mod-security-users

[mod-security-users] Need help understanding rule activity

[Peter L. <pe...@st...>]

Hi! I've got mod_security 1.8.7 installed against Apache 2.0.46,  
CentOS 3.4. I've got some rules (mostly gotroot.com) installed. I  
noted after installation that the audit log shows mod_security  
catching an attack (see below for log snippet). The attempt in  
question was against a phpBB site which was currently not set up: a  
non-attack request to the same viewtopic.php would yield a 404.

When the same attack is run against an active phpBB site (non-attack  
request would show the proper topic), I get the properly displayed  
topic and no record in the audit log.

It seems very odd to me that the presence or absence of a target for  
the request (viewtopic.php in this case) would matter...I was under  
the impression that mod_security processed requests before it ever  
made it down to the page serving part of Apache.

Can anybody point me to some documentation so I can straighten myself  
out? Thanks.

-Pete

========================================
UNIQUE_ID: qpuNOX8AAAEAACdDPfIAAAAH
Request: 66.45.252.82 - - [17/Jun/2005:22:49:31 --0700] "GET / 
viewtopic.php?t=20
746&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)% 
252Echr(108)%2
52Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr 
(112)%252Echr
(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)% 
252Echr(40
)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)% 
252Echr(77)%252
Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0"  
403 0
Handler: type-map
----------------------------------------
GET /viewtopic.php?t=20746&highlight=%2527%252Esystem(chr(112)%252Echr 
(101)%252E
chr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr 
(32)%252Echr(3
4)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)% 
252Echr(32)%
252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr 
(111)%252Ec
hr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34)) 
%252E%2527
HTTP/1.0
Host: <withheld>
Accept: */*
User-Agent: Mozilla/4.0
mod_security-message: Access denied with code 403. Pattern match  
"(system|exec|p
assthru|cmd|fopen|exit|fwrite)" at THE_REQUEST
mod_security-action: 403

HTTP/1.0
Content-Length: 412
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================

Re: [mod-security-users] Need help understanding rule activity

[Ivan R. <iv...@we...>]

Peter Loron wrote:
> Hi! I've got mod_security 1.8.7 installed against Apache 2.0.46,  CentOS 
> 3.4. I've got some rules (mostly gotroot.com) installed. I  noted after 
> installation that the audit log shows mod_security  catching an attack 
> (see below for log snippet). The attempt in  question was against a 
> phpBB site which was currently not set up: a  non-attack request to the 
> same viewtopic.php would yield a 404.
> 
> When the same attack is run against an active phpBB site (non-attack  
> request would show the proper topic), I get the properly displayed  
> topic and no record in the audit log.
> 
> It seems very odd to me that the presence or absence of a target for  
> the request (viewtopic.php in this case) would matter...I was under  the 
> impression that mod_security processed requests before it ever  made it 
> down to the page serving part of Apache.

   It does. But there are modules that run before mod_security, they
   may interfere by changing the request in some way.


> Can anybody point me to some documentation so I can straighten myself  
> out? Thanks.

   The best way to proceed is to set the debug log to 9, and perform
   an attack in both cases, with and without PHPBB installed.


> Handler: type-map

   This may be a clue. For what purpose are you using mod_negotiate? Try
   turning it off.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org