Re: [mod-security-users] Problem with REQUEST_BODY SecRule (notcatching/denying)

[hanj <mailing@as...>]

Ok.. I figured it out.. but need to know how to address the problem. It
looks like the problem is related to mod_security-2.1.1 and
mod_limitipconn-0.22-r1. If I remove this module, then mod_security
works with Apache correctly, if I leave it in, then we start to have
problems. mod_security-1.8.4 works fine with mod_limitipconn-0.22-r1.
Any ideas how to enable mod_limitipconn with mod_sec-2.x? Anyone else
run into similar problems with other modules and mod_sec?

Again... here are my modules and versions:

mod_security-2.1.1
mod_bw-0.7
mod_limitipconn-0.22-r1
apache-2.0.58-r2

Thanks!!!
hanji

Re: [mod-security-users] What is this? Can you please explain?

[Ofer Shezaf <OferS@Breach.com>]

What rule set does the Mandriva package uses?

=20

~ Ofer

=20

From: Albert E. Whale [mailto:aewhale@...]=20
Sent: Monday, May 28, 2007 5:57 PM
To: Ofer Shezaf
Cc: Christian Bockermann; mod-security-users@...
Subject: Re: [mod-security-users] What is this? Can you please explain?

=20

Thank you.  Since this is a Mandriva release of the Mod_Security package
I can review the information and fix it for me, and also the Mandriva
distribution ... this may help a few other newcomers as well.

Thank you!

Ofer Shezaf wrote:=20

Actually Albert might be right. Some versions of Apache use an internal
keep alive pinger that issues a request without a host name.
=20
The Core Rule Set have a specific exclusion for that, but this rule is
probably not part of the Core Rule Set (no rule ID) and blocks this
request.
=20
In order to verify we will need the entire request as you can find in
the audit log.
=20
So in order to permit it: either use the core rule set instead of the
rules you use or refer to Ryan's recent blog entry on creating
exceptions
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
=20
~ Ofer
=20
 =20

	-----Original Message-----
	From: mod-security-users-bounces@...
[mailto:mod-
	security-users-bounces@...] On Behalf Of
Christian
	Bockermann
	Sent: Monday, May 28, 2007 11:20 AM
	To: aewhale@...
	Cc: mod-security-users@...
	Subject: Re: [mod-security-users] What is this? Can you please
	   =20

explain?
 =20

	Hi Albert!
	=20
	In this case it is not the fact that it's the localhost, but a
matter
	of
	a missing/empty Accept-Header in the request. Do you use the
	   =20

core-rules
 =20

	or any custom-made ruleset?
	=20
	The core rules contain some checks that complain if an
Accept-header
	   =20

is
 =20

	missing. This is a problem I observed with some RSS-clients for
	example.
	According to the RFC the Accept-header is optional.
	=20
	Regards,
	     Chris
	=20
	=20
	Am 28.05.2007 um 05:26 schrieb Albert E. Whale:
	=20
	   =20

		Too me this appears to indicate that the localhost is
not permitted
		to test the root level of the web Server.  Why?
		=20
		[Sun May 27 23:24:03 2007] [error] [client 127.0.0.1]
mod_security:
		Access denied with code 500. Pattern match "^$" at
HEADER("Accept")
		[severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"]
[unique_id
		"R9xVQH8AAAEAAAN2kzoAAAAF"]
		=20
		Where can I permit this?
		=20
		--
		Albert E. Whale, CHS CISA CISSP
		Sr. Security, Network, Risk Assessment and Systems
Consultant
		ABS Computer Technology, Inc. - Email, Internet and
Security
		Consultants
		SPAMZapper - No-JunkMail.com - True Spam Elimination.
		=20
		     =20

---------------------------------------------------------------------
 =20

	-
	   =20

		---
		This SF.net email is sponsored by DB2 Express
		Download DB2 Express C - the FREE version of DB2 express
and take
		control of your XML. No limits. Just data. Click to get
it now.
		http://sourceforge.net/powerbar/db2/
		_______________________________________________
		mod-security-users mailing list
		mod-security-users@...
=09
https://lists.sourceforge.net/lists/listinfo/mod-security-users
		     =20

	=20
	=20
	   =20

-----------------------------------------------------------------------
 =20

	--
	This SF.net email is sponsored by DB2 Express
	Download DB2 Express C - the FREE version of DB2 express and
take
	control of your XML. No limits. Just data. Click to get it now.
	http://sourceforge.net/powerbar/db2/
	_______________________________________________
	mod-security-users mailing list
	mod-security-users@...
	https://lists.sourceforge.net/lists/listinfo/mod-security-users
	   =20

=20
------------------------------------------------------------------------
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod-security-users@...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
=20
 =20

=20

--=20
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant

________________________________

ABS Computer Technology, Inc. <http://www.ABS-CompTech.com>;  - Email,
Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com>;  - No-JunkMail.com
<http://www.No-JunkMail.com>;  - True Spam Elimination.=20

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Ofer Shezaf <OferS@Breach.com>]

Sorry for taking you both several steps back, but I don't think the
issue is related to loading the libxml2.so library but to the actual
compilation of ModSecurity with XML support. The error messages for
missing libxml2.so (either if the file is missing or if the LoadFile
directive is wrong) are different.

In order for XML to not be recognized by the parser (which is the case
here), I think that ModSecurity must be compiled without the
WITH_LIBXML2 compile flag. While as you said it is on by default in the
make file, the compile and link lines you send do not imply that it was
actually on. I think that msc_xml might be compiled and linked anyway.

So, bottom line, can you send (if you prefer privately to ryan and me)
the entire make file and compile log?

