Thread: Re: [mod-security-users] Modsec on Tiger?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users
|
From: Ivan R. <iv...@we...> - 2006-02-13 17:52:46
|
li...@32... wrote: > on 2/13/06 11:20 AM, Ivan Ristic at iv...@we... wrote: > >> There's nothing related to ModSecurity in the above output. The warning >> comes from Apache itself. >> >> BTW, Tiger uses Apache 1.3.x? > > > Tiger uses 1.3 by default. Apple still has not made Apache2 the default yet. > > >>> Any ideas why it will not even log, let alone block anything? >>> >>> >>> -Mike >>> >>> P.S. It worked perfect on Panther server. >> You can't get it to even produce debug output at level 9? If that's >> the case it is probably never invoked. > > > OK, that made it start spitting info. Everything looks fine, but I am still > not seeing as much filtering as before my upgrade. > > Can you give me a test rule to see what is up? No, there's no such thing as a test rule. Just read the debug log - it will tell you everything you need to know... -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Ivan R. <iv...@we...> - 2006-02-13 18:14:01
|
li...@32... wrote: > on 2/13/06 12:53 PM, Ivan Ristic at iv...@we... wrote: > >>> OK, that made it start spitting info. Everything looks fine, but I am still >>> not seeing as much filtering as before my upgrade. >>> >>> Can you give me a test rule to see what is up? >> No, there's no such thing as a test rule. Just read the debug log - it >> will tell you everything you need to know... > > Really, not even a rule that looks for 'goober' in a GET argument? Really. Why would you want your adversaries to have the ability to test whether ModSecurity is running or not? > I am sure > that can be done? What, to have a test rule? It can be done but it's not a smart thing to do. > Then I can 'test' to see if it catches it. Or, you could read the debug log as already I suggested. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Ivan R. <iv...@we...> - 2006-02-13 18:28:35
|
li...@32... wrote: > > Can someone else help me write a rule that looks for the word 'goober' in > the uri? You should really start using the "reply to all" function in your email client - I was the only recipient of your email. > Can someone else help me write a rule that looks for the word 'goober' in > the uri? > > I just want to see if modsec is working. I can then delete that > rule. Did not realize it was that big of a request. :/ Here is the rule: SecFilter goober Please do not tell us if it worked. BTW, the ModSecurity manual is right here: http://www.modsecurity.org/documentation/modsecurity-apache/stable/ -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Christopher M. <mu...@to...> - 2006-02-13 18:34:19
|
On a side note i'm at my desk eating lunch and found this thread very amusing :) -- Regards, -Chris _______________________________________________ Christopher Murley Network Administrator TownNews.Com 800.293.9576 Ivan Ristic wrote: > > li...@32... wrote: >> > >> Can someone else help me write a rule that looks for the word 'goober' >> in >> the uri? > > You should really start using the "reply to all" function in your > email client - I was the only recipient of your email. > > >> Can someone else help me write a rule that looks for the word 'goober' >> in >> the uri? >> >> I just want to see if modsec is working. I can then delete that >> rule. Did not realize it was that big of a request. :/ > > Here is the rule: SecFilter goober > > Please do not tell us if it worked. BTW, the ModSecurity manual is > right here: > > http://www.modsecurity.org/documentation/modsecurity-apache/stable/ > > -- > Ivan Ristic, Technical Director > Thinking Stone, http://www.thinkingstone.com > ModSecurity: Open source Web Application Firewall > > > ------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log > files > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > |
|
From: <li...@32...> - 2006-02-13 18:39:11
|
on 2/13/06 1:28 PM, Ivan Ristic at iv...@we... wrote: > li...@32... wrote: >> > >> Can someone else help me write a rule that looks for the word 'goober' in >> the uri? > > You should really start using the "reply to all" function in your > email client - I was the only recipient of your email. Sorry about that, normally don't do that with other lists. :) >> Can someone else help me write a rule that looks for the word 'goober' in >> the uri? >> >> I just want to see if modsec is working. I can then delete that >> rule. Did not realize it was that big of a request. :/ > > Here is the rule: SecFilter goober > > Please do not tell us if it worked. BTW, the ModSecurity manual is > right here: > > http://www.modsecurity.org/documentation/modsecurity-apache/stable/ Ivan, Not sure why the attitude? If I did not need help figuring this out, then I would not bother the list. I apologize if I have offended you somehow. I know where the manual is, but it is not helping me figure this out. I looked at the debug log, but do not see anything that might be causing the filters to not work. I can send you a snippet, if you would be willing to look at it? |
|
From: Ivan R. <iv...@we...> - 2006-02-13 18:57:32
|
li...@32... wrote: > >> Please do not tell us if it worked. BTW, the ModSecurity manual is >> right here: >> >> http://www.modsecurity.org/documentation/modsecurity-apache/stable/ > > Ivan, Not sure why the attitude? If I did not need help figuring this out, > then I would not bother the list. Well, I'll explain, since I have to now. I was not giving you attitude, I was merely trying to give you a hint that the collective time of the list members is wasted because, IMHO, you don't want to spend some time reading the manual. I wrote the manual *specifically* to avoid answering trivial questions. Not all aspects of ModSecurity are easy, I'll give you that, but to write the simplest possible rule *is* trivial. It's simply starting to get to me that out of all ModSecurity-related questions I get (and there are a lot), answers to more than 90% of them are already in the manual. Now, let's stop wasting everyone's time. Send us the debug log snippets so that we can see if everything is working as expected. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: <li...@32...> - 2006-02-13 19:06:02
