Thread: Re: [mod-security-users] How to write an IP automatically to a file?
From: Brian R. <Bri...@br...> - 2010-01-27 16:46:50
Lua support is optional.  Does your build have Lua support?

nm /path/to/modules/mod_security2.so | grep -i lua

If the above returns results, then you do have support.

-B

Sergio wrote:
> Hi William,
> I googled some info and found the following in
> http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity :
>
> "ModSecurity 2.5 Rule Scripting - Lua
>
> ModSecurity version 2.5 adds support for rule scripting via lua. Lua is
> known to have difficulties building. Lua build failures will not cause
> an Apache build to halt, but will provide errors in the build log upon
> build failure, and lua support will not be enabled. If you wish to use
> lua in your custom ruleset, you should read carefully on the proper
> usage of lua and ensure that the lua build was a success.
>
> *Where to store lua scripts*
>
> Lua scripts should be stored in */usr/local/apache/conf* in a sub
> directory such as */usr/local/apache/conf/modsec-lua*. Storing scripts
> in this location will ensure they are available whenever Apache
> configurations are tested or Apache is restarted. It will also keep them
> intact through EasyApache builds."
>
> So, after reading this I moved the script to the suggested directory,
> but it is still not working, even though it is not showing any error at
> all; maybe it is something that I am doing wrong in the lua script. Even
> the file "IPS.TXT" has been moved to the same directory as the script.
>
> Best Regards,
>
> Sergio
>
>
> On Wed, Jan 27, 2010 at 12:38 AM, William Salusky <wsa...@gm...> wrote:
>
>     Sounds like your module does not have Lua support built in.
>
>     W
>
>
>     On Wed, Jan 27, 2010 at 1:00 AM, <se...@gm...> wrote:
>
>         William,
>         I have moved the lua file to
>         /usr/local/apache/conf/modsec_rules, but the same error continues.
>
>         I have monitored the debug log and nothing weird shows up, only
>         this:
>
>         [26/Jan/2010:23:55:54 --0600]
>         [www.somedomain.com/sid#e958b80][rid#10ee8060][/index.php][1]
>         Access denied with code 406 (phase 2). Matched phrase "/matched"
>         at REQUEST_URI. [file
>         "/usr/local/apache/conf/modsec_rules/00_ip_write.conf"] [line
>         "2"] [id "999999"] [rev "1"] [msg "SECMAS: Malware Script
>         detected in URL"] [data "/matched"] [severity "CRITICAL"]
>
>         It doesn't say anything about an error copying the data to the
>         IP.TXT file.
>
>         Regards,
>         Sergio
>
>
>         On Jan 26, 2010 11:46pm, se...@gm... wrote:
>         > Hi William,
>         > Yes my modsec has been configured with LoadFile
>         /opt/lua/lib/liblua.so, I have already checked the apache
>         error_log but nothing is in there that shows an error in my rule.
>         >
>         > I set the debug but failed to have it on 1 instead of 3, I
>         will fix that.
>         >
>         > Let me change the lua file to the same directory where the
>         modsec_rules are.
>         >
>         > I will write you back with what I found, thanks.
>         >
>         > Regards,
>         > Sergio
>         >
>         >
>         > On Jan 26, 2010 11:30pm, William Salusky <wsa...@gm...> wrote:
>         > > 1. Is your mod_security module compiled with lua support?
>         If you're using a distribution's packaged module it may not have
>         lua support.
>         > >
>         > > 2. Do you have an appropriate   LoadFile /path/to/liblua.so
>         in your httpd.conf?
>         > >
>         > > 3. Are there any telling log entries in your Apache server
>         error_log?
>         > >
>         > > If still nothing, turn up Debug to at least 3 and try
>         generating some error_log output and see if that gives you any
>         insight.
>         > >
>         > > One last thing, since you are attempting to exec the lua
>         script from the /backup/ partition, not sure if it would affect
>         the outcome, but is that filesystem by chance mounted 'noexec'?
>         > >
>         > > W
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 11:09 PM, Sergio <se...@gm...> wrote:
>         > >
>         > > Hi William,
>         > > I have tested the rule but it is not working, I don't know if
>         it is because of a bad chmod in any of the files, here is what I
>         have done:
>         > >
>         > > SecRule REQUEST_URI "@pmFromFile my-file.txt" \
>         > > "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:'IP DETECTED',exec:'/backup/ip-write-test.lua',logdata:'%{TX.0}'"
>         > >
>         > > The SecRule is working its part, but the exec is not, for
>         the LUA file I wrote it in my /backup partition and chmod it
>         644, the other file "IPS.TXT" is also in my /backup partition
>         and has a chmod of 644.
>         > >
>         > > Are these settings ok or am I missing something?
>         > >
>         > > Regards,
>         > > Sergio
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 3:49 PM, William Salusky <wsa...@gm...> wrote:
>         > >
>         > > You can do that by calling a Lua script via the exec keyword.
>         > >
>         > > SecRule BLAH "BLAH" "log,auditlog,pass,id:'888801',msg:'ip-write-test',severity:'7',rev:'1',exec:/path/to/your_lua_scripts/ip-write-test.lua"
>         > >
>         > > =====
>         > >
>         > > function main()
>         > >   local fh = io.open("/tmp/ips.txt", "a+")
>         > >   if fh then
>         > >     local var1 = m.getvar("REMOTE_ADDR", "none")
>         > >     str1 = string.format('IP is: %s\n', var1)
>         > >
>         > >     fh:write(str1)
>         > >     fh:flush()
>         > >     fh:close()
>         > >   end
>         > >
>         > >   return fh ~= nil
>         > > end
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 3:55 PM, Sergio <se...@gm...> wrote:
>         > >
>         > > Hi,
>         > > Is it possible to create a rule that when it is triggered it
>         could write just the offender IP to a file other than the audit_log?
>         > >
>         > > Regards,
>         > > Sergio

-- 
Brian Rectanus
Breach Security
From: Sergio <se...@gm...> - 2010-01-27 17:36:11
I really want to thank both of you for your time on this, hope your
patience will be infinite, lol.

Ok, I have done the following:

# nm /usr/local/apache/modules/mod_security2.so | grep -i lua
         U luaL_checklstring
         U luaL_checknumber
         U luaL_loadfile
         U luaL_newstate
         U luaL_openlibs
         U luaL_register
         U lua_close
00009380 t lua_compile
         U lua_createtable
         U lua_dump
000090d0 t lua_execute
         U lua_getfield
         U lua_isstring
         U lua_isuserdata
         U lua_load
         U lua_objlen
         U lua_pcall
         U lua_pushlightuserdata
         U lua_pushlstring
         U lua_pushnil
         U lua_pushnumber
         U lua_pushstring
         U lua_rawgeti
         U lua_setfield
         U lua_settable
         U lua_settop
         U lua_tolstring
         U lua_topointer
         U lua_type
         U lua_typename
0002a170 t msre_rule_lua_create

And, also this:

# ldd /usr/local/apache/modules/mod_security2.so | egrep lua
        liblua-5.1.3.so => /opt/lua/lib/liblua-5.1.3.so (0x00d13000)

Do I need to install something else for this to run?

Best Regards,
Sergio
From: Brian R. <Bri...@br...> - 2010-01-27 17:39:14
I suggest you crank the debug log to level 9 and see if there are any
errors there.

-B

Sergio wrote:
> I really want to thank both of you for your time on this, hope your
> patience will be infinite, lol.
>
> Ok, I have done the following:
>
> # nm /usr/local/apache/modules/mod_security2.so | grep -i lua
>          U luaL_checklstring
>          U luaL_checknumber
>          U luaL_loadfile
>          U luaL_newstate
>          U luaL_openlibs
>          U luaL_register
>          U lua_close
> 00009380 t lua_compile
>          U lua_createtable
>          U lua_dump
> 000090d0 t lua_execute
>          U lua_getfield
>          U lua_isstring
>          U lua_isuserdata
>          U lua_load
>          U lua_objlen
>          U lua_pcall
>          U lua_pushlightuserdata
>          U lua_pushlstring
>          U lua_pushnil
>          U lua_pushnumber
>          U lua_pushstring
>          U lua_rawgeti
>          U lua_setfield
>          U lua_settable
>          U lua_settop
>          U lua_tolstring
>          U lua_topointer
>          U lua_type
>          U lua_typename
> 0002a170 t msre_rule_lua_create
>
> And, also this:
>
> # ldd /usr/local/apache/modules/mod_security2.so | egrep lua
>         liblua-5.1.3.so => /opt/lua/lib/liblua-5.1.3.so (0x00d13000)
>
> Do I need to install something else for this to run?
>
> Best Regards,
> Sergio

-- 
Brian Rectanus
Breach Security
From: William S. <wsa...@gm...> - 2010-01-27 18:37:46
Sergio,

Based on the path to your specific lua library, do you have the following
defined in your Apache httpd.conf?

LoadFile /opt/lua/lib/liblua-5.1.3.so

I would place this just before your LoadModule statement for
mod_security2.so

W

On Wed, Jan 27, 2010 at 12:36 PM, Sergio <se...@gm...> wrote:

> I really want to thank both of you for your time on this, hope your
> patience will be infinite, lol.
>
> Ok, I have done the following:
>
> # nm /usr/local/apache/modules/mod_security2.so | grep -i lua
>          U luaL_checklstring
>          U luaL_checknumber
>          U luaL_loadfile
>          U luaL_newstate
>          U luaL_openlibs
>          U luaL_register
>          U lua_close
> 00009380 t lua_compile
>          U lua_createtable
>          U lua_dump
> 000090d0 t lua_execute
>          U lua_getfield
>          U lua_isstring
>          U lua_isuserdata
>          U lua_load
>          U lua_objlen
>          U lua_pcall
>          U lua_pushlightuserdata
>          U lua_pushlstring
>          U lua_pushnil
>          U lua_pushnumber
>          U lua_pushstring
>          U lua_rawgeti
>          U lua_setfield
>          U lua_settable
>          U lua_settop
>          U lua_tolstring
>          U lua_topointer
>          U lua_type
>          U lua_typename
> 0002a170 t msre_rule_lua_create
>
> And, also this:
>
> # ldd /usr/local/apache/modules/mod_security2.so | egrep lua
>         liblua-5.1.3.so => /opt/lua/lib/liblua-5.1.3.so (0x00d13000)
>
> Do I need to install something else for this to run?
>
> Best Regards,
> Sergio
From: Sergio <se...@gm...> - 2010-01-27 20:47:28
Hi William,
I have set the LoadFile before mod_security2.so as you suggested, but
it didn't work either.

Maybe something is wrong in my Rule definition?

Regards,
Sergio

On Wed, Jan 27, 2010 at 12:37 PM, William Salusky <wsa...@gm...> wrote:

> Sergio,
>
> Based on the path to your specific lua library, do you have the following
> defined in your Apache httpd.conf?
>
> LoadFile /opt/lua/lib/liblua-5.1.3.so
>
> I would place this just before your LoadModule statement for
> mod_security2.so
>
> W
>
> On Wed, Jan 27, 2010 at 12:36 PM, Sergio <se...@gm...> wrote:
>
>> I really want to thank both of you for your time on this, hope your
>> patience will be infinite, lol.
>>
>> Ok, I have done the following:
>>
>> # nm /usr/local/apache/modules/mod_security2.so | grep -i lua
>>          U luaL_checklstring
>>          U luaL_checknumber
>>          U luaL_loadfile
>>          U luaL_newstate
>>          U luaL_openlibs
>>          U luaL_register
>>          U lua_close
>> 00009380 t lua_compile
>>          U lua_createtable
>>          U lua_dump
>> 000090d0 t lua_execute
>>          U lua_getfield
>>          U lua_isstring
>>          U lua_isuserdata
>>          U lua_load
>>          U lua_objlen
>>          U lua_pcall
>>          U lua_pushlightuserdata
>>          U lua_pushlstring
>>          U lua_pushnil
>>          U lua_pushnumber
>>          U lua_pushstring
>>          U lua_rawgeti
>>          U lua_setfield
>>          U lua_settable
>>          U lua_settop
>>          U lua_tolstring
>>          U lua_topointer
>>          U lua_type
>>          U lua_typename
>> 0002a170 t msre_rule_lua_create
>>
>> And, also this:
>>
>> # ldd /usr/local/apache/modules/mod_security2.so | egrep lua
>>         liblua-5.1.3.so => /opt/lua/lib/liblua-5.1.3.so (0x00d13000)
>>
>> Do I need to install something else for this to run?
>>
>> Best Regards,
>> Sergio
From: Sergio <se...@gm...> - 2010-01-28 19:54:12
Well, it seems that I am out of options. I have already set everything as
you said but it didn't work and I don't know if reinstalling LUA will cause
CPANEL not to run modsec, so, I will leave this as it is.

Thank you for your kind help.

Regards,
Sergio

On Wed, Jan 27, 2010 at 2:47 PM, Sergio <se...@gm...> wrote:

> Hi William,
> I have set the LoadFile before mod_security2.so as you suggested, but
> it didn't work either.
>
> Maybe something is wrong in my Rule definition?
>
> Regards,
> Sergio
>
> On Wed, Jan 27, 2010 at 12:37 PM, William Salusky <wsa...@gm...> wrote:
>
>> Sergio,
>>
>> Based on the path to your specific lua library, do you have the following
>> defined in your Apache httpd.conf?
>>
>> LoadFile /opt/lua/lib/liblua-5.1.3.so
>>
>> I would place this just before your LoadModule statement for
>> mod_security2.so
>>
>> W
>>
>> On Wed, Jan 27, 2010 at 12:36 PM, Sergio <se...@gm...> wrote:
>>
>>> I really want to thank both of you for your time on this, hope your
>>> patience will be infinite, lol.
>>>
>>> Ok, I have done the following:
>>>
>>> # nm /usr/local/apache/modules/mod_security2.so | grep -i lua
>>>          U luaL_checklstring
>>>          U luaL_checknumber
>>>          U luaL_loadfile
>>>          U luaL_newstate
>>>          U luaL_openlibs
>>>          U luaL_register
>>>          U lua_close
>>> 00009380 t lua_compile
>>>          U lua_createtable
>>>          U lua_dump
>>> 000090d0 t lua_execute
>>>          U lua_getfield
>>>          U lua_isstring
>>>          U lua_isuserdata
>>>          U lua_load
>>>          U lua_objlen
>>>          U lua_pcall
>>>          U lua_pushlightuserdata
>>>          U lua_pushlstring
>>>          U lua_pushnil
>>>          U lua_pushnumber
>>>          U lua_pushstring
>>>          U lua_rawgeti
>>>          U lua_setfield
>>>          U lua_settable
>>>          U lua_settop
>>>          U lua_tolstring
>>>          U lua_topointer
>>>          U lua_type
>>>          U lua_typename
>>> 0002a170 t msre_rule_lua_create
>>>
>>> And, also this:
>>>
>>> # ldd /usr/local/apache/modules/mod_security2.so | egrep lua
>>>         liblua-5.1.3.so => /opt/lua/lib/liblua-5.1.3.so (0x00d13000)
>>>
>>> Do I need to install something else for this to run?
>>>
>>> Best Regards,
>>> Sergio
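
The checks suggested in the replies above (Lua symbols in the module, LoadFile placed before the mod_security2.so LoadModule, a noexec mount under the script), collected into one script as an added example that is not part of the original thread. The function names are hypothetical and the httpd.conf and mount-table samples in demo() are constructed; whether noexec actually affects the Lua script is left open, as it is in the thread.

```shell
#!/bin/sh
# Added example. The sample data in demo() is constructed for illustration.

# Check from Brian's reply: stdin = output of `nm mod_security2.so`.
has_lua_symbols() { grep -qi 'lua'; }

# Check from William's reply: stdin = httpd.conf text. Succeeds only if an
# active LoadFile for liblua precedes the LoadModule for mod_security2.so.
loadfile_before_module() {
    awk '
        /^[ \t]*#/ { next }    # commented-out directives do not count
        !lua && tolower($1) == "loadfile" && $2 ~ /liblua/ { lua = NR }
        !mod && tolower($1) == "loadmodule" && /mod_security2\.so/ { mod = NR }
        END { exit !(lua && mod && lua < mod) }
    '
}

# William's noexec question: $1 = script path, stdin = mount table in
# /proc/mounts format. The longest mount point containing the path decides.
path_is_noexec() {
    awk -v p="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : (mp "/") }
        index(p "/", pre) == 1 && length(mp) > best { best = length(mp); opts = $4 }
        END { exit !(("," opts ",") ~ /,noexec,/) }
    '
}

demo() {
    # Constructed httpd.conf fragment with the two directives in the wrong order.
    conf='LoadModule security2_module modules/mod_security2.so
LoadFile /opt/lua/lib/liblua-5.1.3.so'
    # Constructed mount table.
    mounts='/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /backup ext3 rw,noexec 0 0'
    if printf '%s\n' "$conf" | loadfile_before_module; then
        echo "LoadFile order: ok"
    else
        echo "LoadFile order: liblua must be loaded before mod_security2.so"
    fi
    if printf '%s\n' "$mounts" | path_is_noexec /backup/ip-write-test.lua; then
        echo "/backup is mounted noexec"
    fi
}
demo
```

On a live host, pipe in the output of nm on the module, the real httpd.conf, and /proc/mounts in place of the constructed strings.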