Thread: Re: [mod-security-users] mod_security status 200
From: Peter VE <xx...@im...> - 2005-11-04 12:27:45
Ryan,
the SecFilterSelective OUTPUT doesn't work.
In the debug log, I'm seeing "sec_pre: output filtering is off here"
I've just started setting it up
(using mod_security for the first time)
This is what I have so far:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:200"
SecFilterScanPOST On
SecFilterCheckCookieFormat Off
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecAuditEngine On
SecAuditLog /var/log/www/modsecurity.log
SecFilterDebugLog /var/log/www/modsecurity_debug.log
SecFilterDebugLevel 5
SecFilter "\.\./"
SecFilter "favicon.ico"
SecFilterSelective OUTPUT "was not found on this server." status:200
SecFilter "<(.|\n)*script"
SecFilter "<.|\n+>"
</IfModule>
To your point, I don't care about the 200 messages, because no regular
users should connect to my server. I'm only using it for server to
server communication, but in theory, it is possible that a user tries to
connect. In that case, I'll try to fool the user while hiding/protecting
the real information by securing the application itself.
I hope this makes sense.
thanks
P
From: Peter VE <xx...@im...> - 2005-11-04 12:54:52
Ok, I forgot to turn on SecFilterScanOutput
SecFilterScanOutput On
SecFilterSelective OUTPUT "was not found on this server." status:200
After enabling ScanOutput, I'm seeing "scan_pre: adding the output
filter to the filter list" in the log... but it still doesn't work
any ideas?
From: Ivan R. <iv...@we...> - 2005-11-04 13:48:48
Peter VE wrote:
> Ok, I forgot to turn on SecFilterScanOutput
>
> SecFilterScanOutput On
> SecFilterSelective OUTPUT "was not found on this server." status:200
>
> After enabling ScanOutput, I'm seeing "scan_pre: adding the output
> filter to the filter list" in the log... but it still doesn't work
>
> any ideas ?
Actually, the output filter is not triggered for Apache-produced pages.
(I'll have to look into that to figure out exactly why.) So the above
only works for "normal" pages.
But there is another way. Do this:
ErrorDocument 404 /error404.php
And then have the script explicitly respond with code 200 in addition
to outputting a human-readable message.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: <xx...@im...> - 2005-11-04 14:27:03
I can see the custom 404 error page, but the SecFilterSelective doesn't work
(the SecFilterSelective looks for text in the custom 404 page).
The debug log says "Filtering off for a subrequest"
From: Ivan R. <iv...@we...> - 2005-11-04 14:29:56
xx...@im... wrote:
> I can see the custom 404 error page,
> but the SecFilterSelective doesn't work
> (the SecFilterSelective looks for text in the custom 404 page)
>
> The debug log says "Filtering off for a subrequest"
You don't need mod_security for the approach I suggested.
You only need to put some code in error404.php like
this:
<?php
// Override the 404 status Apache would otherwise send for this ErrorDocument.
header("HTTP/1.0 200 OK");
echo("Error page...");
?>
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
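Ivan's suggestion carried one step further, as an added example that is not code from the thread: an error404.php that answers 200 only when Apache actually invoked it as the 404 handler, logs the missed path for later review, and serves a fixed body. The log path is an assumption; the Apache side stays `ErrorDocument 404 /error404.php` as given above.

```php
<?php
// error404.php: added example, not from the thread. Apache runs it through
// "ErrorDocument 404 /error404.php" as an internal subrequest and exposes the
// original request in REDIRECT_* variables (Apache prefixes the original
// request's variables with REDIRECT_). $logFile is an assumed path.
$logFile = '/var/log/www/notfound.log';

$redirectStatus = isset($_SERVER['REDIRECT_STATUS']) ? $_SERVER['REDIRECT_STATUS'] : '';

// Called directly rather than as the 404 handler? Then do not impersonate a
// page; this avoids the "direct call returns 200" confusion from the thread.
if ($redirectStatus !== '404') {
    header('HTTP/1.0 404 Not Found');
    exit;
}

$requested = isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : '-';
$query     = isset($_SERVER['REDIRECT_QUERY_STRING']) ? $_SERVER['REDIRECT_QUERY_STRING'] : '';
$client    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';

// Keep the log entry single-line and printable so a crafted path cannot
// forge extra entries or smuggle control characters into the log.
$target = $requested . ($query === '' ? '' : '?' . $query);
$target = preg_replace('/[^\x20-\x7e]/', '?', $target);
error_log(sprintf("%s %s 404->200 %s\n", date('c'), $client, $target), 3, $logFile);

// Answer 200 with a fixed body. The requested path is deliberately not
// reflected, so attacker-controlled input never reaches the response.
header('HTTP/1.0 200 OK');
header('Content-Type: text/html; charset=utf-8');
echo "<html><head><title>Welcome</title></head><body>\n";
echo "<p>Nothing to see here.</p>\n";
echo "</body></html>\n";
```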
From: <xx...@im...> - 2005-11-04 14:32:36
ok
I'll try (Need to convert the php code to html first...)
Best regards / Vriendelijke groeten,
Peter Van Eeckhoutte
IT Security Officer
System Administrator
European Lotus Notes Administrator
Sara Lee Foods Europe
Imperial Coordination Center nv --- SLFE's CoE in Telecoms and Security
Grote Baan 200 B-9920 Lovendegem, Belgium
Tel : +32 9 370 02 11 Fax : +32 9 372 50 00
Email : pet...@sa...
From: <xx...@im...> - 2005-11-04 14:30:37
One addition: when I call the custom 404 error page directly from my browser, I'm getting a 200 OK code...
The debug log says "Access denied with code 200. Pattern match "<my pattern>" at OUTPUT"