mod-security-users Mailing List for ModSecurity (Page 539)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users — General discussion about mod_security
You can subscribe to this list here.
| 2003 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
(17) |
Aug
(7) |
Sep
(8) |
Oct
(11) |
Nov
(14) |
Dec
(19) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(46) |
Feb
(14) |
Mar
(20) |
Apr
(48) |
May
(15) |
Jun
(20) |
Jul
(36) |
Aug
(24) |
Sep
(31) |
Oct
(28) |
Nov
(23) |
Dec
(12) |
| 2005 |
Jan
(69) |
Feb
(61) |
Mar
(82) |
Apr
(53) |
May
(26) |
Jun
(71) |
Jul
(27) |
Aug
(52) |
Sep
(28) |
Oct
(49) |
Nov
(104) |
Dec
(74) |
| 2006 |
Jan
(61) |
Feb
(148) |
Mar
(82) |
Apr
(139) |
May
(65) |
Jun
(116) |
Jul
(92) |
Aug
(101) |
Sep
(84) |
Oct
(103) |
Nov
(174) |
Dec
(102) |
| 2007 |
Jan
(166) |
Feb
(161) |
Mar
(181) |
Apr
(152) |
May
(192) |
Jun
(250) |
Jul
(127) |
Aug
(165) |
Sep
(97) |
Oct
(135) |
Nov
(206) |
Dec
(56) |
| 2008 |
Jan
(160) |
Feb
(135) |
Mar
(98) |
Apr
(89) |
May
(115) |
Jun
(95) |
Jul
(188) |
Aug
(167) |
Sep
(153) |
Oct
(84) |
Nov
(82) |
Dec
(85) |
| 2009 |
Jan
(139) |
Feb
(133) |
Mar
(128) |
Apr
(105) |
May
(135) |
Jun
(79) |
Jul
(92) |
Aug
(134) |
Sep
(73) |
Oct
(112) |
Nov
(159) |
Dec
(80) |
| 2010 |
Jan
(100) |
Feb
(116) |
Mar
(130) |
Apr
(59) |
May
(88) |
Jun
(59) |
Jul
(69) |
Aug
(67) |
Sep
(82) |
Oct
(76) |
Nov
(59) |
Dec
(34) |
| 2011 |
Jan
(84) |
Feb
(74) |
Mar
(81) |
Apr
(94) |
May
(188) |
Jun
(72) |
Jul
(118) |
Aug
(109) |
Sep
(111) |
Oct
(80) |
Nov
(51) |
Dec
(44) |
| 2012 |
Jan
(80) |
Feb
(123) |
Mar
(46) |
Apr
(12) |
May
(40) |
Jun
(62) |
Jul
(95) |
Aug
(66) |
Sep
(65) |
Oct
(53) |
Nov
(42) |
Dec
(60) |
| 2013 |
Jan
(96) |
Feb
(96) |
Mar
(108) |
Apr
(72) |
May
(115) |
Jun
(111) |
Jul
(114) |
Aug
(87) |
Sep
(93) |
Oct
(97) |
Nov
(104) |
Dec
(82) |
| 2014 |
Jan
(96) |
Feb
(77) |
Mar
(71) |
Apr
(40) |
May
(48) |
Jun
(78) |
Jul
(54) |
Aug
(44) |
Sep
(58) |
Oct
(79) |
Nov
(51) |
Dec
(52) |
| 2015 |
Jan
(55) |
Feb
(59) |
Mar
(48) |
Apr
(40) |
May
(45) |
Jun
(63) |
Jul
(36) |
Aug
(49) |
Sep
(35) |
Oct
(58) |
Nov
(21) |
Dec
(47) |
| 2016 |
Jan
(35) |
Feb
(81) |
Mar
(43) |
Apr
(41) |
May
(77) |
Jun
(52) |
Jul
(39) |
Aug
(34) |
Sep
(107) |
Oct
(67) |
Nov
(54) |
Dec
(20) |
| 2017 |
Jan
(99) |
Feb
(37) |
Mar
(86) |
Apr
(47) |
May
(57) |
Jun
(55) |
Jul
(34) |
Aug
(31) |
Sep
(16) |
Oct
(49) |
Nov
(53) |
Dec
(33) |
| 2018 |
Jan
(25) |
Feb
(11) |
Mar
(79) |
Apr
(77) |
May
(5) |
Jun
(19) |
Jul
(17) |
Aug
(7) |
Sep
(13) |
Oct
(22) |
Nov
(13) |
Dec
(68) |
| 2019 |
Jan
(44) |
Feb
(17) |
Mar
(40) |
Apr
(39) |
May
(18) |
Jun
(14) |
Jul
(20) |
Aug
(31) |
Sep
(11) |
Oct
(35) |
Nov
(3) |
Dec
(10) |
| 2020 |
Jan
(32) |
Feb
(16) |
Mar
(10) |
Apr
(22) |
May
(2) |
Jun
(34) |
Jul
(1) |
Aug
(8) |
Sep
(36) |
Oct
(16) |
Nov
(13) |
Dec
(10) |
| 2021 |
Jan
(16) |
Feb
(23) |
Mar
(45) |
Apr
(28) |
May
(6) |
Jun
(17) |
Jul
(8) |
Aug
(1) |
Sep
(2) |
Oct
(35) |
Nov
|
Dec
(5) |
| 2022 |
Jan
|
Feb
(17) |
Mar
(23) |
Apr
(23) |
May
(9) |
Jun
(8) |
Jul
|
Aug
|
Sep
(7) |
Oct
(5) |
Nov
(16) |
Dec
(4) |
| 2023 |
Jan
|
Feb
|
Mar
(3) |
Apr
|
May
(1) |
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
|
Dec
|
| 2024 |
Jan
(7) |
Feb
(13) |
Mar
(18) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(5) |
Dec
(3) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
(12) |
May
(12) |
Jun
(2) |
Jul
(3) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Carles B. <cbo...@is...> - 2006-02-16 11:28:14
|
