mod-security-users Mailing List for ModSecurity (Page 540)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users — General discussion about mod_security
You can subscribe to this list here.
| 2003 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
(17) |
Aug
(7) |
Sep
(8) |
Oct
(11) |
Nov
(14) |
Dec
(19) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(46) |
Feb
(14) |
Mar
(20) |
Apr
(48) |
May
(15) |
Jun
(20) |
Jul
(36) |
Aug
(24) |
Sep
(31) |
Oct
(28) |
Nov
(23) |
Dec
(12) |
| 2005 |
Jan
(69) |
Feb
(61) |
Mar
(82) |
Apr
(53) |
May
(26) |
Jun
(71) |
Jul
(27) |
Aug
(52) |
Sep
(28) |
Oct
(49) |
Nov
(104) |
Dec
(74) |
| 2006 |
Jan
(61) |
Feb
(148) |
Mar
(82) |
Apr
(139) |
May
(65) |
Jun
(116) |
Jul
(92) |
Aug
(101) |
Sep
(84) |
Oct
(103) |
Nov
(174) |
Dec
(102) |
| 2007 |
Jan
(166) |
Feb
(161) |
Mar
(181) |
Apr
(152) |
May
(192) |
Jun
(250) |
Jul
(127) |
Aug
(165) |
Sep
(97) |
Oct
(135) |
Nov
(206) |
Dec
(56) |
| 2008 |
Jan
(160) |
Feb
(135) |
Mar
(98) |
Apr
(89) |
May
(115) |
Jun
(95) |
Jul
(188) |
Aug
(167) |
Sep
(153) |
Oct
(84) |
Nov
(82) |
Dec
(85) |
| 2009 |
Jan
(139) |
Feb
(133) |
Mar
(128) |
Apr
(105) |
May
(135) |
Jun
(79) |
Jul
(92) |
Aug
(134) |
Sep
(73) |
Oct
(112) |
Nov
(159) |
Dec
(80) |
| 2010 |
Jan
(100) |
Feb
(116) |
Mar
(130) |
Apr
(59) |
May
(88) |
Jun
(59) |
Jul
(69) |
Aug
(67) |
Sep
(82) |
Oct
(76) |
Nov
(59) |
Dec
(34) |
| 2011 |
Jan
(84) |
Feb
(74) |
Mar
(81) |
Apr
(94) |
May
(188) |
Jun
(72) |
Jul
(118) |
Aug
(109) |
Sep
(111) |
Oct
(80) |
Nov
(51) |
Dec
(44) |
| 2012 |
Jan
(80) |
Feb
(123) |
Mar
(46) |
Apr
(12) |
May
(40) |
Jun
(62) |
Jul
(95) |
Aug
(66) |
Sep
(65) |
Oct
(53) |
Nov
(42) |
Dec
(60) |
| 2013 |
Jan
(96) |
Feb
(96) |
Mar
(108) |
Apr
(72) |
May
(115) |
Jun
(111) |
Jul
(114) |
Aug
(87) |
Sep
(93) |
Oct
(97) |
Nov
(104) |
Dec
(82) |
| 2014 |
Jan
(96) |
Feb
(77) |
Mar
(71) |
Apr
(40) |
May
(48) |
Jun
(78) |
Jul
(54) |
Aug
(44) |
Sep
(58) |
Oct
(79) |
Nov
(51) |
Dec
(52) |
| 2015 |
Jan
(55) |
Feb
(59) |
Mar
(48) |
Apr
(40) |
May
(45) |
Jun
(63) |
Jul
(36) |
Aug
(49) |
Sep
(35) |
Oct
(58) |
Nov
(21) |
Dec
(47) |
| 2016 |
Jan
(35) |
Feb
(81) |
Mar
(43) |
Apr
(41) |
May
(77) |
Jun
(52) |
Jul
(39) |
Aug
(34) |
Sep
(107) |
Oct
(67) |
Nov
(54) |
Dec
(20) |
| 2017 |
Jan
(99) |
Feb
(37) |
Mar
(86) |
Apr
(47) |
May
(57) |
Jun
(55) |
Jul
(34) |
Aug
(31) |
Sep
(16) |
Oct
(49) |
Nov
(53) |
Dec
(33) |
| 2018 |
Jan
(25) |
Feb
(11) |
Mar
(79) |
Apr
(77) |
May
(5) |
Jun
(19) |
Jul
(17) |
Aug
(7) |
Sep
(13) |
Oct
(22) |
Nov
(13) |
Dec
(68) |
| 2019 |
Jan
(44) |
Feb
(17) |
Mar
(40) |
Apr
(39) |
May
(18) |
Jun
(14) |
Jul
(20) |
Aug
(31) |
Sep
(11) |
Oct
(35) |
Nov
(3) |
Dec
(10) |
| 2020 |
Jan
(32) |
Feb
(16) |
Mar
(10) |
Apr
(22) |
May
(2) |
Jun
(34) |
Jul
(1) |
Aug
(8) |
Sep
(36) |
Oct
(16) |
Nov
(13) |
Dec
(10) |
| 2021 |
Jan
(16) |
Feb
(23) |
Mar
(45) |
Apr
(28) |
May
(6) |
Jun
(17) |
Jul
(8) |
Aug
(1) |
Sep
(2) |
Oct
(35) |
Nov
|
Dec
(5) |
| 2022 |
Jan
|
Feb
(17) |
Mar
(23) |
Apr
(23) |
May
(9) |
Jun
(8) |
Jul
|
Aug
|
Sep
(7) |
Oct
(5) |
Nov
(16) |
Dec
(4) |
| 2023 |
Jan
|
Feb
|
Mar
(3) |
Apr
|
May
(1) |
Jun
(4) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
|
Dec
|
| 2024 |
Jan
(7) |
Feb
(13) |
Mar
(18) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(5) |
Dec
(3) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
(12) |
May
(12) |
Jun
(2) |
Jul
(3) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Ivan R. <iv...@we...> - 2006-02-13 18:57:32
|
