mod-security-users Mailing List for ModSecurity (Page 534)
From: Tom A. <tan...@oa...> - 2006-03-20 15:49:58
|
Sub Zero wrote:
> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
> ARG("PHPSESSID")
>
> How do I add ; to the argument separators?
Put in the character set "!^[0-9a-f;]*$"
Tom
|
|
From: Sub Z. <Su...@su...> - 2006-03-20 06:03:39
|
Hi,
I get requests like:
/forum/index.php?PHPSESSID=a93e99e5fddf254eeab23bd5b9725579; HTTP/1.1
/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;topic=137.new
HTTP/1.1
/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;board=10.0
HTTP/1.1
/forum/index.php?PHPSESSID=77d5ed1dfdb8dc18e8e3b61ff7896c1c;topic=9.new
HTTP/1.1
/forum/index.php?PHPSESSID=44739390b8bc8980c9fccf0606fb5c79;topic=9.new
HTTP/1.1
and they are all blocked with:
Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
ARG("PHPSESSID")
How do I add ; to the argument separators?
Awaiting answers. Have a nice day.
--
SubZero
|
|
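The requests quoted in this thread, checked against the rule from the alert and against the widened character class from the reply. This is an added example, not code from the list or from ModSecurity. It assumes arguments are split on `&` only, which is what the alert implies since the `;` ended up inside the PHPSESSID value; the `separators` parameter is a hypothetical model of the parser, not a ModSecurity directive.

```python
import re
from urllib.parse import unquote

# Request URIs copied from the post above (the trailing " HTTP/1.1" removed).
REQUESTS = [
    "/forum/index.php?PHPSESSID=a93e99e5fddf254eeab23bd5b9725579;",
    "/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;topic=137.new",
    "/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;board=10.0",
    "/forum/index.php?PHPSESSID=77d5ed1dfdb8dc18e8e3b61ff7896c1c;topic=9.new",
    "/forum/index.php?PHPSESSID=44739390b8bc8980c9fccf0606fb5c79;topic=9.new",
]

ORIGINAL = r"^[0-9a-f]*$"   # pattern from the alert (the rule negates it with "!")
WIDENED = r"^[0-9a-f;]*$"   # character class suggested in the reply


def parse_args(uri, separators="&"):
    """Split the query string into (name, value) pairs on the given characters."""
    query = uri.partition("?")[2]
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", query):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def denied(uri, pattern, arg="PHPSESSID", separators="&"):
    """Model a negated rule: deny when the argument value does NOT match."""
    for name, value in parse_args(uri, separators):
        if name == arg and re.search(pattern, value) is None:
            return True
    return False


def verdicts(pattern, separators="&"):
    """Deny/allow decision for every quoted request, in order."""
    return [denied(uri, pattern, separators=separators) for uri in REQUESTS]


if __name__ == "__main__":
    cases = [
        ("original pattern, '&' only", ORIGINAL, "&"),
        ("widened class, '&' only", WIDENED, "&"),
        ("original pattern, '&' and ';'", ORIGINAL, "&;"),
    ]
    for label, pattern, seps in cases:
        print(label)
        for uri, blocked in zip(REQUESTS, verdicts(pattern, seps)):
            print("  %-5s %s" % ("DENY" if blocked else "allow", uri))
```

With `&`-only splitting, everything after the `;` (for example `;topic=137.new`) is still part of the PHPSESSID value, so the session-ID check only sees a pure hex value once `;` is treated as a separator.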
From: Alberto G. I. <ag...@in...> - 2006-03-19 17:03:57
|
On Sat, Mar 18, 2006 at 08:57:56PM +0000, Ivan Ristic wrote:
> Zach Roberts wrote:
> > "P.S. There is no support for Apache 1.x in this development release."
> >
> > I hadn't had time to look into the 2.0.0 release for a bit aside from
> > reading the notes on the mailing list.
> >
> > Does this mean that 2.0.0 is going to support Apache 2+ only or will it
> > be made for 1.3 too?
>
> I haven't decided yet. But I can tell you that I have no need for
> ModSecurity to run with Apache 1.3.x and that maintaining two
> versions requires a lot of my time.
>
> It would be nice to know how many people are actually running
> ModSecurity with Apache 1.3.x, but that's very difficult to
> tell considering ModSecurity is an open source project. Perhaps
> a survey would be a good idea...
>
My new servers usually end up with Apache 2.x, but the ones already
working (and perfectly) are mostly using Apache 1.3.x and I won't bother
on moving them in some years. I guess this kind of situation is quite
common.
But you asked for stats, so here there are some:
http://popcon.debian.org/by_inst (WARNING: 5 MB file)
To sum up:
mod-security-common 245 installations
(common package for both the Apache 2.x and the Apache 1.3.x packages)
libapache2-mod-security 175 installs
libapache-mod-security 99 installs
(probably more than one has both installed)
Also to be mentioned that the tool used to make this stats was made an
install decision on Sarge (new installs) so probably there's a bunch of
Woodys using it not listed (i.e. my oldest servers).
Regards,
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
|
|
From: Zach R. <ad...@li...> - 2006-03-18 21:52:54
|
I can give you several reasons why supporting Apache 1.3.x is a must.
1) cPanel does not support any version of Apache higher than 1.3 at this time. There is no clear timetable for the support of Apache 2. As the dominant control panel this will limit many of us to 1.9.x.
2) Many that haven't upgraded to Apache 2 just see no reason. Apache 1.3.x has served our needs well and continues to do so.
3) I really want that RBL support and I use cPanel. :)
Zach
Ivan Ristic wrote:
> Zach Roberts wrote:
>
>> "P.S. There is no support for Apache 1.x in this development release."
>>
>> I hadn't had time to look into the 2.0.0 release for a bit aside from
>> reading the notes on the mailing list.
>>
>> Does this mean that 2.0.0 is going to support Apache 2+ only or will it
>> be made for 1.3 too?
>>
>
> I haven't decided yet. But I can tell you that I have no need for
> ModSecurity to run with Apache 1.3.x and that maintaining two
> versions requires a lot of my time.
>
> It would be nice to know how many people are actually running
> ModSecurity with Apache 1.3.x, but that's very difficult to
> tell considering ModSecurity is an open source project. Perhaps
> a survey would be a good idea...
>
|
|
From: Ivan R. <iv...@we...> - 2006-03-18 20:56:14
|
Zach Roberts wrote:
> "P.S. There is no support for Apache 1.x in this development release."
>
> I hadn't had time to look into the 2.0.0 release for a bit aside from
> reading the notes on the mailing list.
>
> Does this mean that 2.0.0 is going to support Apache 2+ only or will it
> be made for 1.3 too?
I haven't decided yet. But I can tell you that I have no need for
ModSecurity to run with Apache 1.3.x and that maintaining two
versions requires a lot of my time.
It would be nice to know how many people are actually running
ModSecurity with Apache 1.3.x, but that's very difficult to
tell considering ModSecurity is an open source project. Perhaps
a survey would be a good idea...
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: Zach R. <ad...@li...> - 2006-03-18 13:38:42
|
"P.S. There is no support for Apache 1.x in this development release."
I hadn't had time to look into the 2.0.0 release for a bit aside from
reading the notes on the mailing list.
Does this mean that 2.0.0 is going to support Apache 2+ only or will it
be made for 1.3 too?
--
Zach
|
|
From: Ivan R. <iv...@we...> - 2006-03-15 09:24:32
|
j liu wrote:
> hi
> I am reading the source for win32-----"mod_security.c" , it is from
> "1.9.2" /apache2,
Hi,
Please report any problems to me directly as this is a list for
the users. I doubt the others are interested in the C source code.
Also, if your purpose is to find bugs I suggest you read the latest
code from the CVS (for either branch).
> I think I discovered two mistakes:
> 1. In the function of "cmd_filter_remove", I think that it is the
> same as "cmd_filter_import"
It isn't. Look closer, there's a small difference.
> 2. In the function of "cmd_filter_selective",
>
> " v->type = VAR_UNKNOWN;
> v->name = NULL;
>
> /* when ! is the first character in the variable
> * name, that means that the restrictions need to be
> * relaxed for that variable (within the filter scope)
> */
> if (t[0] == '!') {
> v->action = VAR_ACTION_ALLOW;
> sig->is_negative = 1;
> sig->requires_parsed_args =
> 1; ----------------------------------------- v->type=?
v->type will be assigned later. It's not determined yet.
> x++;
> }
> else {
> v->action = VAR_ACTION_DENY;
> }
>
> .......................................
>
> if (v->type == VAR_UNKNOWN) {
> ------------------------------------------------the same as " t[0] ==
> '!' " ?
No, it's not. Why do you think that?
> v->name = apr_pstrdup(cmd->pool, "UKNOWN");
> return apr_psprintf(cmd->pool, "Unknown variable name: %s", x);
> }
> if ((v->type == VAR_ARGS_NAMES)||(v->type == VAR_ARGS_VALUES))
> sig->requires_parsed_args = 1;
> -----------------------------------------it is impossible that
> "((v->type == VAR_ARGS_NAMES)||(v->type == VAR_ARGS_VALUES)) "
> "
It's possible, v->type can have one of many values. Why do you
think otherwise?
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: j l. <no...@gm...> - 2006-03-15 08:19:26
|
hi
I am reading the source for win32-----"mod_security.c" , it is from
"1.9.2" /apache2,
I think I discovered two mistakes:
1. In the function of "cmd_filter_remove", I think that it is the same
as "cmd_filter_import"
2. In the function of "cmd_filter_selective",
" v->type = VAR_UNKNOWN;
v->name = NULL;
/* when ! is the first character in the variable
* name, that means that the restrictions need to be
* relaxed for that variable (within the filter scope)
*/
if (t[0] == '!') {
v->action = VAR_ACTION_ALLOW;
sig->is_negative = 1;
sig->requires_parsed_args =
1; ----------------------------------------- v->type=?
x++;
}
else {
v->action = VAR_ACTION_DENY;
}
.......................................
if (v->type == VAR_UNKNOWN) {
------------------------------------------------the same as " t[0] == '!' " ?
v->name = apr_pstrdup(cmd->pool, "UKNOWN");
return apr_psprintf(cmd->pool, "Unknown variable name: %s", x);
}
if ((v->type == VAR_ARGS_NAMES)||(v->type == VAR_ARGS_VALUES))
sig->requires_parsed_args = 1;
-----------------------------------------it is impossible that
"((v->type == VAR_ARGS_NAMES)||(v->type == VAR_ARGS_VALUES)) "
"
I am confused of these above.
|
|
From: Ivan R. <iv...@we...> - 2006-03-14 15:12:13
|
Thomas Behrend wrote:
> Terry Dooher wrote:
>
>> This rule will essentially do nothing at all. pass allows you to log
>> matching entries with actions such as 'log,pass'. Using it on its own or
>> with nolog will do nothing.
>>
>> To explicitly accept a request based on a match, you need to use the
>> allow action:
>>
>> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>>
>> Of course, you'll have to be careful where exactly this rule appears. If
>> you put it at the top, then anyone can subvert the rest of your rule
>> set by simply inserting a euro character in their request. It's good
>> practice to put your allow rules right at the bottom of the list. Of
>> course, if one of your other rules triggers a 'deny' on similar
>> content, then the request will never reach this rule and you'll have to
>> figure out some sort of chaining.
>>
>> I can't comment on the regular expression itself, however. I run a
>> vBulletin 3.0 system myself and I'm curious as to what you're trying to
>> match with the \|+ and \| at either end of it.
>>
>> Terry.
>>
> It was one of many tries to get it working, but none worked, not allow,
> not pass, no QUERY_STRING rule, really nothing. The only workaround for it
> was to deactivate the CheckURLEncoding option. For now it's working
> without postscanning, but I will try it without ajax, maybe I have more
> luck without it.
It didn't work because:
1) URL-encoding is checked before any rules are run.
2) You used THE_REQUEST as the target:
SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog
and the problem was in the request payload (POST_PAYLOAD).
BTW, please subscribe to the list to have your posts go directly
through.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: Thomas B. <web...@sp...> - 2006-03-14 15:04:45
|
Terry Dooher wrote:
>
> This rule will essentially do nothing at all. pass allows you to log
> matching entries with actions such as 'log,pass'. Using it on its own or
> with nolog will do nothing.
>
> To explicitly accept a request based on a match, you need to use the
> allow action:
>
> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>
> Of course, you'll have to be careful where exactly this rule appears. If
> you put it at the top, then anyone can subvert the rest of your rule
> set by simply inserting a euro character in their request. It's good
> practice to put your allow rules right at the bottom of the list. Of
> course, if one of your other rules triggers a 'deny' on similar
> content, then the request will never reach this rule and you'll have to
> figure out some sort of chaining.
>
> I can't comment on the regular expression itself, however. I run a
> vBulletin 3.0 system myself and I'm curious as to what you're trying to
> match with the \|+ and \| at either end of it.
>
> Terry.
>
It was one of many tries to get it working, but none worked, not allow, not pass, no QUERY_STRING rule, really nothing. The only workaround for it was to deactivate the CheckURLEncoding option. For now it's working without postscanning, but I will try it without ajax, maybe I have more luck without it.
Best regards
Thomas Behrend
|
|
From: Thomas B. <web...@sp...> - 2006-03-14 14:56:03
|
Ivan Ristic wrote:
>
> The above (%u20AC) is not a valid URL-encoded character. I suspect
> this is a programming error in vbulletin. I also suspect they
> should encode the character like this: %25u20AC.
>
> You can allow it simply by turning URL-encoding validation off:
>
> SecFilterCheckURLEncoding Off
>
I deactivated this option for testing, and it worked. But I hoped someone knows how to set a filter rule for this problem. Anyway, for now it's working well, I don't think it's very risky to deactivate this option. Thanks for help.
Best regards
Thomas Behrend
|
|
From: <li...@32...> - 2006-03-14 14:37:39
|
Kewl! So it will run on a unix server running OS X?
on 3/14/06 9:14 AM, Ivan Ristic at iv...@we... wrote:
> li...@32... wrote:
>> Ivan,
>>
>> What are the requirements going to be for the forthcoming ModSecurity
>> Console? PHP/MySQL?
>
> Nope, just JRE 1.4.x/1.5.x.
> (web server and database will be included, although external database
> will be supported).
>
> The Console is going to be much more than a simple frontend
> for a database. PHP doesn't cut it.
|
|
From: Ivan R. <iv...@we...> - 2006-03-14 14:13:54
|
li...@32... wrote:
> Ivan,
>
> What are the requirements going to be for the forthcoming ModSecurity
> Console? PHP/MySQL?
Nope, just JRE 1.4.x/1.5.x.
(web server and database will be included, although external database
will be supported).
The Console is going to be much more than a simple frontend
for a database. PHP doesn't cut it.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: <li...@32...> - 2006-03-14 14:04:09
|
Ivan,
What are the requirements going to be for the forthcoming ModSecurity
Console? PHP/MySQL?
|
|
From: Ivan R. <iv...@we...> - 2006-03-14 14:01:51
|
Thomas Behrend wrote:
> Since the installation of the latest vbulletin version, we have some
> trouble with the € (%u20AC).
>
> ...
>
> mod_security-message: Access denied with code 500. Error parsing POST
> parameters: Error normalizing parameter value: Invalid URL encoding
> detected: invalid characters used
>
> ...
>
> ajax=1&ajax_lastpost=1141671043&message=sdsdsdfsfsdfdsf%20%u20AC
The above (%u20AC) is not a valid URL-encoded character. I suspect
this is a programming error in vbulletin. I also suspect they
should encode the character like this: %25u20AC.
You can allow it simply by turning URL-encoding validation off:
SecFilterCheckURLEncoding Off
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
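The URL-encoding check described in the reply above, applied to the POST body from the logged request. This is an added example, not ModSecurity's code or anything posted to the list; the function names are hypothetical, and the rule assumed is the usual one that every `%` must be followed by two hex digits.

```python
from urllib.parse import unquote_plus

HEX_DIGITS = set("0123456789abcdefABCDEF")

# POST body from the audit log entry quoted in this thread.
LOGGED_BODY = (
    "ajax=1&ajax_lastpost=1141671043&message=sdsdsdfsfsdfdsf%20%u20AC"
    "&wysiwyg=0&signature=1&fromquickreply=1&s=&do=postreply&t=2401"
    "&p=who%20cares&parseurl=1&s="
)


def find_invalid_escapes(text):
    """Return (offset, snippet) for every '%' not followed by two hex digits."""
    bad = []
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
                i += 3          # well-formed %XX escape, skip past it
                continue
            bad.append((i, text[i:i + 6]))
        i += 1
    return bad


def check_body(body):
    """Map parameter name -> invalid escapes found in that name=value pair.

    Offsets are relative to the start of the pair, name included.
    """
    failures = {}
    for pair in body.split("&"):
        bad = find_invalid_escapes(pair)
        if bad:
            failures[pair.partition("=")[0]] = bad
    return failures


def decode_strict(body):
    """Decode a form body, refusing it outright if any escape is malformed."""
    failures = check_body(body)
    if failures:
        raise ValueError("invalid URL encoding in: " + ", ".join(sorted(failures)))
    decoded = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        decoded.append((unquote_plus(name), unquote_plus(value)))
    return decoded


if __name__ == "__main__":
    print("as logged:", check_body(LOGGED_BODY))
    fixed = LOGGED_BODY.replace("%u20AC", "%25u20AC")
    print("with %25u20AC:", check_body(fixed))
    print("decoded message:", dict(decode_strict(fixed))["message"])
    # A lenient decoder passes the malformed escape through unchanged.
    print("lenient decode of %u20AC:", unquote_plus("%u20AC"))
```

A lenient decoder such as `unquote_plus` leaves `%u20AC` in place rather than rejecting it, which is why a strict validator in front of a lenient application sees the two forms differently.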
From: Terry D. <tdo...@na...> - 2006-03-14 11:40:49
|
Thomas Behrend wrote:
[snip]
>
> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog
>
This rule will essentially do nothing at all. pass allows you to log matching entries with actions such as 'log,pass'. Using it on its own or with nolog will do nothing.
To explicitly accept a request based on a match, you need to use the allow action:
SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
Of course, you'll have to be careful where exactly this rule appears. If you put it at the top, then anyone can subvert the rest of your rule set by simply inserting a euro character in their request. It's good practice to put your allow rules right at the bottom of the list. Of course, if one of your other rules triggers a 'deny' on similar content, then the request will never reach this rule and you'll have to figure out some sort of chaining.
I can't comment on the regular expression itself, however. I run a vBulletin 3.0 system myself and I'm curious as to what you're trying to match with the \|+ and \| at either end of it.
Terry.
|
|
From: Thomas B. <web...@sp...> - 2006-03-14 08:01:48
|
Since the installation of the latest vbulletin version, we have some trouble with the € (%u20AC).
When someone tries to use the quick-answer function, it hangs on submit and I got this log entry:
###################################################################################################
========================================
Request: 84.181.222.208 - - [06/Mar/2006:20:22:52 +0100] "POST /newreply.php HTTP/1.1" 500 132018
Handler: (null)
----------------------------------------
POST /newreply.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Accept-Language: de
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: vbulletin_collapse=vbindex_poll%0Avbindex_customblock1%0Avbindex_onlineusers%0Avbindex_customblock2%0Avbindex_customblock5%0Avbindex_customblock3%0Avbindex_customblock4%0Amodule_18%0Amodule_4_2223%0Amodule_4_2129%0Amodule_14%0Amodule_10%0Amodule_7%0Amodule_16%0Asimilarthreads%0Aforumrules%0Amodule_17%0Amodule_6%0Amodule_13%0Amodule_15%0Amodule_3%0Amodule_19%0Amodule_20; bbstyleid=8; bblastactivity=0; bbpassword=45607a9db79ae5183869714014f52482; bblastactivity=0; bbpassword=45607a9db79ae5183869714014f52482; bbuserid=116; bbuserid=116; bblastvisit=1137987506; bblastvisit=1119689584; bbsessionhash=459be9994d399f34f77a72320b48203c; bbthread_lastview=18660539a878ce8c1d3c4b58eb661985a-3-%7Bi-1984_i-1141664362_i-2385_i-1141669965_i-2401_i-1141671043_%7D; bbforum_view=914767cf6ea023144ed3f3764dac98eca-1-%7Bi-32_i-1141670455_%7D
Host: www.spieleplanet.ch
Keep-Alive: 300
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7.8) Gecko/20050511
mod_security-message: Access denied with code 500. Error parsing POST parameters: Error normalizing parameter value: Invalid URL encoding detected: invalid characters used
mod_security-action: 500
154
ajax=1&ajax_lastpost=1141671043&message=sdsdsdfsfsdfdsf%20%u20AC&wysiwyg=0&signature=1&fromquickreply=1&s=&do=postreply&t=2401&p=who%20cares&parseurl=1&s=
HTTP/1.1 500 Internal Server Error
Vary: *
Last-Modified: Wed, 09 Jun 2004 23:18:33 GMT
ETag: "f5c3e0-203b2-40c79ac9"
Accept-Ranges: bytes
Content-Length: 132018
Connection: close
Content-Type: image/jpeg
###################################################################################################
Same thing with postedit.php, so I try to make a rule in httpd.conf:
SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog
and
<LocationMatch "/newreply.php">
SecFilterSelective THE_REQUEST "\.*[\xu20AC].*\" pass,nolog
</LocationMatch>
Can anyone help me with this rule, I try anything I know, but both won't work atm. Maybe it's a problem with the ajax function, but I don't have any clue how to solve it.
Best regards
Thomas Behrend
|
|
From: Tom A. <tan...@oa...> - 2006-03-10 14:25:50
|
Jason Haar wrote:
> FYI about caching...
>
> I am just going through an issue with the lack of *NEGATIVE TTL* caching
> (DNS NCACHE support) within djbdns's dnscache. It really hits the
> performance of SpamAssassin from far-away countries (from the RBL
> servers) like mine (New Zealand).
>
> Be aware that you probably want to cache both *successful* and
> *unsuccessful* lookups as you cannot rely on the DNS server your OS is
> using to do it for you. The negative caching especially is important, as
> realistically, 99.9% of the IPs that connect to a Web server won't be in
> any RBL.
I hope that such a cache would also allow local blacklisting of non-RBL'd addresses so that prior failures of other rules could trigger (through a "blacklist" action) the rejection of all requests from that address without having to run the full gamut of rules on each subsequent hit.
Tom
|
|
From: Ivan R. <iv...@we...> - 2006-03-10 08:53:37
|
Jason Haar wrote:
> Ivan Ristic wrote:
>> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
>> operation. Example (it's documented in the manual too):
>>
>> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>>
>> Regex backreferences will be supported in 2.0.0-dev2 (they
>> are supported already in the CVS BTW). Caching is not supported
>> at the moment. I do plan to support it in 2.0.0-dev2.
>>
> FYI about caching...
>
> I am just going through an issue with the lack of *NEGATIVE TTL* caching
> (DNS NCACHE support) within djbdns's dnscache. It really hits the
> performance of SpamAssassin from far-away countries (from the RBL
> servers) like mine (New Zealand).
>
> Be aware that you probably want to cache both *successful* and
> *unsuccessful* lookups as you cannot rely on the DNS server your OS is
> using to do it for you. The negative caching especially is important, as
> realistically, 99.9% of the IPs that connect to a Web server won't be in
> any RBL.
Noted. BTW, it should be possible to use the IP blacklisting
mechanism for caching even now (the drawback is you won't be able
to use it for something else). The following works in 2.0.0-dev1:
# Enable IP tracking
SecIpInfo On
SecDataDir /var/lib/msa
# Deny access to those we know are in the RBL
SecFilterSelective IP_BLOCK_MESSAGE "INRBL" log,deny,status:403
# Do not lookup the addresses we saw recently
SecFilterSelective IP_IS_BLOCKED "@eq 1" skip:2
# Block addresses in RBL
SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org" \
"log,deny,status:403,blockip:3600,msg:'INRBL'"
# Put all addresses on the list but with a different message
SecFilterSelective REMOTE_ADDR !^$ nolog,pass,blockip:3600,msg:'NOTRBL'
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
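The caching behaviour discussed in the two messages around this point (remember listed and unlisted addresses alike for a fixed period) sketched as a small lookup cache. This is an added example, not ModSecurity's implementation; the class, its parameters and the sample addresses are hypothetical, with the 3600-second lifetime and the zone name taken from the configuration above.

```python
import ipaddress
import socket
import time


def dns_resolver(name):
    """Return True when the RBL query name resolves (the address is listed)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


class RblCache:
    """DNS blacklist lookups with positive AND negative caching."""

    def __init__(self, zone, resolver=dns_resolver, ttl=3600, negative_ttl=None,
                 clock=time.monotonic):
        self.zone = zone
        self.resolver = resolver
        self.ttl = ttl
        # Misses are cached too; by default for the same period as hits.
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl
        self.clock = clock
        self._entries = {}  # ip string -> (listed, expiry time)

    def query_name(self, ip):
        """Build the lookup name: reversed IPv4 octets followed by the zone."""
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + "." + self.zone

    def is_listed(self, ip):
        now = self.clock()
        entry = self._entries.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]  # served from cache, no DNS traffic
        listed = self.resolver(self.query_name(ip))
        lifetime = self.ttl if listed else self.negative_ttl
        self._entries[ip] = (listed, now + lifetime)
        return listed


def demo():
    """Run three lookups against a constructed resolver; return the DNS query log."""
    queries = []
    listed_names = {"10.2.0.192.sbl-xbl.spamhaus.org"}  # constructed sample data

    def fake_resolver(name):
        queries.append(name)
        return name in listed_names

    cache = RblCache("sbl-xbl.spamhaus.org", resolver=fake_resolver)
    cache.is_listed("192.0.2.10")     # listed, one query
    cache.is_listed("198.51.100.7")   # not listed, one query
    cache.is_listed("198.51.100.7")   # negative answer comes from the cache
    return queries


if __name__ == "__main__":
    print(demo())
```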
From: Jason H. <Jas...@tr...> - 2006-03-10 02:32:37
|
Ivan Ristic wrote:
> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
> operation. Example (it's documented in the manual too):
>
> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>
> Regex backreferences will be supported in 2.0.0-dev2 (they
> are supported already in the CVS BTW). Caching is not supported
> at the moment. I do plan to support it in 2.0.0-dev2.
>
FYI about caching...
I am just going through an issue with the lack of *NEGATIVE TTL* caching
(DNS NCACHE support) within djbdns's dnscache. It really hits the
performance of SpamAssassin from far-away countries (from the RBL
servers) like mine (New Zealand).
Be aware that you probably want to cache both *successful* and
*unsuccessful* lookups as you cannot rely on the DNS server your OS is
using to do it for you. The negative caching especially is important, as
realistically, 99.9% of the IPs that connect to a Web server won't be in
any RBL.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
|
|
From: Ivan R. <iv...@we...> - 2006-03-09 16:33:20
|
ste...@gm... wrote:
>> --- Original Message ---
>> From: Ivan Ristic <iv...@we...>
>> To: mod...@li...
>> Subject: [mod-security-users] RBL support available in 2.0.0-dev1
>> Date: Thu, 09 Mar 2006 11:52:42 +0000
>>
>>
>> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
>> operation. Example (it's documented in the manual too):
>>
>> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>>
>> Regex backreferences will be supported in 2.0.0-dev2 (they
>> are supported already in the CVS BTW). Caching is not supported
>> at the moment. I do plan to support it in 2.0.0-dev2.
>>
> Would you recommend using 2.0.0-dev2 in production? Or do I have to expect
> a lot of problems?
You mean 2.0.0-dev1. It should be stable but, still, it is a
development release.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: Ivan R. <iv...@we...> - 2006-03-09 16:32:17
|
ste...@gm... wrote:
>
> > Sounds to me Apache is crashing because you don't have enough
> > RAM to run all those rules.
> >
> Okay. The system has 1GB memory. Did not know, that mod_security does take
> that much memory for the rules.
In a way it does not really matter how efficient ModSecurity
is - you can always kill it by using too many rules. Plus, it
depends on the type of traffic. Large requests translate to
using a lot of memory to process them. The number of concurrent
requests also plays a role.
>> FYI, 1.9.3 uses less memory so you may be able to use that
>> without crashing.
>>
> Will install 1.9.3 right now.
BTW, it's still 1.9.3-rc1. Let us know how you fare.
>> Either way, you are killing the performance with such a large
>> number of rules. Blacklisting, in particular, is much better
>> done with an RBL-style protection.
>>
> How to implement RBL-style protection with mod_security?
I didn't necessarily mean to use ModSecurity for it. Incidentally,
2.0.0-dev1 supports it - see my earlier post or the documentation.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
|
From: <ste...@gm...> - 2006-03-09 16:30:26
|
> --- Original Message ---
> From: Ivan Ristic <iv...@we...>
> To: mod...@li...
> Subject: [mod-security-users] RBL support available in 2.0.0-dev1
> Date: Thu, 09 Mar 2006 11:52:42 +0000
>
>
> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
> operation. Example (it's documented in the manual too):
>
> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>
> Regex backreferences will be supported in 2.0.0-dev2 (they
> are supported already in the CVS BTW). Caching is not supported
> at the moment. I do plan to support it in 2.0.0-dev2.
>
Would you recommend using 2.0.0-dev2 in production? Or do I have to expect
a lot of problems?
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
> Apache Security (O'Reilly): http://www.apachesecurity.net
>
|
|
From: <ste...@gm...> - 2006-03-09 16:25:42
|
> --- Original Message ---
> From: Ivan Ristic <iv...@we...>
> To: ste...@gm...
> Cc: mod...@li...
> Subject: Re: [mod-security-users] Getting Segmentation fault with to much
> rules
> Date: Thu, 09 Mar 2006 09:33:44 +0000
>
> ste...@gm... wrote:
> > I have mod_security 1.9.2 on Gentoo Linux, compiled with hardened gcc 3.4.5.
> > The system has PaX and grsecurity active. mod_security is compiled with
> > "-march=athlon-tbird -O2 -pipe -mmmx -m3dnow -fforce-addr
> > -fomit-frame-pointer -falign-functions=4". Apache is 2.0.55.
> >
> > When I load too many rules (like the ones from
> > http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf) into
> > mod_security, then mod_security starts to get segmentation faults.
> >
> > I don't know why? Maybe the Propolice patch is catching something?
>
> Sounds to me Apache is crashing because you don't have enough
> RAM to run all those rules.
>
Okay. The system has 1GB memory. Did not know, that mod_security does take
that much memory for the rules.
> FYI, 1.9.3 uses less memory so you may be able to use that
> without crashing.
>
Will install 1.9.3 right now.
> Either way, you are killing the performance with such a large
> number of rules. Blacklisting, in particular, is much better
> done with an RBL-style protection.
>
How to implement RBL-style protection with mod_security?
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
> Apache Security (O'Reilly): http://www.apachesecurity.net
>
|
|
From: Ivan R. <iv...@we...> - 2006-03-09 11:52:18
|
ModSecurity 2.0.0-dev1 is out and it includes support for RBL
operation. Example (it's documented in the manual too):
SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
Regex backreferences will be supported in 2.0.0-dev2 (they
are supported already in the CVS BTW). Caching is not supported
at the moment. I do plan to support it in 2.0.0-dev2.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|