mod-security-users Mailing List for ModSecurity (Page 532)
From: Ivan R. <iv...@we...> - 2006-04-07 16:41:03
|
ze...@vo... wrote:
> Hi,
>
> I face a big problem using Mod Security 1.9.2.
>
> My web server architecture uses Siteminder and i use this kind of URL to
> change or modify password:
>
> https://www.myserver.com/siteminderagent/pwcgi/smpwservicescgi.exe
The URL works fine for me. Are you sure you get the same result with
"SecFilterCheckURLEncoding Off"?
> ModSecurity logs as following:
Can you get me the audit log entry for this problem?
> [06/Apr/2006:17:45:06 +0200]
> [www.myserver.com/sid#115800][rid#32ef88][/siteminderagent/pwcgi/smpwservicescgi.
> exe][1] Access denied with code 403. Error normalising REQUEST_URI:
> Invalid URL encoding detected: not enough characters
This message would typically appear when there's a % at the end of
the URI but the two hexadecimal characters that need to follow it aren't.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
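Added example (not part of the original thread and not ModSecurity source code): a small checker that applies the rule Ivan describes, every % must be followed by two hexadecimal digits, and reports the offset of each malformed escape so the offending part of a rejected URI can be found. PAGE_TARGET is copied from the URL in Christophe's post; the other inputs are constructed, and the "invalid characters" reason string is this example's own wording.

```python
import string

_HEX = set(string.hexdigits)

# TARGET parameter copied from the URL in Christophe's post.
PAGE_TARGET = ("TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom"
               "%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR")

# Constructed: the same parameter cut off in the middle of its last escape.
TRUNCATED = PAGE_TARGET[:PAGE_TARGET.rindex("%") + 2]

# Constructed: a literal percent sign that was never encoded as %25.
BAD_HEX = "/search?q=100%zz"


def find_bad_escapes(uri):
    """Return (offset, reason, context) for every malformed %-escape in uri.

    "not enough characters" is the wording from the log line in the thread;
    "invalid characters" is this example's own label for non-hex digits.
    """
    findings = []
    i = 0
    while i < len(uri):
        if uri[i] != "%":
            i += 1
            continue
        pair = uri[i + 1:i + 3]
        context = uri[max(0, i - 12):i + 3]
        if len(pair) < 2:
            # The '%' is one of the last two characters of the URI.
            findings.append((i, "not enough characters", context))
            i += 1
        elif not set(pair) <= _HEX:
            findings.append((i, "invalid characters", context))
            i += 1
        else:
            i += 3  # well-formed escape, skip past it
    return findings


def explain(uri):
    """Format the findings for a URI as human-readable lines."""
    found = find_bad_escapes(uri)
    if not found:
        return ["ok: every % is followed by two hex digits"]
    return ["offset %d: %s (near %r)" % f for f in found]


if __name__ == "__main__":
    for sample in (PAGE_TARGET, TRUNCATED, BAD_HEX):
        print(sample)
        for line in explain(sample):
            print("   ", line)
```

The TARGET parameter as posted passes this check, which matches Ivan's remark that the URL works for him; only the truncated and unencoded samples are flagged.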
From: <ze...@vo...> - 2006-04-07 14:08:22
|
Hi,

I face a big problem using Mod Security 1.9.2.

My web server architecture uses Siteminder and i use this kind of URL to change or modify password:

https://www.myserver.com/siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_Users&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR

ModSecurity logs as following:

[06/Apr/2006:17:45:06 +0200] [www.myserver.com/sid#115800][rid#32ef88][/siteminderagent/pwcgi/smpwservicescgi.exe][1] Access denied with code 403. Error normalising REQUEST_URI: Invalid URL encoding detected: not enough characters

When i replace the %3f by the "?", then my change password service runs well.

My ModSec configuration in quite simple way is like the following:

# Turn ModSecurity On
SecFilterEngine On
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST Off
SecFilterCheckURLEncoding On
# for UTF8 encoding
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
SecServerSignature " "
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#Deny all unwanted characters by default
SecFilter "'" id:1000
SecFilterSelective REQUEST_URI "!\?" "chain,id:1001,msg:'1001 matched'"
SecFilter "/\."
SecFilterSelective REQUEST_URI "\?" "chain,id:2001,msg:'2001 matched'"
SecFilterSelective REQUEST_URI ".*/\..*\?"

I tried to activate or de activate "SecFilterCheckURLEncoding", "SecFilterCheckUnicodeEncoding " but the result was unsuccessful.

Could you help me to resolve this problem?

Regards,
Christophe
|
From: <go...@si...> - 2006-04-06 14:40:36
|
>> Ivan's first recommendation is almost always - "Look in the mod_security
>> debug log file". It should give you some more detailed info than the
>> normal Apache error log.
quite huge.. I've done it so, but I don't know what to look for in it...
> Feel free to send me your configuration information, as specified
Done.
> That message, "Filtering against POST payload..." is something you'd
> get with SecFilterScanPOST set to off.
Yes, my fault. First I didn't find any error message and when I finally
found this one, I was happy and thought that was enough for you to help me,
seems I was totally wrong ;)
Thanks.
|
From: Ivan R. <iv...@we...> - 2006-04-06 12:46:52
|
Ryan Barnett wrote:
> My first reaction was - Are you using Apache 2.X branch? I have seen
> similar messages when trying to enable/scan POST payloads with Apache
> 1.X versions as that functionality is not available. I see, however,
> that you are using 2.055-4 version.
>
> Ivan's first recommendation is almost always - "Look in the mod_security
> debug log file". It should give you some more detailed info than the
> normal Apache error log.
What Ryan said :) Feel free to send me your configuration
information, as specified here:
http://www.thinkingstone.com/download/ModSecurity_Support_Request_Preparation_Guide.pdf
to my private email address.
That message, "Filtering against POST payload..." is something you'd
get with SecFilterScanPOST set to off.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Ryan B. <rcb...@gm...> - 2006-04-06 12:42:54
|
My first reaction was - Are you using Apache 2.X branch? I have seen
similar messages when trying to enable/scan POST payloads with Apache
1.X versions as that functionality is not available. I see, however, that
you are using 2.055-4 version.
Ivan's first recommendation is almost always - "Look in the mod_security
debug log file". It should give you some more detailed info than the normal
Apache error log.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 4/6/06, go...@si... <go...@si...> wrote:
>
> Hello,
>
> I wanted to filter some of my website on POST payload because I got some
> blog spammed by POST requests.
>
> So I've activated SecFilterScanPOST On
>
> but now, when I want to POST a new story (which is rather legitimate ;))
> I get these errors in apache logs and a blank page in the webblog :
>
> Wed Apr 05 10:20:42 2006 error client xx.yy.ww.zz mod_security:
> Filtering against POST payload requested but payload is not available
> hostname "www.aaaaa.net" uri "/admin/story.php"
>
> Any idea ?
>
> I'm using :
> - Debian 3.1 (mixed testing/unstable)
> - Apache 2.055-4
> - Mod_security 1.9.2-rc3-1
> - Php4 4.4.2-1
>
> Sioban.
|
From: <go...@si...> - 2006-04-06 12:37:48
|
Hello,

I wanted to filter some of my website on POST payload because I got some blog spammed by POST requests.

So I've activated SecFilterScanPOST On

but now, when I want to POST a new story (which is rather legitimate ;)) I get these errors in apache logs and a blank page in the webblog :

Wed Apr 05 10:20:42 2006 error client xx.yy.ww.zz mod_security: Filtering against POST payload requested but payload is not available hostname "www.aaaaa.net" uri "/admin/story.php"

Any idea ?

I'm using :
- Debian 3.1 (mixed testing/unstable)
- Apache 2.055-4
- Mod_security 1.9.2-rc3-1
- Php4 4.4.2-1

Sioban.
|
From: Ivan R. <iv...@we...> - 2006-04-06 08:17:30
|
Darren wrote:
> I installed mod_security and all is well except one odd behavior. The
> J/S used is this:
>
> <script type="text/javascript">
> <!--
> document.write('<img src="/cgi-bin/ax.pl?trans.gif&ref=');
> document.write(document.referrer);
> document.write('" height="1" width="1" alt="" />');
> // -->
> </script><noscript>
> <p> <img src="/cgi-bin/ax.pl?trans.gif" height="1" width="1"
> alt="" />
> </p>
> </noscript>
>
> Instead of tracking referers correctly, all requests now say: arrived
> from "page" and visited cgi-bin/ax.pl
>
> I assume one of the rules I installed is causing this.
I don't think that's the case. ModSecurity does not modify
requests in any way. It blocks them if configured to do so, but
in that case there wouldn't have been any "hits" in the tracking
logs. Look into your error log for ModSecurity messages.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: Darren <sa...@nc...> - 2006-04-05 23:23:39
|
I installed mod_security and all is well except one odd behavior. The J/S used is this:
<script type="text/javascript">
<!--
document.write('<img src="/cgi-bin/ax.pl?trans.gif&ref=');
document.write(document.referrer);
document.write('" height="1" width="1" alt="" />');
// -->
</script><noscript>
<p> <img src="/cgi-bin/ax.pl?trans.gif" height="1" width="1" alt="" />
</p>
</noscript>
Instead of tracking referers correctly, all requests now say: arrived from "page" and visited cgi-bin/ax.pl
I assume one of the rules I installed is causing this. Is there a way to exclude these requests?
Thanks in advance,
Darren
|
From: BassPlayer <bas...@an...> - 2006-04-04 16:06:25
|
Enjoy

BP

Augie Schwer wrote:
> On 1/26/06, BassPlayer <bas...@an...> wrote:
>> I've done some google searches and checked the site and I didn't see any
>> sort of audit_log parser and report generator. Anyone have any scripts
>> already developed?
>
> When I looked a month or so ago I found the same void ; here are the
> few links I did find, but like I said it's not much:
>
> http://textsnippets.com/posts/show/9
> http://orderamidchaos.com/modsec/modsec_auditlog_parser
> http://prwdot.org/code/modsecauditlogparse.txt
>

ego pfe wrote:
> Hi all,
>
> I wanna know if there are some "log-parsers" for mod_security' audit_log or
> customlog such as webalizer, sarg etc.
> any tool that correlate apache logs with modsecurity logs is needed.
>
> what do you suggest ?
>
>
> Thanks in advance
>
> Federico
|
From: ego p. <eg...@gm...> - 2006-04-04 15:33:46
|
Hi all,

I wanna know if there are some "log-parsers" for mod_security' audit_log or customlog such as webalizer, sarg etc.
any tool that correlate apache logs with modsecurity logs is needed.

what do you suggest ?

Thanks in advance

Federico
|
From: Ivan R. <iv...@we...> - 2006-04-03 08:11:55
|
我爱臭豆腐 wrote:
> hi
> i use mod_security 1.9.2 and httpd 2.0.55 test some php software .
> on some case i need filter chinese word in web software .
> for example
> SecFilterSelective POST_PAYLOAD 中文
> SecFilterSelective POST_PAYLOAD testa
> is "SecFilterSelective POST_PAYLOAD testa " is pass .but
> SecFilterSelective POST_PAYLOAD 中文 is not :(
That may be caused by the differences in the encodings used to
define the signature and to enter the content. Can you send me
(to my private email address) your raw (binary) audit log entry and
I'll see if I can do anything about it.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: <hao...@gm...> - 2006-04-03 06:47:21
|
|
From: Chuck C. <za...@td...> - 2006-03-31 19:57:48
|
How do I link mod_security for apache 1.x against PCRE when compiling statically? The documentation does not explain how to do this, only how to do so for DSO support.
|
From: Ivan R. <iv...@we...> - 2006-03-31 16:03:54
|
E R wrote:
>
> Ivan:
> Is there a combination of Apache/ModSecurity that you know will work for
> this problem?
I don't know, sorry.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Ivan R. <iv...@we...> - 2006-03-31 16:03:28
|
Zetafil Skywalker wrote:
> I found a "commercial" software very similar to mod_security, their config format is also in
Hi Zetafil Skywalker,
Thank you for your email and for your concern,
> SecFilterSelective LOCATION KEYWORD [ACTIONS]
>
> The software is called dotDefender, you can download eval software at www.dotdefender.com
>
> Ivan Ristic, are you here? Is that company related to you? If not, I think you may want to contact them to clarify.
My understanding is they have implemented a subset of
the ModSecurity Rule Language, and that they are going to
clarify this issue in the documentation of their future
releases.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Zetafil S. <ze...@wh...> - 2006-03-31 15:57:22
|
I found a "commercial" software very similar to mod_security, their config format is also in

SecFilterSelective LOCATION KEYWORD [ACTIONS]

The software is called dotDefender, you can download eval software at www.dotdefender.com

Ivan Ristic, are you here? Is that company related to you? If not, I think you may want to contact them to clarify.

Regards,
Skywalker

ps. I only tried their IIS/5.0 version only.
|
From: E R <e3...@gm...> - 2006-03-30 20:33:11
|
No, I'm not using virtual hosts. It appears that the mod_security side is catching the output, throwing the 404 error, but not using the custom server-level ErrorDocument directive. This only happens when requesting non-existing content served from the app server. Requesting non-existent html pages works properly.

Ivan:
Is there a combination of Apache/ModSecurity that you know will work for this problem?

-Eric

On 3/30/06, Ryan Barnett <rcb...@gm...> wrote:
>
> Are you using virtual hosts? If you have defined virtual hosts, then you
> need to specify both the proxy rules and errordocument directives within the
> same virtual host container.
>
> I have implemented a similar mod_security mechanism to catch failed
> authentications for internal Oracle web apps. I have mod_security inspect
> the OUTPUT html returned by the proxied app server and look for the Oracle
> Error message. If it sees this, it will trigger a 401 status code and then
> use the CGI script that I specified in the ErrorDocument.
>
> <LocationMatch "/application1/login.do">
> SecFilterSelective OUTPUT "ORA-01017\: invalid username\/password\; logon denied" status:401
> </LocationMatch>
>
> This works fine for me, however I had to specify all of this within the
> SSL/443 virtual host container.
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
>
> On 3/30/06, Eric <e3...@gm...> wrote:
> >
> > Hi,
> >
> > I am currently using apache as a proxy for serving content from a backend
> > application server. I am using modsecurity to send requests for non-existent
> > pages to a custom 404 page. The command that I am using is SecFilterSelective
> > OUTPUT "..." "log,status:404" with the 404 as a custom page I define with
> > ErrorDocument 404 /404/error/page. And it seems to be catching the rule fine.
> >
> > The problem that I am having is what Error Page is returned. When the content
> > is coming from apache the Custom error page is returned, but when the content
> > is coming from the app server the default 404 message is displayed. In both
> > cases the SecFilter rule is catching the "..." correctly, but it's just not
> > displaying the custom 404 page.
> >
> > Any ideas why the custom page is not being displayed?
> >
> > Thanks.
> >
> > -Eric
|
From: Ryan B. <rcb...@gm...> - 2006-03-30 16:48:54
|
Are you using virtual hosts? If you have defined virtual hosts, then you need to specify both the proxy rules and errordocument directives within the same virtual host container.

I have implemented a similar mod_security mechanism to catch failed authentications for internal Oracle web apps. I have mod_security inspect the OUTPUT html returned by the proxied app server and look for the Oracle Error message. If it sees this, it will trigger a 401 status code and then use the CGI script that I specified in the ErrorDocument.

<LocationMatch "/application1/login.do">
SecFilterSelective OUTPUT "ORA-01017\: invalid username\/password\; logon denied" status:401
</LocationMatch>

This works fine for me, however I had to specify all of this within the SSL/443 virtual host container.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 3/30/06, Eric <e3...@gm...> wrote:
>
> Hi,
>
> I am currently using apache as a proxy for serving content from a backend
> application server. I am using modsecurity to send requests for non-existent
> pages to a custom 404 page. The command that I am using is SecFilterSelective
> OUTPUT "..." "log,status:404" with the 404 as a custom page I define with
> ErrorDocument 404 /404/error/page. And it seems to be catching the rule fine.
>
> The problem that I am having is what Error Page is returned. When the content
> is coming from apache the Custom error page is returned, but when the content
> is coming from the app server the default 404 message is displayed. In both
> cases the SecFilter rule is catching the "..." correctly, but it's just not
> displaying the custom 404 page.
>
> Any ideas why the custom page is not being displayed?
>
> Thanks.
>
> -Eric
|
From: Ivan R. <iv...@we...> - 2006-03-30 16:34:10
|
Eric wrote:
>
> The problem that I am having is what Error Page is returned. When the content
> is coming from apache the Custom error page is returned, but when the content
> is coming from the app server the default 404 message is displayed. In both
> cases the SecFilter rule is catching the "..." correctly, but it's just not
> displaying the custom 404 page.
>
>
> Any ideas why the custom page is not being displayed?
I think it's an Apache issue, i.e. the ErrorDocument feature is
not working correctly. I have noticed it myself, although I am not
really sure if it's the same with all versions.
Apache has this feature called content filters. When a problem is
discovered in output it is the (ModSecurity) filter that is reporting
the problem. It seems that Apache does not handle that case
correctly.
It is something I will look into shortly. In the first instance
(e.g. 2.0) I was thinking of enabling ModSecurity to create
error pages directly. This would also allow one to use the same
error code with different pages, which I think is needed in
real life.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Eric <e3...@gm...> - 2006-03-30 16:20:50
|
Hi,

I am currently using apache as a proxy for serving content from a backend application server. I am using modsecurity to send requests for non-existent pages to a custom 404 page. The command that I am using is SecFilterSelective OUTPUT "..." "log,status:404" with the 404 as a custom page I define with ErrorDocument 404 /404/error/page. And it seems to be catching the rule fine.

The problem that I am having is what Error Page is returned. When the content is coming from apache the Custom error page is returned, but when the content is coming from the app server the default 404 message is displayed. In both cases the SecFilter rule is catching the "..." correctly, but it's just not displaying the custom 404 page.

Any ideas why the custom page is not being displayed?

Thanks.

-Eric
|
From: Ivan R. <iv...@we...> - 2006-03-30 09:54:11
|
Skye Poier wrote:
>
> What is apr_global_mutex_child_init() doing?
> I guess I'll look through the Apache2 source next.
Sometimes, after a fork, the child process needs to initialise
a mutex in order to be able to access it. This isn't necessary
on all platforms but I don't know the details. I've never had
a child-access permission problem on Unix.
> I recall reading that POSIX semaphores may not be safe with
> mod_security.
Not that I know of.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Skye P. <sk...@f4...> - 2006-03-30 09:09:33
|
Investigating the Apache2 source seems to have found the problem.

In FreeBSD ports at least, the default APR locking method is APR_USE_FLOCK_SERIALIZE. I'm sure flock() doesn't work well with a chroot() between calls :) I wonder what would happen if the flock fd was pointing at a lockfile inside the chroot jail? The man page doesn't say what happens to open file fds...

Looks like mod_security and mod_rewrite are affected at least (both use locking on their log files)

Maybe some other default APR locking method (like SysV semaphores) is safe on FreeBSD 6. I recall reading that POSIX semaphores may not be safe with mod_security.

Thanks
Skye
|
From: Skye P. <sk...@f4...> - 2006-03-30 08:40:28
|
Ivan Ristic <ivanr <at> webkreator.com> writes:
>
> You've probably left the mod_rewrite log outside the jail and
> mod_rewrite does not like that. Move it back in.
>
OK, I tried that. No difference at all. I didn't have RewriteLog on before.

The RewriteLog directive is not chrooted (to /home for me), it needed the full path (/home/var/log/rewrite.log)

I even tried creating both a /home/var/log/ and a /home/home/var/log just in case it was using the former before chroot and the latter after chroot, no luck.

Shouldn't all log files be opened before Apache is chrooted by mod_security? Seems like that is the case.

Here's a post I found with someone having the same problem:
http://www.telana.com/pipermail/peruser/2005-July/000078.html

quote:
"it seems RewriteLogLevel 0 isnt enough
i commented out the following in mod_rewrite.c, and mod_rewrite still seems to work

/*
rv = apr_global_mutex_child_init(&rewrite_log_lock, NULL, p);
if (rv != APR_SUCCESS) {
    ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                 "mod_rewrite: could not init rewrite log lock in child");
}
*/
"

What is apr_global_mutex_child_init() doing?
I guess I'll look through the Apache2 source next.

Thanks,
Skye
|
From: Ivan R. <iv...@we...> - 2006-03-30 08:02:53
|
Skye Poier wrote:
> Hi, thanks for mod_security!!!! Made chrooting my Apache2 relatively easy.
>
> However I'm getting a lot of these in my httpd-error.log
>
> [Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot checkpoint #1 (pid=1599 ppid=1594)
> [Wed Mar 29 22:52:29 2006] [notice] mod_security/1.9.2 configured
> [Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot checkpoint #2 (pid=1600 ppid=1)
> [Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot successful, path=/home
> [Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
You've probably left the mod_rewrite log outside the jail and
mod_rewrite does not like that. Move it back in.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Ivan R. <iv...@we...> - 2006-03-30 08:01:15
|
Steve West wrote:
> ModSecurity version: 1.9.2
> Apache version: 1.3.34
> OS: Red Hat Enterprise Linux ES release 3 (Taroon Update 7)
> Kernel: Linux 2.4.21-40.ELsmp #1 SMP Thu Feb 2 22:22:39 EST 2006 i686
> i686 i386 GNU/Linux
> Browser: IE 6 and Firefox 1.5.1
>
> Hi folks,
>
> We have a cgi script which works fine except for one function which
> mod_security blocks when users click on a link sent to their email to
> approve their mailing list subscription (double opt-in).
>
> ...
>
> The mod_security audit log shows the following:
>
> ...
>
> Error: Premature end of script headers:
> /hsphere/shared/apache/htdocs/cgi-bin/mail.cgi
Whenever mod_security does something it outputs a message into
error log to tell you about it. That does not appear to be the
case here. It looks to me simply as though the CGI script is
malfunctioning somehow.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net