li...@32... wrote: > >> Please do not tell us if it worked. BTW, the ModSecurity manual is >> right here: >> >> http://www.modsecurity.org/documentation/modsecurity-apache/stable/ > > Ivan, Not sure why the attitude? If I did not need help figuring this out, > then I would not bother the list. Well, I'll explain, since I have to now. I was not giving you attitude, I was merely trying to give you a hint that the collective time of the list members is wasted because, IMHO, you don't want to spend some time reading the manual. I wrote the manual *specifically* to avoid answering trivial questions. Not all aspects of ModSecurity are easy, I'll give you that, but to write the simplest possible rule *is* trivial. It's simply starting to get to me that out of all ModSecurity-related questions I get (and there are a lot), answers to more than 90% of them are already in the manual. Now, let's stop wasting everyone's time. Send us the debug log snippets so that we can see if everything is working as expected. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: <li...@32...> - 2006-02-13 18:39:11
|
on 2/13/06 1:28 PM, Ivan Ristic at iv...@we... wrote: > li...@32... wrote: >> > >> Can someone else help me write a rule that looks for the word 'goober' in >> the uri? > > You should really start using the "reply to all" function in your > email client - I was the only recipient of your email. Sorry about that, normally don't do that with other lists. :) >> Can someone else help me write a rule that looks for the word 'goober' in >> the uri? >> >> I just want to see if modsec is working. I can then delete that >> rule. Did not realize it was that big of a request. :/ > > Here is the rule: SecFilter goober > > Please do not tell us if it worked. BTW, the ModSecurity manual is > right here: > > http://www.modsecurity.org/documentation/modsecurity-apache/stable/ Ivan, Not sure why the attitude? If I did not need help figuring this out, then I would not bother the list. I apologize if I have offended you somehow. I know where the manual is, but it is not helping me figure this out. I looked at the debug log, but do not see anything that might be causing the filters to not work. I can send you a snippet, if you would be willing to look at it? |
|
From: Christopher M. <mu...@to...> - 2006-02-13 18:34:19
|
On a side note i'm at my desk eating lunch and found this thread very amusing :) -- Regards, -Chris _______________________________________________ Christopher Murley Network Administrator TownNews.Com 800.293.9576 Ivan Ristic wrote: > > li...@32... wrote: >> > >> Can someone else help me write a rule that looks for the word 'goober' >> in >> the uri? > > You should really start using the "reply to all" function in your > email client - I was the only recipient of your email. > > >> Can someone else help me write a rule that looks for the word 'goober' >> in >> the uri? >> >> I just want to see if modsec is working. I can then delete that >> rule. Did not realize it was that big of a request. :/ > > Here is the rule: SecFilter goober > > Please do not tell us if it worked. BTW, the ModSecurity manual is > right here: > > http://www.modsecurity.org/documentation/modsecurity-apache/stable/ > > -- > Ivan Ristic, Technical Director > Thinking Stone, http://www.thinkingstone.com > ModSecurity: Open source Web Application Firewall > > > ------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log > files > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > |
|
From: Ivan R. <iv...@we...> - 2006-02-13 18:28:35
|
li...@32... wrote: > > Can someone else help me write a rule that looks for the word 'goober' in > the uri? You should really start using the "reply to all" function in your email client - I was the only recipient of your email. > Can someone else help me write a rule that looks for the word 'goober' in > the uri? > > I just want to see if modsec is working. I can then delete that > rule. Did not realize it was that big of a request. :/ Here is the rule: SecFilter goober Please do not tell us if it worked. BTW, the ModSecurity manual is right here: http://www.modsecurity.org/documentation/modsecurity-apache/stable/ -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Ivan R. <iv...@we...> - 2006-02-13 18:14:01
