mod-security-users

[mod-security-users] Getting first SecSelectiveFilter to work

[<Ral...@it...>]

Hello,

after having read about mod_security in O'Reilley's APACHE
SECURITY
I downloaded, installed and integrated the module into our
webserver.

This was all very easy.
However, now I even fail to get the most basic filter to work.
Before I can establish any useful filters I need to convince
myself
that I understood their concept and syntax correctly.

As a Perl fan I would assume that I have a basic knowledge of
Perl's
regex's, and the mod_security doc claims it to be PCRE capable.

For instance just to get started I loaded mod_status and collect
from the
/server-status?auto URI the scoreboard where I have a cronjob
counting the
various chars to be fed to Munin stats for its neat rrdgraph-ing.

This is done by a simple LWP request that has the HTTP header
modified to give
a User-Agent: token similar to "$(uname -n)-status"
Although that <Location> has an Allow from IP range restriction
it would further soothe paranoia if one could parse for an
allowed user agent
(admittedly, this wouldn't require mod_security I guess)

When I add a line like this to my mod_security.conf file=20
(n.b. Include-d in httpd.conf within a <IfDefined SEC> block)


SecFilterSelective HTTP_Header
/agent:?\s*(?:hostA|hostB)-status/i log,pass

and send the master httpd a SIGHUP (i.e. apachectl graceful,
which earlier started with -DSEC),
and then again run my server-status request nothing gets logged
as the filter doesn't seem to work.

I changed other directives such as e.g. SecServerSignature just
to verify that=20
my tinkering gets recognized at all, and the latter one works if
the ServerToken is reset to Full.
Btw, it would be a nice feature if one could place an exec action
next to SecServerSignature
to sort of get "randomized" server signatures (e.g. day of week
or similar)

Rgds
Ralph

Re: [mod-security-users] Getting first SecSelectiveFilter to work

[Ivan R. <iv...@we...>]

Ral...@it... wrote:
>
> This was all very easy.
> However, now I even fail to get the most basic filter to work.
> Before I can establish any useful filters I need to convince
> myself
> that I understood their concept and syntax correctly.

  Hi,

  Two recommendations if you want to just play with it:

  1. Use "SecFilter REGEX" - SecFilter is very broad (it
     examines the request line and the body at the same
     time) but nice to play with regular expressions.

  2. Use the debug log and increase the log level (e.g.
     to 9) - then you'll be able to see exactly what
     ModSecurity does. This is usually not a good idea
     on a production server, though, because it logs
     a lot of stuff for every request.


> As a Perl fan I would assume that I have a basic knowledge of
> Perl's
> regex's, and the mod_security doc claims it to be PCRE capable.

  ModSecurity uses what Apache uses and if it's Apache 2.x
  then it's PCRE.


> SecFilterSelective HTTP_Header
> /agent:?\s*(?:hostA|hostB)-status/i log,pass

  Some observations:


  1) For the User-Agent header you want your rule to start
     with:

  SecFilterSelective HTTP_User-Agent ...

  2) You don't need / and /

  3) And you don't need i at the end, regexes are case
     insensitive.

  You'll find plenty of examples in the manual, BTW.


> I changed other directives such as e.g. SecServerSignature just
> to verify that 
> my tinkering gets recognized at all, and the latter one works if
> the ServerToken is reset to Full.
> Btw, it would be a nice feature if one could place an exec action
> next to SecServerSignature
> to sort of get "randomized" server signatures (e.g. day of week
> or similar)

  Noted.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall