Thread: [mod-security-users] Automatically Add to Deny Hosts
From: John T. <gma...@jt...> - 2006-02-15 21:11:25

I would like to ban people that break too many mod security rules. I see, in my error logs, machines breaking 20-50 rules at a time. These, in my view, seem to be some script looking for a known vulnerability.

Is there a way to automagically add these *&*&^ to my host.deny file?

From: Ivan R. <iv...@we...> - 2006-02-16 09:41:06

John Thomas wrote:
> I would like to ban people that break too many mod security rules. I
> see, in my error logs, machines breaking 20-50 rules at a time. These,
> in my view, seem to be some script looking for a known vulnerability.
>
> Is there a way to automagically add these *&*&^ to my host.deny file?

Not without a little bit of work: you could configure SEC (Simple Event Correlator) to watch the error log and act on the information seen there.

I am planning to add similar functionality to httpd-guardian pretty soon though. This script can already protect the web server from DoS attacks and I'll extend it to track rule violations per IP address too. Once a violation is established it can block the offending IP address at the firewall level (either locally, using iptables or pf, or remotely, via SnortSam). The interesting thing about httpd-guardian is that it can also receive data via Spread, making it a possible solution for web server clusters too.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

From: Achim H. <ki...@se...> - 2006-02-16 12:34:23

On Thu, 16 Feb 2006, Ivan Ristic wrote:
!! John Thomas wrote:
!! > Is there a way to automagically add these *&*&^ to my host.deny file?
!!
!! Not without a little bit of work: you could configure SEC (Simple Event
!! Correlator) to watch the error log and act on the information seen there.

Hmm, should be simple using mod_security's exec action, which calls a script to manage those IPs and add/remove the corresponding firewall rules. I'd never recommend doing that, 'cause it most likely ends up in a performance nightmare (besides the additional work needed to remove the firewall rules).

Achim

From: Ivan R. <iv...@we...> - 2006-02-16 12:42:18

Achim Hoffmann wrote:
> On Thu, 16 Feb 2006, Ivan Ristic wrote:
> !! John Thomas wrote:
> !! > Is there a way to automagically add these *&*&^ to my host.deny file?
> !!
> !! Not without a little bit of work: you could configure SEC (Simple Event
> !! Correlator) to watch the error log and act on the information seen there.
>
> hmm, should be simple with using mod_security's exec action, which calls a
> script to manage those IPs and add/remove the corresponding firewall rules.
> I'd never recommend to do that 'cause it most likely ends up in a performance
> nightmare

Correct, that's why I recommended the use of SEC in the first place :)

> (beside the additional work to do to remove the firewall rules)

Both "blacklist" and SnortSam (I believe) are capable of blacklisting IP addresses for a limited period only.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

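As an added example (not code from the thread, SEC or httpd-guardian), the counting step both approaches above need: parse ModSecurity events out of an Apache 2.2-style error_log, count hits per client inside a sliding window, and render hosts.deny entries for clients over the threshold. The log line layout, the sample lines and the threshold/window values are constructed assumptions; note that hosts.deny is honoured only by tcp_wrappers-aware services, not by Apache, which is why Ivan points at the firewall instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%a %b %d %H:%M:%S %Y"

# Assumed shape of an Apache 2.2 error_log line written by ModSecurity 2.x:
#   [Thu Feb 16 09:41:06 2006] [error] [client 192.0.2.10] ModSecurity: ... [id "950001"] ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]\s]+)\] ModSecurity: (?P<rest>.*)$'
)
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')


def constructed_log():
    """Constructed sample log: one scanner-like client tripping 25 rules in
    under two minutes, one client with three hits spread over an hour, and
    an ordinary Apache notice that is not a ModSecurity event at all."""
    base = datetime(2006, 2, 16, 9, 41, 6)
    lines = ["[%s] [notice] Apache configured -- resuming normal operations"
             % base.strftime(TS_FMT)]
    for i in range(25):
        ts = base + timedelta(seconds=4 * i)
        lines.append(
            '[%s] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 '
            '(phase 2). Pattern match "\\.\\./" at REQUEST_URI. [id "%d"] '
            '[msg "constructed sample"] [uri "/probe-%d"]'
            % (ts.strftime(TS_FMT), 950000 + i, i)
        )
    for i in range(3):
        ts = base + timedelta(minutes=30 * i)
        lines.append(
            '[%s] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match '
            '"foo" at ARGS:lng. [id "12344001"] [msg "constructed sample"]'
            % ts.strftime(TS_FMT)
        )
    return "\n".join(lines)


def parse_events(log_text):
    """Return [(timestamp, client_ip, rule_id_or_None)] for every ModSecurity line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ordinary Apache noise, not a rule hit
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        idm = ID_RE.search(m.group("rest"))
        events.append((ts, m.group("ip"), idm.group("id") if idm else None))
    return events


def offenders(events, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: peak_hits} for clients with at least `threshold` rule hits
    inside some interval of length `window`. The sliding window keeps a slow
    trickle of false positives spread over a day from getting a host banned,
    while a burst of 20-50 hits (the scanner pattern in the question) qualifies."""
    hits = defaultdict(list)
    for ts, ip, _rule_id in events:
        hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def hosts_deny_lines(flagged):
    """Render tcp_wrappers hosts.deny entries ('ALL: <client>', one per line, sorted)."""
    return ["ALL: %s" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    events = parse_events(constructed_log())
    flagged = offenders(events)
    print("%d ModSecurity events, %d client(s) over threshold" % (len(events), len(flagged)))
    for line in hosts_deny_lines(flagged):
        print(line)
```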
From: <Kam...@bd...> - 2008-07-01 14:29:14

Hi,

I have modsecurity 2.2.5 with apache 2.2.3 in a reverse proxy setup. I can create rules for arguments passed directly in the URL, but my rules are not triggered by arguments sent by POST.

The following rules work well for a URL in the format https://server.com/path_to_file/file.with.dots sent by GET/POST methods with an argument, i.e. https://server.com/path_to_file/file.with.dots?lng=foo. But once I send the argument in the body of the request, it is not detected on the server. I tried to play with phase:1, phase:2 in the rules but it gave the same result. I tried also REQUEST_BODY without success. It seems my proxy ignores the body of the request. What am I doing wrong?

Thanks

Kamil

My config:
----------------
ProxyRequests Off

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPreserveHost on
ProxyPass /path123/ http://127.0.0.3:8080/path123/

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimit 131072

SecDefaultAction "phase:2,log,auditlog,deny,status:500"

SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
    "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
    SecRule ARGS_NAMES "!^(call|page|session)$"

# Rule ids must be unique; this second chain originally reused id 12344001.
SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
    "chain,pass,log,auditlog,id:12344002,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
    SecRule ARGS:lng "!^(cz|en)$"

From: Christian B. <ch...@jw...> - 2008-07-01 14:32:40
Hi Kamil!
Did you enable the SecRequestBodyAccess property?
You should have a statement like:
SecRequestBodyAccess On
in your rule-file.
Regards,
Chris
From: Stephen C. E. <ste...@gm...> - 2008-07-01 16:01:53
Hi Kamil,
The best way to solve your problem is to enable debugging, crank it up
to top level:
SecDebugLog /etc/modsecurity/logs/modsec_debug.log
SecDebugLogLevel 9
Go to the page that's causing the problem.
Restart Apache.
Clear your browser cache; reload the page.
Examine the debug file. It won't be very big. You'll see exactly
what's going on.
Whenever debugging, it's best to have only the minimal amount in the
debug file as it can get large quickly. In Linux, just erase the debug
log file ('rm -f ...') and create a new blank one ('touch ...'), then
restart Apache and reproduce the problem.
Stephen
From: <Kam...@bd...> - 2008-07-02 09:39:22

Hi Stephen,

I tried the debug level 9 before I wrote the question. But I found nothing suspicious in the logs. I tried to google today and I found a log that contains the following lines:

Adding request argument (BODY): name "FirstName", value "asdfasfd"
[/index.php/contact.process/]
Adding request argument (BODY): name "LastName", value

My log contains only lines of the type

Adding request argument (QUERY_STRING): name "Cmd" ...

The problem is probably that it does not read the body part of the request. I have the line 'SecRequestBodyAccess On' in my config file (Christian's remark), I tried to experiment with the phases, but without success. Maybe the problem is in another part of my apache settings. Can you send me your minimal config that works with an argument sent in the POST body?

Thank you

Kamil
From: Brian R. <Bri...@br...> - 2008-07-02 15:08:21
Your config looks fine. What is the full request you are sending?
ModSecurity only handles these types:
application/x-www-form-urlencoded
multipart/form-data
-B
--
Brian Rectanus
Breach Security
From: Adriel D. <ad...@ne...> - 2008-07-02 15:32:42

Greetings,

I've configured a modsecurity reverse proxy but I'm interested in checking its config against a how-to for doing just that. I'm using apache + mod_security. Anyone have a good how-to?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
http://www.netragard.com

From: <Kam...@bd...> - 2008-07-03 08:36:57

Thank you Brian, that was my problem. I modified the request in the proxy to test various modifications. I found that the proxy correctly handles the Content-Length header when I switch the GET/POST method, but it did not change the Content-Type.

Kamil

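As an added example (not code from the thread or from ModSecurity itself), a small Python model of the behaviour Brian describes and Kamil confirmed: query-string arguments always reach ARGS, body arguments only when the Content-Type selects a body processor, so the two chained rules from the posted config see nothing for a POST whose Content-Type the proxy dropped. The urlencoded-only body parsing, the "(model)" debug line and the id 12344002 on the second chain are assumptions of this model.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request-body content types ModSecurity 2.x has a body processor for (Brian's list).
BODY_PROCESSOR_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")

# Kamil's two chained rules as plain predicates; the second chain is given the
# distinct id 12344002 here because the posted config reused 12344001.
TARGET_FILENAME = re.compile(r"^/path_to_file/file\.with\.dots")
KNOWN_ARG_NAMES = re.compile(r"^(call|page|session)$")
ALLOWED_LNG = re.compile(r"^(cz|en)$")


def collect_args(url, headers, body, request_body_access=True):
    """Model of how ARGS is populated. Query-string arguments are always read;
    body arguments only when SecRequestBodyAccess is On *and* the Content-Type
    selects a body processor (only the urlencoded processor is modelled here;
    multipart is accepted by ModSecurity but not parsed by this toy).
    Returns (args, debug) where debug mimics the 'Adding request argument'
    lines Kamil was looking for in the level-9 debug log."""
    args, debug = [], []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        args.append((name, value))
        debug.append('Adding request argument (QUERY_STRING): name "%s", value "%s"' % (name, value))
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if not body or not request_body_access:
        return args, debug
    if ctype == "application/x-www-form-urlencoded":
        for name, value in parse_qsl(body, keep_blank_values=True):
            args.append((name, value))
            debug.append('Adding request argument (BODY): name "%s", value "%s"' % (name, value))
    elif ctype not in BODY_PROCESSOR_TYPES:
        # The silent case from the thread: the body is passed upstream untouched
        # and nothing is added to ARGS, so ARGS-based rules cannot fire.
        debug.append('(model) %d-byte body ignored: no body processor for Content-Type "%s"'
                     % (len(body), ctype))
    return args, debug


def evaluate_rules(path, args):
    """Apply the two chained rules; returns the ids that matched. Both rules
    carry 'pass', so in the real config a match is logged, not blocked."""
    matched = []
    if not TARGET_FILENAME.match(path):
        return matched  # first rule of each chain fails, so the chain stops
    if any(not KNOWN_ARG_NAMES.match(name) for name, _ in args):
        matched.append("12344001")  # ARGS_NAMES "!^(call|page|session)$"
    if any(not ALLOWED_LNG.match(value) for name, value in args if name == "lng"):
        matched.append("12344002")  # ARGS:lng "!^(cz|en)$"
    return matched


def inspect(url, headers, body=""):
    """Run one request through the model: (matched_rule_ids, debug_lines)."""
    args, debug = collect_args(url, headers, body)
    return evaluate_rules(urlsplit(url).path, args), debug


if __name__ == "__main__":
    target = "https://server.com/path_to_file/file.with.dots"
    cases = {
        "GET with ?lng=foo": (target + "?lng=foo", {}, ""),
        "POST lng=foo, no Content-Type (Kamil's proxy)": (target, {}, "lng=foo"),
        "POST lng=foo, urlencoded Content-Type": (
            target, {"Content-Type": "application/x-www-form-urlencoded"}, "lng=foo"),
    }
    for label, (url, headers, body) in cases.items():
        matched, debug = inspect(url, headers, body)
        print("%s -> matched %s" % (label, matched or "nothing"))
        for line in debug:
            print("    " + line)
```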
From: Stephen C. E. <ste...@gm...> - 2008-07-03 01:05:45
Hi Kamil,
Are you running the traffic through a web proxy like WebScarab or
Paros to make sure that the POST request body parameters are being
sent?
>> I tried the debug level 9 before I wrote the question. But I found
>> nothing suspicious in logs.
The debug log at level 9 shows the DNA of your ModSecurity app... Log
only the 2 scenarios you described, zip it (it highly compresses;
probably less than 40k), email it to me and I'll look at it.
Cheers,
Stephen
From: <Kam...@bd...> - 2008-07-03 07:19:04

Hi Stephen,

The first thing - using a local proxy - of course :-) (both)
The second thing - I'm going to prepare it

Thanks
Kamil