|
li...@32... wrote: > on 2/13/06 12:53 PM, Ivan Ristic at iv...@we... wrote: > >>> OK, that made it start spitting info. Everything looks fine, but I am still >>> not seeing as much filtering as before my upgrade. >>> >>> Can you give me a test rule to see what is up? >> No, there's no such thing as a test rule. Just read the debug log - it >> will tell you everything you need to know... > > Really, not even a rule that looks for 'goober' in a GET argument? Really. Why would you want your adversaries to have the ability to test whether ModSecurity is running or not? > I am sure > that can be done? What, to have a test rule? It can be done but it's not a smart thing to do. > Then I can 'test' to see if it catches it. Or, you could read the debug log as already I suggested. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Ivan R. <iv...@we...> - 2006-02-13 17:52:46
|
li...@32... wrote: > on 2/13/06 11:20 AM, Ivan Ristic at iv...@we... wrote: > >> There's nothing related to ModSecurity in the above output. The warning >> comes from Apache itself. >> >> BTW, Tiger uses Apache 1.3.x? > > > Tiger uses 1.3 by default. Apple still has not made Apache2 the default yet. > > >>> Any ideas why it will not even log, let alone block anything? >>> >>> >>> -Mike >>> >>> P.S. It worked perfect on Panther server. >> You can't get it to even produce debug output at level 9? If that's >> the case it is probably never invoked. > > > OK, that made it start spitting info. Everything looks fine, but I am still > not seeing as much filtering as before my upgrade. > > Can you give me a test rule to see what is up? No, there's no such thing as a test rule. Just read the debug log - it will tell you everything you need to know... -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Ivan R. <iv...@we...> - 2006-02-13 16:21:18
|
li...@32... wrote: > > Hello, > > I upgraded my server from Mac OS X 10.3 (panther) to 10.4.4(tiger). > > I attempted to install modsecurity 1.9.2 and it will not work. > > Here is what is returned when I install it... > > > t# apxs -cia mod_security.c > gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe > -DHARD_SERVER_LIMIT=2048 -DEAPI -DSHARED_MODULE -I/usr/include/httpd -c > mod_security.c > In file included from /usr/include/httpd/ap_config.h:1129, > from /usr/include/httpd/httpd.h:29, > from mod_security.c:26: > /usr/include/httpd/hsregex.h:22:1: warning: "ap_private_extern" redefined > In file included from /usr/include/httpd/httpd.h:29, > from mod_security.c:26: > /usr/include/httpd/ap_config.h:1025:1: warning: this is the location of the > previous definition > cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o > mod_security.so mod_security.o > [activating module `security' in /private/etc/httpd/httpd.conf] > cp mod_security.so /usr/libexec/httpd/mod_security.so > chmod 755 /usr/libexec/httpd/mod_security.so > cp /private/etc/httpd/httpd.conf /private/etc/httpd/httpd.conf.bak > cp /private/etc/httpd/httpd.conf.new /private/etc/httpd/httpd.conf > rm /private/etc/httpd/httpd.conf.new There's nothing related to ModSecurity in the above output. The warning comes from Apache itself. BTW, Tiger uses Apache 1.3.x? > Any ideas why it will not even log, let alone block anything? > > > -Mike > > P.S. It worked perfect on Panther server. You can't get it to even produce debug output at level 9? If that's the case it is probably never invoked. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: <li...@32...> - 2006-02-13 15:47:47
|
Hello,
I upgraded my server from Mac OS X 10.3 (panther) to 10.4.4(tiger).
