mod-security-users Mailing List for ModSecurity (Page 464)
From: hanj <ma...@as...> - 2007-05-15 06:40:21

Hello All,

I'm still working on the migration from 1.9.4 to 2.1.1. I'm trying to forbid uploads by default (referenced in 1.x configs):

    SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

My new rule is:

    SecRule HTTP_Content_Type "^multipart/form-data"

But uploads can still happen. Any ideas what the problem could be?

Thanks!
hanji
From: hanj <ma...@as...> - 2007-05-15 06:37:53

On Fri, 11 May 2007 07:11:44 -0400 "Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:

> > I just recently updated to 2.1.1 from 1.9.4 and no matter what I can't
> > get my approver script to be executed by mod_sec. I tried with both
> > SecUploadKeepFiles On and Off, nothing happens with both.
> [Ryan Barnett] What do you have SecTmpDir set to? Is it located within
> the chroot jail? Is it writable by the Apache process user?
>
> > I added
> > ctl:debugLogLevel=9 and nothing shows up in my modsec_debug.log.
> [Ryan Barnett] This would indicate that the rule is not running then.
> If it did run, then it would show up. Can you provide a bit more
> context to exactly where this rule is placed within your entire ruleset?

Okay.. had a few minutes to get on this again tonight. You were absolutely correct. I went with the recommendation in the config for /var/log/msa, and of course that is not writable by apache in the chroot. I changed the value to /tmp, and it worked. I had some issues with the approver script, but in the end I was able to get it working.

Thanks for the info!!!
hanji
From: Brian R. <Bri...@br...> - 2007-05-14 20:34:28

Hello all.

I have just released the first development release of ModSecurity on the way to 2.2.0. Please read my blog entry for more details...

http://www.modsecurity.org/blog/

Thanks,
-B

--
Brian Rectanus
Breach Security
From: Brian R. <Bri...@br...> - 2007-05-14 18:58:28

Vince Tingey wrote:
> Hi Everyone,
>
> My Mod Security Console stopped collecting logs from my web server. I
> have reset the console machine and restarted the web server daemon. I
> can't fully reboot the web server until a scheduled time. I have not
> changed anything recently, and I see log items on the web server, they
> are just not getting sent to the console any more. I saw a recent post
> on here about someone having the same problem, any fix yet or do I have
> to wait for the new collector script to come out?
>
> Thanks!
>

FYI, I am now accepting beta testers for the new mlogc log collector. If anyone is interested, send me a note off list.

-B

--
Brian Rectanus
Breach Security
From: Terje S. <te...@wa...> - 2007-05-14 17:39:55

Wow, very happy to hear that! And I don't even have to update my config, I did just that and the operator even has the same name... :)

On 5/14/07, Brian Rectanus <Bri...@br...> wrote:
>
> Terje Sannum wrote:
> > Hi,
> > I've just started to play with mod_security, and find it very useful.
> > But some of the things I want to use it for do not seem possible.
> > My first problem was to make rules that catch if certain client
> > parameters I've added to the session suddenly change. E.g. this rule:
> >
> > SecRule SESSION:ip !^%{REMOTE_ADDR}$
> >
> > Excuse me if I'm wrong, but I didn't find any suitable operator that
> > allows variables in the rule parameter. I think that would be a nice
> > feature. I solved it by making a new operator that does call
> > expand_macros on the parameter.
>
> Well, very good timing. I am releasing the first 2.2.0 development
> release today that has this feature in it :) See my blog entry later
> today. The operator is @streq. So you will be able to write this in
> 2.2.0:
>
> SecRule SESSION:ip !@streq %{REMOTE_ADDR}
>
> > My next problem is access to the data mod_ssl provides. I haven't looked
> > much into that yet, but the module provides several variables available
> > for logging and I would find it useful to have these available in
> > mod_security too. This seems more complicated, so any tips and comments
> > are very welcome... :)
>
> This feature is planned as well. Hopefully in 2.2.0.
>
> Try to access them via environment such as:
>
> SecRule ENV:SSL_PROTOCOL_VERSION ^YourPattern$
>
> -B
>
> --
> Brian Rectanus
> Breach Security
From: Brian R. <Bri...@br...> - 2007-05-14 17:03:41

Terje Sannum wrote:
> Hi,
> I've just started to play with mod_security, and find it very useful.
> But some of the things I want to use it for do not seem possible.
> My first problem was to make rules that catch if certain client
> parameters I've added to the session suddenly change. E.g. this rule:
>
> SecRule SESSION:ip !^%{REMOTE_ADDR}$
>
> Excuse me if I'm wrong, but I didn't find any suitable operator that
> allows variables in the rule parameter. I think that would be a nice
> feature. I solved it by making a new operator that does call
> expand_macros on the parameter.

Well, very good timing. I am releasing the first 2.2.0 development release today that has this feature in it :) See my blog entry later today. The operator is @streq. So you will be able to write this in 2.2.0:

    SecRule SESSION:ip !@streq %{REMOTE_ADDR}

> My next problem is access to the data mod_ssl provides. I haven't looked
> much into that yet, but the module provides several variables available
> for logging and I would find it useful to have these available in
> mod_security too. This seems more complicated, so any tips and comments
> are very welcome... :)

This feature is planned as well. Hopefully in 2.2.0.

Try to access them via environment such as:

    SecRule ENV:SSL_PROTOCOL_VERSION ^YourPattern$

-B

--
Brian Rectanus
Breach Security
From: Terje S. <te...@wa...> - 2007-05-14 16:54:55

Hi,

I've just started to play with mod_security, and find it very useful. But some of the things I want to use it for do not seem possible.

My first problem was to make rules that catch if certain client parameters I've added to the session suddenly change. E.g. this rule:

    SecRule SESSION:ip !^%{REMOTE_ADDR}$

Excuse me if I'm wrong, but I didn't find any suitable operator that allows variables in the rule parameter. I think that would be a nice feature. I solved it by making a new operator that does call expand_macros on the parameter.

My next problem is access to the data mod_ssl provides. I haven't looked much into that yet, but the module provides several variables available for logging and I would find it useful to have these available in mod_security too. This seems more complicated, so any tips and comments are very welcome... :)

-Terje
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-14 16:21:56

Can you run a sniffer (tcpdump or ngrep) to confirm if there is any traffic going from your web server to the console? If not, then it is a local problem.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Vince Tingey
> Sent: Monday, May 14, 2007 12:19 PM
> To: mod...@li...
> Subject: [mod-security-users] Mod_Security Console Stopped Working
>
> Hi Everyone,
>
> My Mod Security Console stopped collecting logs from my web server. I
> have reset the console machine and restarted the web server daemon. I
> can't fully reboot the web server until a scheduled time. I have not
> changed anything recently, and I see log items on the web server, they
> are just not getting sent to the console any more. I saw a recent post
> on here about someone having the same problem, any fix yet or do I have
> to wait for the new collector script to come out?
>
> Thanks!
>
> --
>
> Vince | Michael Smith Laboratories
> IT Systems Coordinator | University of British Columbia
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: Vince T. <vt...@ms...> - 2007-05-14 16:18:41

Hi Everyone,

My Mod Security Console stopped collecting logs from my web server. I have reset the console machine and restarted the web server daemon. I can't fully reboot the web server until a scheduled time. I have not changed anything recently, and I see log items on the web server, they are just not getting sent to the console any more. I saw a recent post on here about someone having the same problem, any fix yet or do I have to wait for the new collector script to come out?

Thanks!

--

Vince | Michael Smith Laboratories
IT Systems Coordinator | University of British Columbia
From: Brian K. <bp...@wi...> - 2007-05-14 02:43:45

I have two questions related to upgrading from 1.9.4 to 2.1.1:

1) I used to use an environment variable HTTP_MOD_SECURITY_MESSAGE to display a meaningful message to developers on certain trusted networks if they ran into one of the rules. This helped them to quickly identify a problem and work with me to fix either their code or my ruleset. I've found the setenv option in the new version but can't get any variable substitution working with it, so at most I can have a generic message that comes up. Is there a way to duplicate the msg variable to an environment variable?

2) I also used to virus scan files on upload using clamd. Since clamd needs to run as its own user on my setup, I relied on the fact that files were uploaded with 0640 permissions, and had the SecUploadDir set to a directory with the setgid bit on it so that the clamd daemon could scan the files using the approve script. It's hard to say for sure, but it seems that since I've updated to 2.1.1 files are uploaded with 0600 permissions and this setup doesn't work anymore. I could forgo the daemon and simply run clamscan, but that's much slower. Is the setting that controls file upload permissions configurable at all?

Thanks,
Brian
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-11 11:34:14

My mistake... Support for .htaccess files was discontinued in 2.x as it raised too many security issues.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: Mark Zealey [mailto:mar...@pi...]
> Sent: Friday, May 11, 2007 7:14 AM
> To: Ryan Barnett; mod...@li...
> Subject: RE: [mod-security-users] MODSEC_ENABLE and mod_security 2
>
> This doesn't seem to work as I get the same error as with trying the
> SecRuleEngine, namely the apache error 'SecRule not allowed here' (even
> when I specify AllowOverride All). I can't see any reference to
> .htaccess files in the docs.
>
> Mark
>
>
> --
> Mark Zealey -- Reseller & Dedicated Servers Developer
> Product Development * Pipex Hosting
> mar...@pi...
> This mail is subject to this disclaimer:
> http://www.pipex.net/disclaimer.html
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-11 11:12:23

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of hanj
> Sent: Friday, May 11, 2007 1:44 AM
> To: mod...@li...
> Subject: [mod-security-users] Issue with @inspectFile --- appears to not
> be using my approver script
>
> Hello
>
> I posted this as a reply to a thread from a long time ago.. and I think
> it's buried, so I thought I'd make a fresh post. Hope this is okay.. if
> not, I apologize in advance....
>
>
> I just recently updated to 2.1.1 from 1.9.4 and no matter what I can't
> get my approver script to be executed by mod_sec. I tried with both
> SecUploadKeepFiles On and Off, nothing happens with both.

[Ryan Barnett] What do you have SecTmpDir set to? Is it located within the chroot jail? Is it writable by the Apache process user?

> I added
> ctl:debugLogLevel=9 and nothing shows up in my modsec_debug.log.

[Ryan Barnett] This would indicate that the rule is not running then. If it did run, then it would show up. Can you provide a bit more context to exactly where this rule is placed within your entire ruleset?
From: Mark Z. <mar...@pi...> - 2007-05-11 11:11:56

This doesn't seem to work as I get the same error as with trying the SecRuleEngine, namely the apache error 'SecRule not allowed here' (even when I specify AllowOverride All). I can't see any reference to .htaccess files in the docs.

Mark

--
Mark Zealey -- Reseller & Dedicated Servers Developer
Product Development * Pipex Hosting
mar...@pi...
This mail is subject to this disclaimer:
http://www.pipex.net/disclaimer.html
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-11 11:02:27

You should be able to do this with Mod 2.x by using the "ctl" action - http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#N10F9B. You could place a rule in an .htaccess file that can disable the Mod rule engine for that URL location like this -

    SecRule REQUEST_URI "^/path/to/dir/" \
        phase:1,pass,nolog,t:none,ctl:ruleEngine=Off

Where "/path/to/dir/" is the directory location under your DocumentRoot that has the .htaccess file in it.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Mark Zealey
> Sent: Friday, May 11, 2007 6:51 AM
> To: mod...@li...
> Subject: [mod-security-users] MODSEC_ENABLE and mod_security 2
>
> Hi there,
>
> I've been looking around on google etc, but I can't seem to find any
> answers to this question! Basically, we run a shared hosting server
> protected by mod_security 1.9. I'm looking at upgrading to 2 (2.1.1) but
> we use an option on some accounts saying 'SetEnv MODSEC_ENABLE "Off"' in
> the .htaccess file, if they have certain scripts etc that break
> mod_security. This option is documented in the 1.9.3 docs, but I can't
> find any mention of a way to disable mod_security 2 in any of the docs.
> I've tried setting SecRuleEngine Off in .htaccess, and also
> SecFilterEngine, but this causes a 500 with apache saying that these
> directives can't exist in a .htaccess file. Needless to say, setting the
> environment variable has no effect. A grep of the source code shows that
> there are no checks for the environment variable; but there is nothing
> in the changelog saying that this feature has been removed?
>
> I guess then, I have two questions; firstly is there a way to disable
> mod_security 2 via .htaccess, and secondly is it possible to re-code the
> environment variable method as that would prevent us from having to
> change any .htaccess files that use this method to disable mod_security
> for their websites.
>
> Thanks,
>
> Mark
>
> --
> Mark Zealey -- Reseller & Dedicated Servers Developer
> Product Development * Pipex Hosting
> mar...@pi...
> This mail is subject to this disclaimer:
> http://www.pipex.net/disclaimer.html
From: Mark Z. <mar...@pi...> - 2007-05-11 10:48:43

Hi there,

I've been looking around on google etc, but I can't seem to find any answers to this question! Basically, we run a shared hosting server protected by mod_security 1.9. I'm looking at upgrading to 2 (2.1.1) but we use an option on some accounts saying 'SetEnv MODSEC_ENABLE "Off"' in the .htaccess file, if they have certain scripts etc that break mod_security. This option is documented in the 1.9.3 docs, but I can't find any mention of a way to disable mod_security 2 in any of the docs. I've tried setting SecRuleEngine Off in .htaccess, and also SecFilterEngine, but this causes a 500 with apache saying that these directives can't exist in a .htaccess file. Needless to say, setting the environment variable has no effect. A grep of the source code shows that there are no checks for the environment variable; but there is nothing in the changelog saying that this feature has been removed?

I guess then, I have two questions; firstly is there a way to disable mod_security 2 via .htaccess, and secondly is it possible to re-code the environment variable method, as that would prevent us from having to change any .htaccess files that use this method to disable mod_security for their websites.

Thanks,

Mark

--
Mark Zealey -- Reseller & Dedicated Servers Developer
Product Development * Pipex Hosting
mar...@pi...
This mail is subject to this disclaimer:
http://www.pipex.net/disclaimer.html
From: hanj <ma...@as...> - 2007-05-11 05:44:55

Hello

I posted this as a reply to a thread from a long time ago.. and I think it's buried, so I thought I'd make a fresh post. Hope this is okay.. if not, I apologize in advance....

I just recently updated to 2.1.1 from 1.9.4 and no matter what I can't get my approver script to be executed by mod_sec. I tried with both SecUploadKeepFiles On and Off, nothing happens with both. I added ctl:debugLogLevel=9 and nothing shows up in my modsec_debug.log. All other rule handling seems to work as expected, but sending 'good' and 'bad' files.. they all are being uploaded to the server. It almost appears that mod_sec is not executing the file at all. I'm also using mod_chroot and the environment is chroot'd. My approver script and associated binaries are in the jail.

    SecRule FILES_TMPNAMES "@inspectFile /approver/file.sh" \
        "t:none,ctl:debugLogLevel=9"

I also tried

    SecRule FILES_TMPNAMES "@inspectFile /approver/file.sh" "phase:2,log,deny,t:none"

Nothing happens with either change and the file is successfully uploaded.

Here are my relevant packages:
apache-2.0.58-r2
mod_security-2.1.1
mod_chroot-0.4

I also noticed if I move file.sh to file.sh.dump, it doesn't even complain that it's not there. I rolled back to mod_security-1.9.4 to verify that the approver script is readable/executable in the chroot, and it worked flawlessly. It has to be something simple.

Thanks for your help!!!!
From: Ofer S. <OferS@Breach.com> - 2007-05-10 20:55:20

Danett Song wrote:
>
> 3] I saw a post from Ivan Ristic where he pointed out the
> following:
>
> >To fix this you need to install three rules:
>
> >1.1) One rule to only accept "userid" as a valid
> >parameter name.
>
> >1.2) One rule to check that only one parameter with
> >such name is provided.
>
> >1.3) Finally one rule to make sure what is in the
> >parameter is a number.
>
> >Doing this will not only prevent the known SQL
> >injection problem but also all other problems that
> >might exist and you don't know about.
>
> I never thought it could be done with mod_security,
> can you please show me an example of how to implement
> these 3 steps. It's really interesting.
>

Writing such rules is pretty easy and pretty basic to ModSecurity. I think you need to elaborate more on what you are looking for that you thought was impossible with ModSecurity.

>
> 4] As discussed here before PHP IDS is really nice and
> has some nice rules, that detect some variations of
> attacks that mod_security doesn't, as it uses regexps,
> I think that some rules can be learned from the other
> project, for people who develop mod_security give a
> try to this demo site:
>
> http://phpids.heideri.ch/
>
> I think some rules in mod_security can be enhanced
> using it, not? :)

We are happy to learn from anyone, however:

- I am not sure he has already actually released the code yet. It is only a preview.
- There is always a licensing issue. We can't just copy anything if it does not have the right license.

~ Ofer
From: hanj <ma...@as...> - 2007-05-10 19:55:56

On Sat, 24 Feb 2007 10:41:18 +0530 <Aru...@co...> wrote:
> Hi Ariel
>
> We can use a shell script to inspect the files....can u tell me in secdefaultaction what phase u have applied...generally inspect upload files will run only in phase 2
>
> In our environment i use the below rule to inspect the file
> SecTmpDir /tmp
> SecRule FILES_TMPNAMES "@inspectFile /bin/uploadparse.sh" "phase:2,log,deny,t:none"
> SecUploadKeepFiles On
>
> One more problem i am facing in the above rule is if i turn Off the SecUploadKeepFiles then inspect files is not running...regarding this issue i sent out a mail to this group but i have not got any reply.
>
> Regards,
> Arun

Hello

I just recently updated to 2.1.1 from 1.9.4 and no matter what I can't get my approver script to be executed by mod_sec. I tried with both SecUploadKeepFiles On and Off, nothing happens with both. I added ctl:debugLogLevel=9 and nothing shows up in my modsec_debug.log. All other rule handling seems to work as expected, but sending 'good' and 'bad' files.. they all are being uploaded to the server. It almost appears that mod_sec is not executing the file at all. I'm also using mod_chroot and the environment is chroot'd. My approver script and associated binaries are in the jail.

    SecRule FILES_TMPNAMES "@inspectFile /approver/file.sh" \
        "t:none,ctl:debugLogLevel=9"

I also tried

    SecRule FILES_TMPNAMES "@inspectFile /approver/file.sh" "phase:2,log,deny,t:none"

Nothing happens with either change and the file is successfully uploaded.

Here are my relevant packages:
apache-2.0.58-r2
mod_security-2.1.1
mod_chroot-0.4

I also noticed if I move file.sh to file.sh.dump, it doesn't even complain that it's not there. I rolled back to mod_security-1.9.4 to verify that the approver script is readable/executable in the chroot, and it worked flawlessly. It has to be something simple.

Thanks for your help!!!!
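The thread above describes the @inspectFile contract in pieces (rule in phase 2, script inside the chroot, SecTmpDir writable by the Apache user) without showing what the approver itself has to do. The following is an added example written for this page, not a script from the ModSecurity project or from any poster: ModSecurity 2.x invokes the approver once per uploaded file with the path of the temporary copy (under SecTmpDir) as the only argument, and reads one line of output whose first character is 1 (accept) or 0 (reject), with any following text used as the log message. The size limit, the magic-number list and the script name are illustrative choices for the example; a production approver would hand the file to a scanner such as clamdscan at the same point. It would be wired in with a rule of the same shape as Arun's and hanj's, e.g. SecRule FILES_TMPNAMES "@inspectFile /approver/file.py" "phase:2,log,deny,t:none", with SecRequestBodyAccess On and the script and its interpreter present inside the chroot.

```python
#!/usr/bin/env python3
"""Added example: a minimal upload approver for ModSecurity 2.x @inspectFile.

ModSecurity passes the temporary file's path as argv[1] and reads a single
line: a leading "1" accepts the upload, a leading "0" rejects it, and the
rest of the line becomes the log message.  The checks below are constructed
for illustration and are not part of any ModSecurity distribution.
"""
import os
import sys

MAX_BYTES = 2 * 1024 * 1024  # hypothetical policy: reject uploads over 2 MiB

# Hypothetical policy: reject native executables regardless of file extension.
FORBIDDEN_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "DOS/Windows executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}


def inspect_file(path):
    """Return the single output line expected by @inspectFile."""
    # A missing or unreadable file usually means SecTmpDir is outside the
    # chroot or not writable by the Apache user; fail closed and say so,
    # because a silent "1" here would let every upload through.
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        return "0 approver: cannot read %s (check SecTmpDir and permissions)" % path

    size = os.path.getsize(path)
    if size > MAX_BYTES:
        return "0 approver: file too large (%d bytes)" % size

    with open(path, "rb") as fh:
        head = fh.read(8)

    for magic, label in FORBIDDEN_MAGIC.items():
        if head.startswith(magic):
            return "0 approver: rejected %s" % label

    return "1 approver: OK (%d bytes)" % size


if __name__ == "__main__":
    # ModSecurity passes exactly one argument: the temporary file's path.
    if len(sys.argv) != 2:
        print("0 approver: expected one file argument")
        sys.exit(0)
    print(inspect_file(sys.argv[1]))
```

The decision is printed, not signalled through the exit status, because that is the channel ModSecurity reads; the unreadable-file branch is what turns hanj's silent failure (nothing in the debug log, file accepted) into a logged denial.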
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-10 14:14:28

In response to some of the mail-list queries concerning the performance issues with the open source Console, I have made a Blog post entry with some tuning steps that can be made to help alleviate this problem - http://www.modsecurity.org/blog/archives/2007/05/modsecurity_con_2.html

Let me know if there are any questions.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
From: Christian B. <ch...@jw...> - 2007-05-10 13:58:24

On 10.05.2007 at 15:50, Christian Bockermann wrote:
>> 3] I saw a post from Ivan Ristic where he pointed out the
>> following:
>>
>>> To fix this you need to install three rules:
>>
>>> 1.1) One rule to only accept "userid" as a valid
>>> parameter name.
>>
>>> 1.2) One rule to check that only one parameter with
>>> such name is provided.
>>
>>> 1.3) Finally one rule to make sure what is in the
>>> parameter is a number.
>>
>>> Doing this will not only prevent the known SQL
>>> injection problem but also all other problems that
>>> might exist and you don't know about.
>>
>> I never thought it could be done with mod_security,
>> can you please show me an example of how to implement
>> these 3 steps. It's really interesting.
>>
>
>
> Looking at your list, the first thing can be done by
> this rule:
>
> SecRule ARGS_NAMES !(userid) "phase:2,deny"
>
> If you want to provide a set of parameters p1,...,pN to
> a url you can do this by
>
> SecRule ARGS_NAMES !(p1|...|pN) "phase:2,deny"
>
> To check that a parameter "userid" is specified only
> once, you can use
>
> SecRule &ARGS:userid "!@eq 1" "phase:2,deny"
>
> if the parameter is optional then you are better off with
>
> SecRule &ARGS:userid "@gt 1" "phase:2,deny"
>
>
> Last, but not least, you need to check the parameter's
> value:
>
> SecRule ARGS:userid ![0-9]* "phase:2,deny"
>
> This allows the parameter to be an integer of arbitrary
> length. You can limit the length to a range by using
>
> SecRule ARGS:userid ![0-9]{min,max} "phase:2,deny"
>
> where min and max are positive integers.
>

Just as a short correction, the checks should better be done with the use of string delimiters, i.e.

    SecRule ARGS:userid !^[0-9]*$ ...

instead of the way I wrote before. This is more restrictive and matches your purpose much better ;-)

Same thing applies for the other rules as well, like using ^(p1|...|pN)$ and so on.

Regards,
Chris
From: Christian B. <ch...@jw...> - 2007-05-10 13:50:52

Hi Danett!

On 10.05.2007 at 09:19, Danett song wrote:
> 2] I saw a post in the blog called "Handling False
> Positives and Creating Custom Rules" where it teaches
> how to deal with and manage false positives. However when
> we have a multi domain site, is it possible to generate these
> exceptions by domain?
>
> For example in the vhost for domain www1.site.com the
> XSS rules get like in the default core rules, but in
> vhost info.site.com they generate a false positive, so
> is it possible to create it by domain?
>

The most straightforward solution for this would be to include the rules within the config of each virtual host. However, there are directives that do not work in virtual hosts and have to be set outside. (IIRC this is the case for SecTempDir, for example.)

> 3] I saw a post from Ivan Ristic where he pointed out the
> following:
>
>> To fix this you need to install three rules:
>
>> 1.1) One rule to only accept "userid" as a valid
>> parameter name.
>
>> 1.2) One rule to check that only one parameter with
>> such name is provided.
>
>> 1.3) Finally one rule to make sure what is in the
>> parameter is a number.
>
>> Doing this will not only prevent the known SQL
>> injection problem but also all other problems that
>> might exist and you don't know about.
>
> I never thought it could be done with mod_security,
> can you please show me an example of how to implement
> these 3 steps. It's really interesting.
>

Looking at your list, the first thing can be done by this rule:

    SecRule ARGS_NAMES !(userid) "phase:2,deny"

If you want to provide a set of parameters p1,...,pN to a url you can do this by

    SecRule ARGS_NAMES !(p1|...|pN) "phase:2,deny"

To check that a parameter "userid" is specified only once, you can use

    SecRule &ARGS:userid "!@eq 1" "phase:2,deny"

if the parameter is optional then you are better off with

    SecRule &ARGS:userid "@gt 1" "phase:2,deny"

Last, but not least, you need to check the parameter's value:

    SecRule ARGS:userid ![0-9]* "phase:2,deny"

This allows the parameter to be an integer of arbitrary length. You can limit the length to a range by using

    SecRule ARGS:userid ![0-9]{min,max} "phase:2,deny"

where min and max are positive integers.

These rules are set to be in phase 2 as they also check parameters that are passed in the request body. For this to work you need to enable body access:

    SecRequestBodyAccess On

Another thing to note is that accessing parameters by use of the ARGS collection does not distinguish between GET and POST parameters (QueryString vs. REQ-body). This will hopefully be enhanced in future versions. (Nice thing would be GET_ARGS and POST_ARGS for example.)

Regards,
Chris
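The three checks above (allowed parameter names, exactly one occurrence, numeric value) and the follow-up correction about anchoring are easy to get subtly wrong, because ModSecurity's regex operator is a search rather than a whole-string match. The block below is an added example written for this page, not ModSecurity code and not from any poster: it is a small Python model of the same three rules, applied to constructed query strings, so the behaviour of the anchored and unanchored value patterns can be compared offline. The "userid" policy, the 1-10 digit length range and the sample requests are assumptions made for the example.

```python
"""Added example: a Python model of the three SecRule checks from the thread
(ARGS_NAMES allow-list, &ARGS:userid count, ARGS:userid value pattern).
Not ModSecurity code; it mirrors the rule semantics so the regex behaviour
can be checked offline.  Policy and inputs are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl

# Hypothetical policy for one URL: only "userid" is accepted as a parameter
# name, it must appear exactly once, and its value must be 1 to 10 digits.
NAME_PATTERN = re.compile(r"^(userid)$")          # anchored form of !(userid)
VALUE_PATTERN_ANCHORED = re.compile(r"^[0-9]{1,10}$")
# The unanchored form first posted, [0-9]*, kept to show why it is wrong:
# it matches the empty string, so it matches *somewhere* in every value.
VALUE_PATTERN_UNANCHORED = re.compile(r"[0-9]*")


def check_request(query, value_pattern=VALUE_PATTERN_ANCHORED):
    """Return the list of rules that would fire for a query string.

    An empty list means the request passes.  parse_qsl keeps duplicate
    names, which is what makes the count check meaningful.
    """
    args = parse_qsl(query, keep_blank_values=True)
    violations = []

    # Rule 1: SecRule ARGS_NAMES !^(userid)$ "phase:2,deny"
    for name, _ in args:
        if not NAME_PATTERN.search(name):
            violations.append("ARGS_NAMES: unexpected parameter %r" % name)

    # Rule 2: SecRule &ARGS:userid "!@eq 1" "phase:2,deny"
    count = sum(1 for name, _ in args if name == "userid")
    if count != 1:
        violations.append("&ARGS:userid: expected 1 occurrence, got %d" % count)

    # Rule 3: SecRule ARGS:userid !<pattern> "phase:2,deny"
    # A negated regex rule fires only when the pattern matches nowhere in
    # the value, exactly like re.search returning None here.
    for name, value in args:
        if name == "userid" and not value_pattern.search(value):
            violations.append("ARGS:userid: value %r is not numeric" % value)

    return violations
```

Running check_request("userid=1 OR 1=1") with the default anchored pattern reports the value as non-numeric, while the same call with VALUE_PATTERN_UNANCHORED returns no violations at all: the pattern finds an empty match at offset 0, the negation never fires, and the injection string sails through. That is the whole content of the anchoring correction.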
From: Christian F. <chr...@ti...> - 2007-05-10 10:08:59
|
On Thu, May 10, 2007 at 04:19:31AM -0300, Danett song wrote: > The (most part) of the input that generated it is > valid and is like this one: >=20 > title=3DVamos+estabelecer+servi%E7os+prestados+e+as+Ag%EAncias+tomaram+Pr= ovid%EAncias&date=3D22%2F07%2F2007&news=3D%3Cp+align%3D%22justify%22%3ENa+%= 26uacute%3Bltima+semana%2C+antes+da+unifica%26ccedil%3B%26atilde%3Bo+da+nov= a+equipe+para+saber+mais+%28link+dispon%26iacute%3Bvel+na+p%26aacute%3Bgina= +restrita%2C+em+%26ldquo%3Batos+normativos%26rdquo%3B%29.+%3Cbr >=20 > The system doesn't work well for latin users who speak > Portuguese, cause we use =C3=A1, =C3=A9, =C3=AD, =C3=BA, =C3=81, =C3=89, = =C3=8D, =C3=9A, =C3=A2, =C3=B4, > =C3=82, =C3=94, =C3=A0, =C3=81, =C3=A7, =C3=87. I have done a regex, that checks for these characters - among others. =20 It boils down to the following characters being valid: \x09\0A\x0D\x20-\x7E\x80\x82-\x8C\x8E\x91-\x9C\x9E\x9F\xA1-\xAC\xAE-\xFF This is based on the following table (long). Maybe it is of some help. 
Christian

code  char  valid  note
\x00  NUL   no     escape sequence
\x01  SOH   no     escape sequence
\x02  STX   no     escape sequence
\x03  ETX   no     escape sequence
\x04  EOT   no     escape sequence
\x05  ENQ   no     escape sequence
\x06  ACK   no     escape sequence
\x07  BEL   no     escape sequence
\x08  BS    no     escape sequence
\x09  TAB   yes
\x0A  LF    yes
\x0B  VT    no     escape sequence
\x0C  FF    no     escape sequence
\x0D  CR    yes
\x0E  SO    no     escape sequence
\x0F  SI    no     escape sequence
\x10  DLE   no     escape sequence
\x11  DC1   no     escape sequence
\x12  DC2   no     escape sequence
\x13  DC3   no     escape sequence
\x14  DC4   no     escape sequence
\x15  NAK   no     escape sequence
\x16  SYN   no     escape sequence
\x17  ETB   no     escape sequence
\x18  CAN   no     escape sequence
\x19  EM    no     escape sequence
\x1A  SUB   no     escape sequence
\x1B  Esc   no     escape sequence
\x1C  FS    no     escape sequence
\x1D  GS    no     escape sequence
\x1E  RS    no     escape sequence
\x1F  US    no     escape sequence
\x20  SP    yes
\x21  !     yes
\x22  "     yes
\x23  #     yes
\x24  $     yes
\x25  %     yes
\x26  &     yes
\x27  '     yes
\x28  (     yes
\x29  )     yes
\x2A  *     yes
\x2B  +     yes
\x2C  ,     yes
\x2D  -     yes
\x2E  .     yes
\x2F  /     yes
\x30  0     yes
\x31  1     yes
\x32  2     yes
\x33  3     yes
\x34  4     yes
\x35  5     yes
\x36  6     yes
\x37  7     yes
\x38  8     yes
\x39  9     yes
\x3A  :     yes
\x3B  ;     yes
\x3C  <     yes
\x3D  =     yes
\x3E  >     yes
\x3F  ?     yes
\x40  @     yes
\x41  A     yes
\x42  B     yes
\x43  C     yes
\x44  D     yes
\x45  E     yes
\x46  F     yes
\x47  G     yes
\x48  H     yes
\x49  I     yes
\x4A  J     yes
\x4B  K     yes
\x4C  L     yes
\x4D  M     yes
\x4E  N     yes
\x4F  O     yes
\x50  P     yes
\x51  Q     yes
\x52  R     yes
\x53  S     yes
\x54  T     yes
\x55  U     yes
\x56  V     yes
\x57  W     yes
\x58  X     yes
\x59  Y     yes
\x5A  Z     yes
\x5B  [     yes
\x5C  \     yes
\x5D  ]     yes
\x5E  ^     yes
\x5F  _     yes
\x60  `     yes
\x61  a     yes
\x62  b     yes
\x63  c     yes
\x64  d     yes
\x65  e     yes
\x66  f     yes
\x67  g     yes
\x68  h     yes
\x69  i     yes
\x6A  j     yes
\x6B  k     yes
\x6C  l     yes
\x6D  m     yes
\x6E  n     yes
\x6F  o     yes
\x70  p     yes
\x71  q     yes
\x72  r     yes
\x73  s     yes
\x74  t     yes
\x75  u     yes
\x76  v     yes
\x77  w     yes
\x78  x     yes
\x79  y     yes
\x7A  z     yes
\x7B  {     yes
\x7C  |     yes
\x7D  }     yes
\x7E  ~     yes
\x7F  DEL   no     escape sequence
\x80  ¿     yes
\x81  ¿     no     do not know what it is
\x82  ¿     yes
\x83  ¿     yes
\x84  ¿     yes
\x85  ¿     yes
\x86  ¿     yes
\x87  ¿     yes
\x88  ¿     yes
\x89  ¿     yes
\x8A  ¿     yes
\x8B  ¿     yes
\x8C  ¿     yes
\x8D  ¿     no     do not know what it is
\x8E  ¿     yes
\x8F  ¿     no     do not know what it is
\x90  ¿     no     do not know what it is
\x91  ¿     yes
\x92  ¿     yes
\x93  ¿     yes
\x94  ¿     yes
\x95  ¿     yes
\x96  ¿     yes
\x97  ¿     yes
\x98  ¿     yes
\x99  ¿     yes
\x9A  ¿     yes
\x9B  ¿     yes
\x9C  ¿     yes
\x9D  ¿     no     do not know what it is
\x9E  ¿     yes
\x9F  ¿     yes
\xA0  NBSP  no     do not know what it is
\xA1  ¡     yes
\xA2  ¢     yes
\xA3  £     yes
\xA4  ¤     yes
\xA5  ¥     yes
\xA6  ¦     yes
\xA7  §     yes
\xA8  ¨     yes
\xA9  ©     yes
\xAA  ª     yes
\xAB  «     yes
\xAC  ¬     yes
\xAD  SHY   no     do not know what it is
\xAE  ®     yes
\xAF  ¯     yes
\xB0  °     yes
\xB1  ±     yes
\xB2  ²     yes
\xB3  ³     yes
\xB4  ´     yes
\xB5  µ     yes
\xB6  ¶     yes
\xB7  ·     yes
\xB8  ¸     yes
\xB9  ¹     yes
\xBA  º     yes
\xBB  »     yes
\xBC  ¼     yes
\xBD  ½     yes
\xBE  ¾     yes
\xBF  ¿     yes
\xC0  À     yes
\xC1  Á     yes
\xC2  Â     yes
\xC3  Ã     yes
\xC4  Ä     yes
\xC5  Å     yes
\xC6  Æ     yes
\xC7  Ç     yes
\xC8  È     yes
\xC9  É     yes
\xCA  Ê     yes
\xCB  Ë     yes
\xCC  Ì     yes
\xCD  Í     yes
\xCE  Î     yes
\xCF  Ï     yes
\xD0  Ð     yes
\xD1  Ñ     yes
\xD2  Ò     yes
\xD3  Ó     yes
\xD4  Ô     yes
\xD5  Õ     yes
\xD6  Ö     yes
\xD7  ×     yes
\xD8  Ø     yes
\xD9  Ù     yes
\xDA  Ú     yes
\xDB  Û     yes
\xDC  Ü     yes
\xDD  Ý     yes
\xDE  Þ     yes
\xDF  ß     yes
\xE0  à     yes
\xE1  á     yes
\xE2  â     yes
\xE3  ã     yes
\xE4  ä     yes
\xE5  å     yes
\xE6  æ     yes
\xE7  ç     yes
\xE8  è     yes
\xE9  é     yes
\xEA  ê     yes
\xEB  ë     yes
\xEC  ì     yes
\xED  í     yes
\xEE  î     yes
\xEF  ï     yes
\xF0  ð     yes
\xF1  ñ     yes
\xF2  ò     yes
\xF3  ó     yes
\xF4  ô     yes
\xF5  õ     yes
\xF6  ö     yes
\xF7  ÷     yes
\xF8  ø     yes
\xF9  ù     yes
\xFA  ú     yes
\xFB  û     yes
\xFC  ü     yes
\xFD  ý     yes
\xFE  þ     yes
\xFF  ÿ     yes
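Christian's accepted set, written as a ModSecurity 2.x rule; this is an added example, not a rule from the thread. It assumes the "outside range: 1-255" alert in Danett's post came from a Core Rules `@validateByteRange` check, that the site submits parameters as single-byte Latin-1/Windows-1252 text, and the rule id is a placeholder.

```apache
# Added example: the character class
#   \x09\x0A\x0D\x20-\x7E\x80\x82-\x8C\x8E\x91-\x9C\x9E\x9F\xA1-\xAC\xAE-\xFF
# converted to the decimal list that @validateByteRange takes.
#
# Bytes left out, following the table above:
#   0x00-0x08, 0x0B, 0x0C, 0x0E-0x1F, 0x7F   control characters and DEL
#   0x81, 0x8D, 0x8F, 0x90, 0x9D            undefined in Windows-1252
#   0xA0 (no-break space), 0xAD (soft hyphen)
#
# Phase 2 runs after the body is parsed, so ARGS hold URL-decoded values:
# "servi%E7os" is inspected as the single byte 0xE7 (231), which is accepted,
# while a NUL or a raw 0x81 in any parameter value or name is still blocked.
<IfModule mod_security2.c>
    SecRule ARGS|ARGS_NAMES \
        "@validateByteRange 9,10,13,32-126,128,130-140,142,145-156,158,159,161-172,174-255" \
        "phase:2,t:none,deny,status:400,log,\
         msg:'Byte outside the Latin-1 set accepted for this site'"
</IfModule>
```

The operator matches (and the rule denies) when at least one byte falls outside the listed ranges, which is why no `!` negation is needed; keep the Core Rules' wider `1-255` check if you only want to tighten specific parameters.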
From: Danett s. <dan...@ya...> - 2007-05-10 07:19:44
Hi,

Long time I don't post, I'm back :)

1] I noted that mod_security is generating a false positive in my test system, with the following:

Message: Warning. Found 3 byte(s) outside range: 1-255.

The (most part) of the input that generated it is valid and is like this one:

title=Vamos+estabelecer+servi%E7os+prestados+e+as+Ag%EAncias+tomaram+Provid%EAncias&date=22%2F07%2F2007&news=%3Cp+align%3D%22justify%22%3ENa+%26uacute%3Bltima+semana%2C+antes+da+unifica%26ccedil%3B%26atilde%3Bo+da+nova+equipe+para+saber+mais+%28link+dispon%26iacute%3Bvel+na+p%26aacute%3Bgina+restrita%2C+em+%26ldquo%3Batos+normativos%26rdquo%3B%29.+%3Cbr

The system doesn't work well for latin users who speak Portuguese, cause we use á, é, í, ú, Á, É, Í, Ú, â, ô, Â, Ô, à, Á, ç, Ç. I would not like to disable the range protection; is there a way to add these specific characters to the rules?

2] I saw a post in the blog called "Handling False Positives and Creating Custom Rules" where it teaches how to deal with and manage false positives. However, when we have a multi-domain site, is it possible to generate these exceptions by domain? For example, in the vhost for domain www1.site.com the XSS rules stay like in the default core rules, but in vhost info.site.com they generate a false positive, so is it possible to create it by domain? By name of variable is not an option, cause both vhosts have a variable with the same name; one causes the false positive and the other not.

3] I saw a post from Ivan Ristic where he pointed out the following:

>To fix this you need to install three rules:
>1.1) One rule to only accept "userid" as a valid
>parameter name.
>1.2) One rule to check that only one parameter with
>such name is provided.
>1.3) Finally one rule to make sure what is in the
>parameter is a number.
>Doing this will not only prevent the known SQL
>injection problem but also all other problems that
>might exist and you don't know about.

I never thought it could be done with mod_security, can you please show me an example of how to implement these 3 steps. It's really interesting.

4] As discussed here before, PHP IDS is really nice and has some nice rules that detect some variations of attacks that mod_security doesn't, as it uses regexps. I think that some rules can be learned from the other project; for people who develop mod_security, give a try to this demo site: http://phpids.heideri.ch/ I think some rules in mod_security can be enhanced using it, not? :)

5] Some time ago it was published in this mailing list that hot rules (posted by users) for mod_security would be posted in a special section on the site, where is it?

Ufffaaaa... Thank you and keep up the good job.

Cheers
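The three rules Ivan describes, as an added example in ModSecurity 2.x syntax (not Ivan's or Danett's own rules). It assumes a hypothetical script /account.php that takes only a numeric "userid", and the `<Location>` scoping is what keeps the whitelist from affecting other scripts or vhosts; rule ids are omitted as the 2.1 syntax allows.

```apache
# Added example: Ivan's three checks for a script that accepts only "userid".
# Scoped to one path so the parameter whitelist does not touch the rest of
# the site; the same block could live inside a single <VirtualHost>.
<Location /account.php>
    # 1.1) Only "userid" is an acceptable parameter name. ARGS_NAMES lists
    #      every submitted name (query string and body); any other name
    #      ends the request. Case-sensitive on purpose: most applications
    #      treat "UserID" as a different, unexpected parameter.
    SecRule ARGS_NAMES "!^userid$" \
        "phase:2,t:none,deny,status:400,log,\
         msg:'Unexpected parameter name for /account.php'"

    # 1.2) Exactly one "userid" must be present. The & prefix counts the
    #      occurrences, so both userid=1&userid=2 and a missing userid
    #      are rejected (rule 1.1 alone cannot see a missing parameter).
    SecRule &ARGS:userid "!@eq 1" \
        "phase:2,t:none,deny,status:400,log,\
         msg:'userid must appear exactly once'"

    # 1.3) The value must be a plain decimal number. Anchoring at both ends
    #      rejects anything but digits, such as a trailing quote or space,
    #      and the length cap is an example choice for this script.
    SecRule ARGS:userid "!^[0-9]{1,10}$" \
        "phase:2,t:none,deny,status:400,log,\
         msg:'userid is not a number'"
</Location>
```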
From: Brian K. <bp...@wi...> - 2007-05-09 21:17:16
I'm trying to update from v1.9.4. Previously I used the HTTP_MOD_SECURITY_MESSAGE to display a meaningful message to developers on our local network when they ran into one of the rules. I can't seem to find out how to do this anymore in v2.1.1. Can anyone point me in the right direction?

Thanks,
Brian
From: Christian B. <ch...@jw...> - 2007-05-08 15:11:34
On 08.05.2007 at 15:24, Russ Lavoie wrote:
> For some reason the modsec-auditlog-collector.pl file stopped logging
> all of a sudden. But I am getting alerts in the mod_debug logs, but
> nowhere else... Nothing has changed from yesterday to today, it just
> stopped working.
>
> Is there some alternative solution to logging on the console other than
> this external perl script?

I do not know of any, but would appreciate a solution for this, too. A nice thing would be a unix or tcp socket to listen on that is directly integrated into the ModSecurity module. This way writing tools that listen on the audit log would be a little more comfortable.

Regards,
Chris