEST_HEADERS:Content_Type "^multipart/form-data"

and it worked. Could it be it's not supported in 2.1.1?

Thanks!
hanji
From: Marc S. <mar...@ad...> - 2007-05-15 15:16:20

I tried this:

    SecDefaultAction "phase:2,...,setenv:mod_sec_error=1,redirect:/error/security.html"
    [ ... all security rules ...]
    RewriteCond %{ENV:mod_sec_error} !^$
    RewriteRule ^(.*)$ %1SecurityID=%{UNIQUE_ID} [L,R]

and even

    SecDefaultAction "phase:2,...,setenv:mod_sec_error=1,pass"
    [ ... all security rules ...]
    RewriteCond %{ENV:mod_sec_error} !^$
    RewriteRule ^.*$ /error/security.html?SecurityID=%{UNIQUE_ID} [L,R]

but none of this works; I suppose there is a syntax problem.

Anyway, the second try has a big drawback: it will process the request before redirecting it instead of blocking it immediately.
Using SSI is obviously an easy solution, but I wouldn't like enabling SSI only for that.

Marc
From: Christian B. <ch...@jw...> - 2007-05-15 14:47:43

Hi Gonen!

On 15.05.2007 at 16:10, Ryan Barnett wrote:
> ModSecurity can still be used for Virtual Patching if
> vulnerabilities are discovered in the future with Apache and/or
> with other modules that you may be using. A great example of this
> is the Chunked Encoding vuln awhile back.
> Don't forget - ModSecurity's Audit Engine is invaluable for
> auditing and trouble-shooting purposes as it captures the entire
> transaction data (request/response data including the POST payload
> contents) that is normally not present in standard logging mechanisms.

In addition to the things mentioned by Ryan you might probably find the "marketing"-rules of the core-ruleset interesting. These give information on crawler-access to your site and might be related to information-leakage.

See http://www.searchbistro.com/index.php?/archives/39-Hacking-With-Google-And-Other-Free-Courses.html and other examples. There are enough on the web. You can find them with google ;-)

This is probably not really related to web-application security, but concerns information security in general.

Regards,
Chris
From: Brian R. <Bri...@br...> - 2007-05-15 14:40:45

Mark Zealey wrote:
> Hi there,
>
> I've just been profiling some servers we're about to deploy, and I've
> been using `strace httpd -X` to look at the performance. When we run the
> server normally, the strace output is pretty short, but when we add
> mod_security2.1.1 to the mix (using gotroot.com rules, with one or two
> disabled but without the blacklists, and a few of our own rules), we get
> something like 1750 gettimeofday() calls, aprox every 50 microseconds,
> between the lstat64() of the file that has been requested (a 20-byte
> html file), and its open(). What is the purpose of these calls? I'm
> guessing it's something like regex speed debugging, but is it really
> needed? Is there some way to disable this in apache config or in source?

Turn off/down the debug_log and that will help as a gettimeofday is called for each log entry. You can do something like this (I'll change that for the next release as well):

Index: apache2/re.c =================================================================== --- apache2/re.c (revision 247) +++ apache2/re.c (working copy) @@ -1181,7 +1181,9 @@ var->value_len)); } - time_before_regex = apr_time_now(); /* IMP1 time_before_regex? */ + if (msr->txcfg->debuglog_level >= 4) { + time_before_regex = apr_time_now(); /* IMP1 time_before_regex? */ + } rc = rule->op_metadata->execute(msr, rule, var, &my_error_msg); if (msr->txcfg->debuglog_level >= 4) { msr_log(msr, 4, "Operator completed in %" APR_TIME_T_FMT " usec.",

I doubt it is that much overhead, but you could modify the record_time_checkpoint() function in apache2_util.c to not call apr_time_now() and then modify msc_logging.c to not set the Stopwatch header in the audit log.

Now, if you are just trying to filter this out of strace, use -e 'trace=!gettimeofday' :)

If you see a huge difference in your profiling, then let me know.

thanks,
-B

--
Brian Rectanus
Breach Security
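Review bot: in the apache2/re.c hunk, `time_before_regex` is now assigned only when `msr->txcfg->debuglog_level >= 4`, so any read of it outside that guard would see an indeterminate value; the `msr_log` call visible here sits under the same condition, but the rest of the function is not shown, so either initialize the variable at its declaration (e.g. `apr_time_t time_before_regex = 0;`) or confirm that every use of it is under an identical `debuglog_level >= 4` check. Evaluating the level test once into a local and using it for both the timing and the logging branch would keep the two guards from drifting apart in later edits.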
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-15 14:10:40

Excellent question. There are two reasons why I would still recommend installing and using ModSecurity even though you run a "static" site -

1. ModSecurity can still be used for Virtual Patching if vulnerabilities are discovered in the future with Apache and/or with other modules that you may be using. A great example of this is the Chunked Encoding vuln awhile back.

2. Don't forget - ModSecurity's Audit Engine is invaluable for auditing and trouble-shooting purposes as it captures the entire transaction data (request/response data including the POST payload contents) that is normally not present in standard logging mechanisms.

Hope this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Gonen Radai
Sent: Tuesday, May 15, 2007 9:58 AM
To: mod...@li...
Subject: [mod-security-users] plain html security - do i need mod security ?

Hi,
i have one server that has only one big site, that contains html only.
i'm not running any php\cgi\other server side scripts on this server.

do i need mod security on that server or plain html is not vulnerable (in modsecurity meanings) ?

thanks
gonen
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-15 14:05:59

Please review the following Blog post - http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Gonen Radai
Sent: Tuesday, May 15, 2007 9:58 AM
To: mod...@li...
Subject: [mod-security-users] installation of modsecurity console

Hi,

I downloaded the console from https://bsn.breach.com/ but i couldn't find any documentation about how to install it.

i installed it on a windows XP machine, and noticed it acts like a web server, but i don't know how to configure new sensors.

i found on the about page, a link to a perl script, which is supposed to do something in the server side (listening and sending log entries to the console) but it's said there that this script is not perfect, especially if you have a lot of servers which you want to monitor.

is that perl script the only way to get information to the console ? is there any other way ? if so - what is it and where is it documented ?

thanks,
gonen
From: Gonen R. <go...@gm...> - 2007-05-15 13:58:38

Hi,

I downloaded the console from https://bsn.breach.com/
but i couldn't find any documentation about how to install it.

i installed it on a windows XP machine, and noticed it acts like a web server, but i don't know how to configure new sensors.

i found on the about page, a link to a perl script, which is supposed to do something in the server side (listening and sending log entries to the console) but it's said there that this script is not perfect, especially if you have a lot of servers which you want to monitor.

is that perl script the only way to get information to the console ?
is there any other way ? if so - what is it and where is it documented ?

thanks,
gonen
From: Gonen R. <go...@gm...> - 2007-05-15 13:58:04

Hi,

i have one server that has only one big site, that contains html only.
i'm not running any php\cgi\other server side scripts on this server.

do i need mod security on that server or plain html is not vulnerable (in modsecurity meanings) ?

thanks
gonen
From: Avi A. <av...@br...> - 2007-05-15 12:55:23

Yes, we are aware of the problem. In fact, Ryan already came up with a fix to the regular expression, and we will put it in the next core rules version. In the meantime, replace the original rule (in file #20) with this one:

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    "chain,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

Avi

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Marc Stern
Sent: Tuesday, May 15, 2007 2:26 PM
To: Mod Security
Subject: [mod-security-users] Core rule 950107

Hello,

I had to disable this rule, as it forbids any % character in "normal" input forms, like "100%".
Could we fine-tune it in order to block some bad encodings ?

Marc

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: Michael R. <mre...@ot...> - 2007-05-15 12:52:54

Hi.

> Does anybody know a way to show the unique id generated by ModSecurity
> to the user, maybe via a redirection ?

I use server-side includes (via mod_include) to display the UNIQUE_ID in a custom error page. A description of that can be found at http://madwifi.org/wiki/FightingTracSpam#UsingUNIQUE_IDfortroubleshooting

Background: I use mod-security to block spam that is posted to our Trac-driven website. In case a request is blocked by one of my rules a custom error page is displayed. This page gives a short introduction why the page is shown, and also mentions the UNIQUE_ID in case a user wants to report a case of "false positive".

The description linked above refers to the "old" implementation of the spam filter, which relied on mod-security 1.8.7. Meanwhile we have switched to mod-security 2.x and thus I had to rework the rules - which works fine, but is not yet publicly documented. This should be no problem, as the basic concept of using mod_include to display the UNIQUE_ID is independent of the mod-security version you use. Nevertheless I'll try to update the description during the next weeks and post here once I'm done (it might be a "cool rules" candidate ;)).

hth

Bye, Mike
From: Christian B. <ch...@jw...> - 2007-05-15 12:36:40

This is from the unique-id documentation:

"Summary
This module provides a magic token for each request which is guaranteed to be unique across "all" requests under very specific conditions. The unique identifier is even unique across multiple machines in a properly configured cluster of machines. The environment variable UNIQUE_ID is set to the identifier for each request. Unique identifiers are useful for various reasons which are beyond the scope of this document."

This could be used to do a specific redirect. Imagine you have some rule in your setup that is making "problems" to the user.

SecRule "...." "..actions.."

You can add some variable to the scope of the request by adding

SecRule "...." "..actions...,setenv:trouble=1"

Then you can access the environment variable "trouble" and do a redirect based on this:

RewriteCond %{ENV:trouble} ^1$
RewriteRule .* /error.php?UniqueID=%{UNIQUE_ID} [R,L]

A similar setup can be found on http://www.jwall.org/re_proxy.jsp

Regards,
Chris

On 15.05.2007 at 14:19, Marc Stern wrote:
> Does anybody know a way to show the unique id generated by ModSecurity
> to the user, maybe via a redirection ?
> This would be very handy when trying to help a customer knowing he had
> the problem "between 2 and 3, on a page where you can upload a
> file ... etc.".
>
> Marc
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-15 12:33:31

Hanji,

The first item to note is that the HTTP_ variable syntax is not going to be supported any longer (it has actually been totally removed from the 2.2.0-dev1 release).

So, you should use the REQUEST_HEADERS:Content-Type variable instead.

Other than that, I would need to see more information about an upload. Do you have an audit_log entry of a successful upload?

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of hanj
> Sent: Tuesday, May 15, 2007 2:39 AM
> To: mod...@li...
> Subject: [mod-security-users] forbid uploads by default in 2.x
>
> Hello All
>
> I'm still working on the migration from 1.9.4 to 2.1.1. I'm trying to
> forbid uploads by default (referenced in 1.x configs)
>
> SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
>
> My new rule is:
>
> SecRule HTTP_Content_Type "^multipart/form-data"
>
> But uploads can still happen. Any ideas what the problem could be?
>
> Thanks!
> hanji
From: Marc S. <mar...@ad...> - 2007-05-15 12:19:32

Does anybody know a way to show the unique id generated by ModSecurity to the user, maybe via a redirection ?
This would be very handy when trying to help a customer knowing he had the problem "between 2 and 3, on a page where you can upload a file ... etc.".

Marc
From: Marc S. <mar...@ad...> - 2007-05-15 11:26:29

Hello,

I had to disable this rule, as it forbids any % character in "normal" input forms, like "100%".
Could we fine-tune it in order to block some bad encodings ?

Marc
From: Mark Z. <mar...@pi...> - 2007-05-15 10:18:30

Hi there,

I've just been profiling some servers we're about to deploy, and I've been using `strace httpd -X` to look at the performance. When we run the server normally, the strace output is pretty short, but when we add mod_security 2.1.1 to the mix (using gotroot.com rules, with one or two disabled but without the blacklists, and a few of our own rules), we get something like 1750 gettimeofday() calls, approximately every 50 microseconds, between the lstat64() of the file that has been requested (a 20-byte html file), and its open(). What is the purpose of these calls? I'm guessing it's something like regex speed debugging, but is it really needed? Is there some way to disable this in apache config or in source?

Thanks,

Mark

--
Mark Zealey
Product Development * Pipex Hosting
mar...@pi...

This mail is subject to this disclaimer: http://www.pipex.net/disclaimer.html
From: hanj <ma...@as...> - 2007-05-15 06:40:21

Hello All

I'm still working on the migration from 1.9.4 to 2.1.1. I'm trying to forbid uploads by default (referenced in 1.x configs)

SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

My new rule is:

SecRule HTTP_Content_Type "^multipart/form-data"

But uploads can still happen. Any ideas what the problem could be?

Thanks!
hanji
From: hanj <ma...@as...> - 2007-05-15 06:37:53

On Fri, 11 May 2007 07:11:44 -0400
"Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:

> > I just recently updated to 2.1.1 from 1.9.4 and no matter what I can't
> > get my approver script to be executed by mod_sec. I tried with both
> > SecUploadKeepFiles On and Off, nothing happens with both.
> [Ryan Barnett] What do you have SecTmpDir set to? Is it located within
> the chroot jail? Is it writable by the Apache process user?
> >
> > I added
> > ctl:debugLogLevel=9 and nothing shows up in my modsec_debug.log.
> [Ryan Barnett] This would indicate that the rule is not running then.
> If it did run, then it would show up. Can you provide a bit more
> context to exactly where this rule is placed within your entire ruleset?

Okay.. had a few minutes to get on this again tonight. You were absolutely correct. I went with the recommendation in the config for /var/log/msa, and of course that is not writable by apache in the chroot. I changed the value to /tmp, and it worked. I had some issues with the approver script, but in the end I was able to get it working.

Thanks for the info!!!
hanji
From: Brian R. <Bri...@br...> - 2007-05-14 20:34:28

Hello all.

I have just released the first development release of ModSecurity on the way to 2.2.0. Please read my blog entry for more details...

http://www.modsecurity.org/blog/

Thanks,
-B

--
Brian Rectanus
Breach Security