En/na David De Maeyer ha escrit: >What I would like to do is to only log in the Apache >access.log the requests containing "origin" in the >POST request AND calling "test.php" by properly >configuring mod_security. > >I looked at the SecFilter, SecFilterSelective and >SecFilterDefaultAction and did a few tests... e.g. I >tried: > >SecFilterSelective QUERY_STRING !"test\.php?origin=3D" >"nolog" > >But this didn't do the job. Not to say that everything >got logged into access.log... > >Any help would be appreciated! ;-) > >Best regards, >David > =20 > AFAIK mod_sedcurity has nothing to do with apache access file, whenever=20 you configure mod_security to log requests, its messages go to the file=20 it's set with ErrorLog directive. From modsec documentation=20 http://www.modsecurity.org/documentation/modsecurity-apache/stable/05-act= ions.html Action log ->Log filter match to the Apache error log. BTW, based upon my little knowledge of regular expressions, I guess that=20 your filter SecFilterSelective QUERY_STRING !"test\.php?origin=3D" "nolog" should be enough to remove other requests than the ones you're interested= in, from appearing in the ErrorLog file. bye. --=20 _________________________________ Carles Bonamusa P=E9rez Ingeniero de Software Dpto. Desarrollo de Soluciones cbo...@is... Internet Security Auditors, S.L. c. Santander, 101. Edif. A. 2=BA 1=AA 08030 Barcelona Tel: 93 305 13 18 Fax: 93 278 22 48 www.isecauditors.com ____________________________________ Este mensaje y los documentos que, en su caso lleve anexos, pueden contener informaci=F3n confidencial. Por ello, se informa a quien lo reciba por error que la informaci=F3n contenida en el mismo es reservada y su uso no autorizado est=E1 prohibido legalmente, por lo que en tal caso le rogamos que nos lo comunique por la misma v=EDa o por tel=E9fono (93 305 13 18), se abstenga de realizar copias del mensaje o remitirlo o entregarlo a otra persona y proceda a borrarlo de inmediato. En cumplimiento de la Ley Org=E1nica 15/1999 de 13 de diciembre de protecci=F3n de datos de car=E1cter personal, Internet Security Auditors S.L., le informa de que sus datos personales se han incluido en ficheros informatizados titularidad de Internet Security Auditors S.L., que ser=E1 el =FAnico destinatario de dichos datos, y cuya finalida= d exclusiva es la gesti=F3n de clientes y acciones de comunicaci=F3n comercial, y de que tiene la posibilidad de ejercer los derechos de acceso, rectificaci=F3n, cancelaci=F3n y oposici=F3n previstos en la ley mediante carta dirigida a Internet Security Auditors, c. Santander, 101. Edif. A. 2=BA 1=AA, 08030 Barcelona, o v=EDa e-mail a la siguiente direcci=F3n de correo: le...@is... |
|
From: David De M. <bio...@ya...> - 2006-02-16 10:36:35
|
Hi all, I have installed mod_security on one of our corporate servers (mod_security: 1.9.2, apache: 2.0.55, OS: FreeBSD 6, PHP: 5.1.2) and it works fine. I first installed mod_security for its ability to log POST requests. This works fine for me. I was wondering if I could use it for filtering and rejecting all the requests which are not identified/addressed by/to a specific web application; logging only the successful requests into access.log. Say a client sends a POST request containing a variable "origin" to a PHP script called "test.php" served by the server on which mod_security is installed and configured. What I would like to do is to only log in the Apache access.log the requests containing "origin" in the POST request AND calling "test.php" by properly configuring mod_security. I looked at the SecFilter, SecFilterSelective and SecFilterDefaultAction and did a few tests... e.g. I tried: SecFilterSelective QUERY_STRING !"test\.php?origin=" "nolog" But this didn't do the job. Not to say that everything got logged into access.log... Any help would be appreciated! ;-) Best regards, David ___________________________________________________________________________ Nouveau : téléphonez moins cher avec Yahoo! Messenger ! Découvez les tarifs exceptionnels pour appeler la France et l'international. Téléchargez sur http://fr.messenger.yahoo.com |
|
From: Ivan R. <iv...@we...> - 2006-02-16 09:41:06
|
