Thread: [mod-security-users] (no subject)
From: Daniel T. <dc...@si...> - 2003-10-28 18:31:46
|
|
From: Thomasset, D. <DC...@St...> - 2003-10-28 18:32:25
|
|
From: M.E. P. <mei...@bi...> - 2003-11-08 14:27:15
|
|
From: Bart <ba...@so...> - 2004-01-27 05:19:38
|
|
From: M.Saeed S. <sha...@gm...> - 2005-07-28 08:53:19
|
Hi,

Someone is spamming from our mail server. Is there any way to create a sendmail command log file, so that at least I can see who is using the sendmail command? I think it's using a php/FormMail script to send mail. However, I already implemented the FormMail rule.

I just want to create a log file whenever the sendmail command is used.

Thanks.

--
M.A.Shaikh
Linux System Administrator |
|
From: Terry D. <tdo...@na...> - 2006-01-19 10:22:24
|
M.Saeed Shaikh wrote:
> Hi,
>
> Someone is spamming from our mail server. Is there any way to create
> sendmail commands log file. So at least I can see who is using
> sendmail command. I think its usie php/FormMail script for send mail.
> However i alreay implement FormMail rule.
>
> I just want to create log file whenever sendmail command use.

A simple (but blunt) way to do this would be to replace /bin/sendmail (or wherever it is) with a small script that logs whatever you want to log from the environment and the command input before passing them on to the real sendmail. This may create too much overhead on a busy system, however.

In mod_security, you could set up a Location directive for the suspect script, which it seems you know, and add in some audit logging rules:

    <Location /path/to/formail.php>
        SecAuditEngine On
        SecAuditLog path_to_formail_audit_log
    </Location>

If you have an idea about how the script is being exploited, add in a filter match and set SecAuditEngine to RelevantOnly, otherwise you'll be logging every single request. See the Audit Logging section of the manual.

One question arises: if audit logging is already on, is it possible to override the existing SecAuditLog directive for specific Locations?

Terry.

> Thanx.
> |
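As an added example (not code from this thread or from ModSecurity), here is one way to build the logging wrapper Terry describes, in Python: it records which process invoked sendmail and the message's From/To/Subject headers, then hands the unchanged message and arguments to the real binary. The paths, the configuring environment variables, and the choice of logged variables (SCRIPT_FILENAME, REQUEST_URI and REMOTE_ADDR are what Apache exports into the environment of CGI/PHP children) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Logging wrapper installed in place of the sendmail binary (added example).

Assumed deployment (not from the thread): the real binary is renamed to
REAL_SENDMAIL, this script takes its old path, and WRAPPER_LOG is writable
by the user the web server runs as.
"""
import os
import subprocess
import sys
import time
from email.parser import BytesHeaderParser

REAL_SENDMAIL = os.environ.get("REAL_SENDMAIL", "/usr/sbin/sendmail.real")
WRAPPER_LOG = os.environ.get("SENDMAIL_WRAPPER_LOG", "/var/log/sendmail-callers.log")

# Variables Apache exports to CGI/PHP children; together with the working
# directory they point at the script and client behind a mail() call.
CALLER_VARS = ("SCRIPT_FILENAME", "REQUEST_URI", "REMOTE_ADDR", "PWD")


def caller_record(argv, env, ppid, now=None):
    """Describe the invoking process as one log line (no trailing newline)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    fields = [stamp, "ppid=%d" % ppid, "uid=%d" % os.getuid()]
    fields += ["%s=%s" % (key, env.get(key, "?")) for key in CALLER_VARS]
    fields.append("args=%r" % (list(argv),))
    return " ".join(fields)


def summarize_headers(message):
    """Return sender, recipient and subject from a raw message (bytes).

    Only the header block is parsed, so a large body costs nothing extra.
    """
    headers = BytesHeaderParser().parsebytes(message)
    return {name: headers.get(name, "") for name in ("From", "To", "Subject")}


def main():
    # The message must be buffered: it is both logged and forwarded.
    message = sys.stdin.buffer.read()
    summary = summarize_headers(message)
    with open(WRAPPER_LOG, "a") as log:
        log.write(caller_record(sys.argv[1:], os.environ, os.getppid()) + "\n")
        log.write("    From=%(From)r To=%(To)r Subject=%(Subject)r\n" % summary)
    # Forward the unchanged message and arguments to the real sendmail.
    return subprocess.run([REAL_SENDMAIL] + sys.argv[1:], input=message).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Buffering the whole message is the overhead Terry warns about; on a busy relay you would log only the caller line and stream the body through instead. The parent PID and working directory are logged because a PHP mail() call run by Apache shows the web server's PID and the vhost's document root, which narrows the search even when SCRIPT_FILENAME is absent.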
|
From: Ivan R. <iv...@we...> - 2006-01-19 10:31:43
|
Terry Dooher wrote:
> One question arises: If audit logging is already on, is it possible to
> override the existing SecAuditLog directive for specific Locations?

Yes, it is.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934 |
|
From: Diego P. <die...@ho...> - 2005-11-25 21:59:22
|
Hi. I need mod_security to decode and apply filter rules to arguments encoded in base64. Those arguments are passed like:
http://www.blablabla.com?name=XYWXZXWZ
where XYWXZXWZ is base64 encoded.
How can I do that? |
|
From: Ivan R. <iv...@we...> - 2005-11-26 18:08:49
|
Diego Pellegrino wrote:
> Hi. I need that mod_security decode and applies rules filters to
> arguments codified in base64. Those arguments are passed
> like:
> http://www.blablabla.com?name=XYWXZXWZ
> where XYWXZXWZ is base64 encoded.
> how can i do that?

By changing the source code. Since you are probably after a quick & dirty solution, you could change the function parse_arguments to base64-decode parameter values (if a valid base64 encoding is detected).

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org |
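As an added example, not code from this thread or from the ModSecurity source, here is the decode-if-valid logic Ivan sketches, written in Python instead of inside parse_arguments: each argument is inspected as received and, when it is structurally valid base64 that decodes to text, inspected again in decoded form. The filter patterns and the query strings are constructed stand-ins; the minimum-length check is this example's own guard against the fact that ordinary words whose length is a multiple of four are also valid base64.

```python
"""Decode-then-inspect for base64-looking arguments (added example)."""
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed stand-ins for filter rules; real rule sets are far larger.
FILTERS = {
    "script-tag": re.compile(r"<\s*script", re.I),
    "sql-tautology": re.compile(r"\bor\b\s+1\s*=\s*1", re.I),
}

# Structural base64: groups of four alphabet characters, optionally one
# final group with '=' padding.
BASE64_SHAPE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
)


def try_base64_decode(value, min_len=8):
    """Return the decoded text if value is valid base64 of UTF-8 text, else None.

    Plain values such as "test" or "Diego" can satisfy the base64 grammar, so
    a minimum length and a UTF-8 check keep most of them from being decoded
    into binary garbage that no filter would match anyway.
    """
    if len(value) < min_len or not BASE64_SHAPE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_argument(value):
    """Return (filter name, form) hits for the raw and, if any, decoded form."""
    hits = []
    for form, text in (("raw", value), ("base64", try_base64_decode(value))):
        if text is None:
            continue
        for name, pattern in FILTERS.items():
            if pattern.search(text):
                hits.append((name, form))
    return hits


def inspect_query(query_string):
    """Parse a query string; return {argument name: hits} for flagged arguments."""
    flagged = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        hits = inspect_argument(value)
        if hits:
            flagged[name] = hits
    return flagged
```

Both forms are always inspected and the original value is never replaced, so a legitimate value that merely looks like base64 still reaches the application unchanged; the only cost of a wrong guess is one extra pass of the filters over the decoded bytes.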
|
From: Diego P. <die...@ho...> - 2006-01-18 20:56:00
|
Hi. I would like to know if it's possible to change a specific character in a request forwarded by mod_security from the user's browser to the web server.

For example, if the parameter 'name' contains the characters '<' and '>':

    name=Diego <duff> Pellegrino

the translated parameter should be:

    name=Diego [duff] Pellegrino

Thanks. |
|
From: Ivan R. <iv...@we...> - 2006-01-19 10:34:03
|
Diego Pellegrino wrote:
> Hi. I would like to know if it's possible to change a specific chracter
> from a request fowarded by mod_security from the user browser to the web
> server

No, it's not. ModSecurity does not change content, it only observes the traffic.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934 |
|
From: BassPlayer <bas...@an...> - 2006-04-26 02:53:48
|
Hi All,

How much at risk am I with this off? With it on, it really makes it hard to talk about anything interesting, using SquirrelMail, without it 403ing my mail message.

    POST scanning
    Request body payload (or POST payload) scanning is disabled by default. To use it, you need to turn it on:

        SecFilterScanPOST On

BP |
|
From: Ivan R. <iva...@gm...> - 2006-04-26 12:31:43
|
On 4/26/06, BassPlayer <bas...@an...> wrote:
> Hi All,
> How much at risk am I with this off? With it on, it really makes it hard
> to talk about anything interesting, using squirrelmail, without it 403ing
> my mail message.
>
> POST scanning

You are experiencing problems not because you have request body buffering enabled, but because you have incorrect rules set up for SquirrelMail. You should really focus on the latter (for example, you might decide to turn ModSecurity off for that part of the web server).

As for the risk measurement - it's not a purely technical issue. It depends on how likely it is that someone is going to attack you.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall |
|
From: JiJo R. <jij...@ya...> - 2006-09-29 01:52:06
|
Can someone help me install mod_security on Windows XP?

Thanks
jijo |
|
From: Ivan R. <iva...@gm...> - 2006-10-04 03:30:14
|
On 9/29/06, JiJo Robert <jij...@ya...> wrote:
> Can some one help me install mod_security in windows
> xp?

Of course! What seems to be troubling you?

--
Ivan Ristic |
|
From: gabrix <ga...@ga...> - 2006-12-29 19:27:27
|
I got modsecurity rules from
> http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz

The directive SecFilterRemove doesn't work; it gives me:
> Invalid command 'SecFilterRemove', perhaps mis-spelled or defined by a
> module not included in the server configuration

Because I work with the Joomla CMS, I need some rules letting me work without SecFilter stopping me. How can I achieve this?

Thank you! |
|
From: Nicholas V. <nvu...@ya...> - 2007-01-19 17:02:52
|
The referer often contains the URL and parameters from another site, such as a web search page, when someone navigates to our site via a search. We have found that Time Warner's websearch contains an onClick parameter that sets off the XSS rule.

This fix was suggested to exclude scanning the referer:

    REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer

This almost worked for me, but our FireClick implementation stores the referer in the session cookie, so I still get a match (see below).

Sorry about the old version (rule id 50004).

I had already removed the ".cookie" part of the rule because our site has cookies named something.cookie.

I don't want to exclude XSS on the cookies because we have observed other XSS attack attempts in the cookie.

Any suggestions?

--674ddd71-A--
[16/Jan/2007:14:18:34 --0600] EPbcZKwQIh8AAATnGgcAAAAa 172.16.32.102 55719 172.16.34.31 80
--674ddd71-B--
GET /processSearch.do?allPropertyTypesSelected=true&usertypedcity=&destination=4fded4ff-af4a-41b7-976b-bd5bd436f135%7Cb68f06c3-77a8-49f1-9ba2-c9e779fdad9d%7CLas+Vegas%2C+NV%2C+USA%7C1&inout=&CIMonth=3&CIDay=2&CIYear=2007&COMonth=3&CODay=5&COYear=2007&dateless=&numrooms=1&adults%5B0%5D=2&child%5B0%5D=0 HTTP/1.1
Accept: */*
Referer: http://www.aaaa.com/index.jsp?PSRC=G21&displayAd=false&googlekw=aaaa.com_-_exact_match&js=1&zz=1168978561781
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)
Cookie: JSESSIONID=UMHAKCHLXFI35LAQEZBSCOVMCATDOH20; ABTest.4=3; sid={AC102643-14D7-7459-1102-2C2C8ACB9E1F}; visitCounter=1; PSRC=G21; VSRC=HRN MRKT; SSRC=; MSRC=; TSRC=1; fcC=X=C1854576&Y=1168978630937&FV=8&H=1168978630921&Z=1&vis=g409650#e409650zaaaa.com_-_exact_match#m54z0#m56z0#m11z0#m42z0#l39#m52z1#m53z1#l17#e125482z-#m54z1#g440958#m40z0&D=G409651#E409651zaaaa.com_-_exact_match&F=0&I=1168978713171&E=5041538; fcP=C=0&T=1168978568750&DTO=1168978568671&V=1168978630921&fcV.1=G409651`1171570570406&fcV.2=E409651zaaaa.com_-_exact_match`1171570570421; fcR=http%3A//websearch.timewarnercable.com/websearch/%3Fdiv_id%3D30%26FUIComponentClass%3D%255Btype+Function%255D%26FRadioButtonClass%3D%255Btype+Function%255D%26FRadioButtonGroupClass%3D%255Btype+Function%255D%26FPushButtonClass%3D%255Btype+Function%255D%26searches%3D%255Bobject+Object%255D%26getValue%3D%255Btype+Function%255D%26onClick%3D%255Btype+Function%255D%26query%3Daaaa%252Ecom
TE: chunked;q=1.0
Connection: TE, keep-alive
Accept-Encoding: gzip
Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 71.79.187.187, 72.247.29.86
Host: www.aaaa.com
Pragma: no-cache
Cache-Control: no-cache, max-age=0

--674ddd71-F--
HTTP/1.1 200 OK
Set-Cookie: sid={AC102643-14D7-7459-1102-2C2C8ACB9E1F}; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: PSRC=G21; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: VSRC=HRN MRKT; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: SSRC=; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: MSRC=; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: TSRC=1; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Keep-Alive: timeout=3, max=59
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--674ddd71-H--
Message: Warning. Pattern match "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|mocha):|type\\b\\W*?\\b(?:text\\b(?:\\W*?\\b(?:j(?:ava)?|ecma)script\\b|[vbscript])|application\\b\\W*?\\bx-(?:java|vb)script\\b)|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\\b|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b|!\\[CDATA\\[|script|meta)|(?:\\.(?:(?:execscrip|addimpor)t|fromcharcode|innerhtml)|\\B@import)\\b)" at REQUEST_HEADERS:Cookie. [id "50004"] [msg "Cross-site Scripting (XSS) Attack"] [severity "WARNING"]
Stopwatch: 1168978713435236 735698 (233 2539 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)

--674ddd71-Z-- |
|
From: Ofer S. <Of...@Br...> - 2007-01-21 09:56:43
|
Thanks Nicholas,

As you say, the Referer header is prone to false positives as it is generated by other sites, which extend their false positives to your site. This is the reason it is not searched for SQL injection signatures in the core rule set, and I am checking now whether to do the same for XSS, just as you suggest.

My experience is that the Cookie header is also prone to false positives such as this, but I'm less inclined to include an exception for the cookie header in the Core Set for two reasons:

(a) It is controlled by the application itself, and many times, such as in your case, the application should be changed rather than the rule. Storing the external Referer header in a cookie and presumably using it somewhere is a very good recipe for a security disaster.

(b) The Cookie header is used a lot by applications and therefore may be an attack channel more often than the Referer header.

Saying that, I assume that you do not have a simple way to have the application modified and therefore need another solution.

I think that in your case the simplest and most effective would be to exclude the cookie header also (!REQUEST_HEADERS:Cookie). Since the cookie is controlled by the referrer it is just a matter of time until another signature will match, so removing onClick is a short-term solution.

~ Ofer |
|
From: Avi A. <av...@br...> - 2007-05-06 12:48:44
|
Dear ModSecurity users,

A new version of the core rules, 1.4, is now available at http://www.modsecurity.org/download/index.html. The rules have been tested with version 2.1.1, and might not work with an older version. Please note that this ruleset is newer than the rules bundled with version 2.1.1 of ModSecurity.

Here's a list of the changes made in this version:

----------
New Events
----------

- 970021 - WebLogic information disclosure
    Matching of "<title>JSP compile error</title>" in the response body will trigger this rule, with severity 4 (Warning)

- 950015,950910,950911 - HTTP Response Splitting
    HTTP Response Splitting is described in Amit Klein's excellent article:
    http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:

- 960013 - Content-Encoding in request not supported
    Any incoming compressed request will be denied

- 960051 - Content-Encoding in response not supported
    An outgoing compressed response will be logged to alert, but ONLY ONCE.

---------------------
False Positives Fixes
---------------------

The following FPs have been reported. They have been examined and found to be commonly used in the web.

- Removed <.exe>,<.shtml> from restricted extensions
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Excluded Referer header from SQL injection, XSS and command injection rules
- Excluded X-OS-Prefs header from command injection rule
- Will be looking for command injection signatures in REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type
    i.e.: The following Content-Type will be allowed: application/x-www-form-urlencoded; charset=ISO-8859-1
    (or any other valid charset)

----------------------
Additional rules logic
----------------------

- Corrected match of OPTIONS method in event 960015
    No transformation, and looking exactly for ^OPTIONS$, to dismiss it from having an Accept header.
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
    REQUEST_URI_RAW also contains the domain name, if provided by the client.
    In a normal case, a client will not provide the domain name in the URI.
    The appearance of "http:/" in the URI may imply an attempt for proxy access.
- Moved all rules apart from method inspection from phase 1 to phase 2
    This will enable viewing content if such a rule triggers, as well as setting exceptions using Apache scope tags.
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)

Avi Aminov,
ModSecurity Core Rule Set Team |
|
From: <mi...@th...> - 2007-10-22 19:04:18
|
I'm having trouble getting mod_security to work with Subversion through
WebDAV. Subversion works perfectly with mod_security disabled, but with
it, I'm getting a "400: bad request" error from the client. After checking
the logs, I see that mod_security is blocking everything but the most
common request types. Here is one of the errors from the modsec_audit log:
Message: Access denied with code 400 (phase 2). Match of "rx
^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w
\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against
"REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request
Line"] [severity "CRITICAL"]
I'm quite new to the mod_security software. Is there anyone who has set up
their mod_security to work with subversion and might be willing to help me
out with what SecRules to include? I've tried adding several SecRules, but
I'm not even sure if I'm putting them in the right place. Here are the
ones that I've tried:
SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
I've spent many hours searching Google for a solution, so any help at all
would be very greatly appreciated.
|
|
From: Ryan B. <Rya...@Br...> - 2007-10-22 19:16:13
|
Mike,

That specific ModSecurity Core Rule is enforcing HTTP RFC compliance on the request line, so this means that Subversion is sending some requests that are triggering this alert. Can you send a sanitized audit_log entry of this request? Also, you might want to have a look at this blog post for handling false positives - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

As for your example rules, one issue to be aware of is that the "allow" action only applies to the current request phase. Since you did not specify a phase on the action lines of these rules, that means that these rules would inherit whatever phase is set in the preceding SecDefaultAction directive. So, if this is set to phase:1, then your custom rules will only "allow" these requests through the remainder of phase:1. This means that all of the phase:2 rules would then inspect them and possibly take action. If you want to truly allow an inbound request through, then you will need to add both the allow action, as well as the "ctl:ruleEngine=Off" action.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache |
|
From: Avi A. <av...@br...> - 2007-10-23 07:59:26
|
Mike,

Can you provide the audit log entry for these requests that modsecurity blocks?

Thanks,
Avi |
|
From: MontyRee <chu...@ho...> - 2007-10-23 14:15:53
|
Hello all.

I have set up modsecurity 1.9.4 with apache 1.3.35, and I would like to match all IP addresses at REMOTE_ADDR for some reason, like below:

    SecFilterSelective REMOTE_ADDR "^xx.xx.xx.xx$" allow

How do I set all IP addresses at xx.xx.xx.xx?

Thanks in advance. |
|
From: remitmp4 <rem...@la...> - 2008-06-11 07:58:54
|
Hi,

Currently working with mod_security 1, we have had trouble installing the latest mod_security for apache.

Is it safe to continue working with mod_security 1 for a sensitive application? Is it a separate branch still maintained, or is it now unsecured?

Thanks for your help,
Remi |
|
From: Ivan R. <iva...@gm...> - 2008-06-17 19:56:17
|
ModSecurity 2.x is _much_ better. We've learned and done a lot since 1.9.x, which was more than 2 years ago. ModSecurity 1.x is not supported and it won't be updated. I am not sure what you mean by "unsecured", but there's nothing wrong with 1.9.5 that we know of.

--
Ivan Ristic |