I attempted to install modsecurity 1.9.2 and it will not work.
Here is what is returned when I install it...
t# apxs -cia mod_security.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe
-DHARD_SERVER_LIMIT=2048 -DEAPI -DSHARED_MODULE -I/usr/include/httpd -c
mod_security.c
In file included from /usr/include/httpd/ap_config.h:1129,
from /usr/include/httpd/httpd.h:29,
from mod_security.c:26:
/usr/include/httpd/hsregex.h:22:1: warning: "ap_private_extern" redefined
In file included from /usr/include/httpd/httpd.h:29,
from mod_security.c:26:
/usr/include/httpd/ap_config.h:1025:1: warning: this is the location of the
previous definition
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o
mod_security.so mod_security.o
[activating module `security' in /private/etc/httpd/httpd.conf]
cp mod_security.so /usr/libexec/httpd/mod_security.so
chmod 755 /usr/libexec/httpd/mod_security.so
cp /private/etc/httpd/httpd.conf /private/etc/httpd/httpd.conf.bak
cp /private/etc/httpd/httpd.conf.new /private/etc/httpd/httpd.conf
rm /private/etc/httpd/httpd.conf.new
Any ideas why it will not even log, let alone block anything?
-Mike
P.S. It worked perfect on Panther server.
|
|
From: Ivan R. <iv...@we...> - 2006-02-08 18:32:29
|
CASTELLE Thomas wrote: > Hello, > > Another small question about modsecurity rules : > > Is it possible to improve these rules : > > SecFilterSelective ARGS "select.+from" > SecFilterSelective ARGS "union.+select" > SecFilterSelective ARGS "update.+set.+=" > > Because we have quite a few false positives on our websites. That's a difficult one, because SQL is essentially English. It may be possible to reduce the number of false positives (but not avoid them altogether) with something like: SecFilterSelective ARGS_VALUES "select[[:space:]].+[[:space:]]from" Looking at parameters individually is likely to reduce the number although it allows for one part of the injection string to go into one parameter and the other into some other parameter. Also, even the original signature does not address this type of attack completely. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Tom A. <tan...@oa...> - 2006-02-08 14:25:32
|
CASTELLE Thomas wrote: > Is it possible to improve these rules : > > SecFilterSelective ARGS "select.+from" > SecFilterSelective ARGS "union.+select" > SecFilterSelective ARGS "update.+set.+=" > > Because we have quite a few false positives on our websites. For instance : > > http://www.foo.net/blablabla/toto.jsp?test=blabla%20SELECTION%20blabla&test2=29300230&test3=+&test4=+&test5=+&test4=%2Fblablabla%26fromblablabla > <http://www.foo.net/blablabla/toto.jsp?test=blabla%20SELECTION%20blabla&test2=29300230&test3=+&test4=+&test5=+&test4=%2Fblablabla%26fromblablabla> These rules are way too inclusive and generic. They will tend to match nearly any sufficiently long text. You need to make them much more specific. Since it's nearly impossible to consider every possible combination of strings which could possibly be executed as SQL, including extra spacing and ignored characters, you need to limit such filters only to programs and variables which deal directly with database queries. Any other use is superfluous anyway. For instance, if you wanted to protect a program called "search.cgi", where a form field called "string" is used to construct an SQL query, and there is no sanitation written into "search.cgi", and you cannot add it, you might use this filter: SecFilterSelective THE_REQUEST "search.cgi" chain SecFilterSelective ARG_string "update.+?set.+?=" Of course, this might cause a problem if your site is a search engine, encyclopedia, or discussion forum which might include topics about SQL or even interior decorating (eg. "I want to update my dining room set to something more formal"). That's why it's better to sanitize input such as this (escape special characters, etc.) rather than filter it. Tom |
|
From: CASTELLE T. <tca...@ge...> - 2006-02-08 09:08:44
|
