mod-security-users Mailing List for ModSecurity (Page 550)
|
From: Ivan R. <iv...@we...> - 2005-11-08 09:13:05
|
sioban wrote:
>> Sure there is (in 1.9), look for SecFilterRemoveRule in the
>> manual.
>
> missed that one, thanks !
>
> of course a google on it, only point me on the CVS changelog :(
>
> surely because you are meaning SecFilterRemove.
Yes, sorry.
> I see it's working with id definition, quite interesting.
>
> I need to ask gotroot maintainer if he plan to add these id.
>
>
>> You can whitelist any request using the "allow" action.
>>
>
> even if another rule already blacklist that one ?
No. You have to "allow" it before that.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: sioban <go...@si...> - 2005-11-08 09:08:39
|
>
> Sure there is (in 1.9), look for SecFilterRemoveRule in the
> manual.
missed that one, thanks !
of course a google on it, only point me on the CVS changelog :(
surely because you are meaning SecFilterRemove.
I see it's working with id definition, quite interesting.
I need to ask gotroot maintainer if he plan to add these id.
>
> You can whitelist any request using the "allow" action.
>
even if another rule already blacklist that one ?
|
|
From: Ivan R. <iv...@we...> - 2005-11-08 08:58:38
|
sioban wrote:
> Hello list.
>
> I use mod security quite a lot, it's a very good product for application filtering.
>
> But I came to a problem.
>
> I also use the gotroot rules, and the script which update the rules.
>
> So I implement rules globally.
>
> I wonder if there is a possibility for a location/vhost/directory
> to make exception of a particular rule. Removing all rules
> with SecfilterInheritance is not a good choice as I need to re include
> all rules for the specific location. I don't want to modify the rules
> as it will be broken in the next update process.
Sure there is (in 1.9), look for SecFilterRemoveRule in the
manual.
> So I wonder if you can redefine a rule, or even whitelist a specific
> request ?
You can whitelist any request using the "allow" action.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: sioban <go...@si...> - 2005-11-08 08:55:35
|
Hello list.
I use mod security quite a lot, it's a very good product for application filtering.
But I came to a problem.
I also use the gotroot rules, and the script which update the rules.
So I implement rules globally.
I wonder if there is a possibility for a location/vhost/directory to make exception of a particular rule. Removing all rules with SecfilterInheritance is not a good choice as I need to re include all rules for the specific location. I don't want to modify the rules as it will be broken in the next update process.
So I wonder if you can redefine a rule, or even whitelist a specific request ?
Thanks.
Sioban
|
|
From: Eli <eli...@ex...> - 2005-11-05 20:15:15
|
Ivan wrote:
> There is no particular reason for that - I simply missed the
> variable. I'll add it to the TODO list for the next release.
Ah, awesome :) Saves me writing a patch for it. Thanks!
Eli.
|
|
From: <xx...@im...> - 2005-11-04 14:32:36
|
ok
I'll try (Need to convert the php code to html first...)
Best regards / Vriendelijke groeten,
Peter Van Eeckhoutte
IT Security Officer
System Administrator
European Lotus Notes Administrator
Sara Lee Foods Europe
Imperial Coordination Center nv --- SLFE's CoE in Telecoms and Security
Grote Baan 200 B-9920 Lovendegem, Belgium
Tel : +32 9 370 02 11 Fax : +32 9 372 50 00
Email : pet...@sa...
Ivan Ristic <iv...@we...>
04/11/2005 15:31
To
xx...@im...
cc
mod_security mailinglist <mod...@li...>,
rcb...@gm...
Subject
Re: [mod-security-users] mod_security status 200
xx...@im... wrote:
> I can see the custom 404 error page,
> but the SecFilterSelective doesn't work
> (the SecFilterSelective looks for text in the custom 404 page)
>
> The debug log says "Filtering off for a subrequest"
You don't need mod_security for the approach I suggested.
You only need to put some code in error404.php like
this:
<?
header("HTTP/1.0 200 OK");
echo("Error page...");
?>
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: <xx...@im...> - 2005-11-04 14:30:37
|
One addition : when I call the custom 404 error page directly from my browser, I'm getting a 200 OK code...
The debug log says "Access denied with code 200. Pattern match "<my pattern>" at OUTPUT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I can see the custom 404 error page,
but the SecFilterSelective doesn't work
(the SecFilterSelective looks for text in the custom 404 page)
The debug log says "Filtering off for a subrequest"
Ivan Ristic <iv...@we...>
04/11/2005 14:49
To
Peter VE <xx...@im...>
cc
mod_security mailinglist <mod...@li...>,
rcb...@gm...
Subject
Re: [mod-security-users] mod_security status 200
Peter VE wrote:
> Ok, I forgot to turn on SecFilterScanOutput
>
> SecFilterScanOutput On
> SecFilterSelective OUTPUT "was not found on this server." status:200
>
> After enabling ScanOutput, I'm seeing "scan_pre: adding the output
> filter to the filter list" in the log... but it still doesn't work
>
> any ideas ?
Actually, the output filter is not triggered for Apache-produced
pages. (I'll have to look into that to figure out exactly why.) So
the above only works for "normal" pages.
But there is another way. Do this:
ErrorDocument 404 /error404.php
And then have the script explicitly respond with code 200 in
addition to outputting a human-readable message.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-11-04 14:29:56
|
xx...@im... wrote:
> I can see the custom 404 error page,
> but the SecFilterSelective doesn't work
> (the SecFilterSelective looks for text in the custom 404 page)
>
> The debug log says "Filtering off for a subrequest"
You don't need mod_security for the approach I suggested.
You only need to put some code in error404.php like
this:
<?
header("HTTP/1.0 200 OK");
echo("Error page...");
?>
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: <xx...@im...> - 2005-11-04 14:27:03
|
I can see the custom 404 error page,
but the SecFilterSelective doesn't work
(the SecFilterSelective looks for text in the custom 404 page)
The debug log says "Filtering off for a subrequest"
Ivan Ristic <iv...@we...>
04/11/2005 14:49
To
Peter VE <xx...@im...>
cc
mod_security mailinglist <mod...@li...>,
rcb...@gm...
Subject
Re: [mod-security-users] mod_security status 200
Peter VE wrote:
> Ok, I forgot to turn on SecFilterScanOutput
>
> SecFilterScanOutput On
> SecFilterSelective OUTPUT "was not found on this server." status:200
>
> After enabling ScanOutput, I'm seeing "scan_pre: adding the output
> filter to the filter list" in the log... but it still doesn't work
>
> any ideas ?
Actually, the output filter is not triggered for Apache-produced
pages. (I'll have to look into that to figure out exactly why.) So
the above only works for "normal" pages.
But there is another way. Do this:
ErrorDocument 404 /error404.php
And then have the script explicitly respond with code 200 in
addition to outputting a human-readable message.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-11-04 13:48:48
|
Peter VE wrote:
> Ok, I forgot to turn on SecFilterScanOutput
>
> SecFilterScanOutput On
> SecFilterSelective OUTPUT "was not found on this server." status:200
>
> After enabling ScanOutput, I'm seeing "scan_pre: adding the output
> filter to the filter list" in the log... but it still doesn't work
>
> any ideas ?
Actually, the output filter is not triggered for Apache-produced
pages. (I'll have to look into that to figure out exactly why.) So
the above only works for "normal" pages.
But there is another way. Do this:
ErrorDocument 404 /error404.php
And then have the script explicitly respond with code 200 in
addition to outputting a human-readable message.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-11-04 13:38:52
|
xx...@im... wrote:
> Can I do this from within a specific directive ?
> I have a global mod_security configuration section,
> but I want to use a separate configuration for a specific directive
If I understand what you mean - yes, you can.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Olivier K. <oka...@no...> - 2005-11-04 13:36:14
|
|
From: Tomas H. S. <thi...@te...> - 2005-11-04 13:25:53
|
Thanks Ivan!!!
I am going to make the tests with more tranquillity. Too much work!
To you I will maintain informed... ;-)
Many thanks for your help.
Tomás Hidalgo Salvador
thi...@te...
Dpto. Sistemas Unix
Tlf.: 2333
DSF Almariya
-----Original message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Friday, 04 November 2005 14:22
To: Tomas Hidalgo Salvador
CC: mod...@li...
Subject: Re: [mod-security-users] Directive SecUploadApproveScript
Tomas Hidalgo Salvador wrote:
> Ivan Ristic wrote:
>
>> SecUploadApproveScript does not support a custom action list yet.
>> (I've added your request to my TODO list too).
>>
>> Try something like this (just an idea, I haven't tried it myself):
>>
>> <Location /path/to/your/upload/script>
>> SecFilterDefaultAction ...
>> SecUploadApproveScript ...
>> </Location>
>
> I have tested the following option in my apache. It has not worked. :-(
> Also I have proven the same configuration without the option of SecFilterInheritance.
> The mod_security-action would have to be 444, instead of 403.
>
> a)
> <Directory "/myscripts">
> SecFilterInheritance Off
> SecFilterDefaultAction "pass,log,status:444"
> SecUploadApproveScript /myscripts/verificar_upload_webmail.pl
> Options FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
"status" only works if it is used together with "deny". If you
use "pass" ModSecurity won't do anything about a problem it
encounters.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: <xx...@im...> - 2005-11-04 13:23:52
|
Can I do this from within a specific directive ?
I have a global mod_security configuration section,
but I want to use a separate configuration for a specific directive
Ivan Ristic <iv...@we...>
Sent by: mod...@li...
04/11/2005 14:20
To
Peter VE <xx...@im...>
cc
mod_security mailinglist <mod...@li...>
Subject
Re: [mod-security-users] snort
Peter VE wrote:
> Hi,
>
> What would be the easiest way to include a file containing snort-based
> (but converted) SecFilters ?
> The file will be updated automatically, so I can't copy/paste the
> entries directly into my httpd.conf file
From your httpd.conf:
Include conf/modsec-snort-rules.conf
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
|
|
From: Ivan R. <iv...@we...> - 2005-11-04 13:21:03
|
Tomas Hidalgo Salvador wrote:
> Ivan Ristic wrote:
>
>> SecUploadApproveScript does not support a custom action list yet.
>> (I've added your request to my TODO list too).
>>
>> Try something like this (just an idea, I haven't tried it myself):
>>
>> <Location /path/to/your/upload/script>
>> SecFilterDefaultAction ...
>> SecUploadApproveScript ...
>> </Location>
>
> I have tested the following option in my apache. It has not worked. :-(
> Also I have proven the same configuration without the option of SecFilterInheritance.
> The mod_security-action would have to be 444, instead of 403.
>
> a)
> <Directory "/myscripts">
> SecFilterInheritance Off
> SecFilterDefaultAction "pass,log,status:444"
> SecUploadApproveScript /myscripts/verificar_upload_webmail.pl
> Options FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
"status" only works if it is used together with "deny". If you
use "pass" ModSecurity won't do anything about a problem it
encounters.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-11-04 13:19:38
|
Peter VE wrote:
> Hi,
>
> What would be the easiest way to include a file containing snort-based
> (but converted) SecFilters ?
> The file will be updated automatically, so I can't copy/paste the
> entries directly into my httpd.conf file
From your httpd.conf:
Include conf/modsec-snort-rules.conf
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Tomas H. S. <thi...@te...> - 2005-11-04 12:59:35
|
Ivan Ristic wrote:
> SecUploadApproveScript does not support a custom action list yet.
> (I've added your request to my TODO list too).
>
> Try something like this (just an idea, I haven't tried it myself):
>
> <Location /path/to/your/upload/script>
> SecFilterDefaultAction ...
> SecUploadApproveScript ...
> </Location>
I have tested the following option in my apache. It has not worked. :-(
Also I have proven the same configuration without the option of SecFilterInheritance.
The mod_security-action would have to be 444, instead of 403.
a)
<Directory "/myscripts">
SecFilterInheritance Off
SecFilterDefaultAction "pass,log,status:444"
SecUploadApproveScript /myscripts/verificar_upload_webmail.pl
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
b)
<Location "/myscripts">
SecFilterInheritance Off
SecFilterDefaultAction "pass,log,status:444"
SecUploadApproveScript /myscritps/verificar_upload_webmail.pl
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Location>
The log:
========================================
UNIQUE_ID: kf7FOMCoyZgAAEUGB28AAAAJ
Request: 192.168.207.1 - - [04/Nov/2005:13:37:37 +0100] "POST /webmail/upload.php?sid={436B52D24EDEE-436B52D253C10-1131107026} HTTP/1.1" 403 220
Handler: php-script
----------------------------------------
POST /webmail/upload.php?sid={436B52D24EDEE-436B52D253C10-1131107026} HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://correo.test.es/webmail/upload.php?sid={436B52D24EDEE-436B52D253C10-1131107026}&tid=0&lid=0
Accept-Language: es
Content-Type: multipart/form-data; boundary=---------------------------7d5239e1604bc
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: correo.test.es
Content-Length: 882
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: {436B52D24EDEE-436B52D253C10-1131107026}=%7B436B52D24EDEE-436B52D253C10-1131107026%7D
mod_security-message: Error verifying files: File "/tmp/20051104-133736-192.168.207.1-clam.cab" rejected by the approver script "/myscripts/verificar_upload_webmail.pl"
mod_security-action: 403
57
[@file:20051104-133736-192.168.207.1-request_body-EYLTfT]
HTTP/1.1 403 Forbidden
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1
The apache error-log:
[Fri Nov 04 13:37:37 2005] [error] [client 192.168.207.1] mod_security: Access denied with code 403. Error verifying files: File "/tmp/20051104-133736-192.168.207.1-clam.cab" rejected by the approver script "/myscripts/verificar_upload_webmail.pl" [hostname "correo.test.es"] [uri "/webmail/upload.php?sid={436B52D24EDEE-436B52D253C10-1131107026}"] [unique_id kf7FOMCoyZgAAEUGB28AAAAJ]
Many thanks for your help.
Tomás Hidalgo Salvador
thi...@te...
Dpto. Sistemas Unix
Tlf.: 2333
DSF Almariya
|
|
From: Peter VE <xx...@im...> - 2005-11-04 12:54:52
|
Ok, I forgot to turn on SecFilterScanOutput
SecFilterScanOutput On
SecFilterSelective OUTPUT "was not found on this server." status:200
After enabling ScanOutput, I'm seeing "scan_pre: adding the output
filter to the filter list" in the log... but it still doesn't work
any ideas ?
On Fri, 2005-11-04 at 13:26 +0000, Peter VE wrote:
> Ryan,
>
> the SecFilterSelective OUTPUT doesn't work.
> In the debug log, I'm seeing "sec_pre: output filtering is off here"
>
> I've just started setting it up
> (using mod_security for the first time)
>
> This is what I have so far :
>
> <IfModule mod_security.c>
> SecFilterEngine On
> SecFilterDefaultAction "deny,log,status:200"
> SecFilterScanPOST On
> SecFilterCheckCookieFormat Off
> SecFilterCheckURLEncoding On
> SecFilterCheckUnicodeEncoding Off
> SecFilterForceByteRange 1 255
> SecAuditEngine On
> SecAuditLog /var/log/www/modsecurity.log
> SecFilterDebugLog /var/log/www/modsecurity_debug.log
> SecFilterDebugLevel 5
> SecFilter "\.\./"
> SecFilter "favicon.ico"
> SecFilterSelective OUTPUT "was not found on this server." status:200
> SecFilter "<(.|\n)*script"
> SecFilter "<.|\n+>"
> </IfModule>
>
>
> To your point, I don't care about the 200 messages, because no regular
> users should connect to my server. I'm only using it for server to
> server communication, but in theory, it is possible that a user tries to
> connect. In that case, I'll try to fool the user while hiding/protecting
> the real information by securing the application itself
>
> I hope this makes sense
>
> thanks
>
> P
|
|
From: Peter VE <xx...@im...> - 2005-11-04 12:27:45
|
Ryan,
the SecFilterSelective OUTPUT doesn't work.
In the debug log, I'm seeing "sec_pre: output filtering is off here"
I've just started setting it up
(using mod_security for the first time)
This is what I have so far :
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:200"
SecFilterScanPOST On
SecFilterCheckCookieFormat Off
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecAuditEngine On
SecAuditLog /var/log/www/modsecurity.log
SecFilterDebugLog /var/log/www/modsecurity_debug.log
SecFilterDebugLevel 5
SecFilter "\.\./"
SecFilter "favicon.ico"
SecFilterSelective OUTPUT "was not found on this server." status:200
SecFilter "<(.|\n)*script"
SecFilter "<.|\n+>"
</IfModule>
To your point, I don't care about the 200 messages, because no regular
users should connect to my server. I'm only using it for server to
server communication, but in theory, it is possible that a user tries to
connect. In that case, I'll try to fool the user while hiding/protecting
the real information by securing the application itself
I hope this makes sense
thanks
P
|
|
From: Peter VE <xx...@im...> - 2005-11-04 12:21:22
|
Hi,
What would be the easiest way to include a file containing snort-based
(but converted) SecFilters ?
The file will be updated automatically, so I can't copy/paste the
entries directly into my httpd.conf file
thanks
P
|
|
From: Ryan B. <rcb...@gm...> - 2005-11-04 12:08:32
|
Are you just interested in fooling scanners? If so, then you can trap outbound 404 html data with mod_security's output filter like this -
SecFilterSelective OUTPUT "The requested file you request does not exist" status:200
You need to trigger on the html text of your 404 pages rather than HTTP Status code line as the output filter does not capture that data. I believe that Ivan is implementing a new directive to allow you to trap outbound status codes.
Keep in mind, however that while this will change the status code to 200, the html text that will be displayed will not be of much help to real users who have requested a non-existent page. For example, with my Apache setup this is what is returned -
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2005 12:07:24 GMT
Server: Microsoft-IIS/5.0
Content-Length: 497
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>
</head><body>
<h1>OK</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, yo...@ex... and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error log.</p>
</body></html>
Connection closed by foreign host.
-Ryan
On 11/4/05, Peter VE <xx...@im...> wrote:
>
> Hi,
>
> I would like to set up my Apache 2.0.55 (with mod_security 1.8.7) to
> return a 200 OK for every single request that is made to a non-existing
> page.
> How can I do this ?
> (or do I need to use mod_rewrite for this)
>
> thanks
>
> P
>
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
|
|
From: Peter VE <xx...@im...> - 2005-11-04 09:53:55
|
Hi,
I would like to set up my Apache 2.0.55 (with mod_security 1.8.7) to
return a 200 OK for every single request that is made to a non-existing
page.
How can I do this ?
(or do I need to use mod_rewrite for this)
thanks
P
|
|
From: Ivan R. <iv...@we...> - 2005-11-03 10:48:04
|
Philippe Bourcier wrote:
>
> Hi,
>
> On a reverse proxy, I'm trying to filter HTTP 404 and HTTP 500 errors.
>
> I'm using the following rule :
> SecFilterSelective OUTPUT "HTTP\/(0\.9|1\.0|1\.1) 404 Not Found"
> and the 500 one is similar.
>
> I've tried a few other ones, but this one looks fine to me.
>
> It doesn't work, why ?
> Could it be that the headers are not part of "OUTPUT" ?
That's exactly why. In 1.9 there is a new variable OUTPUT_STATUS.
It contains only the response code. Try using that.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-11-03 10:46:39
|
Tomas Hidalgo Salvador wrote:
> Thanks to both!!
>
> I am going to continue making tests with your indications.
>
> According to the table 12-1 of the book of Ivan, I believe
> that THE_REQUEST=REQUEST_METHOD + REQUEST_URI + REQUEST_PROTOCOL.
Yes, but it's the other way round. REQUEST_METHOD, REQUEST_URI and
REQUEST_PROTOCOL are created out of THE_REQUEST.
> As he would be formulates it for POST_PAYLOAD?
> As it is the result of POST_PAYLOAD - THE_REQUEST?
Can you please rephrase the question? I am not sure I understand it.
> :-( Some reference to know more on headers HTTP?
How about the HTTP 1.1 RFC?
http://www.ietf.org/rfc/rfc2616.txt
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-11-03 10:43:51
|
Tomas Hidalgo Salvador wrote:
>
> This work fine:
>
> SecUploadApproveScript /usr/local/apache2/bin/verify_upload_webmail.pl
>
> But, this not work fine:
>
> SecUploadApproveScript
> /usr/local/apache2/bin/verificar_upload_webmail.pl “log,pass”
>
> The error:
>
> Syntax error on line 32 of /usr/local/apache2/conf/mod-security.conf:
> SecUploadApproveScript takes one argument, The path to the script that
> will be called to approve every uploaded file
>
> How I can control the default action with SecUploadApproveScript?
>
> I would like to warn the user that its file is infected by virus.
SecUploadApproveScript does not support a custom action list yet.
(I've added your request to my TODO list too).
Try something like this (just an idea, I haven't tried it myself):
<Location /path/to/your/upload/script>
SecFilterDefaultAction ...
SecUploadApproveScript ...
</Location>
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
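Added example, not part of the thread and not ModSecurity's own code: a minimal approver script of the kind SecUploadApproveScript calls in the messages above, written to fail closed. It assumes the ModSecurity 1.x contract (the uploaded file's path is the first argument, and a reply on standard output starting with "1" accepts the file while anything else rejects the request); the names approve_upload and SCANNER, and the choice of ClamAV's clamscan, are assumptions made for this example.

```shell
#!/bin/sh
# Upload approver for SecUploadApproveScript (example code, names hypothetical).
# Assumed contract: $1 is the path of the temporary upload file; the first
# character printed on stdout decides: "1" = accept, anything else = reject.

# Scanner command line. Assumed default is ClamAV's clamscan, whose exit
# codes are 0 = clean, 1 = virus found, 2 = error.
SCANNER=${SCANNER:-"clamscan --no-summary"}

approve_upload() {
    file=$1

    # Fail closed: a missing or unreadable file is rejected, never approved.
    if [ -z "$file" ] || [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "0 Unable to read uploaded file"
        return 0
    fi

    # Discard the scanner's own output so that the only thing ModSecurity
    # reads is our verdict line. SCANNER is left unquoted on purpose so its
    # options are split into separate words.
    rc=0
    $SCANNER "$file" >/dev/null 2>&1 || rc=$?

    case $rc in
        0) echo "1 OK" ;;
        1) echo "0 Virus detected in upload" ;;
        # Scanner missing, crashed or timed out: reject instead of letting
        # an unscanned file through.
        *) echo "0 Scanner error (exit $rc), upload rejected" ;;
    esac
}

# When ModSecurity runs the script it passes the file path as $1.
if [ "$#" -gt 0 ]; then
    approve_upload "$1"
fi
```

The verdict text after the first character ends up in the audit log entry, next to the "rejected by the approver script" message shown in the log earlier in the thread.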