John Thomas wrote: > I would like to ban people that break too many mod security rules. I > see, in my error logs, machines breaking 20-50 rules at a time. These, > in my view, seem to be some script looking for a known vulnerability. > > Is there a way to automagically add these *&*&^ to my host.deny file? Not without a little bit of work: you could configure SEC (Simple Event Correlator) to watch the error log and act on the information seen there. I am planning to add similar functionality to httpd-guardian pretty soon though. This script can already protect the web server from DoS attacks and I'll extend it to track rule violations per IP address too. Once a violation is established it can block the offending IP address on the firewall level (either locally, using iptables or pf, or remote, via SnortSam). The interesting thing about httpd-guardian is that it can also receive data via Spread - making it a possible solution for web server clusters too. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Ivan R. <iv...@we...> - 2006-02-16 09:19:40
|
Gerwin Krist -|- Digitalus Webhosting wrote: > Heya Ivan and others :) > > Some customer trying to upload certain stuff gets the following error: > > [Thu Feb 16 00:19:29 2006] [error] [client 80.57.1.99] mod_security > Access denied with code 406. Error processing request body: Multipart: > invalid Content-Disposition header (-11): form-data; > name="uploadedFiles0"; filename="DSCF1848.jpg"; modification-date="ma, > 13 feb 2006 13:03:48 CET" [hostname "www.xxxxx.nl"] [uri > "/cms/adm_meetings_upload.php"] [unique_id "iy26GsGKnQQAABAuYQYAAAAd"] > > No clue what this means, a little glitch? The Content-Disposition header of the multipart part appears to be invalid. The "modification-date" attribute is not defined in the multipart RFC and this is the first time I encounter someone using it. The content of the parameter does not appear to be valid either: "ma, 13 feb 2006 13:03:48 CET". The problem with many of the relevant RFCs is that they are open to interpretation. For example RFC 2183 describes the format of the Content-Disposition header when used in MIME messages but none of the parameter make sense when used in context of the multipart upload. Which browser/device was used to submit this request? -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Gerwin K. -|- D. W. <ge...@di...> - 2006-02-16 08:44:38
|
Heya Ivan and others :) Some customer trying to upload certain stuff gets the following error: [Thu Feb 16 00:19:29 2006] [error] [client 80.57.1.99] mod_security Access denied with code 406. Error processing request body: Multipart: invalid Content-Disposition header (-11): form-data; name="uploadedFiles0"; filename="DSCF1848.jpg"; modification-date="ma, 13 feb 2006 13:03:48 CET" [hostname "www.xxxxx.nl"] [uri "/cms/adm_meetings_upload.php"] [unique_id "iy26GsGKnQQAABAuYQYAAAAd"] No clue what this means, a little glitch? Greetings, Gerwin |
|
From: John T. <gma...@jt...> - 2006-02-15 21:11:25
|
I would like to ban people that break too many mod security rules. I see, in my error logs, machines breaking 20-50 rules at a time. These, in my view, seem to be some script looking for a known vulnerability. Is there a way to automagically add these *&*&^ to my host.deny file? |
|
From: Ivan R. <iv...@we...> - 2006-02-15 00:32:24
|
De Vries, Richard wrote: > Strange, I am running 1.9.2 on Apache 2.0.55 and my virtual includes > appear to be just fine. > > To be quite honest with you, I am by default not using virtual includes, > but for the sake of testing I temporarily enabled it, and did not see > any issues. > > What apache version are you running? I assume you applied the > "AddOutputFilter INCLUDES xxxx" directive to your httpd.conf? I've replicated the same problem using the virtual() function from PHP. Perhaps you are not buffering output in your configuration? I've sent a fix to Jeff to try it out. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: De V. R. <Ric...@bm...> - 2006-02-15 00:14:02
|