~ Ofer

> -----Original Message-----
> From: Ryan Barnett
> Sent: Monday, May 28, 2007 7:52 PM
> To: Joakim Schramm; Ofer Shezaf
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
>=20
> One more item - remove the "!" before the IfModule name as this means
> if the module is not loaded.
>=20
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>=20
>=20
>=20
> > -----Original Message-----
> > From: Joakim Schramm [mailto:joakim@...]
> > Sent: Monday, May 28, 2007 12:49 PM
> > To: Ryan Barnett; Ofer Shezaf
> > Cc: mod-security-users@...
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> >
> >
> >
> > > -----Original Message-----
> > > From: Ryan Barnett [mailto:Ryan.Barnett@...]
> > > Sent: 28 May 2007 18:33
> > > To: Joakim Schramm; Ofer Shezaf
> > > Cc: mod-security-users@...
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > > You to have the XML LoadFile directive specified BEFORE the
> > > ModSecurity LoadFile directive like this -
> > >
> > > <IfDefine SECURITY>
> > >         <IfModule !mod_security2.c>
> > >             LoadFile /usr/lib/libxml2.so
> > >             LoadModule security2_module modules/mod_security2.so
> > >         </IfModule>
> > >
> > >         # use Core Rule Set by default:
> > >         Include /etc/apache2/modules.d/mod_security/*.conf
> > > </IfDefine>
> > >
> > Unfortunately,
> >
> > It makes no difference. Right now I have no other option then remove
> all
> > XML
> > variables as apache2 refuses to start as it is.
> >
> > Joakim
> > > --
> > > Ryan C. Barnett
> > > ModSecurity Community Manager
> > > Breach Security: Director of Application Security Training
> > > Web Application Security Consortium (WASC) Member CIS Apache
> > > Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH,
> > > GSNA, GCUX, GSEC
> > > Author: Preventing Web Attacks with Apache
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Joakim Schramm [mailto:joakim@...]
> > > > Sent: Monday, May 28, 2007 12:28 PM
> > > > To: Ryan Barnett; Ofer Shezaf
> > > > Cc: mod-security-users@...
> > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > > This from my httpd.conf for
> > > >
> > > > <IfDefine SECURITY>
> > > >         <IfModule !mod_security2.c>
> > > >                 LoadModule security2_module
> modules/mod_security2.so
> > > >         </IfModule>
> > > >
> > > >         LoadFile /usr/lib/libxml2.so
> > > >
> > > >         # use Core Rule Set by default:
> > > >         Include /etc/apache2/modules.d/mod_security/*.conf
> > > > </IfDefine>
> > > >
> > > > merc ~ # locate libxml2.so
> > > > /usr/lib/libxml2.so.2.6.28
> > > > /usr/lib/libxml2.so.2
> > > > /usr/lib/libxml2.so
> > > >
> > > > merc ~ # /etc/init.d/apache2 restart
> > > >  * Apache2 has detected a syntax error in your configuration
> files:
> > > > Syntax error on line 54 of
> > > >
> > > /etc/apache2/modules.d/mod_security/modsecurity_crs_20_protoco
> > > l_violatio
> > > ns
> > > > .c
> > > > onf:
> > > > Error creating rule: Unknown variable: XML
> > > >
> > > > I don't know if this is because apache2 currently is
> > > running w/ modsec
> > > > 2.1.1
> > > > but w/o libxml2 line in conf, so it might check syntax for
> > > what it has
> > > at
> > > > hands before restarting and don't because of this as apache2
> never
> > > stops.
> > > > I
> > > > may have to stop it maunally and srat it again, not just restart
> BUT
> > > if it
> > > > still fail all my web services is down :-( I guess I have no
> option
> > > but
> > > > take
> > > > a chance and rely on you guys if it still fails. Faith was the
> word
> > > :-)
> > > >
> > > > Unfortunately,
> > > >
> > > > After stopping still
> > > >
> > > > merc ~ # /etc/init.d/apache2 start
> > > >  * Apache2 has detected a syntax error in your configuration
> files:
> > > > Syntax error on line 54 of
> > > >
> > > /etc/apache2/modules.d/mod_security/modsecurity_crs_20_protoco
> > > l_violatio
> > > ns
> > > > .c
> > > > onf:
> > > > Error creating rule: Unknown variable: XML
> > > >
> > > > Joakim
> > > >
> > > > > -----Original Message-----
> > > > > From: Ryan Barnett [mailto:Ryan.Barnett@...]
> > > > > Sent: 28 May 2007 17:54
> > > > > To: Joakim Schramm; Ofer Shezaf
> > > > > Cc: mod-security-users@...
> > > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2
question
> > > > >
> > > > > Did you add the following to your httpd.conf file before the
> > > > > ModSecurity LoadModule directive - LoadFile
> /usr/lib/libxml2.so.
> > > > >
> > > > > This is in the Installation section of the reference manual
> > > > > -http://www.modsecurity.org/documentation/modsecurity-apache/2
> > > > > .1.0/modse
> > > > > curity2-apache-reference.html#02-installation
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: mod-security-users-bounces@...
> > > [mailto:mod-
> > > > > > security-users-bounces@...] On Behalf
> > > Of Joakim
> > > > > Schramm
> > > > > > Sent: Monday, May 28, 2007 11:50 AM
> > > > > > To: Ofer Shezaf
> > > > > > Cc: mod-security-users@...
> > > > > > Subject: Re: [mod-security-users] Core rules 2.1-1.4b2
> question
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > > > Sent: 28 May 2007 17:05
> > > > > > > To: Joakim Schramm
> > > > > > > Cc: mod-security-users@...
> > > > > > > Subject: RE: [mod-security-users] Core rules
> > > 2.1-1.4b2 question
> > > > > > >
> > > > > > > Just one correction, if you want to remove the XML
> > > variable from
> > > > > > > the rules, it also appears in file #20.
> > > > > > >
> > > > > > Well I don't want to but have XML working. I looked at the
> make
> > > file
> > > > > as it
> > > > > > is in archive and it seem XML is on by default, and I have
> have
> > > > > libxml2
> > > > > > were
> > > > > > it says by default, so as far as I understand it "should"
> > > > > be compiled
> > > > > with
> > > > > > xml support, not sure why it isn't working though. I have
the
> > > whole
> > > > > output
> > > > > > from compile by Gentoo emerge packager and it appear to
> > > > > confirm xml is
> > > > > > compled in. Just pasting the relevant parts here, let me
know
> if
> > > you
> > > > > need
> > > > > > full output?
> > > > > >
> > > > > > D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG
> > > -pthread
> > > > > > -I/usr/include/apache2  -I/usr/include/apr-1
> > > -I/usr/include/apr-1
> > > > > > -I/usr/include/db4.5  -c -o
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/msc_xml.lo
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/msc_xml.c && touch
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/msc_xml.slo
> > > > > > /usr/bin/libtool --silent --mode=3Dcompile =
i686-pc-linux-gnu-
> gcc
> > > > > -prefer-pic
> > > > > > -march=3Dpentium4 -O2 -pipe  -DLINUX=3D2 -D_REENTRANT -
> D_GNU_SOURCE
> > > > > > -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -
> I/usr/include/apache2
> > > > > > -I/usr/include/apr-1 -
> > > > > > ...
> > > > > > www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-
> > > > > > dev1/apache2/persist_db
> > > > > > m.lo
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/pdf_protect.lo
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/msc_xml.lo
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/msc_util.lo
> > > > > >
> > > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > > pache_2.2.
> > > > > 0-
> > > > > > de
> > > > > > v1/apache2/msc_reqbody.lo /var/tmp/portage/net-
> > > > > >
> > > > > > So xml "should" really work, but it doesn't or is there
> > > > > something more
> > > > > > that
> > > > > > need to be done?
> > > > > >
> > > > > > Joakim
> > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Joakim Schramm [mailto:joakim@...]
> > > > > > > > Sent: Monday, May 28, 2007 5:58 PM
> > > > > > > > To: Ofer Shezaf
> > > > > > > > Cc: mod-security-users@...
> > > > > > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2
> > > question
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > > > > > Sent: 28 May 2007 16:49
> > > > > > > > > To: Joakim Schramm
> > > > > > > > > Subject: RE: [mod-security-users] Core rules
> > > > > 2.1-1.4b2 question
> > > > > > > > >
> > > > > > > > > Regarding XML - Avi is still investigating the
> > > > > problem (actually
> > > > > a
> > > > > > > > > solution) as we already know the problem. You
> > > have compiled
> > > > > > > > > ModSecurity without XML support, which is perfectly
> > > > > > > valid, but does
> > > > > > > > > not work with the new dev version of
> > > > > > > > >
> > > > > > > > > So you will need to either compile with XML support,
> wait
> > > till
> > > > > we
> > > > > > > > > find a generic solution, or just delete all the XML
> > > > > > > variables from
> > > > > > > > > the different rules (I think it is only in file #40)
> > > > > > > > >
> > > > > > > > > ~ Ofer
> > > > > > > >
> > > > > > > > Aha, I use Gentoo and simply reused the current ebuild
> for
> > > > > > > 2.1.1, so I
> > > > > > > > will have to figure out how to get xml support compiled
> in
> > > then
> > > > > ;-)
> > > > > > > >
> > > > > > > > Joakim
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > --------------------------------------------------------------
> > > > > ----------
> > > > > -
> > > > > > This SF.net email is sponsored by DB2 Express Download
> > > DB2 Express
> > > > > > C - the FREE version of DB2 express and take control of
> > > your XML.
> > > > > > No limits. Just data. Click to get it now.
> > > > > > http://sourceforge.net/powerbar/db2/
> > > > > > _______________________________________________
> > > > > > mod-security-users mailing list
> > > > > > mod-security-users@...
> > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-
> users
> > > > >
> > >
> > >

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Ryan Barnett <Ryan.Barnett@Breach.com>]

One more item - remove the "!" before the IfModule name as this means if
the module is not loaded.
=20
--=20
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
=20
=20