|
on 2/13/06 1:57 PM, Ivan Ristic at iv...@we... wrote: > li...@32... wrote: >> >>> Please do not tell us if it worked. BTW, the ModSecurity manual is >>> right here: >>> >>> http://www.modsecurity.org/documentation/modsecurity-apache/stable/ >> >> Ivan, Not sure why the attitude? If I did not need help figuring this out, >> then I would not bother the list. > > Well, I'll explain, since I have to now. > > I was not giving you attitude, I was merely trying to give you a hint > that the collective time of the list members is wasted because, > IMHO, you don't want to spend some time reading the manual. I wrote the > manual *specifically* to avoid answering trivial questions. Not all aspects > of ModSecurity are easy, I'll give you that, but to write the > simplest possible rule *is* trivial. > > It's simply starting to get to me that out of all ModSecurity-related > questions I get (and there are a lot), answers to more than 90% > of them are already in the manual. > > Now, let's stop wasting everyone's time. Send us the debug log snippets so > that we can see if everything is working as expected. No need, I fixed it but do not know why it broke. Previously, I had... SecFilterEngine DynamicOnly And everything worked fine. When I upgraded to Tiger, it no longer worked. Changing it to .. SecFilterEngine On Made things start working again. BTW, I am not a noob, I checked the manual first, but as you can now see, this has nothing to do with 'not reading the manual'. As a developer myself, I want to know if something is not working or not. And yes I get frustrated with noobs myself, when they do not try to figure something out for themselves first. |
|
From: <li...@32...> - 2006-02-13 19:23:05
|
on 2/13/06 1:57 PM, Ivan Ristic at iv...@we... wrote: > It's simply starting to get to me that out of all ModSecurity-related > questions I get (and there are a lot), answers to more than 90% > of them are already in the manual. Yes, Ivan was correct , it was in the manual, page 44 :-( I apologize for being what I hate most ;-) Now I can eat my lunch :-) -Mike |
|
From: BassPlayer <bas...@an...> - 2006-02-13 18:58:59
|
I run a fairly basic set of rules (i've added 3 filters) and I get a crap load of matches. I can send you my audit_log and it would give you more URI's than you want that would trigger a match. I'm also using Apache 1.3.x. BP li...@32... wrote: > on 2/13/06 1:28 PM, Ivan Ristic at iv...@we... wrote: > >> li...@32... wrote: >>> >> >>> Can someone else help me write a rule that looks for the word 'goober' >>> in >>> the uri? >> >> You should really start using the "reply to all" function in your >> email client - I was the only recipient of your email. > > > Sorry about that, normally don't do that with other lists. :) > >>> Can someone else help me write a rule that looks for the word 'goober' >>> in >>> the uri? >>> >>> I just want to see if modsec is working. I can then delete that >>> rule. Did not realize it was that big of a request. :/ >> >> Here is the rule: SecFilter goober >> >> Please do not tell us if it worked. BTW, the ModSecurity manual is >> right here: >> >> http://www.modsecurity.org/documentation/modsecurity-apache/stable/ > > Ivan, Not sure why the attitude? If I did not need help figuring this out, > then I would not bother the list. I apologize if I have offended you > somehow. I know where the manual is, but it is not helping me figure this > out. > > I looked at the debug log, but do not see anything that might be causing > the > filters to not work. > > I can send you a snippet, if you would be willing to look at it? > > > > > > ------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log > files > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > !DSPAM:43f0d6df213311238317075! > |
|
From: Ivan R. <iv...@we...> - 2006-02-13 19:02:23
|
Christopher Murley wrote: > On a side note i'm at my desk eating lunch and found this thread very > amusing :) What did you have for lunch BTW? :) I had sausages with mashed potatoes. Let me tell you, putting some chopped flat-leaf parsley and black pepper (in addition to butter, salt, and milk, of course) does wonders for the mashed potatoes. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
|
From: Christopher M. <mu...@to...> - 2006-02-13 19:11:16
|
> What did you have for lunch BTW? :) You beat me, taco bell :) - but mashed potatoes sounds wonderful! > I had sausages with mashed potatoes. Let me tell you, putting some > chopped flat-leaf parsley and black pepper (in addition to butter, > salt, and milk, of course) does wonders for the mashed potatoes. I was reading the manual (ie google) and found a great recipe for garlic mashed potatoes if your interested :) I like to contribute as well! INGREDIENTS: 2 pounds of potatoes 1 cup of milk 6 tablespoons of butter Salt and pepper Start a large pot of water boiling. You want to add just enough water to cover all the potatoes. Peel and quarter the spuds and you are ready to make great mashed potatoes at home. HOW TO MAKE AT HOME 1. Add some salt to the boiling water and cook until the potatoes are tender. (About 15 minutes) 3. Drain the potatoes and mash by your method of choice. (I prefer a potato ricer) 4. Blend in butter and milk. 5. Season with salt and pepper. and of course: 6. (Optional) Add chopped flat-leaf parsley and black pepper. Enjoy your lunch Ivan! |
Thanks for helping keep SourceForge clean.
X