Strange, I am running 1.9.2 on Apache 2.0.55 and my virtual includes appear to be just fine. To be quite honest with you, I am by default not using virtual includes, but for the sake of testing I temporarily enabled it, and did not see any issues. What apache version are you running? I assume you applied the "AddOutputFilter INCLUDES xxxx" directive to your httpd.conf? R -----Original Message----- From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic Sent: Tuesday, February 14, 2006 16:11 To: Jeff Taylor Cc: mod...@li... Subject: Re: [mod-security-users] Problems Upgrading from 1.8.7 to 1.9.2 with shtml "virtual" includes Jeff Taylor wrote: > I am having issues with one of my sites after upgrading to version 1.9.2 of=20 > mod_security. I did not change my mod_security file at all. =20 > The problem: all "virtual" includes (ie: <!--#include virtual=3D"/include/ > header.inc" --> ) do not work. No errors are generated in the html that is=20 > exported. No errors are generated in the apache error log. no errors are logged=20 > in the SecAuditLog. If i disable mod_security for this particular vhost=20 > everything works fine.=20 > There is no output (with SecFilterDebugLog set to level 9) that contains=20 > "header.inc" in it.=20 >=20 > I am getting this message for "footer.inc" however: =20 > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][2] Detection phase starting (request 9b64028): "GET /t.php=20 > HTTP/1.1" > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][2] sec_check_access: Filtering off, not an initial request > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] sec_insert_filter: Starting > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][2] scan_pre: Adding output filter > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][3] sec_filter_out: start > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][3] sec_filter_out: Content-Type =3D "(null)" > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][3] sec_filter_out: got 567 bytes, bufused=3D0, buflen=3D16384 Is this all? I would expect more messages here. ModSecurity is reading the output of footer.inc here, waiting for the end (EOS). Once that happens it is supposed to check the output and forward it further. Try disabling output filtering as a workaround. If you have more output in the debug log send me that (to my private address), along with your complete Apache configuration. I'll try to replicate the problem in my setup. --=20 Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=3D= 121642 _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users |
|
From: Ivan R. <iv...@we...> - 2006-02-14 22:09:40
|
Jeff Taylor wrote: > I am having issues with one of my sites after upgrading to version 1.9.2 of > mod_security. I did not change my mod_security file at all. > The problem: all "virtual" includes (ie: <!--#include virtual="/include/ > header.inc" --> ) do not work. No errors are generated in the html that is > exported. No errors are generated in the apache error log. no errors are logged > in the SecAuditLog. If i disable mod_security for this particular vhost > everything works fine. > There is no output (with SecFilterDebugLog set to level 9) that contains > "header.inc" in it. > > I am getting this message for "footer.inc" however: > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][2] Detection phase starting (request 9b64028): "GET /t.php > HTTP/1.1" > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][2] sec_check_access: Filtering off, not an initial request > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] sec_insert_filter: Starting > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][2] scan_pre: Adding output filter > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][3] sec_filter_out: start > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][3] sec_filter_out: Content-Type = "(null)" > [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ > include/footer.inc][3] sec_filter_out: got 567 bytes, bufused=0, buflen=16384 Is this all? I would expect more messages here. ModSecurity is reading the output of footer.inc here, waiting for the end (EOS). Once that happens it is supposed to check the output and forward it further. Try disabling output filtering as a workaround. If you have more output in the debug log send me that (to my private address), along with your complete Apache configuration. I'll try to replicate the problem in my setup. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Jeff T. <jt...@tc...> - 2006-02-14 21:41:24