> -----Original Message-----
> From: Joakim Schramm [mailto:joakim@...]
> Sent: Monday, May 28, 2007 12:49 PM
> To: Ryan Barnett; Ofer Shezaf
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
>=20
>=20
>=20
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett@...]
> > Sent: 28 May 2007 18:33
> > To: Joakim Schramm; Ofer Shezaf
> > Cc: mod-security-users@...
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> >
> > You to have the XML LoadFile directive specified BEFORE the
> > ModSecurity LoadFile directive like this -
> >
> > <IfDefine SECURITY>
> >         <IfModule !mod_security2.c>
> >             LoadFile /usr/lib/libxml2.so
> >             LoadModule security2_module modules/mod_security2.so
> >         </IfModule>
> >
> >         # use Core Rule Set by default:
> >         Include /etc/apache2/modules.d/mod_security/*.conf
> > </IfDefine>
> >
> Unfortunately,
>=20
> It makes no difference. Right now I have no other option then remove
all
> XML
> variables as apache2 refuses to start as it is.
>=20
> Joakim
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Application Security Training
> > Web Application Security Consortium (WASC) Member CIS Apache
> > Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH,
> > GSNA, GCUX, GSEC
> > Author: Preventing Web Attacks with Apache
> >
> >
> >
> > > -----Original Message-----
> > > From: Joakim Schramm [mailto:joakim@...]
> > > Sent: Monday, May 28, 2007 12:28 PM
> > > To: Ryan Barnett; Ofer Shezaf
> > > Cc: mod-security-users@...
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > > This from my httpd.conf for
> > >
> > > <IfDefine SECURITY>
> > >         <IfModule !mod_security2.c>
> > >                 LoadModule security2_module
modules/mod_security2.so
> > >         </IfModule>
> > >
> > >         LoadFile /usr/lib/libxml2.so
> > >
> > >         # use Core Rule Set by default:
> > >         Include /etc/apache2/modules.d/mod_security/*.conf
> > > </IfDefine>
> > >
> > > merc ~ # locate libxml2.so
> > > /usr/lib/libxml2.so.2.6.28
> > > /usr/lib/libxml2.so.2
> > > /usr/lib/libxml2.so
> > >
> > > merc ~ # /etc/init.d/apache2 restart
> > >  * Apache2 has detected a syntax error in your configuration
files:
> > > Syntax error on line 54 of
> > >
> > /etc/apache2/modules.d/mod_security/modsecurity_crs_20_protoco
> > l_violatio
> > ns
> > > .c
> > > onf:
> > > Error creating rule: Unknown variable: XML
> > >
> > > I don't know if this is because apache2 currently is
> > running w/ modsec
> > > 2.1.1
> > > but w/o libxml2 line in conf, so it might check syntax for
> > what it has
> > at
> > > hands before restarting and don't because of this as apache2 never
> > stops.
> > > I
> > > may have to stop it maunally and srat it again, not just restart
BUT
> > if it
> > > still fail all my web services is down :-( I guess I have no
option
> > but
> > > take
> > > a chance and rely on you guys if it still fails. Faith was the
word
> > :-)
> > >
> > > Unfortunately,
> > >
> > > After stopping still
> > >
> > > merc ~ # /etc/init.d/apache2 start
> > >  * Apache2 has detected a syntax error in your configuration
files:
> > > Syntax error on line 54 of
> > >
> > /etc/apache2/modules.d/mod_security/modsecurity_crs_20_protoco
> > l_violatio
> > ns
> > > .c
> > > onf:
> > > Error creating rule: Unknown variable: XML
> > >
> > > Joakim
> > >
> > > > -----Original Message-----
> > > > From: Ryan Barnett [mailto:Ryan.Barnett@...]
> > > > Sent: 28 May 2007 17:54
> > > > To: Joakim Schramm; Ofer Shezaf
> > > > Cc: mod-security-users@...
> > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > > Did you add the following to your httpd.conf file before the
> > > > ModSecurity LoadModule directive - LoadFile /usr/lib/libxml2.so.
> > > >
> > > > This is in the Installation section of the reference manual
> > > > -http://www.modsecurity.org/documentation/modsecurity-apache/2
> > > > .1.0/modse
> > > > curity2-apache-reference.html#02-installation
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: mod-security-users-bounces@...
> > [mailto:mod-
> > > > > security-users-bounces@...] On Behalf
> > Of Joakim
> > > > Schramm
> > > > > Sent: Monday, May 28, 2007 11:50 AM
> > > > > To: Ofer Shezaf
> > > > > Cc: mod-security-users@...
> > > > > Subject: Re: [mod-security-users] Core rules 2.1-1.4b2
question
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > > Sent: 28 May 2007 17:05
> > > > > > To: Joakim Schramm
> > > > > > Cc: mod-security-users@...
> > > > > > Subject: RE: [mod-security-users] Core rules
> > 2.1-1.4b2 question
> > > > > >
> > > > > > Just one correction, if you want to remove the XML
> > variable from
> > > > > > the rules, it also appears in file #20.
> > > > > >
> > > > > Well I don't want to but have XML working. I looked at the
make
> > file
> > > > as it
> > > > > is in archive and it seem XML is on by default, and I have
have
> > > > libxml2
> > > > > were
> > > > > it says by default, so as far as I understand it "should"
> > > > be compiled
> > > > with
> > > > > xml support, not sure why it isn't working though. I have the
> > whole
> > > > output
> > > > > from compile by Gentoo emerge packager and it appear to
> > > > confirm xml is
> > > > > compled in. Just pasting the relevant parts here, let me know
if
> > you
> > > > need
> > > > > full output?
> > > > >
> > > > > D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG
> > -pthread
> > > > > -I/usr/include/apache2  -I/usr/include/apr-1
> > -I/usr/include/apr-1
> > > > > -I/usr/include/db4.5  -c -o
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/msc_xml.lo
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/msc_xml.c && touch
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/msc_xml.slo
> > > > > /usr/bin/libtool --silent --mode=3Dcompile =
i686-pc-linux-gnu-gcc
> > > > -prefer-pic
> > > > > -march=3Dpentium4 -O2 -pipe  -DLINUX=3D2 -D_REENTRANT
-D_GNU_SOURCE
> > > > > -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread
-I/usr/include/apache2
> > > > > -I/usr/include/apr-1 -
> > > > > ...
> > > > > www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-
> > > > > dev1/apache2/persist_db
> > > > > m.lo
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/pdf_protect.lo
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/msc_xml.lo
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/msc_util.lo
> > > > >
> > > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > > pache_2.2.
> > > > 0-
> > > > > de
> > > > > v1/apache2/msc_reqbody.lo /var/tmp/portage/net-
> > > > >
> > > > > So xml "should" really work, but it doesn't or is there
> > > > something more
> > > > > that
> > > > > need to be done?
> > > > >
> > > > > Joakim
> > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Joakim Schramm [mailto:joakim@...]
> > > > > > > Sent: Monday, May 28, 2007 5:58 PM
> > > > > > > To: Ofer Shezaf
> > > > > > > Cc: mod-security-users@...
> > > > > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2
> > question
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > > > > Sent: 28 May 2007 16:49
> > > > > > > > To: Joakim Schramm
> > > > > > > > Subject: RE: [mod-security-users] Core rules
> > > > 2.1-1.4b2 question
> > > > > > > >
> > > > > > > > Regarding XML - Avi is still investigating the
> > > > problem (actually
> > > > a
> > > > > > > > solution) as we already know the problem. You
> > have compiled
> > > > > > > > ModSecurity without XML support, which is perfectly
> > > > > > valid, but does
> > > > > > > > not work with the new dev version of
> > > > > > > >
> > > > > > > > So you will need to either compile with XML support,
wait
> > till
> > > > we
> > > > > > > > find a generic solution, or just delete all the XML
> > > > > > variables from
> > > > > > > > the different rules (I think it is only in file #40)
> > > > > > > >
> > > > > > > > ~ Ofer
> > > > > > >
> > > > > > > Aha, I use Gentoo and simply reused the current ebuild for
> > > > > > 2.1.1, so I
> > > > > > > will have to figure out how to get xml support compiled in
> > then
> > > > ;-)
> > > > > > >
> > > > > > > Joakim
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > --------------------------------------------------------------
> > > > ----------
> > > > -
> > > > > This SF.net email is sponsored by DB2 Express Download
> > DB2 Express
> > > > > C - the FREE version of DB2 express and take control of
> > your XML.
> > > > > No limits. Just data. Click to get it now.
> > > > > http://sourceforge.net/powerbar/db2/
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod-security-users@...
> > > > >
https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >
> >
> >

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Joakim Schramm <joakim@as...>]

 

> -----Original Message-----
> From: Ryan Barnett [mailto:Ryan.Barnett@...] 
> Sent: 28 May 2007 18:33
> To: Joakim Schramm; Ofer Shezaf
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> 
> You to have the XML LoadFile directive specified BEFORE the 
> ModSecurity LoadFile directive like this -
> 
> <IfDefine SECURITY>
>         <IfModule !mod_security2.c>
>             LoadFile /usr/lib/libxml2.so    
>             LoadModule security2_module modules/mod_security2.so
>         </IfModule>
> 
>         # use Core Rule Set by default:
>         Include /etc/apache2/modules.d/mod_security/*.conf
> </IfDefine>
> 
Unfortunately,

It makes no difference. Right now I have no other option then remove all XML
variables as apache2 refuses to start as it is.