Hello, Another small question about modsecurity rules : Is it possible to improve these rules : SecFilterSelective ARGS "select.+from" SecFilterSelective ARGS "union.+select" SecFilterSelective ARGS "update.+set.+=3D" Because we have quite a few false positives on our websites. For = instance : http://www.foo.net/blablabla/toto.jsp?test=3Dblabla%20SELECTION%20blabla= &test2 =3D29300230&test3=3D+&test4=3D+&test5=3D+&test4=3D%2Fblablabla%26frombla= blabla Regards, Thomas. -----Message d'origine----- De=A0: Ivan Ristic [mailto:iv...@we...]=20 Envoy=E9=A0: mercredi 1 f=E9vrier 2006 15:07 =C0=A0: CASTELLE Thomas Cc=A0: mod...@li... Objet=A0: Re: [mod-security-users] mod_security rules feature request + = pro duction tools ? CASTELLE Thomas wrote: > Well, I looked quickly on the Internet and it seems that it could = happen > with IE-specific websites : > http://msdn.microsoft.com/library/default.asp?url=3D/workshop/author/dht= ml/ref erence/events.asp Yes, but that would already be handled with onSelect[[:space:]]*=3D I don't think the second part =3D[[:space:]]*onSelect is needed. > Two other questions : > - Do you think you'll provide a simple tool to automatically download > new rulesets, compare them with the ones in production, detect = changes > and integrate them in the production environment, like the > "rule-du-jour" script for spamassassin ? I don't have any immediate plans. It's like this: I can either choose to work on ModSecurity itself or on the related utilities. = ModSecurity wins every time. I appreciate that it's not easy to start = contributing to ModSecurity because of the complexities involved but it'd be = really nice to see someone step up and work on the related utilities. (Also I am not sure there is a need for something like that because I don't see the generic rules changing often.) > - Do you know if a modsecurity log analysis tool exists ? One that = could > generate a human-readable report daily with the different events > detected or blocked ? No, but I am working on a commercial tool for real-time log aggregation and reporting at the moment. A beta should be available in the next couple of weeks. --=20 Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com Tel: +44 20 8141 2161, Fax: +44 87 0762 3934 |
|
From: Jason H. <Jas...@tr...> - 2006-02-08 01:53:24
|
Tom Anderson wrote: > You need to search through the apache logs and find the query which > resulted in the compromise. That will tell you which software is > allowing the upload to /tmp, and it will give you some insight into > how to block that query. For instance, I know that AWStats does not > do proper sanitizing of some input because it once lead to a worm > compromising my machine. And this is why everyone who can should use the chroot feature... If your Website doesn't use CGI (i.e. it sticks to php), then sticking it in a chroot jail stops all this nonsense. I ran a (Redhat-5.0) Apache 1.X server for 4 years - unpatched - in a jail. Several Apache and OpenSSL exploits later and it NEVER got compromised (and there were a lot of attempts). I'm not saying it's a "silver bullet", but it ruins a lot of these sorts of automated attacks IMHO: Anyone running a Reverse proxy in a security role should be doing jails. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 |
|
From: Ivan R. <iv...@we...> - 2006-02-07 19:45:26
|
Dan Spear wrote: >> Is there a proper CRLF at the end the final boundary? Which >> brower/client are you using? Feel free to send the raw data. > > There is a proper CRLF, I checked that. I am using my own application to post > the data. If I post it with an HTML form in IE, it works fine. This is the > data that is posted with Content-Type: multipart/form-data;boundary=6G+f Your data works fine for me here. I am attaching a complete request file (you can use ./util/run-test.pl to submit it to the web server). The other possibility is that you are sending an incorrect Content-Length header. If the value there is too small data will be cut-off from the end. Either way, let's continue the discussion in private. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Dan S. <da...@la...> - 2006-02-07 18:05:33
|