|
I am having issues with one of my sites after upgrading to version 1.9.2 of mod_security. I did not change my mod_security file at all. The problem: all "virtual" includes (ie: <!--#include virtual="/include/ header.inc" --> ) do not work. No errors are generated in the html that is exported. No errors are generated in the apache error log. no errors are logged in the SecAuditLog. If i disable mod_security for this particular vhost everything works fine. There is no output (with SecFilterDebugLog set to level 9) that contains "header.inc" in it. I am getting this message for "footer.inc" however: [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][2] Detection phase starting (request 9b64028): "GET /t.php HTTP/1.1" [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][2] sec_check_access: Filtering off, not an initial request [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][9] sec_insert_filter: Starting [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][2] scan_pre: Adding output filter [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][3] sec_filter_out: start [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488) [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][3] sec_filter_out: Content-Type = "(null)" [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/ include/footer.inc][3] sec_filter_out: got 567 bytes, bufused=0, buflen=16384 when i've done searches for some of these things all i've found are references back to the source code of mod_security. i am completely baffled by this, have tried everything i can think of and searched everywhere i can think of. The fact that there are no errors generated anywhere is what has me completely confused. Oh, everything works just fine with mod_security 1.8.7. any help would be very much appriciated. Thanks .jeff. |
|
From: Tom A. <tan...@oa...> - 2006-02-14 17:17:08
|
BassPlayer wrote:
> I would like to filter these user agents
>=20
> User Agents:
> [360] Mozilla/4.75 [en] (X11, U; Nessus)
> [2] Nessus
>=20
>>From reading the manual I'm not sure what locations are equivilent to t=
he
> User-Agent: entry in the log.
>=20
>>From this entry in the manual
>=20
> HTTP_header =96 search request header "header" (HEADER_header also work=
s as
> of 1.9)
>=20
> I would guess it would be something like
>=20
> SecFilterSelective HEADER_User-Agent Nessus
I actually handle those with mod_rewrite instead:
RewriteCond %{HTTP_USER_AGENT} Nessus [NC]
RewriteRule .* - [F,L]
That's just because I was blocking useragents before I started using=20
mod_security. I wonder if there is any advantage to using one or the=20
other in this case.
Tom
|
|
From: Ivan R. <iv...@we...> - 2006-02-14 16:38:09
|
BassPlayer wrote: > I would like to filter these user agents > > User Agents: > [360] Mozilla/4.75 [en] (X11, U; Nessus) > [2] Nessus > > From reading the manual I'm not sure what locations are equivilent to the > User-Agent: entry in the log. > > From this entry in the manual > > HTTP_header – search request header "header" (HEADER_header also works as > of 1.9) > > I would guess it would be something like > > SecFilterSelective HEADER_User-Agent Nessus Yup, that should do it. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: BassPlayer <bas...@an...> - 2006-02-14 16:15:35
|
I would like to filter these user agents
User Agents:
[360] Mozilla/4.75 [en] (X11, U; Nessus)
[2] Nessus
From reading the manual I'm not sure what locations are equivilent to the
User-Agent: entry in the log.
From this entry in the manual
HTTP_header =96 search request header "header" (HEADER_header also works =
as
of 1.9)
I would guess it would be something like
SecFilterSelective HEADER_User-Agent Nessus
|
|
From: Ivan R. <iv...@we...> - 2006-02-14 00:20:27
|
CK wrote:
> Hello all there!
>
> I would like to disable mod_security rules on a single domain where many domains
> are hosted on same server.
