mod-security-users Mailing List for ModSecurity (Page 581)
From: Ivan R. <iv...@we...> - 2004-04-04 11:17:55

> So the only way I could get this to work is to comment the above code and
> recompile suexec. Obviously this is probably a bad idea but I just did it
> to prove the point.
>
> Any ideas on how to make this work without hacking suexec?

I will try to modify mod_security tomorrow to make it work with suexec.
Perhaps I can chdir to the folder first and just use the name of the script
for execution. Suexec checks the DOC_ROOT anyway.

> Also, are there environment variables I can use to get more specific in my
> alerts?

Normally you will get MOD_SECURITY_EXECUTED, MOD_SECURITY_STATUS, and
MOD_SECURITY_MESSAGE but, having just looked at the code, it seems that the
latter two are not available when external binaries are executed. I'll fix
that in the next release.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
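A hardened version of the notification script this thread is debugging, added here as an example; it is not Jeremy's script and not part of ModSecurity. It takes Ulf's advice (set PATH explicitly, since Apache hands the exec'd script an almost empty environment) and folds in the three MOD_SECURITY_* variables Ivan lists, treating MOD_SECURITY_STATUS and MOD_SECURITY_MESSAGE as optional because he notes they may be missing when external binaries run. The recipient address, the path to mail(1) and the function names are my own assumptions.

```shell
#!/bin/sh
# report-attack.sh, hardened (added example, not the script from the thread).
# Apache runs exec'd scripts with almost no environment, so set PATH rather
# than hoping hostname(1) and mail(1) are found.
export PATH=/bin:/usr/bin
umask 077

RECIPIENT="${ALERT_RECIPIENT:-alerts@example.invalid}"   # placeholder address
MAIL_CMD="${MAIL_CMD:-/usr/bin/mail}"                    # assumed path to mail(1)

# Body of the alert, built from the variables ModSecurity exports.
# MOD_SECURITY_STATUS and MOD_SECURITY_MESSAGE may be unset on releases where
# exec does not provide them, so each falls back to "n/a".
build_alert() {
    host=$(hostname 2>/dev/null || echo unknown-host)
    printf '%s\n' \
        "Host:    $host" \
        "Script:  ${MOD_SECURITY_EXECUTED:-n/a}" \
        "Status:  ${MOD_SECURITY_STATUS:-n/a}" \
        "Message: ${MOD_SECURITY_MESSAGE:-n/a}" \
        "Check the audit log for the full request."
}

# Subject line. MOD_SECURITY_MESSAGE is derived from the request that matched,
# so strip CR/LF (nothing can smuggle extra mail headers in) and keep it short.
build_subject() {
    printf '%s' "ModSecurity alert: ${MOD_SECURITY_MESSAGE:-filter match}" \
        | tr -d '\r\n' | cut -c1-78
}

send_alert() {
    build_alert | "$MAIL_CMD" -s "$(build_subject)" "$RECIPIENT"
}

# ModSecurity sets MOD_SECURITY_EXECUTED when it runs the script (per the
# thread); when it is absent we were started by hand, so do a dry run that
# prints the alert instead of mailing it.
if [ -n "${MOD_SECURITY_EXECUTED:-}" ]; then
    send_alert
else
    build_alert
fi
```

Point the exec action at this file as before; running it from a shell prints the message it would send, which is a quicker check than watching the mail server logs.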
From: Mark <ad...@as...> - 2004-04-04 11:04:54

Jeremy Hansen wrote:
>>> So yes...this actually leads to something:
>>>
>>> [2004-04-03 10:23:15]: error: invalid command
>>> (/usr/webservers/httpd/conf/report-attack.sh)
>>>
>>> but I'm not sure exactly what it means by invalid command.
>>
>> So looking at the code:
>>
>> if ((cmd[0] == '/') || (!strncmp(cmd, "../", 3))
>>     || (strstr(cmd, "/../") != NULL)) {
>>     log_err("error: invalid command (%s)\n", cmd);
>>     exit(104);
>> }
>>
>> so, because the line starts with a /, suexec says it's an invalid
>> command. What's the workaround for this?
>
> So the only way I could get this to work is to comment the above code
> and recompile suexec. Obviously this is probably a bad idea but I
> just did it to prove the point.
>
> Any ideas on how to make this work without hacking suexec?

Personally, I would just get rid of suEXEC altogether. suEXEC requires that
the directory of your program be within the Apache webspace. And in my
experience (and yours, it seems), scripts like the one above are exactly
what you do NOT want in the web-tree. But apart from that,

Why not just hardlink (not symlink!) to it, from within your web-root space?
Then in, say,

/usr/webservers/httpd/vhosts/myhost/htdocs/

You would do:

"ln /usr/webservers/httpd/conf/report-attack.sh report-attack.sh"

So you can run a relative call to report-attack.sh, from within the Apache
webspace. Not pretty, perhaps; but it might do the trick.

P.S. I am myself rather charmed with mod_security's SecChrootDir command, as
it makes chrooting Apache rather trivial. Do that, and the need for using
suEXEC may subside even more.

Cheers,

- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
From: Jeremy H. <je...@me...> - 2004-04-04 00:25:46

On Sat, 3 Apr 2004, Jeremy Hansen wrote:

> On Sat, 3 Apr 2004, Jeremy Hansen wrote:
>
> > On Sat, 3 Apr 2004, Ivan Ristic wrote:
> >
> > > > So I tried 1.7.6 and still, no message so I'm obviously doing something
> > > > wrong in my config. Any clues?
> > >
> > > Your script works for me without modification. One thing to try
> > > would be to use absolute paths for all binaries (hostname and mail).
> > >
> > > Are you using suexec on your web server? Look in the suexec log
> > > if you are, there may be clues there.
> >
> > So yes...this actually leads to something:
> >
> > [2004-04-03 10:23:15]: error: invalid command
> > (/usr/webservers/httpd/conf/report-attack.sh)
> >
> > but I'm not sure exactly what it means by invalid command.
>
> So looking at the code:
>
> if ((cmd[0] == '/') || (!strncmp(cmd, "../", 3))
>     || (strstr(cmd, "/../") != NULL)) {
>     log_err("error: invalid command (%s)\n", cmd);
>     exit(104);
> }
>
> so, because the line starts with a /, suexec says it's an invalid command.
> What's the workaround for this?

So the only way I could get this to work is to comment the above code and
recompile suexec. Obviously this is probably a bad idea but I just did it
to prove the point.

Any ideas on how to make this work without hacking suexec?

Also, are there environment variables I can use to get more specific in my
alerts?

Thanks again
-jeremy

> Thanks
> -jeremy
>
> > Thanks
> > -jeremy
From: Jeremy H. <je...@me...> - 2004-04-03 18:39:59

On Sat, 3 Apr 2004, Jeremy Hansen wrote:

> On Sat, 3 Apr 2004, Ivan Ristic wrote:
>
> > > So I tried 1.7.6 and still, no message so I'm obviously doing something
> > > wrong in my config. Any clues?
> >
> > Your script works for me without modification. One thing to try
> > would be to use absolute paths for all binaries (hostname and mail).
> >
> > Are you using suexec on your web server? Look in the suexec log
> > if you are, there may be clues there.
>
> So yes...this actually leads to something:
>
> [2004-04-03 10:23:15]: error: invalid command
> (/usr/webservers/httpd/conf/report-attack.sh)
>
> but I'm not sure exactly what it means by invalid command.

So looking at the code:

if ((cmd[0] == '/') || (!strncmp(cmd, "../", 3))
    || (strstr(cmd, "/../") != NULL)) {
    log_err("error: invalid command (%s)\n", cmd);
    exit(104);
}

so, because the line starts with a /, suexec says it's an invalid command.
What's the workaround for this?

Thanks
-jeremy

> Thanks
> -jeremy
From: Jeremy H. <je...@me...> - 2004-04-03 18:24:44

On Sat, 3 Apr 2004, Ivan Ristic wrote:

> > So I tried 1.7.6 and still, no message so I'm obviously doing something
> > wrong in my config. Any clues?
>
> Your script works for me without modification. One thing to try
> would be to use absolute paths for all binaries (hostname and mail).
>
> Are you using suexec on your web server? Look in the suexec log
> if you are, there may be clues there.

So yes...this actually leads to something:

[2004-04-03 10:23:15]: error: invalid command
(/usr/webservers/httpd/conf/report-attack.sh)

but I'm not sure exactly what it means by invalid command.

Thanks
-jeremy
From: Ivan R. <iv...@we...> - 2004-04-03 17:14:02

> So I tried 1.7.6 and still, no message so I'm obviously doing something
> wrong in my config. Any clues?

Your script works for me without modification. One thing to try would be
to use absolute paths for all binaries (hostname and mail).

Are you using suexec on your web server? Look in the suexec log if you
are, there may be clues there.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Jeremy H. <je...@me...> - 2004-04-03 16:33:07

On Sat, 3 Apr 2004, Ulf Harnhammar wrote:

> > But I don't receive the email, yet, when I execute this from the command
> > line, I get the email no problem.
> >
> > #!/bin/sh
> >
> > HOSTNAME=`hostname`
> >
> > echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack
> > detected" in...@me...
>
> A guess would be some problem with $PATH. Try inserting export
> PATH=/bin:/usr/bin or something similar as the second line of your
> script.

So I tried 1.7.6 and still, no message so I'm obviously doing something
wrong in my config. Any clues?

Thanks
-jeremy

> // Ulf Harnhammar
> http://www.advogato.org/person/metaur
From: Jeremy H. <je...@me...> - 2004-04-03 16:07:44

On Sat, 3 Apr 2004, Ulf Harnhammar wrote:

> > But I don't receive the email, yet, when I execute this from the command
> > line, I get the email no problem.
> >
> > #!/bin/sh
> >
> > HOSTNAME=`hostname`
> >
> > echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack
> > detected" in...@me...
>
> A guess would be some problem with $PATH. Try inserting export
> PATH=/bin:/usr/bin or something similar as the second line of your
> script.

I thought about this as well and tried it. Still no message. I'm also
watching the mail server logs and I don't ever see a delivery attempt even.
I'm going to try the "stable" release today. Perhaps this just isn't
working in the 1.8 beta.

-jeremy

> // Ulf Harnhammar
> http://www.advogato.org/person/metaur
From: Ulf H. <me...@op...> - 2004-04-03 13:15:55

> But I don't receive the email, yet, when I execute this from the command
> line, I get the email no problem.
>
> #!/bin/sh
>
> HOSTNAME=`hostname`
>
> echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack
> detected" in...@me...

A guess would be some problem with $PATH. Try inserting export
PATH=/bin:/usr/bin or something similar as the second line of your script.

// Ulf Harnhammar
http://www.advogato.org/person/metaur
From: Jeremy H. <je...@me...> - 2004-04-03 05:09:53

So I quoted it this time:

SecFilter /etc/passwd "log,exec:/usr/webservers/httpd/conf/report-attack.sh"

and I see this in the audit log:

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922
mod_security-executed: /usr/webservers/httpd/conf/report-attack.sh

But I don't receive the email, yet, when I execute this from the command
line, I get the email no problem.

Thanks
-jeremy

On Fri, 2 Apr 2004, Jeremy Hansen wrote:

> I'm using version mod_security-1.8dev1.tar.gz and I can't seem to get
> notification working. Here are my rules:
>
> # Execute the external script on filter match
> SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
>
> and here's the little shell script:
>
> #!/bin/sh
>
> HOSTNAME=`hostname`
>
> echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack
> detected" in...@me...
>
> just simple script. Using the test suite, I definitely am tripping some
> filters...
>
> Test "38 Unicode test 1": OK
> Test "39 Unicode test 2": OK
> Test "40 Unicode test 3": OK
> Test "43 post range check bug": OK
> Test "44 normalisation bug": OK
> Test "45 null byte attack": OK
> Test "43 multipart/form-data test": OK
> Test "53 named cookie test": OK
>
> etc..
>
> but nothing in my email...
>
> Very new to this so perhaps my rules are completely wrong. Here's the
> full rules list:
>
> # Turn the filtering engine On or Off
> SecFilterEngine On
>
> # The audit engine works independently and
> # can be turned On or Off on the per-server or
> # on the per-directory basis
> SecAuditEngine RelevantOnly
>
> # The name of the audit log file
> SecAuditLog /var/log/httpd/logs/audit_log
>
> # Should mod_security inspect POST payloads
> SecFilterScanPOST On
>
> # Check URL encoding
> SecFilterCheckURLEncoding On
>
> # Default action set
> SecFilterDefaultAction "deny,log,status:500"
>
> # Only allow certain byte values to be a part of the request.
> # This is pretty relaxed, most applications where only English
> # is used will happily work with a range 32 - 126.
> SecFilterForceByteRange 32 126
>
> # Only accept request encodings we know how to handle
> # SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
>
> # Don't accept transfer encodings we know we don't handle
> # (and you don't need it anyway)
> SecFilterSelective HTTP_Transfer-Encoding "!^$"
>
> # Simple example filter
> # SecFilter 111
>
> # Chroot
> # SecChrootDir /usr/webservers/httpd
>
> # Change Signature
> SecServerSignature "FuckYouVeryMuch/2.0"
>
> # Command execution attacks
> SecFilter /etc/passwd
> SecFilter /etc/shadow
> SecFilter /etc/password
> SecFilter /bin/ls
>
> # Directory traversal attacks
> SecFilter "\.\./"
>
> # XSS attacks
> SecFilter "<(.|\n)+>"
> SecFilter "<[[:space:]]*script"
>
> # SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
>
> SecFilterSelective ARG_b2inc "!^$"
>
> SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
> SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
>
> <Location /cgi-bin/FormMail>
> SecFilterSelective "ARG_recipient" "!@methanesea\.com$"
> </Location>
>
> SecFilterSelective OUTPUT "Fatal error:"
>
> # Execute the external script on filter match
> SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
>
> # Redirect user on filter match
> SecFilter xxx redirect:http://www.methanesea.com
>
> # SecFilterDebugLog /var/log/httpd/logs/modsec_debug_log
> # SecFilterDebugLevel 100
>
> # Simple filter
> SecFilter 111
>
> # Only check the QUERY_STRING variable
> SecFilterSelective QUERY_STRING 222
>
> # Only check the body of the POST request
> SecFilterSelective POST_PAYLOAD 333
>
> # Only check arguments (will work for GET and POST)
> SecFilterSelective ARGS 444
>
> # Another test filter, will be denied with 404 but not logged
> # action supplied as a parameter overrides the default action
> SecFilter 999 "deny,nolog,status:500"
>
> Mostly stolen from various articles and docs.
>
> Thanks for any tips.
> -jeremy
From: Jeremy H. <je...@me...> - 2004-04-03 04:50:48

I'm using version mod_security-1.8dev1.tar.gz and I can't seem to get
notification working. Here are my rules:
# Execute the external script on filter match
SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
and here's the little shell script:
#!/bin/sh
HOSTNAME=`hostname`
echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack
detected" in...@me...
just simple script. Using the test suite, I definitely am tripping some
filters...
Test "38 Unicode test 1": OK
Test "39 Unicode test 2": OK
Test "40 Unicode test 3": OK
Test "43 post range check bug": OK
Test "44 normalisation bug": OK
Test "45 null byte attack": OK
Test "43 multipart/form-data test": OK
Test "53 named cookie test": OK
etc..
but nothing in my email...
Very new to this so perhaps my rules are completely wrong. Here's the
full rules list:
# Turn the filtering engine On or Off
SecFilterEngine On
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Check URL encoding
SecFilterCheckURLEncoding On
# Default action set
SecFilterDefaultAction "deny,log,status:500"
# Only allow certain byte values to be a part of the request.
# This is pretty relaxed, most applications where only English
# is used will happily work with a range 32 - 126.
SecFilterForceByteRange 32 126
# Only accept request encodings we know how to handle
# SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Simple example filter
# SecFilter 111
# Chroot
# SecChrootDir /usr/webservers/httpd
# Change Signature
SecServerSignature "FuckYouVeryMuch/2.0"
# Command execution attacks
SecFilter /etc/passwd
SecFilter /etc/shadow
SecFilter /etc/password
SecFilter /bin/ls
# Directory traversal attacks
SecFilter "\.\./"
# XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
# SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective ARG_b2inc "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
<Location /cgi-bin/FormMail>
SecFilterSelective "ARG_recipient" "!@methanesea\.com$"
</Location>
SecFilterSelective OUTPUT "Fatal error:"
# Execute the external script on filter match
SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
# Redirect user on filter match
SecFilter xxx redirect:http://www.methanesea.com
# SecFilterDebugLog /var/log/httpd/logs/modsec_debug_log
# SecFilterDebugLevel 100
# Simple filter
SecFilter 111
# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444
# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
SecFilter 999 "deny,nolog,status:500"
Mostly stolen from various articles and docs.
Thanks for any tips.
-jeremy
From: Ivan R. <iv...@we...> - 2004-03-31 22:05:14

L. Christopher Luther wrote:
> OK, I guess no one has made any LogWatch configurations
> to work with mod_security. So I guess the next question
> is what are people using to monitor the mod_security logs?
> IS anyone actually monitoring the mod_security logs?

I have found the artificial ignorance concept to be very useful:

http://archives.neohapsis.com/archives/nfr-wizards/1997/09/0098.html

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
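An added example of the artificial-ignorance approach Ivan points to (not code from the list or from ModSecurity): keep a file of patterns for events you already understand, throw those lines away, and review only what is left. The pattern file and the audit-log lines below are constructed for the demonstration; they imitate the mod_security-message lines the 1.x audit log writes, but are not taken from a real log, and the function names are my own.

```shell
#!/bin/sh
# Artificial ignorance over ModSecurity audit-log messages (added example).
# Lines matching a known pattern are discarded; whatever remains is new and
# worth a human's attention. Patterns are extended regexes, one per line.
export PATH=/bin:/usr/bin

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Already-understood noise (constructed for this example): a scanner that
# trips the /bin/ls rule every night, and a broken internal client that
# sends an empty PHPSESSID cookie.
cat > "$WORK/ignore.re" <<'EOF'
Pattern match "/bin/ls" at THE_REQUEST\.$
Pattern match "!\^\[0-9a-z\]\*\$" at COOKIE_PHPSESSID\.$
EOF

# Constructed sample of audit-log message lines (not from a real server).
cat > "$WORK/audit.log" <<'EOF'
mod_security-message: Access denied with code 500. Pattern match "/bin/ls" at THE_REQUEST.
mod_security-message: Access denied with code 500. Pattern match "/etc/passwd" at THE_REQUEST.
mod_security-message: Access denied with code 500. Pattern match "!^[0-9a-z]*$" at COOKIE_PHPSESSID.
mod_security-message: Access denied with code 500. Pattern match "select.+from" at POST_PAYLOAD.
mod_security-message: Access denied with code 500. Pattern match "/bin/ls" at THE_REQUEST.
EOF

# unknown_events IGNORE_FILE LOG_FILE: print the lines no ignore pattern covers.
unknown_events() {
    grep -v -E -f "$1" "$2"
}

# count_unknown IGNORE_FILE LOG_FILE: how many lines need review (0 = quiet).
count_unknown() {
    unknown_events "$1" "$2" | wc -l | tr -d ' '
}

# Typical cron use: emit the leftovers only when there are some, so an empty
# report means nothing new happened rather than "the job did not run".
report() {
    if [ "$(count_unknown "$1" "$2")" -gt 0 ]; then
        unknown_events "$1" "$2"
    fi
}

report "$WORK/ignore.re" "$WORK/audit.log"
```

Each time a line in the report turns out to be benign, add a pattern for it and it disappears from the next run; the pattern file becomes the record of what you have decided is normal for that server.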
From: Jim H. <jim...@rc...> - 2004-03-31 21:14:05

Christopher,

I use Big Brother to monitor my mod_security logfile, it works like a
champ. I have tested it on several occasions with NESSUS and it works
great.

Regards,
Jim

---- Original message ----
>Date: Wed, 31 Mar 2004 15:52:08 -0500
>From: "L. Christopher Luther" <CL...@Xy...>
>Subject: RE: [mod-security-users] LogWatch Filter and Config
>To: "ModSecurity-Users \(E-mail\)" <mod-security-us...@li...>
>
> OK, I guess no one has made any LogWatch
> configurations to work with mod_security. So I
> guess the next question is what are people using to
> monitor the mod_security logs? IS anyone actually
> monitoring the mod_security logs?
>
> TIA
>
> -----Original Message-----
> From: mod...@li... [mailto:mod...@li...] On
> Behalf Of L. Christopher Luther
> Sent: Tuesday, March 23, 2004 7:20 PM
> To: ModSecurity-Users (E-mail)
> Subject: [mod-security-users] LogWatch Filter and Config
> Sensitivity: Confidential
>
> Has anyone created a LogWatch config file and
> filter for mod_security's audit log?
>
> Sincerely,
>
> L. Christopher Luther
> Technical Consultant
> Xybernaut Solutions, Inc.
> (703) 654-3642
> cl...@xy...
> PGP Public KeyID: 0x21261B88
> http://www.xybernautsolutions.com
From: L. C. L. <CL...@Xy...> - 2004-03-31 20:52:24

OK, I guess no one has made any LogWatch configurations to work with
mod_security. So I guess the next question is what are people using to
monitor the mod_security logs? IS anyone actually monitoring the
mod_security logs?

TIA

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of
L. Christopher Luther
Sent: Tuesday, March 23, 2004 7:20 PM
To: ModSecurity-Users (E-mail)
Subject: [mod-security-users] LogWatch Filter and Config
Sensitivity: Confidential

Has anyone created a LogWatch config file and filter for mod_security's
audit log?

Sincerely,

L. Christopher Luther
Technical Consultant
Xybernaut Solutions, Inc.
(703) 654-3642
cl...@xy...
PGP Public KeyID: 0x21261B88
http://www.xybernautsolutions.com
From: Ivan R. <iv...@we...> - 2004-03-31 20:22:27

> However, I am having difficulties capturing these Webdav
> exploits before Apache sends a 414 error response. Those
> "SEARCH" request methods are slipping by mod_security.
>
> ...
>
> Anyone having success at capturing Webdav exploits
> using mod_security? I am sure there is something
> I am overlooking in my configuration.

I don't have the time to check right now but I'm pretty sure Apache rejects
the request before mod_security gets to look at it. The same happens with
TRACE. There's no way around it at the moment. I think you should be able
to use mod_rewrite to detect and reject that request.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Purl G. <pur...@pu...> - 2004-03-30 18:23:55

Many of you have noticed Apache log entries for
this idiotic Webdav exploit which are extremely
long and generate a "URI too long" error response.
An example which is truncated:
66.215.211.96 66.215.211.96 [30/Mar/2004:09:48:40 -0800] "SEARCH /\x90
This request method "SEARCH" is not recognized by
Apache 1.3.x series and presents a problem.
I enjoy very good success loading and running mod_security
for my Apache server. Ran the enclosed tests, all seems to
be working perfectly. Very nice module, indeed.
However, I am having difficulties capturing these Webdav
exploits before Apache sends a 414 error response. Those
"SEARCH" request methods are slipping by mod_security.
Currently I am trying this entry for mod_security:
# Kill Search Request Method
SecFilterSelective "REQUEST_METHOD" "^.*SEARCH.*$"
I have tried variations on this, tried a simple filter,
but cannot capture those darn Webdav exploits. My return
error message should be a 405 method not allowed but
have yet to succeed at this.
Anyone having success at capturing Webdav exploits
using mod_security? I am sure there is something
I am overlooking in my configuration.
Both your comments and help are appreciated.
Thanks,
Kira
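Since, as Ivan says in his reply above, Apache answers these over-long SEARCH requests with 414 before mod_security ever sees them, the place to keep watch for them is the access log. This added example (not code from the list or from ModSecurity) pulls them out of combined-format log lines and tallies them per source address. The sample lines are constructed to resemble the truncated entry Kira quotes and are not from a real server; the function names are my own.

```shell
#!/bin/sh
# Surface WebDAV "SEARCH" probes and 414 (Request-URI Too Long) responses from
# an Apache access log (added example). Apache rejects these before
# mod_security runs, so the access log is where they show up.
export PATH=/bin:/usr/bin

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed combined-format lines; the shellcode-like bytes are shortened.
cat > "$WORK/access.log" <<'EOF'
66.215.211.96 - - [30/Mar/2004:09:48:40 -0800] "SEARCH /\x90\x02\xb1\x02\xb1" 414 293 "-" "-"
192.0.2.10 - - [30/Mar/2004:09:50:01 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2004:10:02:13 -0800] "SEARCH / HTTP/1.1" 501 214 "-" "-"
66.215.211.96 - - [30/Mar/2004:10:05:40 -0800] "SEARCH /\x90\x02\xb1" 414 293 "-" "-"
203.0.113.5 - - [30/Mar/2004:10:07:55 -0800] "GET /very/long/path HTTP/1.0" 414 293 "-" "curl/7.10"
EOF

# probe_report LOGFILE: print "client method status" for every request that
# used the SEARCH method or was answered with 414.
probe_report() {
    awk '
    {
        # The request line is the first double-quoted field; splitting on the
        # quote keeps it whole even when it holds escaped bytes or spaces.
        split($0, q, "\"")
        split(q[2], r, " ")          # r[1] = method, r[2] = URI
        split(q[3], rest, " ")       # rest[1] = status code
        if (r[1] == "SEARCH" || rest[1] == "414")
            print $1, r[1], rest[1]
    }' "$1"
}

# probe_count LOGFILE: number of matching requests.
probe_count() {
    probe_report "$1" | wc -l | tr -d ' '
}

# probe_sources LOGFILE: hits per client address, busiest first.
probe_sources() {
    probe_report "$1" | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

probe_sources "$WORK/access.log"
```

Run it against the real access_log (or feed it from logrotate) and the per-source counts give you something concrete to block at the firewall or send to the network's abuse contact, which is the only action left once the request never reaches mod_security.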
From: L. C. L. <CL...@Xy...> - 2004-03-24 00:19:46

Has anyone created a LogWatch config file and filter for mod_security's
audit log?

Sincerely,

L. Christopher Luther
Technical Consultant
Xybernaut Solutions, Inc.
(703) 654-3642
cl...@xy...
PGP Public KeyID: 0x21261B88
http://www.xybernautsolutions.com
From: Jochen B. <jo...@ro...> - 2004-03-23 16:20:36

Hi!

Today I have installed a debian/woody box with Apache 1.3.26 and have made
a debian package of mod-security 1.7.6. I give no guarantee that the
packages work properly, because they were only created for my own use. If
you are interested you can download the packages at
www.roastbyte.net/debs.html

Have fun.

best regards
Jochen
From: Ivan R. <iv...@we...> - 2004-03-22 16:14:27

> I am using mod_security 1.7.6 with Apache 2.0.49 on Solaris 8 with
> OpenSSL 0.9.7d
> When a pdf file is uploaded it makes the Apache child process
> crash. Here's what I get:
> [Mon Mar 22 13:59:52 2004] [notice] child pid 827 exit signal Segmentation
> fault (11)
>
> When I disable the security rules the file upload works fine.

It does not crash when you disable the rules but leave "SecFilterScanPOST
On"? I am uploading a 3.6 MB file on Apache 2.0.49 + mod_security 1.7.6 on
Linux (sorry, I don't have access to a Solaris box) without any problems,
with a match or without it. I will try to add mod_ssl to the mix but that
shouldn't make any difference.

Did you compile Apache yourself? Is the Apache using the built-in regular
expression library? Or the Solaris implementation?

> I think that filtering makes the process crash maybe because the file
> is too big ( 1,5 MBytes). The security rules are very simple ( here's a few):
> SecFilterScanPOST On
> SecFilterCheckURLEncoding On
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"

Can you post the PDF file somewhere (for me)? Maybe there's something in it
that crashes the regular expression library.

> Since it's a production system I can't do many more tests.
> How could I disable scanning of an uploaded file by mod_security engine ?
>
> Would that rule :
> SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data allow
> at the beginning of the rules list be sufficient ?

That should work, provided it does not crash with "SecFilterScanPOST On"
but only when a regular expression is processed. Else, use
"SecFilterScanPOST On".

Other things you could do: Set the debug level to 9, "SecFilterDebugLevel
9", make it crash and send me the debug file.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: <lde...@ne...> - 2004-03-22 15:00:24

Hi,

I am using mod_security 1.7.6 with Apache 2.0.49 on Solaris 8 with OpenSSL
0.9.7d

When a pdf file is uploaded it makes the Apache child process crash.
Here's what I get:

[Mon Mar 22 13:59:52 2004] [notice] child pid 827 exit signal Segmentation
fault (11)

When I disable the security rules the file upload works fine.

I think that filtering makes the process crash maybe because the file is
too big ( 1,5 MBytes). The security rules are very simple ( here's a few):

SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

I didn't enable the SecFilterForceByteRange rule.

The file is uploaded via a HTTP POST request.

Since it's a production system I can't do many more tests.

How could I disable scanning of an uploaded file by mod_security engine ?

Would that rule :

SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data allow

at the beginning of the rules list be sufficient ?

Thanks,
Luc
From: Mike P. <mpl...@am...> - 2004-03-22 01:31:58
|
On Sunday 21 March 2004 7:47 pm, Ivan Ristic wrote:
> > Thanks for the reply and you are correct I do not have ServerTokens set
> > to full. In fact, I do not even have ServerTokens in the configuration
> > file at all.
>
> Then you do, the default value for that directive is Full.
>
> > Here is my httpd.conf file as you requested. Although, I am still
> > confused as to why nothing is being logged when I tell it to.
> >
> > Thanks for the help and thanks for creating this module.
>
> You are welcome.
>
> > ------------------------------ File below -------------------
> >
> > ##
> > ## httpd.conf -- Apache HTTP server configuration file
> > ##
> >
> > ...
> >
> > <IfModule mod_securtiy.c>
> ^^^^
> You have a typo here, that's why the module does not
> get loaded :)
Thanks for pointing that out. :)
--
Mike Plemmons
mpl...@am...
|
|
From: Ivan R. <iv...@we...> - 2004-03-22 00:45:28
|
> Thanks for the reply and you are correct I do not have ServerTokens set to
> full. In fact, I do not even have ServerTokens in the configuration file at
> all.
Then you do, the default value for that directive is Full.
> Here is my httpd.conf file as you requested. Although, I am still
> confused as to why nothing is being logged when I tell it to.
>
> Thanks for the help and thanks for creating this module.
You are welcome.
> ------------------------------ File below -------------------
>
> ##
> ## httpd.conf -- Apache HTTP server configuration file
> ##
>
> ...
>
> <IfModule mod_securtiy.c>
^^^^
You have a typo here, that's why the module does not
get loaded :)
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: Ivan R. <iv...@we...> - 2004-03-21 22:27:59
|
Mike Plemmons wrote:
> Hello,
> I am running version 1.7.6 with Apache 1.3.29 on a Slackware -current
> machine. I am using a Slackware package so I did not compile it. I
> installed mod_security using the apxs -cia command but I am having problems.
>
> I have the module loading, or so I think I do, and I have the mod_security.c
> configuration added at the very bottom of my httpd.conf file. From what I
> can tell mod_security is not actually running. No log files are being created
> even though I have specifically given them an absolute path to the same place
> the apache log files are. I have SecServerResponseToken set to On and when I
> run a GET request from a telnet session I do not see mod_security listed.
>
> What other steps do I need to do in order to get mod_security to work?
What you did normally works for me. Only one line is required to load the
module:
LoadModule security_module /usr/lib/apache/mod_security.so
But if there is a "ClearModuleDirective" somewhere in the configuration file
you will also need to add:
AddModule mod_security.c
After that, all you need is the module configuration.
Send me your httpd.conf (and other files if you have your configuration
distributed) and I'll look at it.
The fact that the server started without complaining about the
SecServerResponse directive means mod_security is active. About the tokens
missing in the server signature - maybe you don't have ServerTokens set to
Full?
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
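A small config linter, added here as an example and not taken from the thread or from the ModSecurity project, that applies the Apache 1.3 module-activation rules Ivan describes (LoadModule activates a DSO, ClearModuleList, the directive he refers to, empties the active list, AddModule re-activates by source-file name) and reports <IfModule> blocks whose module is not active, such as the mis-spelled block in the reply above, where every directive inside is silently ignored. The httpd.conf fragment and its paths are constructed.

```python
import re

# Constructed httpd.conf fragment (not the poster's real file); it reproduces the
# mis-spelled <IfModule> from the thread, so every Sec* directive inside it is ignored.
SAMPLE_CONF = """\
LoadModule security_module /usr/lib/apache/mod_security.so
ClearModuleList
AddModule mod_security.c
<IfModule mod_securtiy.c>
    SecFilterEngine On
    SecAuditLog /var/log/apache/audit_log
</IfModule>
"""


def active_modules(conf):
    """Modules Apache 1.3 treats as active after reading conf, by source-file name.

    Rules mirrored here: LoadModule activates a DSO; ClearModuleList empties the
    active list; AddModule re-activates a module by its source-file name (mod_x.c).
    """
    active = set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"LoadModule\s+\S+\s+(\S+)", line, re.I)
        if m:
            # /usr/lib/apache/mod_security.so -> mod_security.c
            base = m.group(1).rsplit("/", 1)[-1]
            active.add(re.sub(r"\.so$", "", base) + ".c")
        elif re.match(r"ClearModuleList\b", line, re.I):
            active.clear()
        else:
            m = re.match(r"AddModule\s+(\S+)", line, re.I)
            if m:
                active.add(m.group(1))
    return active


def dead_ifmodule_blocks(conf):
    """Names in <IfModule name> whose module is not active, sorted. Negated
    blocks (<IfModule !name>) are skipped: they are meant to apply in that case."""
    active = active_modules(conf)
    names = re.findall(r"<IfModule\s+([^!>\s][^>\s]*)\s*>", conf, re.I)
    return sorted({n for n in names if n not in active})


if __name__ == "__main__":
    for name in dead_ifmodule_blocks(SAMPLE_CONF):
        print(f"<IfModule {name}> never matches; check LoadModule/AddModule spelling")
```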
From: Mike P. <mpl...@am...> - 2004-03-21 21:49:12
|
Hello,
I am running version 1.7.6 with Apache 1.3.29 on a Slackware -current
machine. I am using a Slackware package so I did not compile it. I
installed mod_security using the apxs -cia command but I am having problems.
I have the module loading, or so I think I do, and I have the mod_security.c
configuration added at the very bottom of my httpd.conf file. From what I
can tell mod_security is not actually running. No log files are being created
even though I have specifically given them an absolute path to the same place
the apache log files are. I have SecServerResponseToken set to On and when I
run a GET request from a telnet session I do not see mod_security listed.
What other steps do I need to do in order to get mod_security to work?
Thanks in advance,
--
Mike Plemmons
mpl...@am...
|
|
From: Jim H. <jim...@rc...> - 2004-03-19 01:30:14
|
I would say go for Apache 2.0.48, with the addition of mod_security you can
chroot the server very easily. If you are talking a heavily loaded system and
want it really secure, chroot the server.
Regards,
Jim
-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of deb...@sp...
Sent: Thursday, March 18, 2004 11:25 AM
To: mod...@li...
Subject: [mod-security-users] mod-security resource usage?
I am trying to spec out a system that runs as a modsec appliance providing IDS
/IPS to multiple IIS websites, some very heavily used.
Can anyone think of figures on process load, memory usage of modsecurity?
Do people recommend apache 1.3 or 2? If 2, prefork variable or other?
thanks
Mat
|