> Is there a proper CRLF at the end the final boundary? Which > brower/client are you using? Feel free to send the raw data. There is a proper CRLF, I checked that. I am using my own application to post the data. If I post it with an HTML form in IE, it works fine. This is the data that is posted with Content-Type: multipart/form-data;boundary=6G+f --6G+f Content-Disposition: form-data; name="name" Joe User --6G+f Content-Disposition: form-data; name="email" jo...@ya... --6G+f Content-Disposition: form-data; name="fileatt"; filename="Upload.extbase" Content-Type: text/plain Test Data --6G+f-- |
|
From: Ivan R. <iv...@we...> - 2006-02-07 14:50:29
|
Servedio, Allen (Matrix) wrote: > Hi, > > I believe that I have a bug in my mod_security configuration. On a > LimitRequestBody error, we are not being redirected to the > /limiterror.html page we set up to respond to a 413. Instead, > mod_security appears to be intercepting it (I am not sure what I have > misconfigured that is causing this…). Turning mod_security off allows > the user to be redirected to /limiterror.html > > ... > > mod_security-message: Access denied with redirect to [/]. > ap_setup_client_block failed with 413 I think this is a case of ModSecurity being overly cautious. Its attempt to read the request body fails with return code 413 and ModSecurity simply does not want to take any chances. However, I don't like the fact it is breaking Apache functionality so I'll fix this in the next release. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Servedio, A. \(Matrix\) <All...@ic...> - 2006-02-07 14:05:15
|
Hi,
=20
I believe that I have a bug in my mod_security configuration. On a
LimitRequestBody error, we are not being redirected to the
/limiterror.html page we set up to respond to a 413. Instead,
mod_security appears to be intercepting it (I am not sure what I have
misconfigured that is causing this...). Turning mod_security off allows
the user to be redirected to /limiterror.html
=20
We have added the following configuration to our httpd.conf for Apache
1.3.33:
=20
LimitRequestBody 200000
=20
ErrorDocument 413 /limiterror.html
=20
Running mod_security 1.9.1 with the configuration below, we get the
following entry in our audit_log file (we are getting this instead of
being redirected to /limiterror.html):
(snipped down to relevant parts)
=20
POST /my/request HTTP/1.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=3D0.9,text/pla=
i
n;q=3D0.8,image/png,*/*;q=3D0.5
Accept-Charset: ISO-8859-1,utf-8;q=3D0.7,*;q=3D0.7
Accept-Encoding: gzip
Accept-Language: en-us,en;q=3D0.5
Cache-Control: no-cache, max-age=3D0
Connection: TE, keep-alive
TE: chunked;q=3D1.0
Content-Length: 2770541
Content-Type: multipart/form-data;
boundary=3D---------------------------285355041
Pragma: no-cache
=20
mod_security-message: Access denied with redirect to [/].
ap_setup_client_block failed with 413
mod_security-action: 302
=20
28
[POST payload not available]
=20
HTTP/1.1 302 Found
Location: /
Keep-Alive: timeout=3D15, max=3D99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=3Diso-8859-1
--0000337d--
=20
Here is the configuration for mod_security:
<IfModule mod_security.c>
SecFilterEngine On
SecAuditEngine RelevantOnly
=20
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
=20
SecFilterScanPOST On
=20
SecFilterDefaultAction "deny,log,redirect:/" =20
SecFilterSignatureAction "deny,log,redirect:/"
=20
SecFilter "<[[:space:]]*script" id:1001
=20
SecFilter "<.+>" id:1002=20
=20
SecFilterSignatureAction
deny,log,redirect:http://localhost/removecookies
SecFilterSelective HTTP_Cookie "<[[:space:]]*script" id:1100
SecFilterSelective HTTP_Cookie "<[[:space:]]*img" id:1101
SecFilterSelective HTTP_Cookie "<[[:space:]]*iframe" id:1102
SecFilterSelective HTTP_Cookie "<[[:space:]]*frame" id:1103
SecFilterSelective HTTP_Cookie "<[[:space:]]*object" id:1104
SecFilterSelective HTTP_Cookie "<[[:space:]]*applet" id:1105
SecFilterSelective HTTP_Cookie "<[[:space:]]*link" id:1106
SecFilterSelective HTTP_Cookie "<[[:space:]]*embed" id:1107
SecFilterSelective HTTP_Cookie "<[[:space:]]*form" id:1108
=20
</IfModule>
=20
Thanks!
