Thread: [mod-security-users] problems
From: love w. <lov...@gm...> - 2007-07-18 11:36:17
Hi all,

I have installed modsecurity-2.1.1 on apache-2.0.55 and have the following in the configuration file:

    LoadFile /usr/lib/libxml2.so
    LoadModule security2_module modules/mod_security2.so

    <IfModule mod_security2.c>
    SecRuleEngine On
    SecAuditEngine RelevantOnly
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)"
    SecAuditLog logs/audit.log
    SecAuditLogType serial
    SecAuditLogParts ABIFHZ
    </IfModule>

Now I have my audit file created in the logs directory, but as per the rule it is not logging the relevant logs into the audit file and I have this empty file as such. Kindly help me where I am wrong.

Warm Regards
Love Wadhwa
RedHat Certified Engg

From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-07-18 11:54:00
The RegEx that you are using looks like it was taken from the Reference Manual. Its purpose is to create a positive policy check against the entire URI to enforce the proper request method and HTTP version data. It should be applied to the REQUEST_LINE variable - http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#N10B2D.

Keep in mind that the Rule Engine and Audit Engine are separate. So, for testing purposes, you should try and change the SecAuditEngine to On then make a connection or two to your web app and then review the logs to ensure that this is being captured.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

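
The point in the reply above about REQUEST_LINE, modelled as an added example that is not part of any post in this thread: a small Python simulation of the negated regex operator, run against the targets of the posted rule and against the request line. It assumes values are lowercased before matching (as a t:lowercase transformation would do); the helper names and sample requests are constructed for illustration.

```python
import re

# Pattern copied verbatim from the SecRule posted in the thread.
PATTERN = re.compile(r"(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)")


def negated_rx_fires(value):
    """Model of a "!regex" operator: it fires when the pattern does NOT match.
    Assumption: the value is lowercased first, as a t:lowercase step would do."""
    return PATTERN.search(value.lower()) is None


def rule_fires(targets):
    """A rule with several targets fires if any one value trips the operator.
    Returns the names of the targets that did."""
    return [name for name, value in targets if negated_rx_fires(value)]


def targets_as_posted(req):
    """REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS, as in the posted rule."""
    out = [("REQUEST_FILENAME", req["path"])]
    out += [("ARGS:" + k, v) for k, v in req["args"].items()]
    out += [("ARGS_NAMES:" + k, k) for k in req["args"]]
    out += [("REQUEST_HEADERS:" + k, v) for k, v in req["headers"].items()]
    return out


def targets_request_line(req):
    """REQUEST_LINE only, the variable the reply recommends."""
    return [("REQUEST_LINE", req["line"])]


def sample(line):
    """Constructed request: same path, argument and header, varying request line."""
    return {"line": line, "path": "/index.html", "args": {"id": "7"},
            "headers": {"Host": "www.example.com"}}


NORMAL = sample("GET /index.html?id=7 HTTP/1.1")
MALFORMED = sample("TRACE /index.html?id=7 HTTP/3.7")
# The two halves of the pattern are alternatives, so one valid half is enough.
HALF_VALID = sample("TRACE /index.html?id=7 HTTP/1.1")

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("malformed", MALFORMED),
                       ("half valid", HALF_VALID)]:
        print(label, "| as posted:", rule_fires(targets_as_posted(req)),
              "| REQUEST_LINE:", rule_fires(targets_request_line(req)))
```

On the normal request every target of the posted rule trips the negated pattern, while the REQUEST_LINE form stays quiet and fires only on the malformed line.
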
From: Bunyamin D. <bun...@gm...> - 2007-07-18 11:58:27
Hi,

Maybe for file permission

    chown <apache user> logs/audit.log

and

    <IfModule mod_security2.c>
    SecRuleEngine On
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit.log
    SecAuditLogType serial
    SecAuditLogParts ABIFHZ
    SecAuditLogRelevantStatus ^[45]
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)"
    </IfModule>

It will work when you get an error or a warning.

I hope :)

Best regards,
-- 
Bunyamin Demir
OWASP-Turkey Chair
http://www.webguvenligi.org

From: love w. <lov...@gm...> - 2007-07-18 13:02:44
---------- Forwarded message ----------
From: love wadhwa <lov...@gm...>
Date: Jul 18, 2007 5:40 PM
Subject: Re: [mod-security-users] problems
To: Bunyamin DEMIR <bun...@gm...>

Hi,

As per your saying, I finally switched off the rule engine since I am in the testing phase and entered this in the configuration file:

    <IfModule mod_security2.c>
    SecAuditEngine On
    SecAuditLog logs/audit.log
    SecAuditLogType serial
    SecAuditLogParts ABIFHZ
    </IfModule>

After this I restart my apache and I automatically get my audit file made in the logs directory. But I am not getting anything logged in it. The permissions are the same as those of the access.log file. So since it is getting logged, definitely no problems should be there in the audit file regarding file permissions.

Now I could not get the idea why it's not logging? Definitely some of it is working since the audit file has been made, but it could not log. Please help regarding the same.

-- 
Warm Regards
Love Wadhwa
RedHat Certified Engg

From: Avi A. <av...@br...> - 2007-07-18 14:13:39
Hi,

Switching off the engine entirely is actually telling modsecurity to skip all the rules, meaning no blocking nor interceptions will occur.

What Ryan suggested was:

    SecRuleEngine DetectionOnly
    SecAuditEngine On

The rest of the configuration can stay the same.
With this configuration, modsecurity will not block your traffic, but will log everything, even if the transaction was ok.
In case of the rule you used, it will be logged only if the request line is badly written. Try this to test logging.

    SecAction "pass,msg:'Logging is fine!',log"

HTH,
Avi

From: love w. <lov...@gm...> - 2007-07-18 14:58:13
Hi,

Thanks to everybody for the help. It was my very silly mistake that I forgot to install the mod_unique_id module. I am sorry for that. Anyway, your replies have been helpful to me.

-- 
Warm Regards
Love Wadhwa
RedHat Certified Engg