Joakim
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training 
> Web Application Security Consortium (WASC) Member CIS Apache 
> Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH, 
> GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>  
>  
> 
> > -----Original Message-----
> > From: Joakim Schramm [mailto:joakim@...]
> > Sent: Monday, May 28, 2007 12:28 PM
> > To: Ryan Barnett; Ofer Shezaf
> > Cc: mod-security-users@...
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > 
> > This from my httpd.conf for
> > 
> > <IfDefine SECURITY>
> >         <IfModule !mod_security2.c>
> >                 LoadModule security2_module modules/mod_security2.so
> >         </IfModule>
> > 
> >         LoadFile /usr/lib/libxml2.so
> > 
> >         # use Core Rule Set by default:
> >         Include /etc/apache2/modules.d/mod_security/*.conf
> > </IfDefine>
> > 
> > merc ~ # locate libxml2.so
> > /usr/lib/libxml2.so.2.6.28
> > /usr/lib/libxml2.so.2
> > /usr/lib/libxml2.so
> > 
> > merc ~ # /etc/init.d/apache2 restart
> >  * Apache2 has detected a syntax error in your configuration files:
> > Syntax error on line 54 of
> >
> /etc/apache2/modules.d/mod_security/modsecurity_crs_20_protoco
> l_violatio
> ns
> > .c
> > onf:
> > Error creating rule: Unknown variable: XML
> > 
> > I don't know if this is because apache2 currently is 
> running w/ modsec
> > 2.1.1
> > but w/o libxml2 line in conf, so it might check syntax for 
> what it has
> at
> > hands before restarting and don't because of this as apache2 never
> stops.
> > I
> > may have to stop it maunally and srat it again, not just restart BUT
> if it
> > still fail all my web services is down :-( I guess I have no option
> but
> > take
> > a chance and rely on you guys if it still fails. Faith was the word
> :-)
> > 
> > Unfortunately,
> > 
> > After stopping still
> > 
> > merc ~ # /etc/init.d/apache2 start
> >  * Apache2 has detected a syntax error in your configuration files:
> > Syntax error on line 54 of
> >
> /etc/apache2/modules.d/mod_security/modsecurity_crs_20_protoco
> l_violatio
> ns
> > .c
> > onf:
> > Error creating rule: Unknown variable: XML
> > 
> > Joakim
> > 
> > > -----Original Message-----
> > > From: Ryan Barnett [mailto:Ryan.Barnett@...]
> > > Sent: 28 May 2007 17:54
> > > To: Joakim Schramm; Ofer Shezaf
> > > Cc: mod-security-users@...
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > > Did you add the following to your httpd.conf file before the 
> > > ModSecurity LoadModule directive - LoadFile /usr/lib/libxml2.so.
> > >
> > > This is in the Installation section of the reference manual
> > > -http://www.modsecurity.org/documentation/modsecurity-apache/2
> > > .1.0/modse
> > > curity2-apache-reference.html#02-installation
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: mod-security-users-bounces@...
> [mailto:mod-
> > > > security-users-bounces@...] On Behalf 
> Of Joakim
> > > Schramm
> > > > Sent: Monday, May 28, 2007 11:50 AM
> > > > To: Ofer Shezaf
> > > > Cc: mod-security-users@...
> > > > Subject: Re: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > Sent: 28 May 2007 17:05
> > > > > To: Joakim Schramm
> > > > > Cc: mod-security-users@...
> > > > > Subject: RE: [mod-security-users] Core rules 
> 2.1-1.4b2 question
> > > > >
> > > > > Just one correction, if you want to remove the XML 
> variable from 
> > > > > the rules, it also appears in file #20.
> > > > >
> > > > Well I don't want to but have XML working. I looked at the make
> file
> > > as it
> > > > is in archive and it seem XML is on by default, and I have have
> > > libxml2
> > > > were
> > > > it says by default, so as far as I understand it "should"
> > > be compiled
> > > with
> > > > xml support, not sure why it isn't working though. I have the
> whole
> > > output
> > > > from compile by Gentoo emerge packager and it appear to
> > > confirm xml is
> > > > compled in. Just pasting the relevant parts here, let me know if
> you
> > > need
> > > > full output?
> > > >
> > > > D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG
> -pthread
> > > > -I/usr/include/apache2  -I/usr/include/apr-1
> -I/usr/include/apr-1
> > > > -I/usr/include/db4.5  -c -o
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/msc_xml.lo
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/msc_xml.c && touch
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/msc_xml.slo
> > > > /usr/bin/libtool --silent --mode=compile i686-pc-linux-gnu-gcc
> > > -prefer-pic
> > > > -march=pentium4 -O2 -pipe  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE 
> > > > -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2
> > > > -I/usr/include/apr-1 -
> > > > ...
> > > > www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-
> > > > dev1/apache2/persist_db
> > > > m.lo
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/pdf_protect.lo
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/msc_xml.lo
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/msc_util.lo
> > > >
> > > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > > pache_2.2.
> > > 0-
> > > > de
> > > > v1/apache2/msc_reqbody.lo /var/tmp/portage/net-
> > > >
> > > > So xml "should" really work, but it doesn't or is there
> > > something more
> > > > that
> > > > need to be done?
> > > >
> > > > Joakim
> > > >
> > > > > > -----Original Message-----
> > > > > > From: Joakim Schramm [mailto:joakim@...]
> > > > > > Sent: Monday, May 28, 2007 5:58 PM
> > > > > > To: Ofer Shezaf
> > > > > > Cc: mod-security-users@...
> > > > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2
> question
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > > > Sent: 28 May 2007 16:49
> > > > > > > To: Joakim Schramm
> > > > > > > Subject: RE: [mod-security-users] Core rules
> > > 2.1-1.4b2 question
> > > > > > >
> > > > > > > Regarding XML - Avi is still investigating the
> > > problem (actually
> > > a
> > > > > > > solution) as we already know the problem. You 
> have compiled 
> > > > > > > ModSecurity without XML support, which is perfectly
> > > > > valid, but does
> > > > > > > not work with the new dev version of
> > > > > > >
> > > > > > > So you will need to either compile with XML support, wait
> till
> > > we
> > > > > > > find a generic solution, or just delete all the XML
> > > > > variables from
> > > > > > > the different rules (I think it is only in file #40)
> > > > > > >
> > > > > > > ~ Ofer
> > > > > >
> > > > > > Aha, I use Gentoo and simply reused the current ebuild for
> > > > > 2.1.1, so I
> > > > > > will have to figure out how to get xml support compiled in
> then
> > > ;-)
> > > > > >
> > > > > > Joakim
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > --------------------------------------------------------------
> > > ----------
> > > -
> > > > This SF.net email is sponsored by DB2 Express Download 
> DB2 Express 
> > > > C - the FREE version of DB2 express and take control of 
> your XML. 
> > > > No limits. Just data. Click to get it now.
> > > > http://sourceforge.net/powerbar/db2/
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod-security-users@...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >
> 
> 

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Ryan Barnett <Ryan.Barnett@Breach.com>]

You to have the XML LoadFile directive specified BEFORE the ModSecurity
LoadFile directive like this -

<IfDefine SECURITY>
        <IfModule !mod_security2.c>
            LoadFile /usr/lib/libxml2.so   =20
            LoadModule security2_module modules/mod_security2.so
        </IfModule>

        # use Core Rule Set by default:
        Include /etc/apache2/modules.d/mod_security/*.conf
</IfDefine>

--=20
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
=20
=20

> -----Original Message-----
> From: Joakim Schramm [mailto:joakim@...]
> Sent: Monday, May 28, 2007 12:28 PM
> To: Ryan Barnett; Ofer Shezaf
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
>=20
> This from my httpd.conf for
>=20
> <IfDefine SECURITY>
>         <IfModule !mod_security2.c>
>                 LoadModule security2_module modules/mod_security2.so
>         </IfModule>
>=20
>         LoadFile /usr/lib/libxml2.so
>=20
>         # use Core Rule Set by default:
>         Include /etc/apache2/modules.d/mod_security/*.conf
> </IfDefine>
>=20
> merc ~ # locate libxml2.so
> /usr/lib/libxml2.so.2.6.28
> /usr/lib/libxml2.so.2
> /usr/lib/libxml2.so
>=20
> merc ~ # /etc/init.d/apache2 restart
>  * Apache2 has detected a syntax error in your configuration files:
> Syntax error on line 54 of
>
/etc/apache2/modules.d/mod_security/modsecurity_crs_20_protocol_violatio
ns
> .c
> onf:
> Error creating rule: Unknown variable: XML
>=20
> I don't know if this is because apache2 currently is running w/ modsec
> 2.1.1
> but w/o libxml2 line in conf, so it might check syntax for what it has
at
> hands before restarting and don't because of this as apache2 never
stops.
> I
> may have to stop it maunally and srat it again, not just restart BUT
if it
> still fail all my web services is down :-( I guess I have no option
but
> take
> a chance and rely on you guys if it still fails. Faith was the word
:-)
>=20
> Unfortunately,
>=20
> After stopping still
>=20
> merc ~ # /etc/init.d/apache2 start
>  * Apache2 has detected a syntax error in your configuration files:
> Syntax error on line 54 of
>
/etc/apache2/modules.d/mod_security/modsecurity_crs_20_protocol_violatio
ns
> .c
> onf:
> Error creating rule: Unknown variable: XML
>=20
> Joakim
>=20
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett@...]
> > Sent: 28 May 2007 17:54
> > To: Joakim Schramm; Ofer Shezaf
> > Cc: mod-security-users@...
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> >
> > Did you add the following to your httpd.conf file before the
> > ModSecurity LoadModule directive - LoadFile /usr/lib/libxml2.so.
> >
> > This is in the Installation section of the reference manual
> > -http://www.modsecurity.org/documentation/modsecurity-apache/2
> > .1.0/modse
> > curity2-apache-reference.html#02-installation
> >
> >
> >
> > > -----Original Message-----
> > > From: mod-security-users-bounces@...
[mailto:mod-
> > > security-users-bounces@...] On Behalf Of Joakim
> > Schramm
> > > Sent: Monday, May 28, 2007 11:50 AM
> > > To: Ofer Shezaf
> > > Cc: mod-security-users@...
> > > Subject: Re: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > Sent: 28 May 2007 17:05
> > > > To: Joakim Schramm
> > > > Cc: mod-security-users@...
> > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > > Just one correction, if you want to remove the XML variable
> > > > from the rules, it also appears in file #20.
> > > >
> > > Well I don't want to but have XML working. I looked at the make
file
> > as it
> > > is in archive and it seem XML is on by default, and I have have
> > libxml2
> > > were
> > > it says by default, so as far as I understand it "should"
> > be compiled
> > with
> > > xml support, not sure why it isn't working though. I have the
whole
> > output
> > > from compile by Gentoo emerge packager and it appear to
> > confirm xml is
> > > compled in. Just pasting the relevant parts here, let me know if
you
> > need
> > > full output?
> > >
> > > D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG
-pthread
> > > -I/usr/include/apache2  -I/usr/include/apr-1
-I/usr/include/apr-1
> > > -I/usr/include/db4.5  -c -o
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/msc_xml.lo
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/msc_xml.c && touch
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/msc_xml.slo
> > > /usr/bin/libtool --silent --mode=3Dcompile i686-pc-linux-gnu-gcc
> > -prefer-pic
> > > -march=3Dpentium4 -O2 -pipe  -DLINUX=3D2 -D_REENTRANT =
-D_GNU_SOURCE
> > > -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2
> > > -I/usr/include/apr-1 -
> > > ...
> > > www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-
> > > dev1/apache2/persist_db
> > > m.lo
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/pdf_protect.lo
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/msc_xml.lo
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/msc_util.lo
> > >
> > /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> > pache_2.2.
> > 0-
> > > de
> > > v1/apache2/msc_reqbody.lo /var/tmp/portage/net-
> > >
> > > So xml "should" really work, but it doesn't or is there
> > something more
> > > that
> > > need to be done?
> > >
> > > Joakim
> > >
> > > > > -----Original Message-----
> > > > > From: Joakim Schramm [mailto:joakim@...]
> > > > > Sent: Monday, May 28, 2007 5:58 PM
> > > > > To: Ofer Shezaf
> > > > > Cc: mod-security-users@...
> > > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2
question
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > > Sent: 28 May 2007 16:49
> > > > > > To: Joakim Schramm
> > > > > > Subject: RE: [mod-security-users] Core rules
> > 2.1-1.4b2 question
> > > > > >
> > > > > > Regarding XML - Avi is still investigating the
> > problem (actually
> > a
> > > > > > solution) as we already know the problem. You have compiled
> > > > > > ModSecurity without XML support, which is perfectly
> > > > valid, but does
> > > > > > not work with the new dev version of
> > > > > >
> > > > > > So you will need to either compile with XML support, wait
till
> > we
> > > > > > find a generic solution, or just delete all the XML
> > > > variables from
> > > > > > the different rules (I think it is only in file #40)
> > > > > >
> > > > > > ~ Ofer
> > > > >
> > > > > Aha, I use Gentoo and simply reused the current ebuild for
> > > > 2.1.1, so I
> > > > > will have to figure out how to get xml support compiled in
then
> > ;-)
> > > > >
> > > > > Joakim
> > > >
> > > >
> > >
> > >
> > >
> > --------------------------------------------------------------
> > ----------
> > -
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod-security-users@...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Joakim Schramm <joakim@as...>]