Allen
|
|
From: Ivan R. <iv...@we...> - 2006-02-07 10:11:27
|
Jesse W. Asher wrote: > > I would like to log the contents of all POST requests passing through > Apache in proxy mode. I'm especially interested in logging any instant > messaging posts that are going through the server such as those that > would go to Yahoo or AOL (AIM). Any pointers on how to do this with > mod_security would be appreciated! Many thanks!! Logging POST is trivial - look up "audit logging" in the manual. However, I am not sure if IM programs actually use HTTP to talk to the servers. They could be simply using the CONNECT method to use Apache as a simple TCP/IP proxy, in which case you won't get any of the traffic in the Apache audit log. If this shows to be true you could either 1) use a TCP/IP traffic logger or 2) write a custom Apache module to log CONNECT traffic or 3) use something else as a proxy, which comes with the logging feature built-in. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Jesse W. A. <ja...@ta...> - 2006-02-07 07:03:39
|
I would like to log the contents of all POST requests passing through Apache in proxy mode. I'm especially interested in logging any instant messaging posts that are going through the server such as those that would go to Yahoo or AOL (AIM). Any pointers on how to do this with mod_security would be appreciated! Many thanks!! |
|
From: Ivan R. <iv...@we...> - 2006-02-06 23:52:35
|
Dan Spear wrote: > I am getting "Multipart: final boundary missing" when I use my application to > post to a script. I have looked at the data being posted and it has a proper > final boundary. Is there anything else that could explain why this error is > occurring? Is there a proper CRLF at the end the final boundary? Which brower/client are you using? Feel free to send the raw data. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Dan S. <da...@la...> - 2006-02-06 23:40:37
|
I am getting "Multipart: final boundary missing" when I use my application to post to a script. I have looked at the data being posted and it has a proper final boundary. Is there anything else that could explain why this error is occurring? |
|
From: Ivan R. <iv...@we...> - 2006-02-06 11:41:44
|
Harald Volz wrote:
> Hi,
> I have still problems with special characters:
>
> ...
>
>
> gsmanagement%20und%20Teamentwicklung&F_Abgelaufen=0
> &Gesperrt=offen&-token=Ver%e4nderungsmanagement%2
There's an invalid bit in the above URL.. here ^^
It's missing the second character. You can allow the requests
with invalid URL encoding through by changing:
SecFilterCheckURLEncoding On
to
SecFilterCheckURLEncoding Off
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
|
|
From: Harald V. <har...@un...> - 2006-02-06 11:36:18
|
Hi, I have still problems with special characters: Request: ourserver requesting_ip - -=20 [05/Feb/2006:04:39:54 +0100] "GET=20 /kurse/FMPro?-db=3Durzkurse&-lay=3Dkurseweb&-format=3DSuch _ErgebnisseT.htm&-error=3DSuchen_Fehler.htm&-sortfield=3DDatum&Themengebiet= =3DVer%e4nderungsmanagement%20und%20Teamentwicklung&F_Abgelaufen=3D0&Gesp errt=3Doffen&-token=3DVer%e4nderungsmanagement%2=20 HTTP/1.0" 302 230 "-" "search.ch V1.4.2=20 (spi...@se...; http://www.search.ch)" - "-" Handler: proxy-server ---------------------------------------- GET=20 /kurse/FMPro?-db=3Durzkurse&-lay=3Dkurseweb&-format=3DSuch_ErgebnisseT.htm&-= error=3DSuchen_Fehler.htm&-sortfield=3DDatum&Themengebiet=3DVer%e4nderun gsmanagement%20und%20Teamentwicklung&F_Abgelaufen=3D0&Gesperrt=3Doffen&-toke= n=3DVer%e4nderungsmanagement%2=20 HTTP/1.0 Accept: text/html, text/plain,* Accept-Language: de,fr,it,en,* mod_security-message: Access denied with code=20 400. Error normalising REQUEST_URI: Invalid URL=20 encoding detected: not enough characters httpd.conf settings for this virtual host: SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding Off SecFilterForceByteRange 1 255 Any help? Kind regards, Harald At 21:42 02.02.2006, Ivan Ristic wrote: >Harald Volz wrote: > > Hi > > I am using the last version (1.9.2) and have problems with the german > > "umlaut" and other special charactes in URL and other Headerparts. > > > > SecFilterCheckUnicodeEncoding On > > SecFilterCheckUnicodeEncoding should be "off" in your case. > > > > Header Problem 2: strange Agent coming from japanese site.... > > Request: ourserver requestor - - [01/Feb/2006:11:18:10 +0100] "GET > > /favicon.ico HTTP/1.0" 302 230 "-" "\xf0\x05\xe1\x07X9\xb > > 5\x05\x08" - "-" > > User-Agent: =F0^E=E1^GX9=B5^ > > mod_security-message: Access denied with code 400. Error validating > > header value (User-Agent): Invalid character detected [5] > > This message is not consistent with "SecFilterForceByteRange 1 255", > ie should not happen. Did you use a different configuration when > you got that error? > >-- >Ivan Ristic, Technical Director >Thinking Stone, http://www.thinkingstone.com ------------------------------------------------------------------------ Harald Volz har...@un... Universitaetsrechenzentrum Tel: (++41) (0) 61 267 22 67 Universitaet Basel Fax: (++41) (0) 61 267 22 82 Klingelbergstr. 70 CH-4056 Basel ------------------------------------------------------------------------ |
