mod-security-users Mailing List for ModSecurity (Page 6)
From: homesh j. <ho...@gm...> - 2022-06-15 09:46:29

Hi All,

I wanted to know the variable name which holds the ModSecurity mode ("engine_mode":"ENABLED") that I see in the audit logs, but I am not sure what the exact name of the variable is.

Thanks,
Homesh

From: homesh j. <ho...@gm...> - 2022-06-02 15:10:37

Dear Azurit,

Tx.0 worked for me; you are right, it is there in the rule. Thanks a lot.

Regards,
Homesh

On Wed, 1 Jun 2022, 8:15 pm, <az...@po...> wrote:

> Hi Homesh,
>
> probably tx.0 but try looking at the rule ID 11, on logdata action.
>
> azurit
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

From: <az...@po...> - 2022-06-01 14:41:39

Hi Homesh,

probably tx.0 but try looking at the rule ID 11, on logdata action.

azurit

Quoting homesh joshi <ho...@gm...>:

> Dear Franziska,
>
> Thanks for the reply.
> I shared partial JSON as I wanted to showcase the important part.
> My requirement is simple. I wanted to know the variable name that holds the
> [data \"or 2=2\"], like the rule.msg variable holds the [msg \"SQL Injection\"].
>
> Thanks,
> Homesh

From: homesh j. <ho...@gm...> - 2022-06-01 14:19:34

Dear Franziska,

Thanks for the reply.
I shared partial JSON as I wanted to showcase the important part.
My requirement is simple. I wanted to know the variable name that holds the [data \"or 2=2\"], like the rule.msg variable holds the [msg \"SQL Injection\"].

Thanks,
Homesh

On Wed, Jun 1, 2022 at 7:44 PM Franziska Buehler <fra...@gm...> wrote:

> Hi Homesh,
>
> That doesn't appear to be valid JSON. Can you please describe what you
> want to do exactly and how you tried to achieve this?
>
> Best,
> Franziska

From: Franziska B. <fra...@gm...> - 2022-06-01 14:09:52

Hi Homesh,

That doesn't appear to be valid JSON. Can you please describe what you want to do exactly and how you tried to achieve this?

Best,
Franziska

homesh joshi <ho...@gm...> wrote on Tue., 31 May 2022, 14:08:

> Hi All,
>
> Please refer to the following from the modsec logs in JSON format.
>
> [file \"/usr/share/modsec/rules/10_gen_rules.conf\"] [line \"283\"] [id \"11\"] [rev \"43\"] [msg \"SQL Injection\"] [data \"or 2=2\"] [severity \"CRITICAL\"]
>
> I am able to get the values of the msg, id & severity variables (using rule.msg, rule.id, rule.severity) but I can't find the variable name for data ([data \"or 2=2\"]).
>
> I have searched on Google as well as in the modsec handbook PDF but can't find the name.
>
> Can someone share some info on this please.
>
> Thanks,
> Homesh

From: homesh j. <ho...@gm...> - 2022-05-31 12:06:18

Hi All,

Please refer to the following from the modsec logs in JSON format.

[file \"/usr/share/modsec/rules/10_gen_rules.conf\"] [line \"283\"] [id \"11\"] [rev \"43\"] [msg \"SQL Injection\"] [data \"or 2=2\"] [severity \"CRITICAL\"]

I am able to get the values of the msg, id & severity variables (using rule.msg, rule.id, rule.severity) but I can't find the variable name for data ([data \"or 2=2\"]).

I have searched on Google as well as in the modsec handbook PDF but can't find the name.

Can someone share some info on this please.

Thanks,
Homesh

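The [data "..."] field in that alert line is what the rule's logdata action emitted, next to the id, msg and severity that Homesh could already read. As an added example for this thread, not code from ModSecurity or from any list member, here is a small Python parser that pulls every bracketed field out of such a line, whether it is a plain Apache error-log entry or the backslash-escaped fragment copied out of a JSON audit log as quoted above. The two sample lines are constructed for the example (the hostname, URI and unique_id in the second one are invented), and the assumption that a literal quote inside a value shows up as a backslash-escaped quote is marked in the code.

```python
"""Extract the bracketed [key "value"] fields from a ModSecurity v2 alert message.

Added example for the mailing-list thread above; not code from ModSecurity or the list.
"""
import json
import re
from typing import Dict

# Constructed samples. The first mimics the JSON-escaped fragment quoted in the
# thread; the second mimics a plain Apache error-log line (hostname, uri and
# unique_id are invented for this example).
SAMPLE_JSON_FRAGMENT = (
    r'[file \"/usr/share/modsec/rules/10_gen_rules.conf\"] [line \"283\"] '
    r'[id \"11\"] [rev \"43\"] [msg \"SQL Injection\"] [data \"or 2=2\"] '
    r'[severity \"CRITICAL\"]'
)
SAMPLE_ERROR_LINE = (
    r'ModSecurity: Warning. Pattern match "(?i)or\s+\S+=\S+" at ARGS:q. '
    r'[file "/usr/share/modsec/rules/10_gen_rules.conf"] [line "283"] [id "11"] '
    r'[rev "43"] [msg "SQL Injection"] [data "or \"1\"=\"1\""] '
    r'[severity "CRITICAL"] [hostname "www.example.test"] [uri "/index.php"] '
    r'[unique_id "Yp8GtnNu4Q2MWNuB7dK1AAAAAA"]'
)

# One [key "value"] pair. A value may contain backslash-escaped quotes; that a
# literal quote inside logdata is written that way is an assumption of this example.
FIELD_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')


def unescape_json_fragment(text: str) -> str:
    """Decode text copied out of a JSON string (quotes appear as backslash-quote);
    anything that is not a valid JSON string body is returned unchanged."""
    try:
        return json.loads('"' + text + '"')
    except json.JSONDecodeError:
        return text


def parse_alert_fields(text: str) -> Dict[str, str]:
    """Return {key: value} for every bracketed field in an alert line or fragment."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(unescape_json_fragment(text)):
        fields[key] = re.sub(r'\\(.)', r'\1', raw)  # drop the escaping backslashes
    return fields


def logdata(text: str) -> str:
    """The value of the [data "..."] field, or '' when the rule logged none."""
    return parse_alert_fields(text).get("data", "")


if __name__ == "__main__":
    for sample in (SAMPLE_JSON_FRAGMENT, SAMPLE_ERROR_LINE):
        fields = parse_alert_fields(sample)
        print(f'id={fields["id"]} severity={fields["severity"]} data={fields["data"]!r}')
```

Run directly it prints the id, severity and data of both samples. In a log pipeline the same function is applied to each "Message:" line of the H section or to each error-log line, and fields["data"] is then the value the thread was looking for; a rule that sets no logdata simply produces no data key, which is why logdata() falls back to an empty string.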
From: homesh j. <ho...@gm...> - 2022-05-31 12:01:47

Dear Ervin,

The rule id is different for each rule, as otherwise the Apache reload will fail.

I checked by defining SecGeoLookupDb /etc/modsecurity/maxmind4.dat under security2.conf and removing it from each virtual host. It still works as expected.

Also, there is no improvement in the memory consumption of Apache, which confirms that Apache does not keep multiple copies of the same file in memory even if I define it multiple times, which is a good thing.

Thanks,
Homesh

On Mon, May 30, 2022 at 10:35 AM Ervin Hegedüs <ai...@gm...> wrote:

> Hi Homesh,
>
> On Mon, May 30, 2022 at 12:17:56AM +0530, homesh joshi wrote:
> > I have multiple virtual host entries in apache
> >
> > in each virtual host I have rule like this
> >
> > SecGeoLookupDb /etc/modsecurity/maxmind4.dat
> > SecRule REMOTE_ADDR "@geoLookup" "phase:1,log,chain,id:2,drop,msg:'Geolocation Blocked'"
> > SecRule GEO:COUNTRY_CODE "@pm CN PE IR"
>
> are you sure? I mean do you have these rules with *same id*?
>
> > My query is the line SecGeoLookupDb /etc/modsecurity/maxmind4.dat present
> > in each virtual host. Is it required in each or can I define it once
> > globally.
>
> you do not need to define it in each vhost. Also you can use the
> SecRule with "id:2" above only once (except if you change the
> country codes per vhost, of course).
>
> a.

From: Ervin H. <ai...@gm...> - 2022-05-30 05:01:17

Hi Homesh,

On Mon, May 30, 2022 at 12:17:56AM +0530, homesh joshi wrote:
> I have multiple virtual host entries in apache
>
> in each virtual host I have rule like this
>
> SecGeoLookupDb /etc/modsecurity/maxmind4.dat
> SecRule REMOTE_ADDR "@geoLookup" "phase:1,log,chain,id:2,drop,msg:'Geolocation Blocked'"
> SecRule GEO:COUNTRY_CODE "@pm CN PE IR"

are you sure? I mean do you have these rules with *same id*?

> My query is the line SecGeoLookupDb /etc/modsecurity/maxmind4.dat present
> in each virtual host. Is it required in each or can I define it once
> globally.

you do not need to define it in each vhost. Also you can use the
SecRule with "id:2" above only once (except if you change the
country codes per vhost, of course).

a.

From: homesh j. <ho...@gm...> - 2022-05-29 18:48:19

Hi All,

I have multiple virtual host entries in Apache. In each virtual host I have a rule like this:

SecGeoLookupDb /etc/modsecurity/maxmind4.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,log,chain,id:2,drop,msg:'Geolocation Blocked'"
SecRule GEO:COUNTRY_CODE "@pm CN PE IR"

My query is about the line SecGeoLookupDb /etc/modsecurity/maxmind4.dat present in each virtual host. Is it required in each, or can I define it once globally? Will it cause Apache to load the file multiple times in memory, or will it load only once?

Please suggest.

Thanks,
Homesh

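Ervin's question (do two vhosts carry the same id?) and Homesh's remark that a reload fails when they do are worth turning into a check that runs before the reload. The following Python is an added example for this thread, not code from ModSecurity, Apache or any list member: it walks a set of ModSecurity v2 configuration snippets, joins backslash-continued lines, and reports rule ids declared more than once, SecRule/SecAction lines with no id that are not the tail of a chain, and one-off directives such as SecGeoLookupDb that are repeated across vhosts. The three snippets are constructed for the example; the file names, the VirtualHost layout and the SecAction line are assumptions, and only the geolocation rule itself is the one quoted in the thread.

```python
"""Audit ModSecurity v2 config snippets for duplicate or missing rule ids.

Added example for the mailing-list thread above; not code from ModSecurity, Apache or the list.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

Location = Tuple[str, int]  # (file name, first line of the logical directive)

# Constructed snippets: a global config plus two vhosts that both paste the
# geolocation rule from the thread. File names, the VirtualHost layout and the
# SecAction line are assumptions made for this example.
SAMPLE_CONFIGS: Dict[str, str] = {
    "security2.conf": """
# constructed global engine settings
SecRuleEngine On
SecGeoLookupDb /etc/modsecurity/maxmind4.dat
""",
    "sites/a.example.conf": """
<VirtualHost *:443>
    SecGeoLookupDb /etc/modsecurity/maxmind4.dat
    SecRule REMOTE_ADDR "@geoLookup" \\
        "phase:1,log,chain,id:2,drop,msg:'Geolocation Blocked'"
        SecRule GEO:COUNTRY_CODE "@pm CN PE IR"
</VirtualHost>
""",
    "sites/b.example.conf": """
<VirtualHost *:443>
    SecGeoLookupDb /etc/modsecurity/maxmind4.dat
    SecRule REMOTE_ADDR "@geoLookup" "phase:1,log,chain,id:2,drop,msg:'Geolocation Blocked'"
        SecRule GEO:COUNTRY_CODE "@pm CN PE IR"
    SecAction "phase:1,pass,nolog,setvar:tx.vhost=b"
</VirtualHost>
""",
}

RULE_DIRECTIVES = ("SecRule", "SecAction")
# id:N or id:'N' anywhere in the directive; the lookbehind keeps e.g. "unique_id:" out.
ID_RE = re.compile(r"(?<![\w-])id:\s*'?(\d+)'?")
CHAIN_RE = re.compile(r"(?<![\w-])chain(?![\w-])")


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, directive) with backslash continuations joined and comments dropped."""
    buf: List[str] = []
    start = 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield start, joined


def iter_rules(configs: Dict[str, str]) -> Iterator[Tuple[str, int, str]]:
    """Every SecRule / SecAction directive as (file, line, text)."""
    for name, text in configs.items():
        for number, line in logical_lines(text):
            if line.split()[0] in RULE_DIRECTIVES:
                yield name, number, line


def duplicate_rule_ids(configs: Dict[str, str]) -> Dict[str, List[Location]]:
    """Rule ids declared more than once (Apache refuses to start on these)."""
    seen: Dict[str, List[Location]] = defaultdict(list)
    for name, number, line in iter_rules(configs):
        match = ID_RE.search(line)
        if match:
            seen[match.group(1)].append((name, number))
    return {rid: locs for rid, locs in seen.items() if len(locs) > 1}


def missing_rule_ids(configs: Dict[str, str]) -> List[Location]:
    """Rules without an id that are not the continuation of a chain."""
    missing: List[Location] = []
    chained, current_file = False, None
    for name, number, line in iter_rules(configs):
        if name != current_file:  # a chain never spans files
            chained, current_file = False, name
        if not chained and not ID_RE.search(line):
            missing.append((name, number))
        chained = CHAIN_RE.search(line) is not None
    return missing


def repeated_directives(configs: Dict[str, str], *names: str) -> Dict[str, List[Location]]:
    """Where each named directive is declared, for those declared more than once."""
    seen: Dict[str, List[Location]] = defaultdict(list)
    for file_name, text in configs.items():
        for number, line in logical_lines(text):
            directive = line.split()[0]
            if directive in names:
                seen[directive].append((file_name, number))
    return {d: locs for d, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    print("duplicate ids:", duplicate_rule_ids(SAMPLE_CONFIGS))
    print("rules without id:", missing_rule_ids(SAMPLE_CONFIGS))
    print("repeated one-off directives:", repeated_directives(SAMPLE_CONFIGS, "SecGeoLookupDb"))
```

Run as a script it reports id 2 in both vhost files, the SecAction in the second vhost that has no id, and the three SecGeoLookupDb declarations; for real files, read each one into the dict keyed by its path. The id regex scans the whole directive rather than only its action list, so an "id:" inside a msg text would be picked up too; that is an accepted limitation of the example.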
From: Ricardo M. <ri...@ri...> - 2022-05-22 21:14:03

Thank you very much, Azurit. I tried last week, and it seems it's working now. Thanks a lot!!! 🙏

Best Regards,
Ricardo Martins

On Thu, May 19, 2022 at 5:59 PM <az...@po...> wrote:

> Hi,
>
> have you tried switching to 'concurrent' logging? See SecAuditLogType.

From: <az...@po...> - 2022-05-19 07:55:16

Hi,

have you tried switching to 'concurrent' logging? See SecAuditLogType.

Quoting Ricardo Martins <ri...@ri...>:

> I'm facing the errors below for 2 months:
>
> ModSecurity: Audit log: *Failed to lock global mutex: Invalid argument* [hostname "xyz.com"] [uri "/some/url/index.php"] [unique_id "YoVhNjBIlODXmbU8zRObNAAAAAo"]
>
> ModSecurity: Audit log: Failed to *unlock* global mutex: Invalid argument [hostname "xyz.com"] [uri "/some/url/index.php"] [unique_id "YoVhNjBIlODXmbU8zRObNAAAAAo"]

From: Ricardo M. <ri...@ri...> - 2022-05-19 01:30:47

I'm facing the errors below for 2 months:

ModSecurity: Audit log: *Failed to lock global mutex: Invalid argument* [hostname "xyz.com"] [uri "/some/url/index.php"] [unique_id "YoVhNjBIlODXmbU8zRObNAAAAAo"]

ModSecurity: Audit log: Failed to *unlock* global mutex: Invalid argument [hostname "xyz.com"] [uri "/some/url/index.php"] [unique_id "YoVhNjBIlODXmbU8zRObNAAAAAo"]

In the audit log I have the following:

> --4f737934-A--
> [18/May/2022:21:12:23 +0000] YoVhNjBIlODXmbU8zRObNAAAAAo 98.142.102.10 55052 172.31.20.202 443
> --4f737934-B--
> POST /some/url HTTP/1.1
> Host: xyz.com
> Accept: */*
> Content-Length: 7
> Content-Type: application/x-www-form-urlencoded
>
> --4f737934-C--
> token=0
> --4f737934-F--
> HTTP/1.1 401 Unauthorized
> Cache-Control: no-cache, private
> Content-Length: 19
> Content-Type: text/html; charset=UTF-8
>
> --4f737934-H--
> Message: Audit log: Failed to lock global mutex: Invalid argument
> Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 98.142.102.10] ModSecurity: Audit log: Failed to lock global mutex: Invalid argument [hostname "xyz.com"] [uri "/some/url/index.php"] [unique_id "YoVhNjBIlODXmbU8zRObNAAAAAo"]
> Apache-Handler: application/x-httpd-php
> Stopwatch: 1652908342996576 5468 (- - -)
> Stopwatch2: 1652908342996576 5468; combined=1343, p1=443, p2=721, p3=0, p4=0, p5=178, sr=83, sw=1, l=0, gc=0
> Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
> Server: Apache
> Engine-Mode: "ENABLED"

I read it was related to logrotate.
I tried to add a "Mutex default" line to apache2.conf, and also tried to use "Mutex posixsem" to fix another mutex-related error (AH02026: Failed to acquire SSL session cache lock)...

I simply don't know what else to do to solve the problem, or if it's safe enough to disable mod_security.

Any help is appreciated.

System: Ubuntu 20.04.4 LTS
Apache: 2.4

From: Christian F. <chr...@ne...> - 2022-05-10 10:32:54

Thanks for letting us know!

Christian

On Tue, May 10, 2022 at 03:18:19PM +0800, Franklin Weng wrote:
> Hi,
>
> An update to this: We found that 2.9.5 didn't work but 2.9.3 worked.
> Maybe the DLL file packaged in 2.9.5 is corrupted.
>
> Franklin

From: Franklin W. <fwe...@gm...> - 2022-05-10 07:19:04

Hi,

An update to this: We found that 2.9.5 didn't work but 2.9.3 worked. Maybe the DLL file packaged in 2.9.5 is corrupted.

Franklin

Christian Folini <chr...@ne...> wrote on Wed, 27 Apr 2022 at 5:21 PM:

> Hello Franklin,
>
> There is very little information about ModSec on IIS. From the scarce number of questions we are getting about it here and from what I can tell after 15 years of consulting around ModSecurity, this is a road rarely travelled.
>
> So I reckon you are mostly on your own.
>
> The easier approach would probably be to put an Apache in front of the IIS. Possibly on the same machine. This adds another system to the setup, but it is known to work on Windows and no annoying surprises.
>
> Just my 2 cents.
>
> Christian
>
> On Wed, Apr 27, 2022 at 03:44:26PM +0800, Franklin Weng wrote:
> > Hi,
> >
> > A problem has bothered us for several weeks and we would like to get help here.
> >
> > We installed a fresh Windows 2019 (Datacenter) server with a whole new IIS server. Then we installed the ModSecurity 2.9.5 Windows version. It was installed successfully. The installer file was downloaded from https://sourceforge.net/projects/modsecurity.mirror/files/v2.9.5/
> >
> > But when we tried to connect to http://localhost what we got is a 503 error. And the log in IIS showed "Can not load C:\Windows\System32\inetsrv\ModSecurityIIS.dll, data is the error" (translated back from Chinese).
> >
> > We tried to install 64 bit only, which seemed to work (at least no 503 error), but the test rule we set did not work. No logs were generated either.
> >
> > We've searched plenty of pages on the Internet, including GitHub issues, but no luck.
> >
> > Any help would be appreciated. If you need more info feel free to tell me.
> >
> > Thanks, Franklin

--
Franklin Weng
Chairman, Software Liberty Association Taiwan
LibreOffice deployment expert
Vice-chair of the Board of Directors and member of the Certification Committee, The Document Foundation (LibreOffice)

From: Franziska B. <fra...@gm...> - 2022-04-30 18:48:02

Hi!

OWASP Core Rule Set Dev-On-Duty here.

The rule 920440 checks the variable tx.restricted_extensions (https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L1064). This variable can be set in the crs-setup.conf file. So you have to uncomment and edit (remove .com) the following rule 900240: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/crs-setup.conf.example#L473

Best regards,
Franziska

On Fri., 29 Apr 2022 at 19:07, s kwok <mrs...@gm...> wrote:

> Hi,
>
> I'd like to exclude .com from restricted_extensions only for rule 920440.
> Can someone please tell me how to do that? Thanks!
>
> Best
> skwok

From: s k. <mrs...@gm...> - 2022-04-29 17:04:43

Hi,

I'd like to exclude .com from restricted_extensions only for rule 920440. Can someone please tell me how to do that? Thanks!

Best
skwok

From: Walter H. <mo...@sp...> - 2022-04-28 20:00:27

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release.

The release candidate is available from our installation page: https://coreruleset.org/installation/

CRS 4 contains many important changes, such as:

- A plugin architecture for extending CRS and minimizing attack surface. Application exclusion sets and less-used functionality have been migrated from the CRS to plugins: https://coreruleset.org/docs/configuring/plugins/ (See our plugin registry at https://github.com/coreruleset/plugin-registry for the extensive list of existing plugins.)
- Early blocking: https://coreruleset.org/20220302/the-case-for-early-blocking/
- Granular control over reporting levels
- All formerly PCRE-only regular expressions have been updated to be compatible with Re2/Hyperscan WAF engines
- We now publish nightly packages of the development branch: https://github.com/coreruleset/coreruleset/releases
- We refactored and renamed the anomaly scoring variables and paranoia level definitions
- HTTP/0.9 support has been dropped to resolve false positives.

CRS 4 contains many new detections:

- Detect Log4j / Log4Shell
- Detect Spring4Shell
- Detect JavaScript prototype pollution
- Detect common webshells by inspecting response
- Detect path traversal in file upload
- Detect common IP-based SSRF targets
- Detect email protocol attacks
- Improved RCE detection
- Improved SQLi detection
- Expanded blocklists to prevent access to AWS cli files, /proc and /sys files, and many other sensitive files
- Detect many new scanners and bots

CRS 4 also contains many improvements to lower the amount of false alarms. Also, we fixed a number of bypasses in existing rules. We also addressed various performance and ReDoS issues.

A lot of effort also went into improving our test suite, so that 100% of our rules are now covered by tests!

Finally, we have worked on creating extensive documentation about all aspects of the CRS. You can find it under the Documentation section of our website: https://coreruleset.org/docs/. If you would like to make improvements, please go to the repository https://github.com/coreruleset/documentation/ and submit your pull request!

For those wanting to try CRS 4, it is important to quickly touch upon the new plugin architecture. Some parts of CRS 3, such as the application exclusion rules (WordPress, Drupal, etc.), were split off into "plugins". As an admin, you can choose to install plugins or leave them out. In this way, we can more swiftly update plugins (for instance to deal with application updates), and we decrease the attack surface for admins who are not interested in their functionality. If you used the application exclusions in CRS 3, you will need to download the relevant plugin files and put them in your plugins subdirectory in CRS 4. See here for extended information about working with plugins: https://coreruleset.org/docs/configuring/plugins/

Please see the CHANGES file for a full list of the more than 200 changes, improvements and fixes: https://github.com/coreruleset/coreruleset/blob/v4.0/main/CHANGES. Each CHANGES entry links to the relevant pull requests, so you can dive into the specifics of a certain change.

If you try out our release candidate, we will be very eager to receive your feedback. You can report any issues on GitHub: https://github.com/coreruleset/coreruleset/issues/new/choose. Be sure to mention the CRS version, so we can handle RC issues as quickly as possible.

Depending on the feedback, we will possibly release more Release Candidates, while we get a firmer picture and finalize our schedule for the final release.

If you have questions, the quickest way to get in touch with us directly is to join the #coreruleset channel on the OWASP Slack: https://coreruleset.org/20181003/owasp-crs-slack/

I want to thank all our developers and outside contributors for helping us make the best CRS version yet!

Kind regards,
Walter Hop
Core Rule Set Co-Lead

From: Christian F. <chr...@ne...> - 2022-04-27 09:16:42
|
Hello Franklin,

There is very little information about ModSec on IIS. From the scarce number of questions we are getting about it here and from what I can tell after 15 years of consulting around ModSecurity, this is a road rarely travelled. So I reckon you are mostly on your own.

The easier approach would probably be to put an Apache in front of the IIS. Possibly on the same machine. This adds another system to the setup, but it is known to work on Windows and no annoying surprises.

Just my 2 cents.

Christian

On Wed, Apr 27, 2022 at 03:44:26PM +0800, Franklin Weng wrote:
> Hi,
>
> A problem has bothered us for several weeks and we would like to get help here.
>
> We installed a fresh Windows 2019 (Datacenter) server with a whole new IIS server. Then we installed ModSecurity 2.9.5 Windows version. It was installed successfully. The installer file was downloaded from https://sourceforge.net/projects/modsecurity.mirror/files/v2.9.5/
>
> But when we tried to connect to http://localhost what we got is a 503 error. And the log in IIS showed "Can not load C:\Windows\System32\inetsrv\ModSecurityIIS.dll, data is the error" (translated back from Chinese).
>
> We tried to install 64 bit only which seemed to work (at least no 503 error), but the test rule we set did not work. No logs were generated either.
>
> We've searched plenty of pages on the Internet, including GitHub issues, but no luck.
>
> Any help would be appreciated. If you need more info feel free to tell me.
>
> Thanks, Franklin
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
|
From: Franklin W. <fwe...@gm...> - 2022-04-27 07:45:14
|
Hi,

A problem has bothered us for several weeks and we would like to get help here.

We installed a fresh Windows 2019 (Datacenter) server with a whole new IIS server. Then we installed ModSecurity 2.9.5 Windows version. It was installed successfully. The installer file was downloaded from https://sourceforge.net/projects/modsecurity.mirror/files/v2.9.5/

But when we tried to connect to http://localhost what we got is a 503 error. And the log in IIS showed "Can not load C:\Windows\System32\inetsrv\ModSecurityIIS.dll, data is the error" (translated back from Chinese).

We tried to install 64 bit only which seemed to work (at least no 503 error), but the test rule we set did not work. No logs were generated either.

We've searched plenty of pages on the Internet, including GitHub issues, but no luck.

Any help would be appreciated. If you need more info feel free to tell me.

Thanks, Franklin |
|
From: <877...@qq...> - 2022-04-16 06:03:38
|
To fix https://github.com/SpiderLabs/ModSecurity-nginx seems the only way to get the scheme.

------------------ Original message ------------------
From: "huiming" <877...@qq...>;
Sent: Saturday, April 16, 2022, 1:59 PM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Re: Variable that holds scheme

I had tried to search for scheme, but not found. The only method as I know is to change the method, to copy the schema info above to modsecurity's transaction.

------------------ Original message ------------------
From: "mod-security-users" <ehs...@gm...>;
Sent: Friday, April 15, 2022, 9:42 PM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Re: Variable that holds scheme

Dear huiming, hi

Do you think that there is a variable in the config or do you suggest editing the source codes?

On Fri, Apr 15, 2022 at 6:28 AM huiming via mod-security-users <mod...@li...> wrote:

Seems scheme can be got from ngx_http_request_s->schema

------------------ Original message ------------------
From: "huiming" <877...@qq...>;
Sent: Friday, April 15, 2022, 9:01 AM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Variable that holds scheme

Seems https://github.com/SpiderLabs/ModSecurity-nginx does not copy scheme from nginx to modsecurity. So mod can not get it.

------------------ Original message ------------------
From: "mod-security-users" <ehs...@gm...>;
Sent: Thursday, April 14, 2022, 4:37 PM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Variable that holds scheme

Hi Andrew

Yes, I am trying to answer the question, but not to treat them differently. I just need to log the scheme in the Modsecurity Audit log. I have tried different variables like REQUEST_URI, REQUEST_URI_RAW and etc. None of them contain the scheme!

On Wed, Apr 13, 2022 at 3:38 PM Andrew Howe <and...@lo...> wrote:

Hi Ehsan,

> This question might look basic, but I could not find the variable that holds or contains the (http|https) scheme.

Where are you trying to pull the scheme from? The scheme isn't typically* transmitted in an HTTP request. A URL will usually be broken up into an HTTP request line and a Host header, which usually looks something like:

GET /docs/ HTTP/2
Host: coreruleset.org

No scheme/protocol.

What are you trying to achieve? Are you trying to answer the question "did this request come in as plain text HTTP or has TLS termination been performed", and then treat the two cases differently?

Thanks,
Andrew

*You may find request lines containing a full 'absolute URI' which includes the scheme, for example with a proxy server.

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064

--
regards
Ehsan Mahdavi
Computer Engineering Ph.D. |
|
From: <877...@qq...> - 2022-04-16 05:59:44
|
I had tried to search for scheme, but not found. The only method as I know is to change the method, to copy the schema info above to modsecurity's transaction.

------------------ Original message ------------------
From: "mod-security-users" <ehs...@gm...>;
Sent: Friday, April 15, 2022, 9:42 PM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Re: Variable that holds scheme

Dear huiming, hi

Do you think that there is a variable in the config or do you suggest editing the source codes?

On Fri, Apr 15, 2022 at 6:28 AM huiming via mod-security-users <mod...@li...> wrote:

Seems scheme can be got from ngx_http_request_s->schema

------------------ Original message ------------------
From: "huiming" <877...@qq...>;
Sent: Friday, April 15, 2022, 9:01 AM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Variable that holds scheme

Seems https://github.com/SpiderLabs/ModSecurity-nginx does not copy scheme from nginx to modsecurity. So mod can not get it.

------------------ Original message ------------------
From: "mod-security-users" <ehs...@gm...>;
Sent: Thursday, April 14, 2022, 4:37 PM
To: "mod-security-users"<mod...@li...>;
Subject: Re: [mod-security-users] Variable that holds scheme

Hi Andrew

Yes, I am trying to answer the question, but not to treat them differently. I just need to log the scheme in the Modsecurity Audit log. I have tried different variables like REQUEST_URI, REQUEST_URI_RAW and etc. None of them contain the scheme!

On Wed, Apr 13, 2022 at 3:38 PM Andrew Howe <and...@lo...> wrote:

Hi Ehsan,

> This question might look basic, but I could not find the variable that holds or contains the (http|https) scheme.

Where are you trying to pull the scheme from? The scheme isn't typically* transmitted in an HTTP request. A URL will usually be broken up into an HTTP request line and a Host header, which usually looks something like:

GET /docs/ HTTP/2
Host: coreruleset.org

No scheme/protocol.

What are you trying to achieve? Are you trying to answer the question "did this request come in as plain text HTTP or has TLS termination been performed", and then treat the two cases differently?

Thanks,
Andrew

*You may find request lines containing a full 'absolute URI' which includes the scheme, for example with a proxy server.

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064

--
regards
Ehsan Mahdavi
Computer Engineering Ph.D. |
|
From: Ehsan M. <ehs...@gm...> - 2022-04-16 05:44:17
|
Hi Arlen,

the HSTS is not always there (even while using https). Forcing it will impose restrictions on the problem. Using it means forcing https, which might not always be desirable.

The REQUEST_URI_RAW, as I've mentioned in previous emails, doesn't do the job. I've tried that and it's not guaranteed to always contain http(s).

On Fri, Apr 15, 2022 at 11:02 PM Arlen Walker <pu...@ar...> wrote:
> Just a couple of thoughts:
>
> You could try looking for the request header for HSTS (Strict-Transport-Security). Won’t catch all browsers, but if you use it on your server it’ll catch most of them. (And why wouldn’t you use it?)
>
> Doesn’t REQUEST_URI_RAW work for this? I thought it gave the full URI as a text string.
>
> Have fun,
> Arlen
>
> On Apr 14, 2022, at 3:12 AM, Ehsan Mahdavi <ehs...@gm...> wrote:
>
> Hi Ervin,
>
> The env.ssl_cipher or sth like that sounds good, if it works in Nginx. I'll try that and get back to you.
>
> On Wed, Apr 13, 2022 at 3:51 PM Ervin Hegedüs <ai...@gm...> wrote:
>
>> Hi there,
>>
>> On Wed, Apr 13, 2022 at 12:04:39PM +0100, Andrew Howe wrote:
>> >
>> > What are you trying to achieve? Are you trying to answer the question "did this request come in as plain text HTTP or has TLS termination been performed", and then treat the two cases differently?
>>
>> Maybe (the official poster) should try the ENV variable:
>>
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#ENV
>>
>> See the example:
>>
>> # Reading an environment variable from other Apache module (mod_ssl)
>> SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,id:16,msg:'%{env.ssl_cipher}'"
>>
>> and the comment below:
>>
>> Note : Use setenv to set environment variables to be accessed by Apache.
>>
>> As I know, ENV works in libmodsecurity too, but I have no idea how it can be set through Nginx (if the server is it).

--
regards
Ehsan Mahdavi
Computer Engineering Ph.D. |
|
From: Ehsan M. <ehs...@gm...> - 2022-04-16 05:38:35
|
Hi Andrew,

About inferring the scheme from the destination port (SERVER_PORT variable): no. There are sites on multiple non-standard ports. And also there are many sites. So it is confusing.

About X-Forwarded-Proto, I've tried that before. Seems that modsecurity acts before proxy_set_header (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) and more_set_headers (https://github.com/openresty/headers-more-nginx-module#more_set_headers). So these heuristics won't do the job for me.

On Fri, Apr 15, 2022 at 8:56 PM Andrew Howe <and...@lo...> wrote:
> Hi Ehsan,
>
> Something that only just occurred to me: can you not infer the scheme from the destination port in the audit logs? E.g.:
>
> ---YERQU2yt---A--
> [15/Apr/2022:16:04:31 +0000] 1650038671 172.20.0.1 44940 172.20.0.3 80
>
> An example of a plain text HTTP request (note port 80 at the very end of the line).
>
> You could also maybe make use of ModSecurity's SERVER_PORT variable and do something with that (see https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#server_port).
>
> It's also fairly common practice for reverse proxies to add the request header "X-Forwarded-Proto", set to either "http" or "https", when TLS/SSL termination is involved. Maybe you could instruct Nginx to add such a header (although I don't know how the order of execution works in Nginx: it might add headers _after_ giving the request to ModSecurity, so that might not work.)
>
> You could also, if absolutely necessary, put a reverse proxy in front of your Nginx instance (maybe even just define an Nginx proxy), and have *that* proxy insert an "X-Forwarded-Proto" header which would then be passed to your ModSecurity instance. That's probably the least-good solution, though.
>
> Thanks,
> Andrew
>
> --
> Andrew Howe
> Loadbalancer.org Ltd.
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064

--
regards
Ehsan Mahdavi
Computer Engineering Ph.D. |
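The three heuristics this thread discusses (an absolute URI in the request line, an X-Forwarded-Proto header, and the destination port in audit log section A), as an added example that is not part of the original posts or of ModSecurity: it parses a constructed serial audit log and records, per transaction, which scheme was inferred and from what evidence. PORT_SCHEME is an assumed port-to-scheme mapping you would fill in from your own vhost configuration; the sample log and its unique ids are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the native (serial) audit log layout; not a real capture.
# Section A: [timestamp] unique_id src_ip src_port dst_ip dst_port; section B: request line + headers.
SAMPLE_AUDIT_LOG = """\
---YERQU2yt---A--
[15/Apr/2022:16:04:31 +0000] 1650038671 172.20.0.1 44940 172.20.0.3 80
---YERQU2yt---B--
GET /docs/ HTTP/1.1
Host: coreruleset.org
---YERQU2yt---Z--
---AbCdEf12---A--
[15/Apr/2022:16:05:02 +0000] 1650038702 172.20.0.1 44952 172.20.0.3 8443
---AbCdEf12---B--
GET /login HTTP/1.1
Host: example.test
X-Forwarded-Proto: https
---AbCdEf12---Z--
---GhIjKl34---A--
[15/Apr/2022:16:05:40 +0000] 1650038740 172.20.0.1 44960 172.20.0.3 3128
---GhIjKl34---B--
GET http://proxied.test/index.html HTTP/1.1
Host: proxied.test
---GhIjKl34---Z--
---MnOpQr56---A--
[15/Apr/2022:16:06:11 +0000] 1650038771 172.20.0.1 44971 172.20.0.3 9090
---MnOpQr56---B--
GET /health HTTP/1.1
Host: internal.test
---MnOpQr56---Z--
"""

SECTION_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")
# Listener port -> scheme. Assumed deployment knowledge, not something the log states;
# as Ehsan notes, sites on non-standard ports leave gaps in this table.
PORT_SCHEME = {80: "http", 443: "https", 8443: "https"}


def parse_audit_log(text: str) -> Dict[str, Dict[str, str]]:
    """Return {unique_id: {section_letter: body}} for every transaction in the log."""
    transactions: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:  # section boundary: ---<unique_id>---<letter>--
            current = (m.group(1), m.group(2))
            transactions.setdefault(current[0], {}).setdefault(current[1], "")
        elif current is not None:
            transactions[current[0]][current[1]] += line + "\n"
    return transactions


def infer_scheme(sections: Dict[str, str]) -> Tuple[str, str]:
    """Return (scheme, evidence). Strongest evidence first: an absolute URI in the
    request line (forward-proxy style), then X-Forwarded-Proto (only meaningful when
    your own proxy overwrites it, since any client can send it), then the dst port."""
    lines = sections.get("B", "").splitlines()
    if lines:
        m = re.match(r"^\S+\s+(https?)://", lines[0], re.IGNORECASE)
        if m:
            return m.group(1).lower(), "absolute-uri"
        for header in lines[1:]:
            name, _, value = header.partition(":")
            if name.strip().lower() == "x-forwarded-proto" and value.strip().lower() in ("http", "https"):
                return value.strip().lower(), "x-forwarded-proto"
    fields = sections.get("A", "").split()
    if fields and fields[-1].isdigit() and int(fields[-1]) in PORT_SCHEME:
        return PORT_SCHEME[int(fields[-1])], "dst-port"
    return "unknown", "none"
```

The fourth transaction (port 9090, no header, relative URI) shows the case Ehsan raises: with sites on unlisted ports and no proxy-supplied header, the log alone cannot tell you the scheme.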
|
From: Ervin H. <ai...@gm...> - 2022-04-15 18:54:16
|
Hi there,

On Fri, Apr 15, 2022 at 12:51:56PM -0500, Arlen Walker wrote:
> Just a couple of thoughts:
>
> You could try looking for the request header for HSTS (Strict-Transport-Security). Won’t catch all browsers, but if you use it on your server it’ll catch most of them. (And why wouldn’t you use it?)
>
> Doesn’t REQUEST_URI_RAW work for this? I thought it gave the full URI as a text string.

Arlen is right, REQUEST_URI_RAW seems to contain the scheme too:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_URI_RAW

a. |