This from my httpd.conf for

<IfDefine SECURITY>
        <IfModule !mod_security2.c>
                LoadModule security2_module modules/mod_security2.so
        </IfModule>

        LoadFile /usr/lib/libxml2.so

        # use Core Rule Set by default:
        Include /etc/apache2/modules.d/mod_security/*.conf
</IfDefine>

merc ~ # locate libxml2.so
/usr/lib/libxml2.so.2.6.28
/usr/lib/libxml2.so.2
/usr/lib/libxml2.so

merc ~ # /etc/init.d/apache2 restart
 * Apache2 has detected a syntax error in your configuration files:
Syntax error on line 54 of
/etc/apache2/modules.d/mod_security/modsecurity_crs_20_protocol_violations.c
onf:
Error creating rule: Unknown variable: XML

I don't know if this is because apache2 currently is running w/ modsec 2.1.1
but w/o libxml2 line in conf, so it might check syntax for what it has at
hands before restarting and don't because of this as apache2 never stops. I
may have to stop it maunally and srat it again, not just restart BUT if it
still fail all my web services is down :-( I guess I have no option but take
a chance and rely on you guys if it still fails. Faith was the word :-)

Unfortunately,

After stopping still 

merc ~ # /etc/init.d/apache2 start
 * Apache2 has detected a syntax error in your configuration files:
Syntax error on line 54 of
/etc/apache2/modules.d/mod_security/modsecurity_crs_20_protocol_violations.c
onf:
Error creating rule: Unknown variable: XML
 
Joakim

> -----Original Message-----
> From: Ryan Barnett [mailto:Ryan.Barnett@...] 
> Sent: 28 May 2007 17:54
> To: Joakim Schramm; Ofer Shezaf
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> 
> Did you add the following to your httpd.conf file before the 
> ModSecurity LoadModule directive - LoadFile /usr/lib/libxml2.so.
> 
> This is in the Installation section of the reference manual 
> -http://www.modsecurity.org/documentation/modsecurity-apache/2
> .1.0/modse
> curity2-apache-reference.html#02-installation
> 
> Ryan C. Barnett
> Director of Application Security Training Breach Security, Inc. 
> Phone: 703-794-2248
> Cell: 703-269-8998
> Ryan.Barnett@...
> http://www.Breach.com
>  
> 
> > -----Original Message-----
> > From: mod-security-users-bounces@... [mailto:mod-
> > security-users-bounces@...] On Behalf Of Joakim
> Schramm
> > Sent: Monday, May 28, 2007 11:50 AM
> > To: Ofer Shezaf
> > Cc: mod-security-users@...
> > Subject: Re: [mod-security-users] Core rules 2.1-1.4b2 question
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Ofer Shezaf [mailto:OferS@...]
> > > Sent: 28 May 2007 17:05
> > > To: Joakim Schramm
> > > Cc: mod-security-users@...
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > > Just one correction, if you want to remove the XML variable
> > > from the rules, it also appears in file #20.
> > >
> > Well I don't want to but have XML working. I looked at the make file
> as it
> > is in archive and it seem XML is on by default, and I have have
> libxml2
> > were
> > it says by default, so as far as I understand it "should" 
> be compiled
> with
> > xml support, not sure why it isn't working though. I have the whole
> output
> > from compile by Gentoo emerge packager and it appear to 
> confirm xml is
> > compled in. Just pasting the relevant parts here, let me know if you
> need
> > full output?
> > 
> > D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread
> > -I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1
> > -I/usr/include/db4.5  -c -o
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/msc_xml.lo
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/msc_xml.c && touch
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/msc_xml.slo
> > /usr/bin/libtool --silent --mode=compile i686-pc-linux-gnu-gcc
> -prefer-pic
> > -march=pentium4 -O2 -pipe  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE
> > -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2
> > -I/usr/include/apr-1 -
> > ...
> > www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-
> > dev1/apache2/persist_db
> > m.lo
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/pdf_protect.lo
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/msc_xml.lo
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/msc_util.lo
> >
> /var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-a
> pache_2.2.
> 0-
> > de
> > v1/apache2/msc_reqbody.lo /var/tmp/portage/net-
> > 
> > So xml "should" really work, but it doesn't or is there 
> something more
> > that
> > need to be done?
> > 
> > Joakim
> > 
> > > > -----Original Message-----
> > > > From: Joakim Schramm [mailto:joakim@...]
> > > > Sent: Monday, May 28, 2007 5:58 PM
> > > > To: Ofer Shezaf
> > > > Cc: mod-security-users@...
> > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > > Sent: 28 May 2007 16:49
> > > > > To: Joakim Schramm
> > > > > Subject: RE: [mod-security-users] Core rules 
> 2.1-1.4b2 question
> > > > >
> > > > > Regarding XML - Avi is still investigating the 
> problem (actually
> a
> > > > > solution) as we already know the problem. You have compiled
> > > > > ModSecurity without XML support, which is perfectly
> > > valid, but does
> > > > > not work with the new dev version of
> > > > >
> > > > > So you will need to either compile with XML support, wait till
> we
> > > > > find a generic solution, or just delete all the XML
> > > variables from
> > > > > the different rules (I think it is only in file #40)
> > > > >
> > > > > ~ Ofer
> > > >
> > > > Aha, I use Gentoo and simply reused the current ebuild for
> > > 2.1.1, so I
> > > > will have to figure out how to get xml support compiled in then
> ;-)
> > > >
> > > > Joakim
> > >
> > >
> > 
> > 
> >
> --------------------------------------------------------------
> ----------
> -
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Ryan Barnett <Ryan.Barnett@Breach.com>]

Did you add the following to your httpd.conf file before the ModSecurity
LoadModule directive - LoadFile /usr/lib/libxml2.so.

This is in the Installation section of the reference manual
-http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modse
curity2-apache-reference.html#02-installation

Ryan C. Barnett
Director of Application Security Training
Breach Security, Inc.=20
Phone: 703-794-2248
Cell: 703-269-8998=20
Ryan.Barnett@...
 http://www.Breach.com
=20

> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of Joakim
Schramm
> Sent: Monday, May 28, 2007 11:50 AM
> To: Ofer Shezaf
> Cc: mod-security-users@...
> Subject: Re: [mod-security-users] Core rules 2.1-1.4b2 question
>=20
>=20
>=20
> > -----Original Message-----
> > From: Ofer Shezaf [mailto:OferS@...]
> > Sent: 28 May 2007 17:05
> > To: Joakim Schramm
> > Cc: mod-security-users@...
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> >
> > Just one correction, if you want to remove the XML variable
> > from the rules, it also appears in file #20.
> >
> Well I don't want to but have XML working. I looked at the make file
as it
> is in archive and it seem XML is on by default, and I have have
libxml2
> were
> it says by default, so as far as I understand it "should" be compiled
with
> xml support, not sure why it isn't working though. I have the whole
output
> from compile by Gentoo emerge packager and it appear to confirm xml is
> compled in. Just pasting the relevant parts here, let me know if you
need
> full output?
>=20
> D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread
> -I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1
> -I/usr/include/db4.5  -c -o
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/msc_xml.lo
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/msc_xml.c && touch
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/msc_xml.slo
> /usr/bin/libtool --silent --mode=3Dcompile i686-pc-linux-gnu-gcc
-prefer-pic
> -march=3Dpentium4 -O2 -pipe  -DLINUX=3D2 -D_REENTRANT -D_GNU_SOURCE
> -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2
> -I/usr/include/apr-1 -
> ...
> www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-
> dev1/apache2/persist_db
> m.lo
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/pdf_protect.lo
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/msc_xml.lo
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/msc_util.lo
>
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.
0-
> de
> v1/apache2/msc_reqbody.lo /var/tmp/portage/net-
>=20
> So xml "should" really work, but it doesn't or is there something more
> that
> need to be done?
>=20
> Joakim
>=20
> > > -----Original Message-----
> > > From: Joakim Schramm [mailto:joakim@...]
> > > Sent: Monday, May 28, 2007 5:58 PM
> > > To: Ofer Shezaf
> > > Cc: mod-security-users@...
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Ofer Shezaf [mailto:OferS@...]
> > > > Sent: 28 May 2007 16:49
> > > > To: Joakim Schramm
> > > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > > Regarding XML - Avi is still investigating the problem (actually
a
> > > > solution) as we already know the problem. You have compiled
> > > > ModSecurity without XML support, which is perfectly
> > valid, but does
> > > > not work with the new dev version of
> > > >
> > > > So you will need to either compile with XML support, wait till
we
> > > > find a generic solution, or just delete all the XML
> > variables from
> > > > the different rules (I think it is only in file #40)
> > > >
> > > > ~ Ofer
> > >
> > > Aha, I use Gentoo and simply reused the current ebuild for
> > 2.1.1, so I
> > > will have to figure out how to get xml support compiled in then
;-)
> > >
> > > Joakim
> >
> >
>=20
>=20
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Joakim Schramm <joakim@as...>]

