Understood. Thanks for the feedback.
So there is no way to have mod_security delete these files, even though
they triggered an alarm?
It's important to have these attempts logged; I just don't know if we
would actually want to keep the offending files. Especially if these are
quite large.
R
-----Original Message-----
From: mod...@li...
[mailto:mod...@li...] On Behalf Of
Ivan Ristic
Sent: Monday, February 13, 2006 15:40
To: De Vries, Richard
Cc: mod...@li...
Subject: Re: [mod-security-users] Blocking PUT requests
De Vries, Richard wrote:
>
> I was wondering whether or not it'd be wise to block PUT requests. I
> don't foresee needing file-uploads ... does anyone know whether "PUT" is
> used for anything else?
They are often used for various RPC calls, but normally not in
"normal" web applications.
> Hmm, even though I set the following rule:
>
> SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
>
> I still see the following file being created in /tmp if I do a PUT
>
> /tmp/20060213-153039-172.18.60.128-request_body-TnaGyO
>
> Additionally, these files are not automatically being cleaned up.
> Suggestions anyone?
You should configure a different directory for those files, some place
where only httpd can access. (Just to be on the safe side.)
Other than that, the file is probably not erased because it is
referenced in the audit log.
-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
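
Added example (not part of the original thread, and not ModSecurity code): a read-only audit of the directory holding the stored request bodies, covering the two points raised above, that the directory should be accessible only to httpd and that files pile up without being cleaned. The file-name pattern is an assumption inferred from the single name quoted in the thread; the script only reports and deletes nothing, since the files may be referenced from the audit log.

```python
import os, re, stat
from datetime import datetime

# Pattern inferred from the one file name quoted in the thread (assumption):
# YYYYMMDD-HHMMSS-<client IP>-request_body-<random suffix>
NAME_RE = re.compile(r"^(\d{8})-(\d{6})-(\d{1,3}(?:\.\d{1,3}){3})-request_body-(\w+)$")

def parse_name(name):
    """Return (created, client_ip) for a request_body file name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    except ValueError:  # digits matched but are not a real date/time
        return None
    return created, m.group(3)

def dir_is_private(path):
    """True when neither group nor other has any permission on the directory."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def stale_bodies(path, max_age_days=7, now=None):
    """List (name, client_ip, size, age_days) for stored bodies older than the limit."""
    now = now or datetime.now()
    out = []
    for entry in os.scandir(path):
        parsed = parse_name(entry.name)
        # Skip unrelated names and anything that is not a regular file (e.g. symlinks).
        if parsed is None or not entry.is_file(follow_symlinks=False):
            continue
        created, ip = parsed
        age = (now - created).days  # age taken from the name, not from mtime
        if age > max_age_days:
            size = entry.stat(follow_symlinks=False).st_size
            out.append((entry.name, ip, size, age))
    return sorted(out, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    if not dir_is_private(target):
        print(f"WARNING: {target} is accessible to users other than its owner")
    for name, ip, size, age in stale_bodies(target):
        print(f"{age:4d}d {size:10d}B {ip:15s} {name}")
```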