Like this:
<VirtualHost ...>
SecFilterEngine Off
SecAuditEngine Off
</VirtualHost>
<Location>, <Directory>, <File>, and even .htaccess files also work.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
|
|
From: CK <ck...@ph...> - 2006-02-14 00:10:37
|
Hello all there! I would like to disable mod_security rules on a single domain where many domains are hosted on same server. Thanks in advance for your help. Regards, Cem |
|
From: Ivan R. <iv...@we...> - 2006-02-13 21:50:59
|
De Vries, Richard wrote: > Understood. Thanks for the feedback. > > So there is no way to have mod_security delete these files, even though > they triggered an alarm? You should be able to use "noauditlog" action to disable audit logging for that rule alone. > It's important to have these attempts logged; I just don't know if we > would actually want to keep the offending files. Especially if these are > quite large. I doubt you will have that rule triggered very often. But if you really start getting many PUT requests you can simply set-up a cronjob to delete files older than X days. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: De V. R. <Ric...@bm...> - 2006-02-13 21:45:15
|
Understood. Thanks for the feedback. So there is no way to have mod_security delete these files, even though they triggered an alarm? It's important to have these attempts logged; I just don't know if we would actually want to keep the offending files. Especially if these are quite large. R -----Original Message----- From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic Sent: Monday, February 13, 2006 15:40 To: De Vries, Richard Cc: mod...@li... Subject: Re: [mod-security-users] Blocking PUT requests De Vries, Richard wrote: > > I was wondering whether or not it'd be wise to block PUT requests. I > don't foresee needing file-uploads ... does anyone know whether "PUT" is > used for anything else? They are often used for various RPC calls, but normally not in "normal" web applications. > Hmm, even though I set the following rule: >=20 > SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$" >=20 > I still see the following file being created in /tmp if I do a PUT >=20 > /tmp/20060213-153039-172.18.60.128-request_body-TnaGyO >=20 > Additionally, these files are not automatically being cleaned up. > Suggestions anyone? You should configure a different directory for those files, some place where only httpd can access. (Just to be on the safe side.) Other than that, the file is probably not erased because it is referenced in the audit log. --=20 Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=3D= 121642 _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users |
|
From: Ivan R. <iv...@we...> - 2006-02-13 21:39:07
|
De Vries, Richard wrote: > > I was wondering whether or not it'd be wise to block PUT requests. I > don't foresee needing file-uploads ... does anyone know whether "PUT" is > used for anything else? They are often used for various RPC calls, but normally not in "normal" web applications. > Hmm, even though I set the following rule: > > SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$" > > I still see the following file being created in /tmp if I do a PUT > > /tmp/20060213-153039-172.18.60.128-request_body-TnaGyO > > Additionally, these files are not automatically being cleaned up. > Suggestions anyone? You should configure a different directory for those files, some place where only httpd can access. (Just to be on the safe side.) Other than that, the file is probably not erased because it is referenced in the audit log. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: De V. R. <Ric...@bm...> - 2006-02-13 21:34:06
|
Hmm, even though I set the following rule:
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
I still see the following file being created in /tmp if I do a PUT
/tmp/20060213-153039-172.18.60.128-request_body-TnaGyO
Additionally, these files are not automatically being cleaned up.
Suggestions anyone?
R
-----Original Message-----
From: mod...@li...
[mailto:mod...@li...] On Behalf Of De
Vries, Richard
Sent: Monday, February 13, 2006 15:25
To: mod...@li...
Subject: [mod-security-users] Blocking PUT requests
I was wondering whether or not it'd be wise to block PUT requests. I
don't foresee needing file-uploads ... does anyone know whether "PUT" is
used for anything else?