 

> -----Original Message-----
> From: Ofer Shezaf [mailto:OferS@...] 
> Sent: 28 May 2007 17:05
> To: Joakim Schramm
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> 
> Just one correction, if you want to remove the XML variable 
> from the rules, it also appears in file #20.
> 
Well I don't want to but have XML working. I looked at the make file as it
is in archive and it seem XML is on by default, and I have have libxml2 were
it says by default, so as far as I understand it "should" be compiled with
xml support, not sure why it isn't working though. I have the whole output
from compile by Gentoo emerge packager and it appear to confirm xml is
compled in. Just pasting the relevant parts here, let me know if you need
full output?

D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread
-I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1
-I/usr/include/db4.5  -c -o
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/msc_xml.lo
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/msc_xml.c && touch
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/msc_xml.slo
/usr/bin/libtool --silent --mode=compile i686-pc-linux-gnu-gcc -prefer-pic
-march=pentium4 -O2 -pipe  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE
-D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2
-I/usr/include/apr-1 -  
...
www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-dev1/apache2/persist_db
m.lo
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/pdf_protect.lo
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/msc_xml.lo
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/msc_util.lo
/var/tmp/portage/net-www/mod_security-2.2.0/work/modsecurity-apache_2.2.0-de
v1/apache2/msc_reqbody.lo /var/tmp/portage/net-

So xml "should" really work, but it doesn't or is there something more that
need to be done?

Joakim

> > -----Original Message-----
> > From: Joakim Schramm [mailto:joakim@...]
> > Sent: Monday, May 28, 2007 5:58 PM
> > To: Ofer Shezaf
> > Cc: mod-security-users@...
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Ofer Shezaf [mailto:OferS@...]
> > > Sent: 28 May 2007 16:49
> > > To: Joakim Schramm
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > > Regarding XML - Avi is still investigating the problem (actually a
> > > solution) as we already know the problem. You have compiled 
> > > ModSecurity without XML support, which is perfectly 
> valid, but does 
> > > not work with the new dev version of
> > >
> > > So you will need to either compile with XML support, wait till we 
> > > find a generic solution, or just delete all the XML 
> variables from 
> > > the different rules (I think it is only in file #40)
> > >
> > > ~ Ofer
> > 
> > Aha, I use Gentoo and simply reused the current ebuild for 
> 2.1.1, so I 
> > will have to figure out how to get xml support compiled in then ;-)
> > 
> > Joakim
> 
> 

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Ofer Shezaf <OferS@Breach.com>]

Just one correction, if you want to remove the XML variable from the
rules, it also appears in file #20.

> -----Original Message-----
> From: Joakim Schramm [mailto:joakim@...]
> Sent: Monday, May 28, 2007 5:58 PM
> To: Ofer Shezaf
> Cc: mod-security-users@...
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
>=20
>=20
>=20
> > -----Original Message-----
> > From: Ofer Shezaf [mailto:OferS@...]
> > Sent: 28 May 2007 16:49
> > To: Joakim Schramm
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> >
> > Regarding XML - Avi is still investigating the problem (actually a
> > solution) as we already know the problem. You have compiled
> > ModSecurity without XML support, which is perfectly valid,
> > but does not work with the new dev version of
> >
> > So you will need to either compile with XML support, wait
> > till we find a generic solution, or just delete all the XML
> > variables from the different rules (I think it is only in file #40)
> >
> > ~ Ofer
>=20
> Aha, I use Gentoo and simply reused the current ebuild for 2.1.1, so I
> will
> have to figure out how to get xml support compiled in then ;-)
>=20
> Joakim

Re: [mod-security-users] What is this? Can you please explain?

[Albert E. Whale <aewhale@ABS-CompTech.com>]

Thank you.  Since this is a Mandriva release of the Mod_Security package 
I can review the information and fix it for me, and also the Mandriva 
distribution ... this may help a few other newcomers as well.

Thank you!

Ofer Shezaf wrote:
> Actually Albert might be right. Some versions of Apache use an internal
> keep alive pinger that issues a request without a host name.
>
> The Core Rule Set have a specific exclusion for that, but this rule is
> probably not part of the Core Rule Set (no rule ID) and blocks this
> request.
>
> In order to verify we will need the entire request as you can find in
> the audit log.
>
> So in order to permit it: either use the core rule set instead of the
> rules you use or refer to Ryan's recent blog entry on creating
> exceptions
> http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
>
> ~ Ofer
>
>   
>> -----Original Message-----
>> From: mod-security-users-bounces@... [mailto:mod-
>> security-users-bounces@...] On Behalf Of Christian
>> Bockermann
>> Sent: Monday, May 28, 2007 11:20 AM
>> To: aewhale@...
>> Cc: mod-security-users@...
>> Subject: Re: [mod-security-users] What is this? Can you please
>>     
> explain?
>   
>> Hi Albert!
>>
>> In this case it is not the fact that it's the localhost, but a matter
>> of
>> a missing/empty Accept-Header in the request. Do you use the
>>     
> core-rules
>   
>> or any custom-made ruleset?
>>
>> The core rules contain some checks that complain if an Accept-header
>>     
> is
>   
>> missing. This is a problem I observed with some RSS-clients for
>> example.
>> According to the RFC the Accept-header is optional.
>>
>> Regards,
>>      Chris
>>
>>
>> Am 28.05.2007 um 05:26 schrieb Albert E. Whale:
>>
>>     
>>> Too me this appears to indicate that the localhost is not permitted
>>> to test the root level of the web Server.  Why?
>>>
>>> [Sun May 27 23:24:03 2007] [error] [client 127.0.0.1] mod_security:
>>> Access denied with code 500. Pattern match "^$" at HEADER("Accept")
>>> [severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"] [unique_id
>>> "R9xVQH8AAAEAAAN2kzoAAAAF"]
>>>
>>> Where can I permit this?
>>>
>>> --
>>> Albert E. Whale, CHS CISA CISSP
>>> Sr. Security, Network, Risk Assessment and Systems Consultant
>>> ABS Computer Technology, Inc. - Email, Internet and Security
>>> Consultants
>>> SPAMZapper - No-JunkMail.com - True Spam Elimination.
>>>
>>>       
> ---------------------------------------------------------------------
>   
>> -
>>     
>>> ---
>>> This SF.net email is sponsored by DB2 Express
>>> Download DB2 Express C - the FREE version of DB2 express and take
>>> control of your XML. No limits. Just data. Click to get it now.
>>> http://sourceforge.net/powerbar/db2/
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod-security-users@...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>       
>>
>>     
> -----------------------------------------------------------------------
>   
>> --
>> This SF.net email is sponsored by DB2 Express
>> Download DB2 Express C - the FREE version of DB2 express and take
>> control of your XML. No limits. Just data. Click to get it now.
>> http://sourceforge.net/powerbar/db2/
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>     
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
>   


-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com>; - Email, 
Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com>; - No-JunkMail.com 
<http://www.No-JunkMail.com>; - *True Spam Elimination*.

