mod-security-users Mailing List for ModSecurity (Page 549)
From: Javier Fernandez-S. <jfe...@ge...> - 2005-11-17 09:15:47
Peter VE wrote:
>
>> Peter VE wrote:
>>> Hi,
>>>
>>> I wrote a script that pulls down multiple sets of snort rules, and
>>> converts specific rulefiles to SecFilters.
>>
>> You shouldn't have, there's a script included with ModSecurity
>> that does just that :)
>
> I'm using the ModSecurity script to convert, but it is launched from
> within my own script, which

BTW, are you open to sharing that script so that Ivan can add it to the util/ directory? I provided a nessus2modsec script a while back [1] which is now available there [2] and I would encourage others to do the same. These scripts are valid tools and help others get up to speed when using mod-security. Contributing them back also makes it possible for the community to maintain them.

> - downloads various sets of rules (snort, bleeding, community)
> - extracts the rules
> - only converts the rules that I need
> - rips out some rules that I don't want/need
> (after converting snort rules, I noticed that the converted file
> contains a couple of SecFilter "" and SecFilter "=" entries,
> which kinda break basic functionality... )

This last comment (the SecFilter "" issue) looks to me like it is because you are using an older version of the script that does not skip Snort rules that do not apply to HTTP. I provided a patch [3] to snort2modsec that fixed that. Ivan applied that patch [4] (minus the documentation I added, but that is also available in the 'snortmodsec-rules.txt' file already).

If you are not willing to share the code, it would be nice if you could tell us:
- which rules you don't think apply, and should not be converted
- what rules that do apply get converted to problematic SecFilters

Regards

Javier

[1] http://sourceforge.net/mailarchive/forum.php?thread_id=5857485&forum_id=33492
[2] http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/nessus2modsec.pl?rev=1.1&view=markup
[3] http://sourceforge.net/mailarchive/forum.php?thread_id=5857484&forum_id=33492
[4] http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/snort2modsec.pl?r1=1.1&r2=1.2

>>> When I update the files with newer files, will mod_security
>>> automatically use the newer file ? Or does Apache need a restart ?
>>
>> You need to restart Apache.
>
> Will Apache start when one of the mod_security SecFilters is wrong ?
> After all, this is an automated process - there is a chance that
> something is wrong with the original snort rules, or with converting
> those rules into filters...
>
>>> If it automatically uses the newer file, what happens at the very
>>> time
>>> the file gets overwritten?
>>
>> Nothing. When Apache is started rules are read in memory. What
>> you do with the file afterwards is not important.
>
> Thanks !
>
>> --
>> Ivan Ristic
>> Apache Security (O'Reilly) - http://www.apachesecurity.net
>> Open source web application firewall - http://www.modsecurity.org
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
>> Register for a JBoss Training Course. Free Certification Exam
>> for All Training Attendees Through End of 2005. For more info visit:
>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: Christopher P. <chr...@ve...> - 2005-11-17 08:31:00
Hello folks, Well I've been doing some tightening of security on my webserver but it seems that I've made things too tight. The problem is that I can't figure out how to best let PostNuke do what it needs to do. Right now several of my filters stop the execution of a large number of commands that I need to have available in postnuke. I'll start off by posting my current modsecurity.conf file: SecFilterEngine On SecFilterScanPOST On SecAuditEngine On SecAuditLog logs/audit_log SecFilterSelective HTTP_Transfer-Encoding "!^$" SecFilterDefaultAction "deny,log,status:500" SecFilter "<( |\n)*script*" SecFilterInheritance Off SecFilterCheckUnicodeEncoding On SecFilterCheckURLEncoding On SecServerResponseToken Off SecFilter /bin/sh SecFilter hidden SecServerSignature "Microsoft-IIS/5.0" SecFilter "\.\./" SecFilterSelective ARGS "bin/" And here's the audit log of one of several stops I get when I try and do something simple like update a block: ======================================== UNIQUE_ID: davA638AAAEAAGm3ay8AAAAB Request: 67.190.166.65 - - [16/Nov/2005:23:54:53 --0600] "POST /index.php?module=Blocks&type=admin&func=update HTTP/1.1" 500 623 Handler: (null) ---------------------------------------- POST /index.php?module=Blocks&type=admin&func=update HTTP/1.1 Host: www.venomstats.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q= 0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.venomstats.com/index.php?module=Blocks&type=admin&func=modify&bid =39 Content-Type: application/x-www-form-urlencoded Content-Length: 3382 mod_security-message: Access denied with code 500. Pattern match "bin/" at POST_PAYLOAD mod_security-action: 500 Thanks for the help. Christopher Patricca Server Administrator |
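The audit log entry above says the POST was blocked by the pattern "bin/" at POST_PAYLOAD, i.e. by the `SecFilterSelective ARGS "bin/"` rule, which inspects every parameter, including the HTML body of the block being saved. The following is an added example, not code from this post or from ModSecurity: a small model of ModSecurity 1.x selective-rule evaluation over a constructed PostNuke block-update request (query string and form body are made up; the `ARGS|!ARG_name` exclusion syntax is assumed from the 1.x manual). It shows the broad rule firing on the `content` parameter and the same pattern no longer firing once that one parameter is excluded from the location, while every other parameter is still checked. Real ModSecurity also normalises and decodes input before matching; this model only URL-decodes.

```python
"""Mini evaluator for SecFilterSelective rules over request parameters.

Added example (not code from the list post or from ModSecurity). It mimics
just enough of ModSecurity 1.x rule semantics to show why a broad ARGS rule
fires on a CMS block body and how restricting the location avoids that.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Constructed request: a PostNuke block update whose HTML content happens to
# contain "cgi-bin/". Values are made up for the example.
QUERY = "module=Blocks&type=admin&func=update"
BODY = ("bid=39&title=Site+stats&position=left"
        "&content=%3Ca+href%3D%22%2Fcgi-bin%2Fstats%22%3EStats%3C%2Fa%3E")

# (rule id, location, pattern) models: SecFilterSelective LOCATION "PATTERN" "id:N"
Rule = Tuple[int, str, str]


def collect_args(query: str, body: str) -> Dict[str, List[str]]:
    """URL-decode the query string and form body into name -> list of values."""
    args: Dict[str, List[str]] = {}
    pairs = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for name, value in pairs:
        args.setdefault(name, []).append(value)
    return args


def select(location: str, args: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Resolve a location such as 'ARGS' or 'ARGS|!ARG_content' to (name, value) pairs.

    A leading '!' removes a variable from the set (assumed ModSecurity 1.x syntax).
    Only ARGS and ARG_<name> are modelled here.
    """
    include, exclude = set(), set()
    for spec in location.split("|"):
        negate = spec.startswith("!")
        name = spec[1:] if negate else spec
        if name == "ARGS":
            chosen = set(args)
        elif name.startswith("ARG_"):
            chosen = {name[len("ARG_"):]}
        else:
            raise ValueError(f"location not modelled here: {name}")
        (exclude if negate else include).update(chosen)
    return [(n, v) for n in sorted(include - exclude) for v in args.get(n, [])]


def evaluate(rules: List[Rule], query: str, body: str) -> List[Tuple[int, str]]:
    """Return (rule id, parameter name) for each rule that matches (first hit per rule)."""
    args = collect_args(query, body)
    hits: List[Tuple[int, str]] = []
    for rule_id, location, pattern in rules:
        regex = re.compile(pattern)
        for name, value in select(location, args):
            if regex.search(value):
                hits.append((rule_id, name))
                break
    return hits


if __name__ == "__main__":
    # The rule from the post: every parameter is inspected, so the block body trips it.
    print(evaluate([(1, "ARGS", "bin/")], QUERY, BODY))
    # Same pattern, but the free-text parameter is excluded from the location.
    print(evaluate([(1, "ARGS|!ARG_content", "bin/")], QUERY, BODY))
```

The point for tuning is that the pattern is not wrong, the location is: excluding the one parameter that legitimately carries HTML keeps the check on `bid`, `func`, `module` and the rest, which is where "bin/" would actually be suspicious.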
From: Ivan R. <iv...@we...> - 2005-11-16 10:56:32
Peter VE wrote: >>>I'm using the ModSecurity script to convert, but it is launched from >>>within my own script, which >>>- downloads various sets of rules (snort, bleeding, community) >>>- extracts the rules >>>- only converts the rules that I need >>>- rips out some rules that I don't want/need >>>(after converting snort rules, I noticed that the converted file >>>contains a couple of SecFilter "" and SecFilter "=" entries, >>>which kinda break basic functionality... ) >> >> Nice. How long have you been using the Snort rules for? Are you >> happy with them for web intrusion detection? >> > > snort rules for mod_security : 2 days > this is the first webserver, so I really don't know how good/bad they > are... > Has anyone else played with the snort rules for > - IDS (snort itself) > - SecFilters (mod_security) ? > If so, what are your findings ? I didn't use them in practice but, after looking at them, I thought they were too broad. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
From: Ivan R. <iv...@we...> - 2005-11-16 10:54:46
Andras Got wrote: > Hi, > > I have a rule (i had actually) HTTP_REFERER that i renamed > HTTP_HTTP_REFERER, because simply HTTP_REFERER searched in the whole > header. I only need to ban some referers (forums actually), where links > posted which cause a DoS to the server. It's a free webhosting service. > :) The question is which rule is the correct? :) Why don't you post the rule and we'll tell you :) (I don't see how HTTP_HTTP_REFERER could work though.) > P.S: Ivan I would do the translation of mod_sec 1.9 as we emailed > earlier. :) Is the HTML version ready for this? It is. If you do it in DocBook, though, I will be able to produce PDF, single-page HTML, and multi-page HTML all at once. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
From: Andras G. <an...@an...> - 2005-11-16 10:35:13
Hi, I have a rule (i had actually) HTTP_REFERER that i renamed HTTP_HTTP_REFERER, because simply HTTP_REFERER searched in the whole header. I only need to ban some referers (forums actually), where links posted which cause a DoS to the server. It's a free webhosting service. :) The question is which rule is the correct? :) P.S: Ivan I would do the translation of mod_sec 1.9 as we emailed earlier. :) Is the HTML version ready for this? Thx, Andrej |
From: Peter VE <xx...@im...> - 2005-11-16 10:13:46
> > > > I'm using the ModSecurity script to convert, but it is launched from > > within my own script, which > > - downloads various sets of rules (snort, bleeding, community) > > - extracts the rules > > - only converts the rules that I need > > - rips out some rules that I don't want/need > > (after converting snort rules, I noticed that the converted file > > contains a couple of SecFilter "" and SecFilter "=" entries, > > which kinda break basic functionality... ) > > Nice. How long have you been using the Snort rules for? Are you > happy with them for web intrusion detection? > snort rules for mod_security : 2 days this is the first webserver, so I really don't know how good/bad they are... Has anyone else played with the snort rules for - IDS (snort itself) - SecFilters (mod_security) ? If so, what are your findings ? > > >>>When I update the files with newer files, will mod_security > >>>automatically use the newer file ? Or does Apache need a restart ? > >> > >> You need to restart Apache. > >> > > > > Will Apache start when one of the mod_security SecFilters is wrong ? > > No. But you can preserve the previous version of the configuration > file, run Apache with "configtest" first, actually restarting only > if everything's fine. > great ! thanks > > -- > Ivan Ristic > Apache Security (O'Reilly) - http://www.apachesecurity.net > Open source web application firewall - http://www.modsecurity.org > > |
From: Ivan R. <iv...@we...> - 2005-11-16 10:05:00
Peter VE wrote: > > I'm using the ModSecurity script to convert, but it is launched from > within my own script, which > - downloads various sets of rules (snort, bleeding, community) > - extracts the rules > - only converts the rules that I need > - rips out some rules that I don't want/need > (after converting snort rules, I noticed that the converted file > contains a couple of SecFilter "" and SecFilter "=" entries, > which kinda break basic functionality... ) Nice. How long have you been using the Snort rules for? Are you happy with them for web intrusion detection? >>>When I update the files with newer files, will mod_security >>>automatically use the newer file ? Or does Apache need a restart ? >> >> You need to restart Apache. >> > > Will Apache start when one of the mod_security SecFilters is wrong ? No. But you can preserve the previous version of the configuration file, run Apache with "configtest" first, actually restarting only if everything's fine. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
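Ivan's advice above (keep the previous configuration, run Apache's configtest first, restart only if it passes) as a script, added here as an example that is not part of the thread and not one of ModSecurity's util/ scripts. It assumes the converted Snort rules live in one file that httpd.conf includes and that `apachectl` is on PATH; it also pre-checks the file for the empty `SecFilter ""` / `SecFilter "="` lines Peter reported, so a bad conversion never reaches the live file. Since Apache reads rules into memory at startup, the overwrite itself is harmless; the temp-file-plus-rename is only there so the on-disk file is never half written. The check is a parameter so the flow can be exercised without a running Apache.

```python
"""Stage a converted ModSecurity rules file, validate it, then swap it in.

Added example, not code from the mailing list thread or from ModSecurity.
Assumes: the live rules file is Include'd by httpd.conf, and `apachectl`
is available for the real syntax check.
"""
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List

# Rules the thread reports as breaking basic functionality when produced by an
# old snort2modsec: a SecFilter / SecFilterSelective with an empty or "=" keyword.
DEGENERATE_RULE = re.compile(r'^\s*SecFilter(?:Selective\s+\S+)?\s+"(?:|=)"\s*$', re.M)


def lint_rules(text: str) -> List[str]:
    """Return every degenerate SecFilter line found in a rules file (empty list if clean)."""
    return [m.group(0).strip() for m in DEGENERATE_RULE.finditer(text)]


def apache_configtest(httpd: str = "apachectl") -> bool:
    """Run the real Apache syntax check. Returns True when `apachectl configtest` exits 0."""
    result = subprocess.run([httpd, "configtest"], capture_output=True)
    return result.returncode == 0


def deploy_rules(new_rules: Path, live: Path,
                 check: Callable[[], bool] = apache_configtest) -> bool:
    """Install new_rules at `live` only if lint and `check` both pass.

    On any failure the previous file is left (or restored) in place.
    Returns True when the new rules are now the live ones.
    """
    text = new_rules.read_text()
    if lint_rules(text):
        return False  # refuse before touching the live file at all

    backup = live.with_suffix(live.suffix + ".prev")
    if live.exists():
        shutil.copy2(live, backup)

    # Write into the same directory, then rename: readers never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=str(live.parent), prefix=".rules-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, live)

    if check():
        return True  # caller may now restart/graceful Apache

    # Syntax check failed: roll back to the previous version.
    if backup.exists():
        os.replace(backup, live)
    else:
        live.unlink()
    return False


if __name__ == "__main__":
    import sys
    ok = deploy_rules(Path(sys.argv[1]), Path(sys.argv[2]))
    print("deployed, restart Apache" if ok else "rejected, previous rules kept")
```

Usage is `python deploy_rules.py converted.conf /etc/httpd/modsec/snort.conf`; the restart is deliberately left to the caller so the script can run from cron and only signal when there is something safe to reload.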
From: Peter VE <xx...@im...> - 2005-11-16 10:00:56
> > > > Peter VE wrote: > > Hi, > > > > I wrote a script that pulls down multiple sets of snort rules, and > > converts specific rulefiles to SecFilters. > > You shouldn't have, there's a script included with ModSecurity > that does just that :) I'm using the ModSecurity script to convert, but it is launched from within my own script, which - downloads various sets of rules (snort, bleeding, community) - extracts the rules - only converts the rules that I need - rips out some rules that I don't want/need (after converting snort rules, I noticed that the converted file contains a couple of SecFilter "" and SecFilter "=" entries, which kinda break basic functionality... ) > > > > When I update the files with newer files, will mod_security > > automatically use the newer file ? Or does Apache need a restart ? > > You need to restart Apache. > Will Apache start when one of the mod_security SecFilters is wrong ? After all, this is an automated process - there is a chance that something is wrong with the original snort rules, or with converting those rules into filters... > > > If it automatically uses the newer file, what happens at the very > time > > the file gets overwritten? > > Nothing. When Apache is started rules are read in memory. What > you do with the file afterwards is not important. > Thanks ! > -- > Ivan Ristic > Apache Security (O'Reilly) - http://www.apachesecurity.net > Open source web application firewall - http://www.modsecurity.org > > > ------------------------------------------------------- > This SF.Net email is sponsored by the JBoss Inc. Get Certified Today > Register for a JBoss Training Course. Free Certification Exam > for All Training Attendees Through End of 2005. For more info visit: > http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > |
From: Ivan R. <iv...@we...> - 2005-11-16 08:47:34
Peter VE wrote: > Hi, > > I wrote a script that pulls down multiple sets of snort rules, and > converts specific rulefiles to SecFilters. You shouldn't have, there's a script included with ModSecurity that does just that :) > When I update the files with newer files, will mod_security > automatically use the newer file ? Or does Apache need a restart ? You need to restart Apache. > If it automatically uses the newer file, what happens at the very time > the file gets overwritten? Nothing. When Apache is started rules are read in memory. What you do with the file afterwards is not important. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
From: Peter VE <xx...@im...> - 2005-11-16 08:44:10
Hi, I wrote a script that pulls down multiple sets of snort rules, and converts specific rulefiles to SecFilters. The httpd.conf file contains an include statement for every converted ruleset file. When I update the files with newer files, will mod_security automatically use the newer file ? Or does Apache need a restart ? If it automatically uses the newer file, what happens at the very time the file gets overwritten ? Will that cause a locking issue, or will mod_security all of a sudden - just for a millisecond or so - run without the included filters ? thanks |
From: Ivan R. <iv...@we...> - 2005-11-15 18:10:13
ModSecurity 1.9 FINAL has been released. It is available for
immediate download from:
http://www.modsecurity.org/download/
After more than a year in development, ModSecurity 1.9 introduces
a number of changes that further increase usefulness of this
web application security tool.
Changes (since 1.8)
-------------------
Major enhancements include:
* A brand new audit logging subsystem aimed at supporting
real time aggregation of the forensic logs. It is now possible
to fine-tune forensic logging and even log complete responses.
* Significant rule engine enhancements that increase flexibility,
introduce meta-data facilities, and allow for safe inclusion of
third-party produced rule databases.
* A new stateful request monitoring mechanism, which includes
tools for defence against Denial of Service attacks.
* Many smaller improvements throughout, including: performance
measurement, ten new actions, seventeen new variables,
output status filtering, performance improvements, support for
methods other than GET and POST, ClamAV integration, and so on.
For a list with more details please visit:
http://www.modsecurity.org/blog/archives/2005/09/whats_new_in_mo.html
About ModSecurity
-----------------
ModSecurity is a web application firewall designed to protect
vulnerable applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It
can work embedded in Apache, or as a standalone security device when
configured to work as part of an Apache-based reverse proxy.
Optionally, ModSecurity creates application audit logs, which contain
the full request body in addition to all other details. Requests are
filtered using regular expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them
checked by external scripts
With a few general rules ModSecurity can protect from both known
and unknown vulnerabilities. It excels as a tool for HTTP traffic
monitoring and just-in-time patching.
ModSecurity is dual-licensed. It can be used at no cost under the
terms of GPL v2. Support and commercial licences (for end-users
and OEM distributors) can be obtained from Thinking Stone
(http://www.thinkingstone.com).
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: David D. <dev...@gm...> - 2005-11-14 04:29:20
Ivan. Thank you for your response. I've solved the problem and it was due to some php rules that were included in the gotroot rules I downloaded. I do not use php. I have created a custom ruleset with some of the examples from the gotroot folks, many thanks! At this time the errors are gone and I have put mod_security into production. I had a few malicious attempts this past weekend. These attempts are now being blocked. Before mod_security I had the hardest time doing anything with POST URL's in apache.

Thank you.

David

On 11/13/05, Ivan Ristic <iv...@we...> wrote:
>
> David DeVault wrote:
> > Hello.
> >
> > I'm getting the following error in my apache logs.
> >
> > What I want to know is does this have something to do with my rules or
> > is there a problem somewhere else? I'm also not getting audit logs.
> >
> > [Sat Nov 12 20:13:00 2005] [error] [client 71.134.92.201] mod_security: get_variable: unresolved variable
> > type 9 (internal error) [hostname "host.com"] [uri
> > "/index.html"] [unique_id "Q3a9S0B8NNQAAGMqYYM"]
> >
> > I'm using Apache 1.3 and I downloaded and compiled the latest
> > mod_security module for apache1.
>
> Hi David,
>
> I suspect "OUTPUT" is used somewhere in your ModSecurity
> configuration. This variable is only supported in the version
> for Apache 2.x but ModSecurity does not complain if an attempt
> to use "OUTPUT" with Apache 1.x is made. (At least not at the
> moment; I'll add the check to one of the future releases.)
>
> If you find it simply comment out the rules - they are not
> doing anything for Apache 1.3.x anyway.
>
> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
From: Ivan R. <iv...@we...> - 2005-11-13 20:06:53
Justin Grindea wrote: > hello, > > I'm interested in upgrading mod_security to 1.9 and have a couple of > questions: > > First, how do I upgrade? I'm on apache 1.3, installed using apxs -cia > mod_security.so. Just do the same again, then stop and start Apache. > Second, I've heard that now rules can be ignored per v-host and I'm > interested in implementing this. > Most of the rules I use are from gotroot. I have the main file, that > includes all other files like rules.conf, > agents.conf, etc. > How can I disable one rule or more per v-host entry? You would have to assign a unique ID to the rule and then use SecFilterRemove in the virtual host later on. Look SecFilterRemove in the manual. > Lastly, I'm interested in cutting the audit_log into small files, for > each v-host on the server, so > my clients can see the relevant entries from the log and be able to > adjust scripts as needed or be aware of > attacking attempts. If you use the concurrent audit log format (new to 1.9) the audit log entries will already be separated for you. You only need to write a script to parse the index file (which contains the host field) and copy/move the audit log entries to the customers' folders. But, if you are using <VirtualHost> for hosting note that you can spread the audit log into multiple files easily, simply by putting a different SecAuditLog /path/to/file line into each one. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
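The two mechanisms Ivan describes (rule IDs plus SecFilterRemove inside a virtual host, and either the concurrent audit log or a per-host SecAuditLog) as one configuration fragment. This is an added example, not from the post or the ModSecurity distribution; directive names follow the ModSecurity 1.9 reference as I recall it and should be checked against the manual for your release, and the rule IDs, patterns, hostnames and paths are placeholders.

```apacheconf
# Global rules file, Include'd from httpd.conf. Each rule carries an id so
# that a virtual host can opt out of it by number.
SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"

SecFilterSelective ARGS "bin/"  "id:100001"
SecFilterSelective ARGS "\.\./" "id:100002"

# Concurrent audit log (new in 1.9): one file per logged request under the
# storage directory plus an index file, which is what a splitting script reads.
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/httpd/audit/data
SecAuditLog /var/log/httpd/audit/index

<VirtualHost *:80>
    ServerName customer-a.example
    # Rule 100001 produces false positives for this customer's CMS; drop only it.
    # The rule set is inherited from the main server, so everything else still applies.
    SecFilterRemove 100001

    # Alternative to splitting the index afterwards: give this host its own
    # index and storage directory, which the customer can be allowed to read.
    SecAuditLogStorageDir /var/log/httpd/audit/customer-a/data
    SecAuditLog /var/log/httpd/audit/customer-a/index
</VirtualHost>
```

Keep the per-host audit directories outside any document root and owned by the Apache user, and grant the customer read access only to their own directory: audit entries contain full request bodies, including credentials that other customers' users submitted.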
From: Justin G. <web...@sw...> - 2005-11-13 19:35:19
hello, I'm interested in upgrading mod_security to 1.9 and have a couple of questions: First, how do I upgrade? I'm on apache 1.3, installed using apxs -cia mod_security.so. Second, I've heard that now rules can be ignored per v-host and I'm interested in implementing this. Most of the rules I use are from gotroot. I have the main file, that includes all other files like rules.conf, agents.conf, etc. How can I disable one rule or more per v-host entry? Lastly, I'm interested in cutting the audit_log into small files, for each v-host on the server, so my clients can see the relevant entries from the log and be able to adjust scripts as needed or be aware of attacking attempts. many thanks for this class A product, Justin |
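For the last question, the script Ivan describes in his reply: read the concurrent audit log index, take the host field, and copy each entry into that customer's directory. This is an added example, not code from the thread or from ModSecurity. The index line layout it assumes (Host value first, then a combined-log style record, then the entry path relative to the storage directory) is my reconstruction and must be checked against a real index file; the two sample lines are constructed, with documentation-range IPs. Because the Host header is attacker-controlled, the host value is reduced to a safe directory name and entry paths containing `..` are skipped before any file is touched.

```python
"""Split a ModSecurity concurrent audit log index into per-host directories.

Added example (not from the list post or the ModSecurity project). The index
format below is assumed; adjust parse_index_line() to your actual index.
"""
import shlex
import shutil
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample index lines (IPs from documentation ranges; unique ids are
# the two that appear elsewhere in this thread). Assumed layout: host, client IP,
# combined-log fields, unique id, session id, then the entry path.
SAMPLE_INDEX = """\
www.example.com 192.0.2.10 - - [13/Nov/2005:20:13:00 -0600] "GET /index.html HTTP/1.1" 403 623 "-" "Mozilla/5.0" Q3a9S0B8NNQAAGMqYYM "-" /20051113/20051113-2013/20051113-201300-Q3a9S0B8NNQAAGMqYYM
shop.example.net 198.51.100.7 - - [13/Nov/2005:20:14:02 -0600] "POST /index.php?module=Blocks HTTP/1.1" 500 623 "http://shop.example.net/" "Mozilla/5.0" davA638AAAEAAGm3ay8AAAAB "-" /20051113/20051113-2014/20051113-201402-davA638AAAEAAGm3ay8AAAAB
"""


def parse_index_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (host, entry path relative to the storage dir) or None if unparseable."""
    try:
        fields = shlex.split(line)  # keeps the quoted request line / UA as one field
    except ValueError:
        return None
    if len(fields) < 2:
        return None
    host = fields[0]
    for field in fields[1:]:
        if field.startswith("/"):  # first absolute-looking field is the entry path
            return host, field
    return None


def safe_host_dir(host: str) -> str:
    """Reduce an untrusted Host value to a single directory component."""
    cleaned = "".join(c if c.isalnum() or c in ".-" else "_" for c in host.lower())
    return cleaned.strip(".") or "unknown"


def split_index(index_text: str, storage_dir: Path, dest_root: Path) -> Dict[str, List[Path]]:
    """Copy every entry named in the index into dest_root/<host>/; return what was copied."""
    copied: Dict[str, List[Path]] = defaultdict(list)
    for line in index_text.splitlines():
        parsed = parse_index_line(line)
        if parsed is None:
            continue
        host, rel = parsed
        if ".." in Path(rel).parts:  # never follow an index entry outside the store
            continue
        src = storage_dir / rel.lstrip("/")
        if not src.is_file():
            continue
        dest_dir = dest_root / safe_host_dir(host)
        dest_dir.mkdir(parents=True, exist_ok=True)
        dest = dest_dir / src.name
        shutil.copy2(src, dest)
        copied[host].append(dest)
    return dict(copied)


if __name__ == "__main__":
    import sys
    index_file, store, out = (Path(a) for a in sys.argv[1:4])
    for host, files in split_index(index_file.read_text(), store, out).items():
        print(f"{host}: {len(files)} entries")
```

Run it from cron against the live index (`python split_audit.py /var/log/httpd/audit/index /var/log/httpd/audit/data /srv/customers`) and keep a cursor of the last processed line if the index is not rotated, otherwise every run re-copies everything.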
From: Ivan R. <iv...@we...> - 2005-11-13 09:29:37
David DeVault wrote: > Hello. > > I'm getting the following error in my apache logs. > > What I want to know is does this have something to do with my rules or > is there a problem somewhere else? I'm also not getting audit logs. > > [Sat Nov 12 20:13:00 2005] [error] [client 71.134.92.201 > <http://71.134.92.201>] mod_security: get_variable: unresolved variable > type 9 (internal error) [hostname "host.com <http://host.com>"] [uri > "/index.html"] [unique_id "Q3a9S0B8NNQAAGMqYYM"] > > I'm using Apache 1.3 and I downloaded and compiled the latest > mod_security module for apache1. Hi David, I suspect "OUTPUT" is used somewhere in your ModSecurity configuration. This variable is only supported in the version for Apache 2.x but ModSecurity does not complain if an attempt to use "OUTPUT" with Apache 1.x is made. (At least not at the moment; I'll add the check to one of the future releases.) If you find it simply comment out the rules - they are not doing anything for Apache 1.3.x anyway. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
From: David D. <dev...@gm...> - 2005-11-13 04:27:42
Hello. I'm getting the following error in my apache logs. What I want to know is does this have something to do with my rules or is there a problem somewhere else? I'm also not getting audit logs.

[Sat Nov 12 20:13:00 2005] [error] [client 71.134.92.201] mod_security: get_variable: unresolved variable type 9 (internal error) [hostname "host.com"] [uri "/index.html"] [unique_id "Q3a9S0B8NNQAAGMqYYM"]

I'm using Apache 1.3 and I downloaded and compiled the latest mod_security module for apache1. Don't know if this matters or not, but I'm running this on Solaris 8. Please help as this error is being logged with each request. Thank you, David
From: Ivan R. <iv...@we...> - 2005-11-10 20:44:15
Jason Z wrote:
>
> It turns out that ModSecurity requires all exec commands to print
> something back out ('1' for example) in order to actually accept the
> execution. I didn't think that a logging script would need to provide
> any feedback to ModSecurity. After watching the debug output (as you
> suggested) I changed the extension from . to .pl and had it just print a
> 1 at the end and ModSecurity became happy.
Ah, there's a reason for that. There are cases (or at least there were
when I looked at it) where it is not possible to differentiate between
a script failing to execute and a script executing but not writing
anything to stdout.
I'll make a note of it in the documentation.
Thanks for bringing the problem to my attention.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Ivan R. <iv...@we...> - 2005-11-10 20:41:40
-- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
From: Ivan R. <iv...@we...> - 2005-11-10 19:24:04
Jason Z wrote: > I am currently in the beginning phase of deploying MS on multiple web > servers and am looking for a simple way to monitor what would trigger MS > without actually blocking anything, yet. Why not configure audit logging to take place only when there is a rule match and then monitor the audit logs? > The simplest method I thought of was to have the default action trigger > a script which (for now) just reads the ENV variables and then builds a > log file of potential alerts. You can have the same from the debug log if you use it at level 1. > Anyway, my configuration is shown before. Every time I trigger a rule I > am getting (mod_security-executed: /tmp/test.pl (failed)). The server > currently is not chrooted and if I copy/paste the script into the > command line it executes just file, so the path and file name are > correct. The script is currently owned by the user/group the web > service is running as and the permissions are currently 755. > > I can't find any reason as to why this script fails to execute from > within the MS system. > > Any help in this matter would be greatly appreciated. Try to turn debug logging on, configure at a higher level (e.g. 9) and try to catch one failed attempt to execute. There may be more information in the error log. Are you using suExec? Which version of ModSecurity are you using, and on which platform? -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
From: Jason Z <jzm...@gm...> - 2005-11-10 19:16:46
I am currently in the beginning phase of deploying MS on multiple web servers and am looking for a simple way to monitor what would trigger MS without actually blocking anything, yet. The simplest method I thought of was to have the default action trigger a script which (for now) just reads the ENV variables and then builds a log file of potential alerts. In the future a similar script will be used to modify firewalls, etc..

Anyway, my configuration is shown before. Every time I trigger a rule I am getting (mod_security-executed: /tmp/test.pl (failed)). The server currently is not chrooted and if I copy/paste the script into the command line it executes just fine, so the path and file name are correct. The script is currently owned by the user/group the web service is running as and the permissions are currently 755.

I can't find any reason as to why this script fails to execute from within the MS system.

Any help in this matter would be greatly appreciated.

----------------------------------------------
#mod_security.conf snippet
SecFilterDefaultAction "exec:/tmp/test.pl,allow"
----------------------------------------------

Thank you,
Jason Ziemba
From: Ivan R. <iv...@we...> - 2005-11-10 19:11:05
Francois Boulanger wrote: > We've been sticking to Apache 1.3 because of time and budget constraints > (It's a pretty long story, it's actually more a political issue than a > technological one). > > But this performance issue just might be the occasion to push for a > migration to 2.0. I'll compile with Apache 2.0 and do a few tests. The entirely new branch of Apache, 2.2.0, is expected soon. You may want to wait just a bit longer and jump straight away to that one. I, for one, hope we get to have only one branch and leave 1.3.x behind. > If I > have enough time I'll add a few counters in the code to try to locate > the bottleneck (if there is one) Focus just on the speed of the regular expressions. There shouldn't be any bottlenecks in the ModSecurity code. > We're using roughly 250 rules; That doesn't sound to me as too much? No, it doesn't. (Feel free to send me the rules to my private address. I can test them on my development server for you if you wish.) > However the validations are system wide, that just might be the problem. Just to check, are you using the audit log at all? On a couple of occasions I was called to investigate performance problems the audit log was enabled (RelevantOnly) but there was a rule that emitted a warning (and thus caused the request to be logged) on every request. BTW, how many requests per second do you get? -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
|
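The audit-log check Ivan describes, as an added example that is not from this thread or the ModSecurity project: it tallies the "mod_security-message:" lines in a serial audit log and reports any message present in most logged requests, which with RelevantOnly points at a log/pass rule that marks every request as relevant. The entry layout is an assumption illustrated by a constructed sample; compare against a real 1.x audit log before relying on the field names.

```shell
#!/bin/sh
# Added example (not from this thread or the ModSecurity project): find the
# rule that makes a RelevantOnly audit log record every request.
# Assumption: each ModSecurity 1.x serial audit log entry carries one
# "Request:" line and one "mod_security-message:" line, as in the
# constructed sample below (not a real log).

# write_sample_log PATH : constructed log, two requests that only tripped a
# warn-on-everything rule and one that was actually denied.
write_sample_log() {
    cat > "$1" <<'EOF'
========================================
UNIQUE_ID: constructed-0001
Request: 203.0.113.5 - - [10/Nov/2005:19:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
mod_security-message: Warning. Pattern match "^$" at HTTP_ACCEPT
========================================
UNIQUE_ID: constructed-0002
Request: 203.0.113.6 - - [10/Nov/2005:19:00:02 +0000] "GET /about.html HTTP/1.1" 200 301
mod_security-message: Warning. Pattern match "^$" at HTTP_ACCEPT
========================================
UNIQUE_ID: constructed-0003
Request: 203.0.113.7 - - [10/Nov/2005:19:00:03 +0000] "POST /upload HTTP/1.1" 403 0
mod_security-message: Access denied with code 403. Pattern match "^POST$" at REQUEST_METHOD
EOF
}

# count_entries LOGFILE : number of logged requests.
count_entries() { grep -c '^Request: ' "$1"; }

# top_messages LOGFILE : "count<TAB>message" lines, most frequent first.
top_messages() {
    sed -n 's/^mod_security-message: //p' "$1" | sort | uniq -c | sort -rn \
        | awk '{ c = $1; $1 = ""; sub(/^ +/, ""); printf "%s\t%s\n", c, $0 }'
}

# noisy_messages LOGFILE PERCENT : messages present in at least PERCENT of
# the logged requests; under RelevantOnly these are the rules whose
# log/pass match is forcing every request into the audit log.
noisy_messages() {
    total=$(count_entries "$1")
    top_messages "$1" | awk -F '\t' -v n="$total" -v p="$2" '$1 * 100 >= n * p { print $2 }'
}
```

Run `noisy_messages /path/to/audit_log 90` against a live log; a message that shows up in nearly every entry is the rule to change from log to nolog.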
From: Francois B. <fra...@gm...> - 2005-11-10 18:57:39
We've been sticking to Apache 1.3 because of time and budget constraints (It's a pretty long story, it's actually more a political issue than a technological one).

But this performance issue just might be the occasion to push for a migration to 2.0. I'll compile with Apache 2.0 and do a few tests. If I have enough time I'll add a few counters in the code to try to locate the bottleneck (if there is one)

We're using roughly 250 rules; That doesn't sound to me as too much? However the validations are system wide, that just might be the problem.

Thanks for the suggestion, I'll try to make mod_sec only monitor the requests that are aimed to our app server and our perl pages.

I'll post my findings on the thread!

Thanks Ivan.

Francois

On 11/8/05, Ivan Ristic <iv...@we...> wrote:
>
> Francois Boulanger wrote:
> > Hello list!
> >
> > I'm using mod_sec with Apache 1.3.33 and mod_security is a great
> > product, but here the performance tradeoff is pretty bad.
> > Our Apache server is a Sun Enterprise 450 equipped with 2 SPARC-II 400
> > MHZ processors, with 1 GB ram and a few SCSI 10000 rpm drive (no raid
> > setup on the disk Apache is using). We're running Solaris 9.
> >
> > With mod_security disabled (in the httpd.conf file) the server is very
> > responsive and CPU usage averages 21% with peaks up to 50%.
> >
> > With mod_security enabled, during peak hours the CPU is floored at 100%
> > and our website is very slow to display, whether or not we are in the
> > peak hours.
> >
> > System is not out of ram, is not swapping or disk thrashing. Debug is
> > disabled on mod_security.
> >
> > Our config file uses roughly a third of gotroot's rules for Apache 1.3...
>
> And how many rules is that? Personally I don't believe ModSecurity
> should be used with very large rule sets.
>
> I have only used x86 architectures myself and Apache 2.x. ModSecurity
> usually spends around 10 microseconds on a signature. Most of my
> rule sets execute under 1 millisecond.
>
> ModSecurity relies on the regular expression engine built into
> Apache. There is very little overhead on top of that. I have heard
> rumours the regular expression engine of Apache 1.3.x is slow (or
> at least slower than PCRE from Apache 2.x).
>
> Out of curiosity - why aren't you moving to Apache 2.x?
>
> > Anybody else has similar hardware, or similar performance issues? Any
> > pointers to what I could look for?
>
> If you have the time it would be nice if you could add some
> bits of code to ModSecurity to benchmark it (using gettimeofday,
> which returns values in microseconds).
>
> > If someone thinks it might be a config file issue, I'll gladly sanitize
> > my config file and post it here.
> >
> > Any input is greatly appreciated! Thanks!
>
> Have you tried configuring ModSecurity not to work on static
> resources, focusing on dynamic ones only?
>
> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
>
From: Jason Z <jzm...@gm...> - 2005-11-10 05:17:20
I am currently in the beginning phase of deploying MS on multiple web servers and am looking for a simple way to monitor what would trigger MS without actually blocking anything, yet. The simplest method I thought of was to have the default action trigger a script which (for now) just reads the ENV variables and then builds a log file of potential alerts. In the future a similar script will be used to modify firewalls, etc.

Anyway, my configuration is shown below. Every time I trigger a rule I am getting (mod_security-executed: /tmp/test.pl (failed)). The server currently is not chrooted and if I copy/paste the script into the command line it executes just fine, so the path and file name are correct. The script is currently owned by the user/group the web service is running as and the permissions are currently 755. I can't find any reason as to why this script fails to execute from within the MS system. Any help in this matter would be greatly appreciated.

----------------------------------------------
#mod_security.conf snippet
SecFilterDefaultAction "exec:/tmp/test.pl,allow"
----------------------------------------------

Thank you,
Jason Ziemba
From: Ivan R. <iv...@we...> - 2005-11-09 00:34:20
Francois Boulanger wrote:
> Hello list!
>
> I'm using mod_sec with Apache 1.3.33 and mod_security is a great
> product, but here the performance tradeoff is pretty bad.
> Our Apache server is a Sun Enterprise 450 equipped with 2 SPARC-II 400
> MHZ processors, with 1 GB ram and a few SCSI 10000 rpm drive (no raid
> setup on the disk Apache is using). We're running Solaris 9.
>
> With mod_security disabled (in the httpd.conf file) the server is very
> responsive and CPU usage averages 21% with peaks up to 50%.
>
> With mod_security enabled, during peak hours the CPU is floored at 100%
> and our website is very slow to display, whether or not we are in the
> peak hours.
>
> System is not out of ram, is not swapping or disk thrashing. Debug is
> disabled on mod_security.
>
> Our config file uses roughly a third of gotroot's rules for Apache 1.3...

And how many rules is that? Personally I don't believe ModSecurity should be used with very large rule sets.

I have only used x86 architectures myself and Apache 2.x. ModSecurity usually spends around 10 microseconds on a signature. Most of my rule sets execute under 1 millisecond.

ModSecurity relies on the regular expression engine built into Apache. There is very little overhead on top of that. I have heard rumours the regular expression engine of Apache 1.3.x is slow (or at least slower than PCRE from Apache 2.x).

Out of curiosity - why aren't you moving to Apache 2.x?

> Anybody else has similar hardware, or similar performance issues? Any
> pointers to what I could look for?

If you have the time it would be nice if you could add some bits of code to ModSecurity to benchmark it (using gettimeofday, which returns values in microseconds).

> If someone thinks it might be a config file issue, I'll gladly sanitize
> my config file and post it here.
>
> Any input is greatly appreciated! Thanks!

Have you tried configuring ModSecurity not to work on static resources, focusing on dynamic ones only?

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Francois B. <fra...@gm...> - 2005-11-09 00:15:35
Hello list!

I'm using mod_sec with Apache 1.3.33 and mod_security is a great product, but here the performance tradeoff is pretty bad.
Our Apache server is a Sun Enterprise 450 equipped with 2 SPARC-II 400 MHZ processors, with 1 GB ram and a few SCSI 10000 rpm drive (no raid setup on the disk Apache is using). We're running Solaris 9.

With mod_security disabled (in the httpd.conf file) the server is very responsive and CPU usage averages 21% with peaks up to 50%.

With mod_security enabled, during peak hours the CPU is floored at 100% and our website is very slow to display, whether or not we are in the peak hours.

System is not out of ram, is not swapping or disk thrashing. Debug is disabled on mod_security.

Our config file uses roughly a third of gotroot's rules for Apache 1.3...

Anybody else has similar hardware, or similar performance issues? Any pointers to what I could look for?

If someone thinks it might be a config file issue, I'll gladly sanitize my config file and post it here.

Any input is greatly appreciated! Thanks!

Francois Boulanger