|
From: Augie S. <aug...@gm...> - 2006-02-04 01:14:23
|
On 2/3/06, li...@32... <li...@32...> wrote: > I just had an attempt made on my server to exploit it. The user was able = to > upload a folder call .sgurz into the tmp folder, this folder had 2 files, > boink and .boink2. > I do not think it did anything except use up all the apache processes. > What would the filer need to be in order to block this type of attack in = the > future? Turn mod_security on and watch the logs to see what gets through; you may find that something like this helps: # command execution attack wget SecFilterSignatureAction "log,deny,status:403,msg:'wget command execution attack'" SecFilterSelective ARGS_VALUES ";[[:space:]]*wget[[:space:]]*" But take Ivan's advice and remount /tmp noexec. We ended up just symlinking /var/tmp /usr/tmp and /tmp to /dev/shm and remounting that noexec, as those are all the popular spots for script kiddies to put their junk. Augie. -- Registered Linux user #229905 GPG Public Key: http://www.schwer.us/schwer.asc Key fingerprint =3D 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072 |
|
From: Tom A. <tan...@oa...> - 2006-02-03 20:30:38
|
li...@32... wrote: > I just had an attempt made on my server to exploit it. The user was able to > upload a folder call .sgurz into the tmp folder, this folder had 2 files, > boink and .boink2. > > I do not think it did anything except use up all the apache processes. > > What would the filer need to be in order to block this type of attack in the > future? You need to search through the apache logs and find the query which resulted in the compromise. That will tell you which software is allowing the upload to /tmp, and it will give you some insight into how to block that query. For instance, I know that AWStats does not do proper sanitizing of some input because it once lead to a worm compromising my machine. I then created a rule that prevents queries which involve "awstats" and several of its optional variables which I don't personally use: SecFilterSelective THE_REQUEST "awstats" chain SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod |exec|print)" The exploit ran perl code through one of these variables, which I found in my apache access log. Grep'ing for "perl" might make your search easier. However, your case might have involved a different tack. In fact, it's possible a low-priviledge account was brute-force hacked through ssh, not through apache. I've had that happen too. Are the files in /tmp owned by the apache user? Either way, run "ps ax" and search for running processes (perhaps masquerading as "init" or some other system program) which don't look like they belong, either because of the user that started it, the time it started, or the resources it's using. That's probably your zombie. Note the name and owner, and kill that process. Grep your ssh log for the username that launched it (or that own the files in /tmp), if not apache, to see if a brute-force attack was launched against it. Hope that helps. Tom |
|
From: Ivan R. <iv...@we...> - 2006-02-03 19:22:40
|
li...@32... wrote: > Hello, > > I just had an attempt made on my server to exploit it. The user was able to > upload a folder call .sgurz into the tmp folder, this folder had 2 files, > boink and .boink2. > > I do not think it did anything except use up all the apache processes. > > What would the filer need to be in order to block this type of attack in the > future? I don't think it's possible to do that. You could have a filter in place to watch for strings "boink" and such but that would be too easy to defeat simply by changing the names of the files. Were the files in the /tmp folder executable? Preventing execution in /tmp is always a good idea (either by mounting it non-executable or by using mandatory access controls via grsecurity or SELinux). -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com |
139 messages has been excluded from this view by a project administrator.