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Joakim Schramm <joakim@as...>]

 

> -----Original Message-----
> From: Ofer Shezaf [mailto:OferS@...] 
> Sent: 28 May 2007 16:49
> To: Joakim Schramm
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> 
> Regarding XML - Avi is still investigating the problem (actually a
> solution) as we already know the problem. You have compiled 
> ModSecurity without XML support, which is perfectly valid, 
> but does not work with the new dev version of 
> 
> So you will need to either compile with XML support, wait 
> till we find a generic solution, or just delete all the XML 
> variables from the different rules (I think it is only in file #40)
> 
> ~ Ofer

Aha, I use Gentoo and simply reused the current ebuild for 2.1.1, so I will
have to figure out how to get xml support compiled in then ;-)

Joakim

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Joakim Schramm <joakim@as...>]

 Well I don't want to be picky but.., I initially sent this to the list, and
you must then have replied directly to me rather then to the list and I then
replied on your email... ;-)

All the best,

Joakim
> -----Original Message-----
> From: Ofer Shezaf [mailto:OferS@...] 
> Sent: 28 May 2007 15:49
> To: Joakim Schramm
> Cc: Avi Aminov
> Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> 
> 
> We are looking into it. Generally speaking we prefer to keep 
> such discussion to the mailing list so it can help everyone.
> 
> ~ Ofer
> 
> > -----Original Message-----
> > From: Joakim Schramm [mailto:joakim@...]
> > Sent: Monday, May 28, 2007 4:30 PM
> > To: Ofer Shezaf
> > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > 
> > Well finally tested the dev ruleset but got this error on 
> restarting 
> > apache
> > 2.2
> > 
> > * Apache2 has detected a syntax error in your configuration files:
> > Syntax error on line 54 of
> >
> /etc/apache2/modules.d/mod_security2_crs/modsecurity_crs_20_pr
> otocol_vi
> > olati
> > ons.conf:
> > Error creating rule: Unknown variable: XML
> > 
> > I use modsec 2.1.1, do I need the the dev version to use 
> the dev rules 
> > or?
> > 
> > Joakim
> > 
> > > -----Original Message-----
> > > From: Ofer Shezaf [mailto:OferS@...]
> > > Sent: 28 May 2007 14:31
> > > To: Joakim Schramm; mod-security-users@...
> > > Subject: RE: [mod-security-users] Core rules 2.1-1.4b2 question
> > >
> > > I think it is a bug, though it has no effect what so ever on the 
> > > rule set functionality. So it is a "visual" bug. Anyway, we will 
> > > look into it.
> > >
> > > ~ Ofer Shezaf
> > > Core Rule Set project leader
> > > CTO, Breach Security
> > >
> > > > -----Original Message-----
> > > > From: mod-security-users-bounces@...
> [mailto:mod-
> > > > security-users-bounces@...] On Behalf 
> Of Joakim 
> > > > Schramm
> > > > Sent: Monday, May 28, 2007 3:23 PM
> > > > To: mod-security-users@...
> > > > Subject: [mod-security-users] Core rules 2.1-1.4b2 question
> > > >
> > > > Hi,
> > > >
> > > > When I look at the core rules dev version and compare 
> it with my 
> > > > current rulesets I notice several rules have changed 
> just by now 
> > > > having a dubble comma (like ,,) in the argument part. Is this 
> > > > intentional or just a result of "hastyness" in typing aka a bug?
> > > >
> > > > Regards,
> > > >
> > > > Joakim
> > > >
> > > >
> > > >
> > > --------------------------------------------------------------
> > > ---------
> > > > --
> > > > This SF.net email is sponsored by DB2 Express Download DB2
> > > Express C -
> > > > the FREE version of DB2 express and take control of 
> your XML. No 
> > > > limits. Just data. Click to get it now.
> > > > http://sourceforge.net/powerbar/db2/
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod-security-users@...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >
> 
> 

Re: [mod-security-users] Core rules 2.1-1.4b2 question

[Ofer Shezaf <OferS@Breach.com>]

I think it is a bug, though it has no effect what so ever on the rule
set functionality. So it is a "visual" bug. Anyway, we will look into
it.

~ Ofer Shezaf
Core Rule Set project leader
CTO, Breach Security

> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of Joakim
> Schramm
> Sent: Monday, May 28, 2007 3:23 PM
> To: mod-security-users@...
> Subject: [mod-security-users] Core rules 2.1-1.4b2 question
>=20
> Hi,
>=20
> When I look at the core rules dev version and compare it with my
> current
> rulesets I notice several rules have changed just by now having a
> dubble
> comma (like ,,) in the argument part. Is this intentional or just a
> result
> of "hastyness" in typing aka a bug?
>=20
> Regards,
>=20
> Joakim
>=20
>=20
>
-----------------------------------------------------------------------
> --
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

[mod-security-users] Core rules 2.1-1.4b2 question

[Joakim Schramm <joakim@as...>]

Hi,

When I look at the core rules dev version and compare it with my current
rulesets I notice several rules have changed just by now having a dubble
comma (like ,,) in the argument part. Is this intentional or just a result
of "hastyness" in typing aka a bug?

Regards,

Joakim

Re: [mod-security-users] What is this? Can you please explain?

[Ofer Shezaf <OferS@Breach.com>]

Actually Albert might be right. Some versions of Apache use an internal
keep alive pinger that issues a request without a host name.

The Core Rule Set have a specific exclusion for that, but this rule is
probably not part of the Core Rule Set (no rule ID) and blocks this
request.

In order to verify we will need the entire request as you can find in
the audit log.

So in order to permit it: either use the core rule set instead of the
rules you use or refer to Ryan's recent blog entry on creating
exceptions
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

~ Ofer

> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of Christian
> Bockermann
> Sent: Monday, May 28, 2007 11:20 AM
> To: aewhale@...
> Cc: mod-security-users@...
> Subject: Re: [mod-security-users] What is this? Can you please
explain?
>=20
> Hi Albert!
>=20
> In this case it is not the fact that it's the localhost, but a matter
> of
> a missing/empty Accept-Header in the request. Do you use the
core-rules
> or any custom-made ruleset?
>=20
> The core rules contain some checks that complain if an Accept-header
is
> missing. This is a problem I observed with some RSS-clients for
> example.
> According to the RFC the Accept-header is optional.
>=20
> Regards,
>      Chris
>=20
>=20
> Am 28.05.2007 um 05:26 schrieb Albert E. Whale:
>=20
> > Too me this appears to indicate that the localhost is not permitted
> > to test the root level of the web Server.  Why?
> >
> > [Sun May 27 23:24:03 2007] [error] [client 127.0.0.1] mod_security:
> > Access denied with code 500. Pattern match "^$" at HEADER("Accept")
> > [severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"] [unique_id
> > "R9xVQH8AAAEAAAN2kzoAAAAF"]
> >
> > Where can I permit this?
> >
> > --
> > Albert E. Whale, CHS CISA CISSP
> > Sr. Security, Network, Risk Assessment and Systems Consultant
> > ABS Computer Technology, Inc. - Email, Internet and Security
> > Consultants
> > SPAMZapper - No-JunkMail.com - True Spam Elimination.
> >
---------------------------------------------------------------------
> -
> > ---
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>=20
>=20
>
-----------------------------------------------------------------------
> --
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: [mod-security-users] Installation issue with mod_security2

[Alberto Gonzalez Iniesta <agi@in...>]

On Sun, May 27, 2007 at 09:51:00PM +0200, kroc69 wrote:
> Hi all
> 
> I just trying from yesterday to install mod_security2 on a Etch distro 
> and nether the less my attempts I have always that error message
> 
> /usr/share/apr-1.0/build/libtool: line 1222: i486-linux-gnu-gcc: command 
> not found.
> 
> I follow the ModSecurity Reference Manual Installation part and put into 
> the Makefile what I think/hope is the top_dir which is for me 
> /usr/share/apache2. I also installed the module mod_unique_id.
> 
> What's going wrong from your input, please ?
> 
> thanks in advance

You may want to try the Debian packages at:

http://etc.inittab.org/~agi/debian/libapache-mod-security2/

Regards,

Alberto
-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3

Re: [mod-security-users] What is this? Can you please explain?

[Christian Bockermann <chris@jw...>]

Hi Albert!

In this case it is not the fact that it's the localhost, but a matter of
a missing/empty Accept-Header in the request. Do you use the core-rules
or any custom-made ruleset?

The core rules contain some checks that complain if an Accept-header is
missing. This is a problem I observed with some RSS-clients for example.
According to the RFC the Accept-header is optional.

Regards,
     Chris


Am 28.05.2007 um 05:26 schrieb Albert E. Whale:

> Too me this appears to indicate that the localhost is not permitted  
> to test the root level of the web Server.  Why?
>
> [Sun May 27 23:24:03 2007] [error] [client 127.0.0.1] mod_security:  
> Access denied with code 500. Pattern match "^$" at HEADER("Accept")  
> [severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"] [unique_id  
> "R9xVQH8AAAEAAAN2kzoAAAAF"]
>
> Where can I permit this?
>
> -- 
> Albert E. Whale, CHS CISA CISSP
> Sr. Security, Network, Risk Assessment and Systems Consultant
> ABS Computer Technology, Inc. - Email, Internet and Security  
> Consultants
> SPAMZapper - No-JunkMail.com - True Spam Elimination.
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/ 
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

[mod-security-users] What is this? Can you please explain?

[Albert E. Whale <aewhale@ABS-CompTech.com>]

Too me this appears to indicate that the localhost is not permitted to 
test the root level of the web Server.  Why?

[Sun May 27 23:24:03 2007] [error] [client 127.0.0.1] mod_security: 
Access denied with code 500. Pattern match "^$" at HEADER("Accept") 
[severity "EMERGENCY"] [hostname "127.0.0.1"] [uri "/"] [unique_id 
"R9xVQH8AAAEAAAN2kzoAAAAF"]

Where can I permit this?

-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com>; - Email, 
Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com>; - No-JunkMail.com 
<http://www.No-JunkMail.com>; - *True Spam Elimination*.

