mod-security-users Mailing List for ModSecurity (Page 554)
From: <d.b...@ge...> - 2005-09-08 11:14:43

Hello,

Is there a chance to build Mod Security statically into Apache 2, or will this work only for Apache 2?

Much thanks for your help
Dirk
From: Ivan R. <iv...@we...> - 2005-09-08 08:30:04

Achim Hoffmann wrote:
> for testing a live platform I need to disable mod_security.
> I know that SecFilterSelective can be triggered on REMOTE_ADDR, but I'm
> unsure if it can be used to disable *all* tests for a specific IP without
> changing all rules from SecFilter to SecFilterSelective.

The code in the CVS is now capable of dynamically enabling or disabling mod_security per request. It uses the MODSEC_ENABLE environment variable. If the variable exists it will override the SecFilterEngine directive. The parameters are the same (i.e. On, Off, DynamicOnly). Example:

SetEnvIfNoCase Remote_Addr ^192\.168\.2\.12$ \
    "MODSEC_ENABLE=Off"

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Ivan R. <iv...@we...> - 2005-09-05 09:39:11

marks mlists wrote:
>
> If we found a way to deliver that error page correctly, everything would
> be great.

Hi Mark,

Thank you for the debugging information. Just from looking at it I could conclude the problem lies in the interaction between Apache and mod_jk2, possibly mod_security too. To investigate the problem further I will install mod_jk2 and Tomcat, and look at how it works. I'll try to do this by the end of the week.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: marks m. <ml...@ms...> - 2005-09-05 09:01:06

Hello Ryan,

thanks for your answer. Please see my quotes below.

Thank you!
-mark

Ryan Barnett wrote:
> Take a look at your debug output. It is catching the 404 text string in
> the html body of the response and not the HTTP headers. The quick
> answer to your situation is that the output filtering of mod_security
> looks at the body of the response and not the HTTP header info.

OK, but am I right when thinking that there is no difference between the two requests in the log regarding output filtering? In both cases the string is matched in the body (which is sufficient for me in this situation). But for the second request, the error page is not delivered. If we found a way to deliver that error page correctly, everything would be great.

What do you think about the idea "Maybe it is about communication between apache and mod_jk, where modsecurity is not involved"? Could that be a possible problem?

> One thing that you could try would be to use proxying of some sort with
> Apache. I found that when you use the proxy module, mod_security will
> look at the entire response (headers + body).

thanks for your suggestion. I think filtering with the upcoming proxy_ajp module could be working without a problem, but for now we cannot switch to mod_proxy because we need those load balancing features that mod_jk2 offers. I tested it with mod_proxy, and as you mentioned, there was no problem. Within the other pages (some are served with mod_proxy) output filtering is fine.

> Give it a try and let me know.
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>
>
> On 9/2/05, *marks mlists* <ml...@ms...> wrote:
>
> > The only difference between the tomcat 404 and the webpage containing
> > exactly the same html code I can see is:
> >
> > 1. There is a trailing NULL at the end of the created webpage
> > 2. The header sent by tomcat. When accessing the file, tomcat sends
> >
> > HTTP/1.1 200 OK
> > ETag: W/"996-1125649082000"
> > Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
> > Content-Type: text/html
> > Content-Length: 996
> > Date: Fri, 02 Sep 2005 09:04:44 GMT
> > Server: Apache-Coyote/1.1
> > Connection: close
> >
> > and after removing the file tomcat outputs
> >
> > HTTP/1.1 404 /fpi/testi.html
> > Content-Type: text/html;charset=utf-8
> > Content-Length: 997
> > Date: Fri, 02 Sep 2005 09:05:55 GMT
> > Server: Apache-Coyote/1.1
> > Connection: close
> >
> > Thanks in advance!
> > -mark
From: Ryan B. <rcb...@gm...> - 2005-09-02 11:05:50

Take a look at your debug output. It is catching the 404 text string in the html body of the response and not the HTTP headers. The quick answer to your situation is that the output filtering of mod_security looks at the body of the response and not the HTTP header info. One thing that you could try would be to use proxying of some sort with Apache. I found that when you use the proxy module, mod_security will look at the entire response (headers + body). Give it a try and let me know.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 9/2/05, marks mlists <ml...@ms...> wrote:
>
> Hello Ivan,
>
> first, it is the same with 404s. It is just a 404 header and message:
>
> HTTP/1.1 404 Not Found
> Date: Fri, 02 Sep 2005 08:19:54 GMT
> Server: 5
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>404 Not Found</title>
> </head><body>
> <h1>Not Found</h1>
> <p>The requested URL /fpi/testi.html was not found on this server.</p>
> <p>Additionally, a 404 Not Found
> error was encountered while trying to use an ErrorDocument to handle
> the request.</p>
> </body></html>
>
> Maybe I was able to find something new regarding that. I have to explain
> that the intention was to catch Tomcat's 404 error pages and instead
> redirect the user or show him the general webserver error page. So I
> created a 404 output rule (see it below, normally it should read
> SecFilterSelective OUTPUT "HTTP Status 4[0-9][0-9]" but anyway).
> I used evilstring as a placeholder in my last email. In fact, matching
> evilstring works just fine. The real evil message which does not work is
> that tomcat 404 page. That means: having the two output rules found
> below and browsing the tomcat context, access to a file containing
> "evilstring" is being restricted fine with no internal server error. So
> no problem there. But if you are trying to access a document inside the
> context which is not there causing tomcat to send a 404 page to the
> webserver, the 404 is being matched, but the custom error page is not
> being delivered. So we have a pattern match and we can control the
> headers (the header will be what is in mod_security.conf) but apache
> gives back the internal server error as above (Just as if it could not
> find the error page).
>
> OK, so I created a file (testi.html) containing exactly the tomcat error
> message. You can browse that file, modsecurity matches the 404 output
> and you get the configured error page as expected. When I removed that
> file and tried to access it again, tomcat was sending its 404 code and
> the described error occurred. You can see the requests in the L9 debug.
>
> The only difference between the tomcat 404 and the webpage containing
> exactly the same html code I can see is:
>
> 1. There is a trailing NULL at the end of the created webpage
> 2. The header sent by tomcat. When accessing the file, tomcat sends
>
> HTTP/1.1 200 OK
> ETag: W/"996-1125649082000"
> Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
> Content-Type: text/html
> Content-Length: 996
> Date: Fri, 02 Sep 2005 09:04:44 GMT
> Server: Apache-Coyote/1.1
> Connection: close
>
> and after removing the file tomcat outputs
>
> HTTP/1.1 404 /fpi/testi.html
> Content-Type: text/html;charset=utf-8
> Content-Length: 997
> Date: Fri, 02 Sep 2005 09:05:55 GMT
> Server: Apache-Coyote/1.1
> Connection: close
>
> Maybe it is about communication between apache and mod_jk, where
> modsecurity is not involved. But we can match that 404!?
> Just have a look at the attached log. Maybe you have got an idea.
> And here is my (stripped) config:
>
> SecChrootDir /usr/local/jail
> SecFilterEngine On
> SecFilterScanPOST On
> SecFilterCheckURLEncoding On
> SecFilterCheckUnicodeEncoding Off
> SecFilterCheckCookieFormat On
> SecFilterNormalizeCookies On
> SecFilterScanOutput On
> SecFilterOutputMimeTypes "(null) text/html text/plain"
> SecFilterForceByteRange 8 255
> SecServerSignature "5"
> SecAuditEngine RelevantOnly
> SecAuditLog logs/audit_log
> SecFilterDefaultAction "deny,log,pause:2231,status:404"
> SecFilterDebugLog logs/modsec_debug_log
> SecFilterDebugLevel 9
> SecFilterSelective OUTPUT "evilstring"
> SecFilterSelective OUTPUT "404"
>
>
> Thanks in advance!
> -mark
>
>
> Ivan Ristic wrote:
> > marks mlists wrote:
> >
> >> Hello modsec guys,
> >>
> >> I am sure someone already used modsecurity on a webserver which is
> >> connecting to tomcat servers. I am running into the following problem:
> >>
> >> Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
> >> as long as the document containing that evilstring is being served by
> >> apache itself or of course, via mod_proxy. But it does not work like I
> >> want it to with mod_jk(2).
> >>
> >> If I request a page within a context mapped by mod_jk, e.g.
> >> /app/evilfile containing the string, I get a successful pattern match:
> >> mod_security: Access denied with code 200. Pattern match "evilstring"
> >> at OUTPUT [uri "/app/evilfile"]
> >
> >
> > From the above log message it would appear mod_security is configured
> > to respond with status code 200.
> >
> > What happens when you use:
> >
> > SecFilterSelective OUTPUT evilstring log,deny,status:404
> >
> > ?
> >
> >> So does someone of you have a clue what to do or where to have a look
> >> at? Thanks in advance.
> >
> >
> > We need to look at your configuration files and, possibly,
> > your debug log entries at level 9. Look here for the instructions:
> > http://www.modsecurity.org/documentation/support-request-checklist.html
> >
>
>
> [/fpi/testi.html[2 sec_check_access_early: Early processing activated
> [/fpi/testi.html[2 sec_check_access: Got called for request 187090
> [/fpi/testi.html[9 Stored msr (187ed8) in r (187090)
> [/fpi/testi.html[4 Normalised REQUEST_URI: "/fpi/testi.html"
> [/fpi/testi.html[2 Parsing arguments...
> [/fpi/testi.html[3 Content-Type is not available
> [/fpi/testi.html[2 read_post_payload: Content-Length not available, chunked encoding not detected - assuming no request body
> [/fpi/testi.html[4 Time #1: 0 usec
> [/fpi/testi.html[4 Time #2: 0 usec
> [/fpi/testi.html[2 sec_check_access: Got called for request 187090
> [/fpi/testi.html[9 Found msr (187ed8) in r (187090)
> [/fpi/testi.html[4 sec_check_access: Ignoring request that was already processed
> [/fpi/testi.html[9 sec_insert_filter: Starting
> [/fpi/testi.html[9 Found msr (187ed8) in r (187090)
> [/fpi/testi.html[2 scan_pre: Adding output filter
> [/fpi/testi.html[3 sec_filter_out: start
> [/fpi/testi.html[9 Found msr (187ed8) in r (187090)
> [/fpi/testi.html[3 sec_filter_out: Content-Type = "text/html"
> [/fpi/testi.html[3 sec_filter_out: got Content-Length 996
> [/fpi/testi.html[3 sec_filter_out: got 996 bytes, bufused=0, buflen=996
> [/fpi/testi.html[3 sec_filter_out: start
> [/fpi/testi.html[3 sec_filter_out: done reading
> [/fpi/testi.html[2 Checking signature "404" at OUTPUT
> [/fpi/testi.html[4 Checking against "<html><head><title>Apache Tomcat/5.0.28 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /fpi/teti.html</h1><HR size=\"1\" noshade=\"noshade\"><p><b>type</b> Status report</p><p><b>message</b> <u>/fpi/teti.html</u></p><p><b>description</b> <u>The requested resource (/fpi/teti.html) is not available.</u></p><HR size=\"1\" noshade=\"noshade\"><h3>Apache Tomcat/5.0.28</h3></body></html>\x0
> [/fpi/testi.html[1 Access denied with code 404. Pattern match "404" at OUTPUT
> [/fpi/testi.html[1 Pausing [/fpi/testi.html for 2231 ms
> [/error.asis[2 sec_check_access_early: Early processing activated
> [/error.asis[2 sec_check_access: Got called for request 18dc20
> [/error.asis[9 Found msr (187ed8) in r->prev (187090)
> [/error.asis[2 sec_check_access: Filtering off, not an initial request
> [/error.asis[2 sec_check_access: Got called for request 18dc20
> [/error.asis[9 Found msr (187ed8) in r->prev (187090)
> [/error.asis[2 sec_check_access: Filtering off, not an initial request
> [/error.asis[9 sec_insert_filter: Starting
> [/error.asis[9 Found msr (187ed8) in r->prev (187090)
> [/error.asis[2 sec_insert_filter: Skipping, output filtering already completed
> [/error.asis[9 Found msr (187ed8) in r->prev (187090)
> [/error.asis[2 sec_audit_logger_serial: start
> [/error.asis[9 sec_audit_logger_serial: is_relevant=1, should_body_exist=0, is_body_read=0
> [/fpi/testi.html[2 sec_check_access_early: Early processing activated
> [/fpi/testi.html[2 sec_check_access: Got called for request 189098
> [/fpi/testi.html[9 Stored msr (189ee0) in r (189098)
> [/fpi/testi.html[4 Normalised REQUEST_URI: "/fpi/testi.html"
> [/fpi/testi.html[2 Parsing arguments...
> [/fpi/testi.html[3 Content-Type is not available
> [/fpi/testi.html[2 read_post_payload: Content-Length not available, chunked encoding not detected - assuming no request body
> [/fpi/testi.html[4 Time #1: 0 usec
> [/fpi/testi.html[4 Time #2: 0 usec
> [/fpi/testi.html[2 sec_check_access: Got called for request 189098
> [/fpi/testi.html[9 Found msr (189ee0) in r (189098)
> [/fpi/testi.html[4 sec_check_access: Ignoring request that was already processed
> [/fpi/testi.html[9 sec_insert_filter: Starting
> [/fpi/testi.html[9 Found msr (189ee0) in r (189098)
> [/fpi/testi.html[2 scan_pre: Adding output filter
> [/fpi/testi.html[3 sec_filter_out: start
> [/fpi/testi.html[9 Found msr (189ee0) in r (189098)
> [/fpi/testi.html[3 sec_filter_out: Content-Type = "text/html;charset=utf-8"
> [/fpi/testi.html[3 sec_filter_out: got Content-Length 997
> [/fpi/testi.html[3 sec_filter_out: got 997 bytes, bufused=0, buflen=997
> [/fpi/testi.html[3 sec_filter_out: start
> [/fpi/testi.html[3 sec_filter_out: done reading
> [/fpi/testi.html[2 Checking signature "404" at OUTPUT
> [/fpi/testi.html[4 Checking against "<html><head><title>Apache Tomcat/5.0.28 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /fpi/testi.html</h1><HR size=\"1\" noshade=\"noshade\"><p><b>type</b> Status report</p><p><b>message</b> <u>/fpi/testi.html</u></p><p><b>description</b> <u>The requested resource (/fpi/testi.html) is not available.</u></p><HR size=\"1\" noshade=\"noshade\"><h3>Apache Tomcat/5.0.28</h3></body></html>
> [/fpi/testi.html[1 Access denied with code 404. Pattern match "404" at OUTPUT
> [/fpi/testi.html[1 Pausing [/fpi/testi.html for 2231 ms
> [/fpi/testi.html[9 Found msr (189ee0) in r (189098)
> [/fpi/testi.html[2 sec_audit_logger_serial: start
> [/fpi/testi.html[9 sec_audit_logger_serial: is_relevant=1, should_body_exist=0, is_body_read=0
>
>
> SunOS xx 5.9 Generic_118558-06 sun4u sparc SUNW,Sun-Fire-V210
>
> Server version: Apache/2.0.54
> Server built: May 24 2005 17:07:25
> Server's Module Magic Number: 20020903:9
> Architecture: 32-bit
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/prefork"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_FCNTL_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D HTTPD_ROOT="/usr/local/apache2"
> -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
> -D DEFAULT_PIDLOG="logs/httpd.pid"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_LOCKFILE="logs/accept.lock"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> Compiled in modules:
> core.c
> prefork.c
> http_core.c
> mod_so.c
From: marks m. <ml...@ms...> - 2005-09-02 09:25:03

Hello Ivan,

first, it is the same with 404s. It is just a 404 header and message:

HTTP/1.1 404 Not Found
Date: Fri, 02 Sep 2005 08:19:54 GMT
Server: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /fpi/testi.html was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle
the request.</p>
</body></html>

Maybe I was able to find something new regarding that. I have to explain that the intention was to catch Tomcat's 404 error pages and instead redirect the user or show him the general webserver error page. So I created a 404 output rule (see it below, normally it should read SecFilterSelective OUTPUT "HTTP Status 4[0-9][0-9]" but anyway). I used evilstring as a placeholder in my last email. In fact, matching evilstring works just fine. The real evil message which does not work is that tomcat 404 page. That means: having the two output rules found below and browsing the tomcat context, access to a file containing "evilstring" is being restricted fine with no internal server error. So no problem there. But if you are trying to access a document inside the context which is not there causing tomcat to send a 404 page to the webserver, the 404 is being matched, but the custom error page is not being delivered. So we have a pattern match and we can control the headers (the header will be what is in mod_security.conf) but apache gives back the internal server error as above (Just as if it could not find the error page).

OK, so I created a file (testi.html) containing exactly the tomcat error message. You can browse that file, modsecurity matches the 404 output and you get the configured error page as expected. When I removed that file and tried to access it again, tomcat was sending its 404 code and the described error occurred. You can see the requests in the L9 debug.

The only difference between the tomcat 404 and the webpage containing exactly the same html code I can see is:

1. There is a trailing NULL at the end of the created webpage
2. The header sent by tomcat. When accessing the file, tomcat sends

HTTP/1.1 200 OK
ETag: W/"996-1125649082000"
Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
Content-Type: text/html
Content-Length: 996
Date: Fri, 02 Sep 2005 09:04:44 GMT
Server: Apache-Coyote/1.1
Connection: close

and after removing the file tomcat outputs

HTTP/1.1 404 /fpi/testi.html
Content-Type: text/html;charset=utf-8
Content-Length: 997
Date: Fri, 02 Sep 2005 09:05:55 GMT
Server: Apache-Coyote/1.1
Connection: close

Maybe it is about communication between apache and mod_jk, where modsecurity is not involved. But we can match that 404!? Just have a look at the attached log. Maybe you have got an idea.

And here is my (stripped) config:

SecChrootDir /usr/local/jail
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat On
SecFilterNormalizeCookies On
SecFilterScanOutput On
SecFilterOutputMimeTypes "(null) text/html text/plain"
SecFilterForceByteRange 8 255
SecServerSignature "5"
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDefaultAction "deny,log,pause:2231,status:404"
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 9
SecFilterSelective OUTPUT "evilstring"
SecFilterSelective OUTPUT "404"

Thanks in advance!
-mark

Ivan Ristic wrote:
> marks mlists wrote:
>
>> Hello modsec guys,
>>
>> I am sure someone already used modsecurity on a webserver which is
>> connecting to tomcat servers. I am running into the following problem:
>>
>> Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
>> as long as the document containing that evilstring is being served by
>> apache itself or of course, via mod_proxy. But it does not work like I
>> want it to with mod_jk(2).
>>
>> If I request a page within a context mapped by mod_jk, e.g.
>> /app/evilfile containing the string, I get a successful pattern match:
>> mod_security: Access denied with code 200. Pattern match "evilstring"
>> at OUTPUT [uri "/app/evilfile"]
>
>
> From the above log message it would appear mod_security is configured
> to respond with status code 200.
>
> What happens when you use:
>
> SecFilterSelective OUTPUT evilstring log,deny,status:404
>
> ?
>
>> So does someone of you have a clue what to do or where to have a look
>> at? Thanks in advance.
>
>
> We need to look at your configuration files and, possibly,
> your debug log entries at level 9. Look here for the instructions:
> http://www.modsecurity.org/documentation/support-request-checklist.html
>
From: Ivan R. <iv...@we...> - 2005-09-01 15:37:52

marks mlists wrote:
> Hello modsec guys,
>
> I am sure someone already used modsecurity on a webserver which is
> connecting to tomcat servers. I am running into the following problem:
>
> Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
> as long as the document containing that evilstring is being served by
> apache itself or of course, via mod_proxy. But it does not work like I
> want it to with mod_jk(2).
>
> If I request a page within a context mapped by mod_jk, e.g.
> /app/evilfile containing the string, I get a successful pattern match:
> mod_security: Access denied with code 200. Pattern match "evilstring"
> at OUTPUT [uri "/app/evilfile"]

From the above log message it would appear mod_security is configured to respond with status code 200.

What happens when you use:

SecFilterSelective OUTPUT evilstring log,deny,status:404

?

> So does someone of you have a clue what to do or where to have a look
> at? Thanks in advance.

We need to look at your configuration files and, possibly, your debug log entries at level 9. Look here for the instructions:
http://www.modsecurity.org/documentation/support-request-checklist.html

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: marks m. <ml...@ms...> - 2005-09-01 11:07:35

Hello modsec guys,

I am sure someone already used modsecurity on a webserver which is connecting to tomcat servers. I am running into the following problem:

Having rules like SecFilterSelective OUTPUT "evilstring" is working fine as long as the document containing that evilstring is being served by apache itself or of course, via mod_proxy. But it does not work like I want it to with mod_jk(2).

If I request a page within a context mapped by mod_jk, e.g. /app/evilfile containing the string, I get a successful pattern match:

mod_security: Access denied with code 200. Pattern match "evilstring" at OUTPUT [uri "/app/evilfile"]

but I am not receiving my standard error page for 404, 200, 500, 302 or whatever I configure. I always get this reply (Yes I use 200s):

HTTP/1.1 200 OK
Date: Thu, 01 Sep 2005 10:54:19 GMT
Server: masked 1.0
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>
</head><body>
<h1>OK</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, xxx and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error log.</p>
<p>Additionally, a 200 OK error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

which is obviously only half of what I want. With Apache served pages, the reply is a perfect friendly 404(200). There is no information in the error_log. The effect is the same both when using 1.8.7 or 1.9dev3; also going with the early hook does not change things (I confirmed it by sending TRACE requests).

So does someone of you have a clue what to do or where to have a look at? Thanks in advance.

-mark
From: Achim H. <ah...@se...> - 2005-08-30 15:32:50

>> .. new filter at the top of your rules file ..

that's exactly what I was looking for! Think I should learn to read ;-)

Thanks very much
Achim

Ryan Barnett wrote on 30.08.2005 17:12:
> OK, well then you should be able to place a new filter at the top of
> your rules file to tell mod_security to allow all requests from that
> specific IP by changing the default action to "allow" -
>
> SecFilterSelective REMOTE_ADDR 192.168.1.100 allow
>
> See the user manual (pg. 21) -
> http://www.modsecurity.org/documentation/modsecurity-manual.pdf
>
> -Ryan
>
>
> On 8/30/05, *Achim Hoffmann* <ki...@se...> wrote:
>
> > my goal is to have mod_security active all the time (SecFilterEngine
> > On), but not active for a specific IP.
> > I'm asking for a simple general switch like "SecFilterEngine Off" but
> > just for an IP. I want to have all rules disabled for that IP while
> > still active for all others ('cause it is a live server).
> >
> > Does this better describe what I need?
> >
> >
> > Ryan Barnett wrote on 30.08.2005 16:30:
> > > Not sure if I am missing what you are trying to test, however based on
> > > your first sentence, you should just be able to set SecFilterEngine
> > > Off. If you only want to disable the tests for specific
> > > SecFilterSelective REMOTE_ADDR XXX.XXX.XXX.XXX rules, you may be out of
> > > luck.
> >
> > > The SecFilterEngine directive is an all or nothing setting.
> >
> > That's how I understand it and why I'm asking here ;-)
> >
> >
> > >
> > > --
> > > Ryan C. Barnett
> > > Web Application Security Consortium (WASC) Member
> > > CIS Apache Benchmark Project Lead
> > > SANS Instructor: Securing Apache
> > > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > >
> > >
> > > On 8/30/05, *Achim Hoffmann* <ki...@se...> wrote:
> > >
> > > > for testing a live platform I need to disable mod_security.
> > > > I know that SecFilterSelective can be triggered on REMOTE_ADDR, but
> > > > I'm unsure if it can be used to disable *all* tests for a specific
> > > > IP without changing all rules from SecFilter to SecFilterSelective.
> > > >
> > > > Does someone have an example to achieve this?
> > > >
> > > > Thanks
> > > > Achim
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > > > September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> > > > Practices
> > > > Agile & Plan-Driven Development * Managing Projects & Teams *
> > > > Testing & QA
> > > > Security * Process Improvement & Measurement *
> > > > http://www.sqe.com/bsce5sf
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >
> > >
> > >
> > >
>
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
From: Ivan R. <iv...@we...> - 2005-08-30 15:25:44
|
Ryan Barnett wrote:
> OK, well then you should be able to place a new filter at the top of
> your rules file to tell mod_security to allow all requests from that
> specific IP by changing the default action to "allow" -
>
> SecFilterSelective REMOTE_ADDR 192.168.1.100 allow

That's better written as ^192\.168\.1\.100$

> See the user manual (pg. 21) -
> http://www.modsecurity.org/documentation/modsecurity-manual.pdf

But that's not the same as SecFilterEngine Off. The default
processing would still go on, as would POST buffering. Perhaps
another variable, to conditionally stop mod_security execution
(to be used together with SetEnvIf) is in order? I'll give it
a try tomorrow.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org |
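Ivan's correction (escape the dots and anchor the address) is easy to under-appreciate. The following is an added Python example, not code from this thread or from ModSecurity, that applies both patterns to a constructed list of REMOTE_ADDR values as an unanchored regular-expression search, which is how a SecFilterSelective pattern is matched against a variable, and shows which lookalike strings the unanchored form would also "allow". The sample addresses and the function names are the example's own.

```python
import re

# Constructed REMOTE_ADDR values as a server might see them (not from the
# thread). Only the first one is the host that should be exempted.
SAMPLE_ADDRESSES = [
    "192.168.1.100",      # the host we actually want to allow
    "192.168.1.1001",     # not a valid IPv4 address, but a plausible lookalike
    "192.168.1.10",       # a different host entirely
    "1192.168.1.100",     # the intended address appearing as a suffix
    "192x168x1x100",      # an unescaped '.' matches any character
    "10.192.168.1.100",   # the intended address embedded after a prefix
]

# The pattern as posted: unescaped dots, no anchors.
UNANCHORED = r"192.168.1.100"
# The pattern as Ivan suggests: escaped dots, anchored to the whole value.
ANCHORED = r"^192\.168\.1\.100$"


def matches(pattern, value):
    """Unanchored regex search: a hit anywhere inside the value counts,
    which is what the rule engine does with the pattern."""
    return re.search(pattern, value) is not None


def allowed_by(pattern, addresses=SAMPLE_ADDRESSES):
    """Addresses the rule would match, and so 'allow' without any further
    filtering, under the rule quoted in the thread."""
    return [a for a in addresses if matches(pattern, a)]


def over_matches(pattern, intended="192.168.1.100", addresses=SAMPLE_ADDRESSES):
    """Addresses other than the intended one that the pattern also accepts;
    an empty list means the allow rule is as narrow as it should be."""
    return [a for a in allowed_by(pattern, addresses) if a != intended]


if __name__ == "__main__":
    for label, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(f"{label:10s} {pat!r:24s} accepts {allowed_by(pat)}")
```

Note that anchoring narrows the rule but, as Ivan says, an "allow" action still is not the same thing as SecFilterEngine Off: the request is still read and buffered by mod_security before the rule fires.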
|
From: Ryan B. <rcb...@gm...> - 2005-08-30 15:13:09
|
OK, well then you should be able to place a new filter at the top of your
rules file to tell mod_security to allow all requests from that specific IP
by changing the default action to "allow" -

SecFilterSelective REMOTE_ADDR 192.168.1.100 allow

See the user manual (pg. 21) -
http://www.modsecurity.org/documentation/modsecurity-manual.pdf

-Ryan

On 8/30/05, Achim Hoffmann <ki...@se...> wrote:
>
> my goal is to have mod_security active all the time (SecFilterEngine On),
> but
> not active for a specific IP.
> I'm asking for a simple general switch like "SecFilterEngine Off" but just
> for
> an IP. I want to have all rules disabled for that IP while still active
> for all
> others ('cause it is a live server).
>
> Does this better describe what I need?
>
>
> Ryan Barnett wrote on 30.08.2005 16:30:
> > Not sure if I am missing what you are trying to test, however based on
> > your first sentence, you should just be able to set SecFilterEngine
> > Off. If you only want to disable the tests for specific
> > SecFilterSelective REMOTE_ADDR XXX.XXX.XXX.XXX rules, you may be out of
> > luck.
>
> >The SecFilterEngine directive is an all or nothing setting.
>
> That's how I understand it and why I'm asking here ;-)
>
>
> >
> > --
> > Ryan C. Barnett
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor: Securing Apache
> > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> >
> >
> > On 8/30/05, *Achim Hoffmann* <ki...@se...> wrote:
> >
> > for testing a live platform I need to disable mod_security.
> > I know that SecFilterSelective can be triggered on REMOTE_ADDR, but
> > I'm unsure if it can
> > be used to disable *all* tests for a specific IP without changing
> > all rules from
> > SecFilter to SecFilterSelective.
> >
> > Does someone have an example to achieve this?
> >
> > Thanks
> > Achim
> >
> >
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> > Practices
> > Agile & Plan-Driven Development * Managing Projects & Teams *
> > Testing & QA
> > Security * Process Improvement & Measurement *
> > http://www.sqe.com/bsce5sf
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >
> >
> >
> >
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC |
|
From: Achim H. <ki...@se...> - 2005-08-30 15:01:37
|
my goal is to have mod_security active all the time (SecFilterEngine On), but
not active for a specific IP.
I'm asking for a simple general switch like "SecFilterEngine Off" but just for
an IP. I want to have all rules disabled for that IP while still active for all
others ('cause it is a live server).
Does this better describe what I need?
Ryan Barnett wrote on 30.08.2005 16:30:
> Not sure if I am missing what you are trying to test, however based on
> your first sentence, you should just be able to set SecFilterEngine
> Off. If you only want to disable the tests for specific
> SecFilterSelective REMOTE_ADDR XXX.XXX.XXX.XXX rules, you may be out of
> luck.
>The SecFilterEngine directive is an all or nothing setting.
That's how I understand it and why I'm asking here ;-)
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>
>
> On 8/30/05, *Achim Hoffmann* <ki...@se...> wrote:
>
> for testing a live platform I need to disable mod_security.
> I know that SecFilterSelective can be triggered on REMOTE_ADDR, but
> I'm unsure if it can
> be used to disable *all* tests for a specific IP without changing
> all rules from
> SecFilter to SecFilterSelective.
>
> Does someone have an example to achieve this?
>
> Thanks
> Achim
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> Practices
> Agile & Plan-Driven Development * Managing Projects & Teams *
> Testing & QA
> Security * Process Improvement & Measurement *
> http://www.sqe.com/bsce5sf
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
>
>
>
|
|
From: Achim H. <ki...@se...> - 2005-08-30 14:03:03
|
for testing a live platform I need to disable mod_security.
I know that SecFilterSelective can be triggered on REMOTE_ADDR, but
I'm unsure if it can
be used to disable *all* tests for a specific IP without changing
all rules from
SecFilter to SecFilterSelective.

Does someone have an example to achieve this?

Thanks
Achim |
|
From: Leandro M. <lme...@cy...> - 2005-08-19 17:50:36
|
Exactly why I asked about the problem of not being able to catch
malformed requests... I was investigating how httprint identifies the
remote host, and trying to filter this.

regards,
Leandro

On Fri, 2005-08-19 at 08:08 -0400, Ryan Barnett wrote:
> Another small benefit of plugging mod_security into hook-0 would be
> its ability to alter the semantic characteristics of Apache that web
> server fingerprinting apps often rely on for accuracy.
>
> HTTPrint -
> http://net-square.com/httprint/index.html
>
> Identification of web servers despite the banner string and any other
> obfuscation. httprint can successfully identify the underlying web
> servers when their headers are mangled by either patching the binary,
> by modules such as mod_security.c or by commercial products such as
> ServerMask.
>
> HTTPrint sends malformed requests that Apache will respond to in a
> distinct way. Allowing Mod_Security to get the first crack at
> inspecting these requests will help to alter the default Apache
> responses.
>
> Looks like it is time to have some fun with Mod_Security's "status"
> flag and see how these fingerprinters react :)
>
----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lme...@cy...
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com |
|
From: Ryan B. <rcb...@gm...> - 2005-08-19 12:08:56
|
Another small benefit of plugging mod_security into hook-0 would be its
ability to alter the semantic characteristics of Apache that web server
fingerprinting apps often rely on for accuracy.

HTTPrint -
http://net-square.com/httprint/index.html

Identification of web servers despite the banner string and any other
obfuscation. httprint can successfully identify the underlying web
servers when their headers are mangled by either patching the binary,
by modules such as mod_security.c or by commercial products such as
ServerMask.

HTTPrint sends malformed requests that Apache will respond to in a
distinct way. Allowing Mod_Security to get the first crack at
inspecting these requests will help to alter the default Apache
responses.

Looks like it is time to have some fun with Mod_Security's "status"
flag and see how these fingerprinters react :)

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 8/19/05, Ivan Ristic <iv...@we...> wrote:
> Ivan Ristic wrote:
> >
> > I'll do a couple of tests to see if it works,
> > and if it does I will release 1.9dev3 (by the end of week) with a
> > configuration option to choose the hook to run at.
>
> FYI, I've released 1.9dev3 with a compile-time option to make
> mod_security run in hook #0 (post_read_request).
>
> Here's a fragment from the manual:
>
> ---
> By default mod_security will try to run at the last possible moment in
> Apache request pre-processing, but just before the request is actually
> run (for example, processed by mod_php). I have chosen this approach
> because the most important function of mod_security is to protect the
> application. On the other hand by doing this we are leaving certain
> parts of Apache unprotected although there are things we could do about
> it. For those who wish to experiment, as of 1.9dev3 mod_security can be
> compiled to run at the earliest possible moment. Just compile it with
> -DENABLE_EARLY_HOOK. Bear in mind that this is an experimental feature.
> Some of the differences you will discover are:
>
> * It should now be possible to detect invalid requests before Apache
> handles them.
>
> * It should be possible to assess requests that would otherwise be
> handled by Apache (e.g. TRACE)
>
> * Only server-wide rules will run. This is because at this point
> Apache hasn't mapped the request to the path yet.
>
> Subsequent releases of ModSecurity are likely to allow rule processing
> to be split into two phases. One to run as early as possible, and
> another, to run as late as possible.
> ---
>
> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> |
|
From: Ivan R. <iv...@we...> - 2005-08-19 08:52:08
|
Ivan Ristic wrote:
>
> I'll do a couple of tests to see if it works,
> and if it does I will release 1.9dev3 (by the end of week) with a
> configuration option to choose the hook to run at.
FYI, I've released 1.9dev3 with a compile-time option to make
mod_security run in hook #0 (post_read_request).
Here's a fragment from the manual:
---
By default mod_security will try to run at the last possible moment in
Apache request pre-processing, but just before the request is actually
run (for example, processed by mod_php). I have chosen this approach
because the most important function of mod_security is to protect the
application. On the other hand by doing this we are leaving certain
parts of Apache unprotected although there are things we could do about
it. For those who wish to experiment, as of 1.9dev3 mod_security can be
compiled to run at the earliest possible moment. Just compile it with
-DENABLE_EARLY_HOOK. Bear in mind that this is an experimental feature.
Some of the differences you will discover are:
* It should now be possible to detect invalid requests before Apache
handles them.
* It should be possible to assess requests that would otherwise be
handled by Apache (e.g. TRACE)
* Only server-wide rules will run. This is because at this point
Apache hasn't mapped the request to the path yet.
Subsequent releases of ModSecurity are likely to allow rule processing
to be split into two phases. One to run as early as possible, and
another, to run as late as possible.
---
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-08-19 08:40:29
|
ModSecurity 1.9dev3 has been released. It is available for immediate
download from:
http://www.modsecurity.org/download/
This version implements the final batch of major improvements to the
1.9.x series. These include a completely new audit logging subsystem
intended for real-time audit log aggregation, audit logging based on
response status code, support for PUT uploads, stateful denial of
service defence through httpd-guardian (an external monitoring process),
significantly improved support for rule inheritance (import from parent
context, remove from current context, mandatory inheritance, etc.), and
many smaller improvements.
About ModSecurity
-----------------
ModSecurity is a web application firewall, designed to protect
vulnerable applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It
can work embedded in Apache, or as a standalone security device when
configured to work as part of an Apache-based reverse proxy.
Optionally, ModSecurity creates application audit logs, which contain
the full request body in addition to all other details. Requests are
filtered using regular expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them
checked by external scripts
With a few general rules ModSecurity can protect from both known
and unknown vulnerabilities. A Java version is also available, which
works with any Servlet 2.3 compatible web server.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ryan B. <rcb...@gm...> - 2005-08-18 20:21:19
|
TRACE is handled by Apache at an earlier request phase - before
Mod_Security has a hook. Mod_Rewrite has a hook that will allow it to
identify/block TRACE requests.
Implement mod_rewrite and then add these entries -
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE$
RewriteRule .* - [F]
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 8/18/05, David ROBERT <cas...@gm...> wrote:
> Hello,
>
> I try to disable http TRACE method using :
>
> SecFilterSelective REQUEST_METHOD "^TRACE$"
>
> It doesn't work, do you know why ?
>
> David.
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
|
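After adding the mod_rewrite rule Ryan describes, an administrator will want to confirm that their own server now refuses TRACE. The following is an added Python check, not code from this thread or from ModSecurity: it builds a raw TRACE request, parses the status line of the answer and classifies it. The function names and the two constructed sample responses are this example's own assumptions; check_trace() needs a live server you administer, everything else runs offline.

```python
import socket


def build_trace_request(host, path="/"):
    """Raw HTTP/1.1 TRACE request. Apache answers TRACE itself unless
    something earlier in the request cycle (here mod_rewrite) refuses it."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response):
    """Return (status_code, reason) from a raw HTTP response, or (None, '')
    when the first line is not a parseable status line."""
    first, _, _ = response.partition(b"\r\n")
    parts = first.decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, ""
    reason = parts[2] if len(parts) > 2 else ""
    return int(parts[1]), reason


def trace_verdict(response):
    """Classify a TRACE response:
       'blocked' - a 4xx/5xx status (the [F] flag yields 403 Forbidden)
       'enabled' - 200 with the request echoed back as message/http
       'unknown' - anything else"""
    code, _ = parse_status(response)
    if code is None:
        return "unknown"
    if code >= 400:
        return "blocked"
    if code == 200 and b"message/http" in response.lower():
        return "enabled"
    return "unknown"


def check_trace(host, port=80, timeout=5.0):
    """Send one TRACE request to a server you administer and report the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_verdict(b"".join(chunks))


# Constructed responses for offline use: what a server with the RewriteRule
# in place sends, and what a default Apache sends when TRACE is still on.
BLOCKED_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>"
)
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example\r\nConnection: close\r\n\r\n"
)

if __name__ == "__main__":
    print("constructed blocked response:", trace_verdict(BLOCKED_RESPONSE))
    print("constructed enabled response:", trace_verdict(ENABLED_RESPONSE))
```

Run check_trace("www.example", 80) against your own host after the configuration change; "blocked" is the expected answer once the RewriteRule is active.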
|
From: David R. <cas...@gm...> - 2005-08-18 19:58:32
|
Hello,

I try to disable http TRACE method using :

SecFilterSelective REQUEST_METHOD "^TRACE$"

It doesn't work, do you know why ?

David. |
|
From: Ivan R. <iv...@we...> - 2005-08-16 21:12:38
|
Nick Floersch wrote:
> Hi All!
>
> I installed mod security not so much for the security help, but in
> order to watch POSTs to my web application in my log files.
> Installation was easy enough. Activation was easy too. But this log
> entry doesn't seem very helpful. Why can't it show me the post payload
> or what does that even mean? I just want to see what the post query
> was....

You probably need to add "SecFilterScanPOST On" to your
configuration*. By default mod_security tries to be as passive
as possible.

(*) It is also possible for a request body to be missing if the
request contains a malformed multipart/form-data payload, but
that's *very* rare.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org |
|
From: Nick F. <Ni...@st...> - 2005-08-16 20:52:50
|
Hi All!

I installed mod security not so much for the security help, but in
order to watch POSTs to my web application in my log files.
Installation was easy enough. Activation was easy too. But this log
entry doesn't seem very helpful. Why can't it show me the post payload
or what does that even mean? I just want to see what the post query
was....

Thanks!

========================================
Request: xXx.xXx.xXx.xXx - XXXXX [16/Aug/2005:16:13:45 --0400] "POST /cgi-bin/prog.cgi HTTP/1.1" 200 10168
Handler: cgi-script
----------------------------------------
POST /cgi-bin/prog.cgi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://myhost.mycomp.com/cgi-bin/prog.cgi?attribute_inspectionresulttypeid=1&showinspection=Add+Inspection
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: myhost.mycomp.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CGISESSID=b7acb258222d2b81270006ebaf279764
Authorization: Basic U2FuZHk6ZG9kZ2Vpd2ltcw==

28
[POST payload not available]

HTTP/1.1 200 OK
Expires: Mon, 15 Aug 2005 20:13:45 GMT
Cach-control: no-cache, must-revalidate, max-age=0
Content-Length: 10168
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Expires: Mon, 15 Aug 2005 20:13:45 GMT
Date: Tue, 16 Aug 2005 20:13:45 GMT
Cach-control: no-cache, must-revalidate, max-age=0

---snip---

-----------------------------------
Nicholas E. Floersch (pr. Floor-sh)
Manager of Information Technology
Stone Environmental, Inc.
nfl...@st...
www.stone-env.com |
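The entry above is in the ModSecurity 1.x serial audit-log layout: a "=" separator line, a Request:/Handler: summary, a "-" rule, the raw request line and headers, then the body (or the "[POST payload not available]" marker), then the response status line and headers. The following is an added Python parser, not code from this thread or from ModSecurity, that reads entries in that shape and lists the POST requests whose body was not recorded, which is the quickest way to see whether SecFilterScanPOST is still Off on a busy server. The two embedded entries are constructed for this example (hosts, users and values are made up), and the function names are its own.

```python
# Constructed audit-log text in the shape of the entry quoted above: two
# entries, the first logged without its POST body, the second with it.
# Hosts, users and values are made up for this example.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 192.0.2.10 - user1 [16/Aug/2005:16:13:45 --0400] "POST /cgi-bin/prog.cgi HTTP/1.1" 200 10168
Handler: cgi-script
----------------------------------------
POST /cgi-bin/prog.cgi HTTP/1.1
Host: myhost.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

28
[POST payload not available]

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 10168
========================================
Request: 192.0.2.11 - - [16/Aug/2005:16:20:01 --0400] "POST /cgi-bin/prog.cgi HTTP/1.1" 200 512
Handler: cgi-script
----------------------------------------
POST /cgi-bin/prog.cgi HTTP/1.1
Host: myhost.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

showinspection=Add+Insp

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 512
"""

ENTRY_SEPARATOR = "=" * 40
BODY_MISSING = "[POST payload not available]"


def split_entries(log_text):
    """Split a serial audit log into entries on the '=' separator line."""
    return [p.strip("\n") for p in log_text.split(ENTRY_SEPARATOR) if p.strip()]


def _take_until_blank(lines, i):
    """Collect lines[i:] up to the next blank line; return (chunk, index past the blank)."""
    chunk = []
    while i < len(lines) and lines[i] != "":
        chunk.append(lines[i])
        i += 1
    return chunk, i + 1


def parse_entry(entry):
    """Parse one entry into summary, handler, request line, headers, body
    and response status line."""
    lines = entry.split("\n")
    summary = handler = ""
    i = 0
    # Summary block: 'Request:' and 'Handler:' lines up to the '-' rule.
    while i < len(lines) and not lines[i].startswith("-----"):
        if lines[i].startswith("Request: "):
            summary = lines[i][len("Request: "):]
        elif lines[i].startswith("Handler: "):
            handler = lines[i][len("Handler: "):]
        i += 1
    i += 1                                   # skip the '-' rule itself
    request_line = lines[i] if i < len(lines) else ""
    header_lines, i = _take_until_blank(lines, i + 1)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    body_lines, i = _take_until_blank(lines, i)
    body = "\n".join(body_lines)
    response_status = lines[i] if i < len(lines) else ""
    missing = BODY_MISSING in body
    return {
        "summary": summary,
        "handler": handler,
        "method": request_line.split(" ", 1)[0],
        "request_line": request_line,
        "headers": headers,
        "body_captured": not missing,
        "body": "" if missing else body,
        "response_status": response_status,
    }


def requests_missing_body(log_text):
    """Summary lines of POST/PUT requests that carried a body the audit log
    did not record (the usual symptom of SecFilterScanPOST being Off)."""
    found = []
    for entry in split_entries(log_text):
        p = parse_entry(entry)
        has_body = p["headers"].get("content-length", "0") not in ("", "0")
        if p["method"] in ("POST", "PUT") and has_body and not p["body_captured"]:
            found.append(p["summary"])
    return found


if __name__ == "__main__":
    for line in requests_missing_body(SAMPLE_AUDIT_LOG):
        print("body not logged:", line)
```

Point requests_missing_body() at the text of a real audit log file; an empty result after turning SecFilterScanPOST On confirms the bodies are now being recorded.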
|
From: Ivan R. <iv...@we...> - 2005-08-15 17:10:46
|
Justin Grindea wrote:
> all right, this rocks.
> I knew about the exclude directive but didn't know about the inheritance
> from main file. Assumed that if I put it in the vhost block I'll need to
> put in all the rules for every vhost and exclude the ones I don't want...
>
> the IDs idea is great but still, I'm looking into a way to catalog the
> rules, use them more wisely and update them as needed. Maybe MySQL can
> help here?
I don't think so, the relational model is not rich enough for
this particular purpose.
I've been thinking a lot about that problem. I am attaching a
draft of a specification I designed as a vehicle to distribute
rules, and to make sure only the rules you want are installed.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-08-15 13:38:26
|
Justin Grindea wrote:
> Greetings,
>
> I'd like to know if it's possible to implement per/vhost exclusions
> using mod_security.
Sure it is.
> We are using gotroot's rules as well as some custom rules but it's not
> working correctly with all sites.
>
> For example the cookies validation, UTF-8 encoding checks as well as
> application specific rules need to be excluded here and there.
Simply turn them off where you need:
<VirtualHost XYZ>
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat Off
SecFilterNormalizeCookies Off
</VirtualHost>
VirtualHosts will inherit the configuration from the main
server but you can make changes as you wish. In 1.9 you can
even import or delete individual rules via their IDs. (I am
about to document these 1.9 features.)
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Justin G. <web...@sw...> - 2005-08-15 13:31:16
|
Greetings,
I'd like to know if it's possible to implement per/vhost exclusions using
mod_security.
We are using gotroot's rules as well as some custom rules but it's not
working correctly with all sites.
For example the cookies validation, UTF-8 encoding checks as well as
application specific rules need to be excluded here and there.
All the below config vars for example are hitting a few sites on every
general web hosting server I came across till now and it's a pity not to
secure some 400 sites on the machine because 10 of them are getting hurt :(
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat Off
SecFilterNormalizeCookies Off
I believe mod_security is a great tool for webhosters, but rule
organization can be improved, especially when working with tons of rules,
like the ones provided by gotroot.
thanks,
Justin
|
|
From: Michael S. <mi...@go...> - 2005-08-15 13:14:24
|
On Mon, 2005-08-15 at 13:06 +0100, Ivan Ristic wrote:
> LesT wrote:
> > We are building a new server and cannot get modsecurity to install.
> > Below find the server info and following that the first few lines of
> > hundreds that follow when attempting to install mod_security 1.8.7
>
> The compiler cannot find the Apache include files. Why exactly, I
> don't know - that depends on your system. Do you have a package
> called "http-devel" or "httpd-devel" installed?

FC2 doesn't include httpd-devel by default.

--
Michael T. Shinn
KeyID:DAE2EC86 Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
ModSecurity WebServer Firewall: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com |