Thread: [mod-security-users] Getting first SecSelectiveFilter to work
From: <Ral...@it...> - 2006-02-22 18:32:30
Hello,

after having read about mod_security in O'Reilly's APACHE SECURITY I downloaded, installed and integrated the module into our webserver. This was all very easy. However, now I even fail to get the most basic filter to work. Before I can establish any useful filters I need to convince myself that I understood their concept and syntax correctly.

As a Perl fan I would assume that I have a basic knowledge of Perl's regex's, and the mod_security doc claims it to be PCRE capable.

For instance just to get started I loaded mod_status and collect from the /server-status?auto URI the scoreboard where I have a cronjob counting the various chars to be fed to Munin stats for its neat rrdgraph-ing. This is done by a simple LWP request that has the HTTP header modified to give a User-Agent: token similar to "$(uname -n)-status"

Although that <Location> has an Allow from IP range restriction it would further soothe paranoia if one could parse for an allowed user agent (admittedly, this wouldn't require mod_security I guess)

When I add a line like this to my mod_security.conf file (n.b. Include-d in httpd.conf within a <IfDefined SEC> block)

SecFilterSelective HTTP_Header /agent:?\s*(?:hostA|hostB)-status/i log,pass

and send the master httpd a SIGHUP (i.e. apachectl graceful, which earlier started with -DSEC), and then again run my server-status request nothing gets logged as the filter doesn't seem to work.

I changed other directives such as e.g. SecServerSignature just to verify that my tinkering gets recognized at all, and the latter one works if the ServerToken is reset to Full.

Btw, it would be a nice feature if one could place an exec action next to SecServerSignature to sort of get "randomized" server signatures (e.g. day of week or similar)

Rgds
Ralph
From: Ivan R. <iv...@we...> - 2006-02-22 19:24:31
Ral...@it... wrote:
>
> This was all very easy.
> However, now I even fail to get the most basic filter to work.
> Before I can establish any useful filters I need to convince myself
> that I understood their concept and syntax correctly.

Hi,

Two recommendations if you want to just play with it:

1. Use "SecFilter REGEX" - SecFilter is very broad (it examines the request line and the body at the same time) but nice to play with regular expressions.

2. Use the debug log and increase the log level (e.g. to 9) - then you'll be able to see exactly what ModSecurity does. This is usually not a good idea on a production server, though, because it logs a lot of stuff for every request.

> As a Perl fan I would assume that I have a basic knowledge of Perl's
> regex's, and the mod_security doc claims it to be PCRE capable.

ModSecurity uses what Apache uses and if it's Apache 2.x then it's PCRE.

> SecFilterSelective HTTP_Header /agent:?\s*(?:hostA|hostB)-status/i log,pass

Some observations:

1) For the User-Agent header you want your rule to start with:

   SecFilterSelective HTTP_User-Agent ...

2) You don't need / and /

3) And you don't need i at the end, regexes are case insensitive.

You'll find plenty of examples in the manual, BTW.

> I changed other directives such as e.g. SecServerSignature just to verify that
> my tinkering gets recognized at all, and the latter one works if
> the ServerToken is reset to Full.
> Btw, it would be a nice feature if one could place an exec action
> next to SecServerSignature
> to sort of get "randomized" server signatures (e.g. day of week or similar)

Noted.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
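
The following configuration is an added example, not part of either message in this thread. It applies the three observations from the reply to the rule from the question, using ModSecurity 1.x directives. The debug log path, the 192.0.2.0/24 range and the commented-out deny variant are assumptions made for illustration.

```apache
# Added example for ModSecurity 1.x (the SecFilter* directive family used in this thread).
<IfModule mod_security.c>
    SecFilterEngine On

    # Debug log, as recommended in the reply. Level 9 writes a lot for every
    # request, so lower it again once the rule is confirmed to fire.
    # The log path is an assumption.
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 9
</IfModule>

<Location /server-status>
    SetHandler server-status

    # Existing network restriction (range is a constructed placeholder).
    # This stays the real access control: User-Agent is chosen by the client.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    <IfModule mod_security.c>
        # Original rule, which never logged anything:
        #   SecFilterSelective HTTP_Header /agent:?\s*(?:hostA|hostB)-status/i log,pass
        #
        # Corrected per the reply:
        #   1) the location names the header itself: HTTP_User-Agent
        #   2) no / ... / delimiters around the pattern
        #   3) no trailing i, matching is already case insensitive
        # The pattern is applied to the header's value, so the "agent:" prefix
        # is dropped as well.
        SecFilterSelective HTTP_User-Agent "(?:hostA|hostB)-status" log,pass

        # Assumed follow-up once the log shows the expected matches: reject
        # requests whose User-Agent is NOT one of the two monitoring hosts.
        # A leading "!" inverts the expression in ModSecurity 1.x.
        # SecFilterSelective HTTP_User-Agent "!^(?:hostA|hostB)-status$" "deny,log,status:403"
    </IfModule>
</Location>
```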