Re: [mod-security-users] Problem with REQUEST_BODY SecRule (notcatching/denying)

[hanj <mailing@as...>]

On Mon, 28 May 2007 01:44:35 +0200
Christian Bockermann <chris@...> wrote:

> Hi hanj!
> 
> I had a short look at your config and set it up here locally within a
> virtual host.
> 
> I have two virtual hosts - one is acting as reverse-proxy and includes
> the rules you've posted. It forwards all requests to another "dummy"
> virtual host. This one will respond to any request with just a
> default-page.
> 
> With you rules, the POST-requests that contain "abc" or "123" did not
> get through the proxy-vhost and thus never reached the "dummy" server.
> If I got your description right - this is basically what you wanted to
> achieve.
> 
> To track down your problem even further you should perhaps raise the
> debug-loglevel (SecDebugLogLevel 9) and look at this. If you still
> experience problems it would be helpful to have the debug-output and
> - in order to exactly reproduce your problem a complete audit-log entry
> would be nice.
> 
> Regards,
>      Chris
> 
> 



Hello 

Before the segfault, it did write the debug log. I took out the
timestamps, etc. This line seems interesting to me:

[/index.php/contact.process/][4] Phase REQUEST_BODY already complete,
skipping.

I also pasted the modsec_audit.log from this same transaction(s). The
odd thing is the order of things.
A - start of the request
B - POST
C - Payload
F - is my redirect back to the 'thank you for your message' page
H - Access Denied (but it already redirected)

Just to clarify, I changed spam words so it gets delivered to the list.

Thanks!
hanji


[/lib/style.css][4] Starting phase REQUEST_HEADERS.
[/lib/style.css][9] This phase consists of 0 rule(s).
[/lib/style.css][4] Second phase starting (dcfg 8165370).
[/lib/style.css][4] Input filter: This request does not have a body.
[/lib/style.css][4] Time #1: 1328
[/lib/style.css][4] Starting phase REQUEST_BODY.
[/lib/style.css][9] This phase consists of 2 rule(s).
[/lib/style.css][4] Recipe: Invoking rule 8284d38.
[/lib/style.css][4] Rule returned 0.
[/lib/style.css][9] No match, not chained -> mode NEXT_RULE.
[/lib/style.css][4] Recipe: Invoking rule 8284fc8.
[/lib/style.css][4] Rule returned 0.
[/lib/style.css][9] No match, not chained -> mode NEXT_RULE.
[/lib/style.css][4] Time #2: 1592
[/lib/style.css][4] Phase REQUEST_BODY already complete, skipping.
[/lib/style.css][4] Hook insert_filter: Adding output filter (r
8530d50). [/lib/style.css][4] Initialising logging.
[/lib/style.css][4] Starting phase LOGGING.
[/lib/style.css][9] This phase consists of 0 rule(s).
[/lib/style.css][4] Audit log: Ignoring a non-relevant request.
[/index.php/contact.process/][4] Initialising transaction (txid
XRtJ40LbO5UAAElxTNQAAAAA). [/index.php/contact.process/][5] Adding
request cookie: name "Email", value
"admin%40domain.com" [/index.php/contact.process/][5] Adding request
cookie: name "notify_me", value "0" [/index.php/contact.process/][5]
Adding request cookie: name "save_info", value
"0" [/index.php/contact.process/][5] Adding request cookie: name
"Author", value "admin" [/index.php/contact.process/][5] Adding request
cookie: name "PHPSESSID", value
"aa520661c8e99364122a8c60ff651e3a" [/index.php/contact.process/][4]
Transaction context created (dcfg 8165370).
[/index.php/contact.process/][4] Starting phase REQUEST_HEADERS.
[/index.php/contact.process/][4] Second phase starting (dcfg 8165370).
[/index.php/contact.process/][4] Input filter: Reading request body.
[/index.php/contact.process/][5] Adding request argument (BODY): name
"FirstName", value "asdfasfd" [/index.php/contact.process/][5] Adding
request argument (BODY): name "LastName", value
"asfd" [/index.php/contact.process/][5] Adding request argument (BODY):
name "Email", value "asdf@..." [/index.php/contact.process/][5]
Adding request argument (BODY): name "Message", value "spam
content" [/index.php/contact.process/][5] Adding request argument
(BODY): name "formAction", value
"send" [/index.php/contact.process/][4] Input filter: Completed
receiving request body (length 92). [/index.php/contact.process/][4]
Time #1: 98949 [/index.php/contact.process/][4] Starting phase
REQUEST_BODY. [/index.php/contact.process/][4] Recipe: Invoking rule
8284d38. [/index.php/contact.process/][4] Executing operator rx with
param "(spam|content|removed|for|list)" against REQUEST_BODY.
[/index.php/contact.process/][4] Operator completed in 26 usec.
[/index.php/contact.process/][4] Rule returned 1.
[/index.php/contact.process/][1] Access denied with code 403 (phase 2).
Pattern match "(spam|content|removed|for|list)" at REQUEST_BODY.
[/index.php/contact.process/][4] Time #2: 99221
[/index.php/contact.process/][4] Phase REQUEST_BODY already complete,
skipping. [/index.php/contact.process/][4] Hook insert_filter: Adding
input forwarding filter (r 8530d58). [/index.php/contact.process/][4]
Hook insert_filter: Adding output filter (r 8530d58).
[/contact.process/][4] Phase REQUEST_BODY already complete, skipping.
[/contact.process/][4] Input filter: Forwarding input: mode=0, block=0,
nbytes=4000 (f 8532b88, r 8530d58). [/index.php/contact.process/][1]
Access denied with code 403 (phase 2). Pattern match
"(spam|content|removed|for|list)" at REQUEST_BODY.
[/index.php/contact.process/][4] Initialising transaction (txid
XvhgpELbO5UAAEopRm0AAAAA). [/index.php/contact.process/][4] Transaction
context created (dcfg 8165370). [/index.php/contact.process/][4]
Starting phase REQUEST_HEADERS. [/index.php/contact.process/][4] Second
phase starting (dcfg 8165370). [/index.php/contact.process/][4] Input
filter: Reading request body. [/index.php/contact.process/][4] Input
filter: Completed receiving request body (length 92).
[/index.php/contact.process/][4] Time #1: 98932
[/index.php/contact.process/][4] Starting phase REQUEST_BODY.
[/index.php/contact.process/][4] Recipe: Invoking rule 8284d38.
[/index.php/contact.process/][4] Executing operator rx with param
"(spam|content|removed|for|list)" against REQUEST_BODY.
[/index.php/contact.process/][4] Operator completed in 25 usec.
[/index.php/contact.process/][4] Rule returned 1.
[/index.php/contact.process/][1] Access denied with code 403 (phase 2).
Pattern match "(spam|content|removed|for|list)" at REQUEST_BODY.
[/index.php/contact.process/][4] Time #2: 99215
[/index.php/contact.process/][4] Phase REQUEST_BODY already complete,
skipping. [/index.php/contact.process/][4] Hook insert_filter: Adding
input forwarding filter (r 8530d60). [/index.php/contact.process/][4]
Hook insert_filter: Adding output filter (r 8530d60).
[/contact.process/][4] Phase REQUEST_BODY already complete, skipping.
[/contact.process/][4] Input filter: Forwarding input: mode=0, block=0,
nbytes=4000 (f 8532b90, r 8530d60).

---------------------------------------
Here is the audit_log


--a538181a-A--
[27/May/2007:17:55:29 --0600] XfZ8ikLbO5UAAEm8SIoAAAAA xxx.xxx.xxx.xxx
3083 xxx.xxx.xxx.xxx 80 --a538181a-B--
POST /index.php/contact.process/ HTTP/1.1
Host: http://www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.domain.com/index.php/contact.main.htm
Cookie: Email=admin%40domain.com;
__utma=263310793.103240923.1170701296.1180289490.1180309404.125;
__utmz=263310793.1170701296.1.1.u
tmccn=(direct)|utmcsr=(direct)|utmcmd=(none); notify_me=0; save_info=0;
Author=admin; PHPSESSID=aa520661c8e99364122a8c60ff651e3a; __utmc=263310
793; f278ca17e89411619d8fa8529961a7e0=968521b06021c2e0080e5d8301bcd0a2;
__utmb=263310793 Cache-Control: max-age=0 Content-Type:
application/x-www-form-urlencoded Content-Length: 92

--a538181a-C--
FirstName=asdfasfd&LastName=asfd&Email=asdf%40asdf.com&Message=spam+content&formAction=send
--a538181a-F--
HTTP/1.1 302 Found
Set-Cookie:
f278ca17e89411619d8fa8529961a7e0=968521b06021c2e0080e5d8301bcd0a2;
expires=Mon, 28 May 2007 00:24:28 GMT; path=/; domain=www.domain.com
Location:
http://www.domain.com/index.php/code/ce385082a735db58c0b429cc0ea6cd1f/contact.main.htm
Content-Length: 0 Keep-Alive: timeout=15, max=100 Connection:
Keep-Alive Content-Type: text/html

--a538181a-H--
Message: Access denied with code 403 (phase 2). Pattern match
"(spam|content|removed|for|list)" at REQUEST_BODY. Action: Intercepted
(phase 2) Stopwatch: 1180310128983178 168713 (97389* 97651 167526)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache

--a538181a-Z--