R
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log
files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=3Dk&kid=103432&bid#0486&dat=121642
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
|
|
From: De V. R. <Ric...@bm...> - 2006-02-13 21:25:54
|
I was wondering whether or not it'd be wise to block PUT requests. I don't foresee needing file-uploads ... does anyone know whether "PUT" is used for anything else? R |
|
From: <li...@32...> - 2006-02-13 19:23:05
|
on 2/13/06 1:57 PM, Ivan Ristic at iv...@we... wrote: > It's simply starting to get to me that out of all ModSecurity-related > questions I get (and there are a lot), answers to more than 90% > of them are already in the manual. Yes, Ivan was correct , it was in the manual, page 44 :-( I apologize for being what I hate most ;-) Now I can eat my lunch :-) -Mike |
|
From: Christopher M. <mu...@to...> - 2006-02-13 19:11:16
|
> What did you have for lunch BTW? :) You beat me, taco bell :) - but mashed potatoes sounds wonderful! > I had sausages with mashed potatoes. Let me tell you, putting some > chopped flat-leaf parsley and black pepper (in addition to butter, > salt, and milk, of course) does wonders for the mashed potatoes. I was reading the manual (ie google) and found a great recipe for garlic mashed potatoes if your interested :) I like to contribute as well! INGREDIENTS: 2 pounds of potatoes 1 cup of milk 6 tablespoons of butter Salt and pepper Start a large pot of water boiling. You want to add just enough water to cover all the potatoes. Peel and quarter the spuds and you are ready to make great mashed potatoes at home. HOW TO MAKE AT HOME 1. Add some salt to the boiling water and cook until the potatoes are tender. (About 15 minutes) 3. Drain the potatoes and mash by your method of choice. (I prefer a potato ricer) 4. Blend in butter and milk. 5. Season with salt and pepper. and of course: 6. (Optional) Add chopped flat-leaf parsley and black pepper. Enjoy your lunch Ivan! |
|
From: <li...@32...> - 2006-02-13 19:06:02
|
on 2/13/06 1:57 PM, Ivan Ristic at iv...@we... wrote: > li...@32... wrote: >> >>> Please do not tell us if it worked. BTW, the ModSecurity manual is >>> right here: >>> >>> http://www.modsecurity.org/documentation/modsecurity-apache/stable/ >> >> Ivan, Not sure why the attitude? If I did not need help figuring this out, >> then I would not bother the list. > > Well, I'll explain, since I have to now. > > I was not giving you attitude, I was merely trying to give you a hint > that the collective time of the list members is wasted because, > IMHO, you don't want to spend some time reading the manual. I wrote the > manual *specifically* to avoid answering trivial questions. Not all aspects > of ModSecurity are easy, I'll give you that, but to write the > simplest possible rule *is* trivial. > > It's simply starting to get to me that out of all ModSecurity-related > questions I get (and there are a lot), answers to more than 90% > of them are already in the manual. > > Now, let's stop wasting everyone's time. Send us the debug log snippets so > that we can see if everything is working as expected. No need, I fixed it but do not know why it broke. Previously, I had... SecFilterEngine DynamicOnly And everything worked fine. When I upgraded to Tiger, it no longer worked. Changing it to .. SecFilterEngine On Made things start working again. BTW, I am not a noob, I checked the manual first, but as you can now see, this has nothing to do with 'not reading the manual'. As a developer myself, I want to know if something is not working or not. And yes I get frustrated with noobs myself, when they do not try to figure something out for themselves first. |
|
From: Ivan R. <iv...@we...> - 2006-02-13 19:02:23
|
Christopher Murley wrote: > On a side note i'm at my desk eating lunch and found this thread very > amusing :) What did you have for lunch BTW? :) I had sausages with mashed potatoes. Let me tell you, putting some chopped flat-leaf parsley and black pepper (in addition to butter, salt, and milk, of course) does wonders for the mashed potatoes. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: BassPlayer <bas...@an...> - 2006-02-13 18:58:59
|
I run a fairly basic set of rules (i've added 3 filters) and I get a crap load of matches. I can send you my audit_log and it would give you more URI's than you want that would trigger a match. I'm also using Apache 1.3.x. BP li...@32... wrote: > on 2/13/06 1:28 PM, Ivan Ristic at iv...@we... wrote: > >> li...@32... wrote: >>> >> >>> Can someone else help me write a rule that looks for the word 'goober' >>> in >>> the uri? >> >> You should really start using the "reply to all" function in your >> email client - I was the only recipient of your email. > > > Sorry about that, normally don't do that with other lists. :) > >>> Can someone else help me write a rule that looks for the word 'goober' >>> in >>> the uri? >>> >>> I just want to see if modsec is working. I can then delete that >>> rule. Did not realize it was that big of a request. :/ >> >> Here is the rule: SecFilter goober >> >> Please do not tell us if it worked. BTW, the ModSecurity manual is >> right here: >> >> http://www.modsecurity.org/documentation/modsecurity-apache/stable/ > > Ivan, Not sure why the attitude? If I did not need help figuring this out, > then I would not bother the list. I apologize if I have offended you > somehow. I know where the manual is, but it is not helping me figure this > out. > > I looked at the debug log, but do not see anything that might be causing > the > filters to not work. > > I can send you a snippet, if you would be willing to look at it? > > > > > > ------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log > files > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > !DSPAM:43f0d6df213311238317075! > |
139 messages has been excluded from this view by a project administrator.
