Thread: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-04 13:27:00
You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.

Thanks,
Ryan C. Barnett

----- Original Message -----
From: mod...@li... <mod...@li...>
To: mod...@li... <mod...@li...>
Sent: Sat May 03 09:26:02 2008
Subject: [mod-security-users] Newbie Question - ModSec + SquidGuard

Hello all,

Firstly let me say that, having just installed ModSecurity I am *very* impressed with it. Thank you to all the devs for such a great product.

I am not a sysadmin, I just have a simple, largely static, website with a few bits of dynamic content (eg a squirrelmail webmail package serving up my family's mail from behind an AuthUserFile password protected area).

I protect my children from undesirable web content by using a squid proxy server + squidGuard filter.

Prior to installing ModSecurity this worked just fine, redirecting to a page informing them that the site is blocked.

Now they just get a 400 Bad Request which can be confusing.

I think that ModSecurity is blocking access to the squidGuard.cgi app which serves up the squidGuard blocking page, but I think ModSecurity is blocking because it's come via a numeric IP. (see extract from debug.log)

[03/May/2008:14:09:11 +0100] [www.mydomain.co.uk/sid#b92b64a8][rid#b97a0f80][/cgi-bin/squidGuard.cgi][1] Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"]

This causes problems because my internal network relies heavily on numerical IP addresses.

Commenting out the above rule in modsecurity_crs_21_protocol_anomalies.conf allows it all to work properly again but I am not sure this is the best way to solve the problem.

Should I create a local rule? If so how? (I might need some hand-holding...)

Thanks in advance for any help.

Mark
From: Arthur D. <mis...@bl...> - 2008-05-28 18:25:31
On Tue, May 27, 2008 at 06:40:37PM -0400, Ryan Barnett wrote:
> Ok, try this, just add this new rule to the top of the existing modsecurity_20_protocol_violations.conf file and see what happens.
>
> Thanks,
> Ryan C. Barnett

Aha! Brilliant idea....

And guess what? It works!

Here is the entry from modsec_debug.log (level 3)

[28/May/2008:19:08:27 +0100] [www.mydomain.uk/sid#b872e4a8][rid#b8c20598][/cgi-bin/squidGuard.cgi][1] Access denied with redirection to http://mydomain.co.uk/cgi-bin/squidGuard.cgi using status 302 (phase 2). Pattern match "^192\\.168\\.123\\." at REMOTE_ADDR. [id "1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

There are just 2 small problems:

1) Why doesn't it work when it is in its own rule file?

2) Under normal operation the proxy passes some information to the .cgi script to be displayed on the user's screen (i.e. the squid rule group breached, the url etc..) This no longer works, with that information left blank. Not the end of the world but it would be nice if it could be made to work properly...

Thanks for your help. It feels like I'm getting somewhere now...

Mark
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-28 19:04:09
> -----Original Message-----
> From: Arthur Dent [mailto:mis...@bl...]
> Sent: Wednesday, May 28, 2008 2:25 PM
> To: Ryan Barnett
> Cc: mod...@li...
> Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> On Tue, May 27, 2008 at 06:40:37PM -0400, Ryan Barnett wrote:
> > Ok, try this, just add this new rule to the top of the existing modsecurity_20_protocol_violations.conf file and see what happens.
> >
> > Thanks,
> > Ryan C. Barnett
>
> Aha! Brilliant idea....
>
> And guess what? It works!
>
> Here is the entry from modsec_debug.log (level 3)
>
> [28/May/2008:19:08:27 +0100] [www.mydomain.uk/sid#b872e4a8][rid#b8c20598][/cgi-bin/squidGuard.cgi][1] Access denied with redirection to http://mydomain.co.uk/cgi-bin/squidGuard.cgi using status 302 (phase 2). Pattern match "^192\\.168\\.123\\." at REMOTE_ADDR. [id "1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
>
> There are just 2 small problems:
>
> 1) Why doesn't it work when it is in its own rule file?

[Ryan Barnett] Not quite sure - ownership/permissions maybe.

> 2) Under normal operation the proxy passes some information to the .cgi script to be displayed on the user's screen (i.e. the squid rule group breached, the url etc..) This no longer works, with that information left blank. Not the end of the world but it would be nice if it could be made to work properly...

[Ryan Barnett] Since Mod is issuing a Redirect to the CGI script, the script should be able to dynamically insert this info from the ENV. You would need to use SSIs - http://httpd.apache.org/docs/2.2/howto/ssi.html
From: Arthur D. <mis...@bl...> - 2008-05-21 13:55:45
Apologies for the slow response from me. I got hit by an altered deadline at work which has taken over my life... ...till now... Phew!

On Sun, May 04, 2008 at 09:26:49AM -0400, Ryan Barnett wrote:
> You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
>
> Thanks,
> Ryan C. Barnett

OK - That's interesting. How would I construct a rule that blocks all numeric IPs *unless* they are from my internal network (192.168.100.0/24) in which case they get redirected to the squidguard .cgi page?

I have never written a mod-sec rule before so I might need some hand-holding!

Thanks again...

Mark

> ----- Original Message -----
> From: mod...@li... <mod...@li...>
> To: mod...@li... <mod...@li...>
> Sent: Sat May 03 09:26:02 2008
> Subject: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> Hello all,
>
> Firstly let me say that, having just installed ModSecurity I am *very* impressed with it. Thank you to all the devs for such a great product.
>
> I am not a sysadmin, I just have a simple, largely static, website with a few bits of dynamic content (eg a squirrelmail webmail package serving up my family's mail from behind an AuthUserFile password protected area).
>
> I protect my children from undesirable web content by using a squid proxy server + squidGuard filter.
>
> Prior to installing ModSecurity this worked just fine, redirecting to a page informing them that the site is blocked.
>
> Now they just get a 400 Bad Request which can be confusing.
>
> I think that ModSecurity is blocking access to the squidGuard.cgi app which serves up the squidGuard blocking page, but I think ModSecurity is blocking because it's come via a numeric IP. (see extract from debug.log)
>
> [03/May/2008:14:09:11 +0100] [www.mydomain.co.uk/sid#b92b64a8][rid#b97a0f80][/cgi-bin/squidGuard.cgi][1] Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"]
>
> This causes problems because my internal network relies heavily on numerical IP addresses.
>
> Commenting out the above rule in modsecurity_crs_21_protocol_anomalies.conf allows it all to work properly again but I am not sure this is the best way to solve the problem.
>
> Should I create a local rule? If so how? (I might need some hand-holding...)
>
> Thanks in advance for any help.
>
> Mark
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-21 14:26:10
> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> Sent: Wednesday, May 21, 2008 9:55 AM
> To: mod...@li...
> Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> On Sun, May 04, 2008 at 09:26:49AM -0400, Ryan Barnett wrote:
> > You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
> >
> > Thanks,
> > Ryan C. Barnett
>
> OK - That's interesting. How would I construct a rule that blocks all numeric IPs *unless* they are from my internal network (192.168.100.0/24) in which case they get redirected to the squidguard .cgi page?
>
> I have never written a mod-sec rule before so I might need some hand-holding!

[Ryan Barnett] What is the exact version of Mod that you are using (as there are some features that may be available)? Assuming that you are using 2.5.x, then you should be able to add the following rule to a rules file BEFORE the other existing modsecurity_crs_21_protocol_anomalies.conf file -

SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
SecRule REMOTE_ADDR "@beginsWith 192.168.100."

Keep in mind that this is two separate lines that each start with "SecRule" (email systems sometimes munge up the rules).

Let me know how this works for you,
Ryan
From: Arthur D. <mis...@bl...> - 2008-05-21 15:25:17
On Wed, May 21, 2008 at 10:25:59AM -0400, Ryan Barnett wrote:
> ClamAV 0.93
>
> > > You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
> > >
> > > Thanks,
> > > Ryan C. Barnett
> >
> > OK - That's interesting. How would I construct a rule that blocks all numeric IPs *unless* they are from my internal network (192.168.100.0/24) in which case they get redirected to the squidguard .cgi page?
> >
> > I have never written a mod-sec rule before so I might need some hand-holding!
>
> [Ryan Barnett] What is the exact version of Mod that you are using (as there are some features that may be available)? Assuming that you are using 2.5.x, then you should be able to add the following rule to a rules file BEFORE the other existing modsecurity_crs_21_protocol_anomalies.conf file -

Ahhh... I am using mod_security-2.1.7-1.fc8 (this is a Fedora 8 system and I prefer to use the packages in the repository where possible - 2.1.7 appears to be the latest!) Will it still work?

> SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
> SecRule REMOTE_ADDR "@beginsWith 192.168.100."
>
> Keep in mind that this is two separate lines that each start with "SecRule" (email systems sometimes munge up the rules).
>
> Let me know how this works for you,
> Ryan

Well I can't test it at the moment (still at work) but if you think the above rule will work with 2.1.7 I'll give it a go when I get home...

Thanks for your help so far.

Mark
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-21 15:31:23
OK, in this case, you can't use the @beginsWith operator but that is fine as you can just revert to using @rx for specifying the IP range -

SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
SecRule REMOTE_ADDR "@rx ^192\.168\.100\."

This should work.

-Ryan

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> Sent: Wednesday, May 21, 2008 11:25 AM
> To: mod...@li...
> Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> On Wed, May 21, 2008 at 10:25:59AM -0400, Ryan Barnett wrote:
> > ClamAV 0.93
> >
> > > > You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
> > > >
> > > > Thanks,
> > > > Ryan C. Barnett
> > >
> > > OK - That's interesting. How would I construct a rule that blocks all numeric IPs *unless* they are from my internal network (192.168.100.0/24) in which case they get redirected to the squidguard .cgi page?
> > >
> > > I have never written a mod-sec rule before so I might need some hand-holding!
> >
> > [Ryan Barnett] What is the exact version of Mod that you are using (as there are some features that may be available)? Assuming that you are using 2.5.x, then you should be able to add the following rule to a rules file BEFORE the other existing modsecurity_crs_21_protocol_anomalies.conf file -
>
> Ahhh... I am using mod_security-2.1.7-1.fc8 (this is a Fedora 8 system and I prefer to use the packages in the repository where possible - 2.1.7 appears to be the latest!) Will it still work?
>
> > SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
> > SecRule REMOTE_ADDR "@beginsWith 192.168.100."
> >
> > Keep in mind that this is two separate lines that each start with "SecRule" (email systems sometimes munge up the rules).
> >
> > Let me know how this works for you,
> > Ryan
>
> Well I can't test it at the moment (still at work) but if you think the above rule will work with 2.1.7 I'll give it a go when I get home...
>
> Thanks for your help so far.
>
> Mark
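The chained rule Ryan gives above (the @beginsWith form for 2.5.x and the @rx form for 2.1.7) relies on two ModSecurity behaviours that are easy to get wrong: every link in a chain has to match before the first link's disruptive action fires, and phase-2 rules run in the order their files are included, so whichever matching rule comes first intercepts the request. The following Python script is an added example, not code from the thread or from ModSecurity; it emulates just enough of the engine (the @rx operator, no transformations, one variable per link) to show why an internal client with a numeric Host header gets the 302 redirect when the custom file loads first, but the CRS rule 960017's 400 when it loads second. The IP addresses in the sample transactions are constructed.

```python
import re

# Added example, not from the thread: a minimal emulation of ModSecurity's
# chain semantics and rule ordering. Only @rx is modelled and no
# transformations are applied; the real engine has far more machinery.

# CRS rule 960017 as described in the thread: numeric Host header -> deny 400.
CRS_960017 = [{
    "id": "960017",
    "var": "REQUEST_HEADERS:Host",
    "rx": r"^[\d\.]+$",
    "action": ("deny", 400, None),
    "msg": "Host header is a numeric IP address",
}]

# Ryan's custom chain: link 1 matches a numeric Host header, link 2 restricts
# the match to the internal 192.168.100.0/24 range. Only when BOTH links match
# does the disruptive action of link 1 (redirect 302) fire.
CUSTOM_CHAIN = [
    {
        "id": "1",
        "var": "REQUEST_HEADERS:Host",
        "rx": r"^[\d\.]+$",
        "action": ("redirect", 302,
                   "http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi"),
        "msg": "Host header is a numeric IP address",
    },
    {"var": "REMOTE_ADDR", "rx": r"^192\.168\.100\."},
]


def get_var(tx, name):
    """Resolve a ModSecurity-style variable name against a transaction dict."""
    if name.startswith("REQUEST_HEADERS:"):
        header = name.split(":", 1)[1].lower()
        return tx["headers"].get(header, "")
    return tx.get(name, "")


def chain_matches(chain, tx):
    """A chain matches only if every link's operator matches its target."""
    return all(re.search(link["rx"], get_var(tx, link["var"])) for link in chain)


def evaluate(tx, rule_files):
    """Run phase-2 rules in file order and return the first disruptive action.

    rule_files is an ordered list of chains, mirroring the order of Include
    lines in httpd.conf: the first chain that matches intercepts the request,
    which is why the custom file has to be loaded before the CRS file.
    """
    for chain in rule_files:
        if chain_matches(chain, tx):
            kind, status, target = chain[0]["action"]
            return {"id": chain[0]["id"], "kind": kind,
                    "status": status, "redirect": target}
    return {"id": None, "kind": "pass", "status": 200, "redirect": None}


def make_tx(host, remote_addr):
    """Constructed transaction: only the fields the rules look at."""
    return {"headers": {"host": host}, "REMOTE_ADDR": remote_addr}


# Custom file included BEFORE the CRS file (what Ryan recommends).
CUSTOM_FIRST = [CUSTOM_CHAIN, CRS_960017]
# CRS file included first: the custom rule never gets a chance to run.
CRS_FIRST = [CRS_960017, CUSTOM_CHAIN]

if __name__ == "__main__":
    # Constructed sample traffic: internal client, external client, named host.
    for order_name, order in (("custom first", CUSTOM_FIRST), ("CRS first", CRS_FIRST)):
        for host, addr in (("192.168.100.101", "192.168.100.17"),
                           ("192.168.100.101", "203.0.113.9"),
                           ("www.mydomain.co.uk", "192.168.100.17")):
            print(order_name, host, addr, evaluate(make_tx(host, addr), order))
```

Running it prints one line per ordering and client: with the custom file first the internal client is redirected and the external client still gets the 400 from 960017; with the CRS file first the internal client gets the 400 as well, which is the symptom Mark reports.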
From: Arthur D. <mis...@bl...> - 2008-05-26 17:46:53
On Wed, May 21, 2008 at 11:31:20AM -0400, Ryan Barnett wrote:
>
> OK, in this case, you can't use the @beginsWith operator but that is fine as you can just revert to using @rx for specifying the IP range -
>
> SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
> SecRule REMOTE_ADDR "@rx ^192\.168\.100\."
>
> This should work.
>
> -Ryan

Well I really appreciate your help with this, but I'm afraid I still can't get it to work.

First I put these 2 lines (having fixed the line wrap) in /etc/httpd/modsecurity.d/modsecurity_localrules.conf but that didn't work (instead of being redirected to the squidGuard.cgi script the user still gets a 400 not found page). I wasn't sure of the precedence of localrules.conf over the other rulesets (esp the /modsecurity_crs_21_protocol_anomalies.conf rule) so I created a new set called /modsecurity_15_myrule.conf and tried running with your lines in that. Still no joy. (Note I *did* remember to restart Apache after each change).

I would still be curious to try to get this working as an exercise in learning rule writing, but I'm afraid I have a bigger problem.

I have registered 3 versions of my domain name (www.mydomain.org.uk, www.mydomain.org, and http://mydomain.mine.nu) each with a different registrar. I have my webserver on a static IP address and I point each of those domains at that IP using the tools provided by the registrars. Of all of the three, only the (free!) http://mydomain.mine.u registered with DynDNS.com, seems to be able to direct to pages and sub-pages without triggering the numeric IP rule!

Is there anything I can do about this or am I stuck with turning the numeric IP address rule off?

Thanks again.

Mark

> > -----Original Message-----
> > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> > Sent: Wednesday, May 21, 2008 11:25 AM
> > To: mod...@li...
> > Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
> >
> > On Wed, May 21, 2008 at 10:25:59AM -0400, Ryan Barnett wrote:
> > > ClamAV 0.93
> > >
> > > > > You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
> > > > >
> > > > > Thanks,
> > > > > Ryan C. Barnett
> > > >
> > > > OK - That's interesting. How would I construct a rule that blocks all numeric IPs *unless* they are from my internal network (192.168.100.0/24) in which case they get redirected to the squidguard .cgi page?
> > > >
> > > > I have never written a mod-sec rule before so I might need some hand-holding!
> > >
> > > [Ryan Barnett] What is the exact version of Mod that you are using (as there are some features that may be available)? Assuming that you are using 2.5.x, then you should be able to add the following rule to a rules file BEFORE the other existing modsecurity_crs_21_protocol_anomalies.conf file -
> >
> > Ahhh... I am using mod_security-2.1.7-1.fc8 (this is a Fedora 8 system and I prefer to use the packages in the repository where possible - 2.1.7 appears to be the latest!) Will it still work?
> >
> > > SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
> > > SecRule REMOTE_ADDR "@beginsWith 192.168.100."
> > >
> > > Keep in mind that this is two separate lines that each start with "SecRule" (email systems sometimes munge up the rules).
> > >
> > > Let me know how this works for you,
> > > Ryan
> >
> > Well I can't test it at the moment (still at work) but if you think the above rule will work with 2.1.7 I'll give it a go when I get home...
> >
> > Thanks for your help so far.
> >
> > Mark
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-27 13:04:11
Question - how are you calling up the rule files in your httpd.conf file? Are you explicitly listing them or are you using wildcards to include all files in your rules directory? If it is the former, then make sure you specify your new rules file. If it is the latter, then the name of your file is important as you want your custom rules to run before the other rules. I would recommend that you use the same naming format that the Core Rules uses but with a lower number - modsecurity_crs_15_customrules.conf.

If that doesn't fix things, then it is time for the debug log. Change the SecDebugLogLevel to a higher level to see exactly what is happening when that rule is being processed and why it isn't matching.

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> Sent: Monday, May 26, 2008 1:47 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> On Wed, May 21, 2008 at 11:31:20AM -0400, Ryan Barnett wrote:
> >
> > OK, in this case, you can't use the @beginsWith operator but that is fine as you can just revert to using @rx for specifying the IP range -
> >
> > SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
> > SecRule REMOTE_ADDR "@rx ^192\.168\.100\."
> >
> > This should work.
> >
> > -Ryan
>
> Well I really appreciate your help with this, but I'm afraid I still can't get it to work.
>
> First I put these 2 lines (having fixed the line wrap) in /etc/httpd/modsecurity.d/modsecurity_localrules.conf but that didn't work (instead of being redirected to the squidGuard.cgi script the user still gets a 400 not found page). I wasn't sure of the precedence of localrules.conf over the other rulesets (esp the /modsecurity_crs_21_protocol_anomalies.conf rule) so I created a new set called /modsecurity_15_myrule.conf and tried running with your lines in that. Still no joy. (Note I *did* remember to restart Apache after each change).
>
> I would still be curious to try to get this working as an exercise in learning rule writing, but I'm afraid I have a bigger problem.
>
> I have registered 3 versions of my domain name (www.mydomain.org.uk, www.mydomain.org, and http://mydomain.mine.nu) each with a different registrar. I have my webserver on a static IP address and I point each of those domains at that IP using the tools provided by the registrars. Of all of the three, only the (free!) http://mydomain.mine.u registered with DynDNS.com, seems to be able to direct to pages and sub-pages without triggering the numeric IP rule!
>
> Is there anything I can do about this or am I stuck with turning the numeric IP address rule off?
>
> Thanks again.
>
> Mark
>
> > > -----Original Message-----
> > > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> > > Sent: Wednesday, May 21, 2008 11:25 AM
> > > To: mod...@li...
> > > Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
> > >
> > > On Wed, May 21, 2008 at 10:25:59AM -0400, Ryan Barnett wrote:
> > > > ClamAV 0.93
> > > >
> > > > > > You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
> > > > > >
> > > > > > Thanks,
> > > > > > Ryan C. Barnett
> > > > >
> > > > > OK - That's interesting. How would I construct a rule that blocks all numeric IPs *unless* they are from my internal network (192.168.100.0/24) in which case they get redirected to the squidguard .cgi page?
> > > > >
> > > > > I have never written a mod-sec rule before so I might need some hand-holding!
> > > >
> > > > [Ryan Barnett] What is the exact version of Mod that you are using (as there are some features that may be available)? Assuming that you are using 2.5.x, then you should be able to add the following rule to a rules file BEFORE the other existing modsecurity_crs_21_protocol_anomalies.conf file -
> > >
> > > Ahhh... I am using mod_security-2.1.7-1.fc8 (this is a Fedora 8 system and I prefer to use the packages in the repository where possible - 2.1.7 appears to be the latest!) Will it still work?
> > >
> > > > SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://www.mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
> > > > SecRule REMOTE_ADDR "@beginsWith 192.168.100."
> > > >
> > > > Keep in mind that this is two separate lines that each start with "SecRule" (email systems sometimes munge up the rules).
> > > >
> > > > Let me know how this works for you,
> > > > Ryan
> > >
> > > Well I can't test it at the moment (still at work) but if you think the above rule will work with 2.1.7 I'll give it a go when I get home...
> > >
> > > Thanks for your help so far.
> > >
> > > Mark
From: Arthur D. <mis...@bl...> - 2008-05-27 18:17:51
On Tue, May 27, 2008 at 09:04:23AM -0400, Ryan Barnett wrote:
> Question - how are you calling up the rule files in your httpd.conf file? Are you explicitly listing them or are you using wildcards to include all files in your rules directory? If it is the former, then make sure you specify your new rules file. If it is the latter, then the name of your file is important as you want your custom rules to run before the other rules. I would recommend that you use the same naming format that the Core Rules uses but with a lower number - modsecurity_crs_15_customrules.conf.

Well actually it is explicitly called from httpd.conf but I changed the name to /etc/httpd/modsecurity.d/modsecurity_crs_15_myrule.conf so that it would be in line with the others.

I checked that it is being read by putting a deliberate mistake into the file and then restarting Apache. Sure enough it reports an error.

> If that doesn't fix things, then it is time for the debug log. Change the SecDebugLogLevel to a higher level to see exactly what is happening when that rule is being processed and why it isn't matching.

OK. Here is the output from /var/log/httpd/modsec_debug.log.

http://pastebin.com/m6d5ed81

The first entry is with debug level set to the default level 3. The next gazillion lines are from a similar event, but with debug level set to 9.

I have no idea what most of it means, and I certainly can't tell if it is correctly applying the rule...

The event in question is attempting to access www.runescape.com, a game site which should be blocked by squidGuard for my kids' computers at this time of day...

I have also put up the rule file in case I have made a mistake in editing out the line wraps. It can be found here:

http://pastebin.com/m142b9f6b

Incidentally - another question I'm afraid. Given that this is all taking place within my own network, could the rule not redirect to 192.168.100.101/cgi-bin/squidGuard.cgi instead of going outside the network in order to come back in to that page?

Thanks again for your support - much appreciated.

Mark
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-27 19:02:35
Your rule is not being executed as the first rule that is running is the HTTP request line verification rule from the modsecurity_crs_20_protocol_violations.conf file. If your file is being specified before that one, then there "should" be an entry in the debug log for it. Can you show me the entries in your httpd.conf file?

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> Sent: Tuesday, May 27, 2008 2:18 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> On Tue, May 27, 2008 at 09:04:23AM -0400, Ryan Barnett wrote:
> > Question - how are you calling up the rule files in your httpd.conf file? Are you explicitly listing them or are you using wildcards to include all files in your rules directory? If it is the former, then make sure you specify your new rules file. If it is the latter, then the name of your file is important as you want your custom rules to run before the other rules. I would recommend that you use the same naming format that the Core Rules uses but with a lower number - modsecurity_crs_15_customrules.conf.
>
> Well actually it is explicitly called from httpd.conf but I changed the name to /etc/httpd/modsecurity.d/modsecurity_crs_15_myrule.conf so that it would be in line with the others.
>
> I checked that it is being read by putting a deliberate mistake into the file and then restarting Apache. Sure enough it reports an error.
>
> > If that doesn't fix things, then it is time for the debug log. Change the SecDebugLogLevel to a higher level to see exactly what is happening when that rule is being processed and why it isn't matching.
>
> OK. Here is the output from /var/log/httpd/modsec_debug.log.
>
> http://pastebin.com/m6d5ed81
>
> The first entry is with debug level set to the default level 3. The next gazillion lines are from a similar event, but with debug level set to 9.
>
> I have no idea what most of it means, and I certainly can't tell if it is correctly applying the rule...
>
> The event in question is attempting to access www.runescape.com, a game site which should be blocked by squidGuard for my kids' computers at this time of day...
>
> I have also put up the rule file in case I have made a mistake in editing out the line wraps. It can be found here:
>
> http://pastebin.com/m142b9f6b
>
> Incidentally - another question I'm afraid. Given that this is all taking place within my own network, could the rule not redirect to 192.168.100.101/cgi-bin/squidGuard.cgi instead of going outside the network in order to come back in to that page?
>
> Thanks again for your support - much appreciated.
>
> Mark
From: Arthur D. <mis...@bl...> - 2008-05-27 19:08:14
On Tue, May 27, 2008 at 02:40:29PM -0400, Ryan Barnett wrote:
> Your rule is not being executed as the first rule that is running is the HTTP request line verification rule from the modsecurity_crs_20_protocol_violations.conf file. If your file is being specified before that one, then there "should" be an entry in the debug log for it. Can you show me the entries in your httpd.conf file?

<IfModule mod_security2.c>
    # This is the ModSecurity Core Rules Set.

    # Basic configuration goes in here
    Include modsecurity.d/modsecurity_crs_10_config.conf
    #SecAuditLog logs/audit_log

    # Protocol violation and anomalies.
    Include modsecurity.d/modsecurity_crs_15_myrule.conf
    Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
    Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

    # HTTP policy rules
    Include modsecurity.d/modsecurity_crs_30_http_policy.conf

    # Here comes the Bad Stuff...
    Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
    Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
    Include modsecurity.d/modsecurity_crs_45_trojans.conf
    Include modsecurity.d/modsecurity_crs_50_outbound.conf

    # Search engines and other crawlers. Only useful if you want to track
    # Google / Yahoo et. al.
    # Include modsecurity.d/modsecurity_crs_55_marketing.conf

    # Put your local rules in here.
    Include modsecurity.d/modsecurity_localrules.conf
</IfModule>

Anything wrong?

Thanks for helping...

Mark
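Ryan's earlier point about Include order (an explicit list loads files in the order written; a wildcard Include loads the matching files in alphabetical order, so the file name decides when a custom rule runs) is something worth checking mechanically before reaching for the debug log. The script below is an added example, not from the thread or from Apache, that computes the effective load order for both Include styles and reports whether a custom rules file lands before the CRS protocol files (prefixes modsecurity_crs_20_ and modsecurity_crs_21_). The <IfModule> block is Mark's, trimmed to its Include lines; the directory listing for the wildcard case is a constructed stand-in for the filesystem, modelled on the ls output Ryan posts later in the thread.

```python
import fnmatch
import posixpath
import re

# Added example, not from the thread: compute the order in which Apache will
# load ModSecurity rule files and check that a custom file precedes the CRS
# protocol rules. Apache loads a wildcard Include alphabetically, which is why
# a name sorting below "modsecurity_crs_20_" is too late under a wildcard.

INCLUDE_RE = re.compile(r"^Include\s+(\S+)", re.IGNORECASE)


def include_order(conf_text, listing):
    """Return the effective list of included paths, in load order.

    conf_text: the <IfModule> block from httpd.conf.
    listing: constructed stand-in for the filesystem, mapping a directory
             (as written in the Include line) to the names it contains.
    """
    order = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines never load anything
        m = INCLUDE_RE.match(stripped)
        if not m:
            continue
        path = m.group(1)
        directory, pattern = posixpath.split(path)
        if any(ch in pattern for ch in "*?["):
            # Wildcard: alphabetical order of the matching names.
            names = sorted(n for n in listing.get(directory, [])
                           if fnmatch.fnmatch(n, pattern))
            order.extend(posixpath.join(directory, n) for n in names)
        else:
            order.append(path)
    return order


def custom_before_crs(order, custom_name,
                      crs_prefixes=("modsecurity_crs_20_", "modsecurity_crs_21_")):
    """True if custom_name is loaded before every file with a CRS protocol prefix."""
    names = [posixpath.basename(p) for p in order]
    if custom_name not in names:
        return False  # not included at all, so it can never run
    custom_pos = names.index(custom_name)
    return all(custom_pos < i for i, n in enumerate(names) if n.startswith(crs_prefixes))


# Mark's explicit Include block, reduced to the lines that load rule files.
MARK_CONF = """<IfModule mod_security2.c>
    Include modsecurity.d/modsecurity_crs_10_config.conf
    #SecAuditLog logs/audit_log
    Include modsecurity.d/modsecurity_crs_15_myrule.conf
    Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
    Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
    Include modsecurity.d/modsecurity_crs_30_http_policy.conf
    # Include modsecurity.d/modsecurity_crs_55_marketing.conf
    Include modsecurity.d/modsecurity_localrules.conf
</IfModule>"""

# Ryan's wildcard style, with a constructed directory listing.
WILDCARD_CONF = """<IfModule security2_module>
    Include conf/rules/*.conf
</IfModule>"""

RULES_DIR = {"conf/rules": [
    "CHANGELOG", "LICENSE", "README", "optional_rules",
    "modsecurity_crs_10_config.conf", "modsecurity_crs_15_customrules.conf",
    "modsecurity_crs_20_protocol_violations.conf",
    "modsecurity_crs_21_protocol_anomalies.conf",
    "modsecurity_crs_23_request_limits.conf", "modsecurity_crs_30_http_policy.conf",
    "modsecurity_crs_35_bad_robots.conf", "modsecurity_crs_40_generic_attacks.conf",
    "modsecurity_crs_45_trojans.conf", "modsecurity_crs_50_outbound.conf",
]}

# Same directory with the custom rule placed in the stock localrules file:
# under a wildcard it sorts after every modsecurity_crs_* file.
LATE_RULES_DIR = {"conf/rules": RULES_DIR["conf/rules"] + ["modsecurity_localrules.conf"]}

if __name__ == "__main__":
    for label, conf, listing, custom in (
            ("explicit, 15_myrule", MARK_CONF, {}, "modsecurity_crs_15_myrule.conf"),
            ("explicit, localrules", MARK_CONF, {}, "modsecurity_localrules.conf"),
            ("wildcard, 15_customrules", WILDCARD_CONF, RULES_DIR, "modsecurity_crs_15_customrules.conf"),
            ("wildcard, localrules", WILDCARD_CONF, LATE_RULES_DIR, "modsecurity_localrules.conf")):
        print(label, "->", "runs before CRS" if custom_before_crs(include_order(conf, listing), custom) else "runs too late")
```

The last two cases are the trap Ryan is describing: a rule dropped into modsecurity_localrules.conf is syntactically fine and loads without error (so the deliberate-mistake test Mark used passes), yet it runs after the CRS protocol rules under either Include style and never sees the request.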
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-27 20:31:41
Not sure why this isn't working for you. I just installed Mod 2.1.7 with the CRS and added the rule I gave you (with my own internal LAN IP range) to a custom rules file and everything works fine -

[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Starting phase REQUEST_BODY.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] This phase consists of 85 rule(s).
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Recipe: Invoking rule 8158b78.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Executing operator rx with param "^[\\d\\.]+$" against REQUEST_HEADERS:Host.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Target value: 192.168.10.109
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Operator completed in 139 usec.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Rule returned 1.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Match -> mode NEXT_RULE.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Recipe: Invoking rule 8158dd8.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] T (0) lowercase: 192.168.10.17
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] T (0) replaceNulls: 192.168.10.17
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] T (0) compressWhitespace: 192.168.10.17
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Executing operator rx with param "^192\\.168\\.10\\." against REMOTE_ADDR.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Target value: 192.168.10.17
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Operator completed in 10 usec.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Rule returned 1.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Match, intercepted -> returning.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][1] Access denied with redirection to http://mydomain.co.uk/cgi-bin/squidGuard.cgi using status 302 (phase 2). Pattern match "^192\\.168\\.10\\." at REMOTE_ADDR . [id "1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

This is how I am calling up the configs in the httpd.conf file -

<IfModule security2_module>
    Include conf/rules/*.conf
</IfModule>

Here is the rules directory and custom rules contents -

root@ubuntu:/usr/local/apache/conf/rules# pwd
/usr/local/apache/conf/rules
root@ubuntu:/usr/local/apache/conf/rules# ls
CHANGELOG                                    modsecurity_crs_30_http_policy.conf
LICENSE                                      modsecurity_crs_35_bad_robots.conf
modsecurity_crs_10_config.conf               modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_15_customrules.conf          modsecurity_crs_45_trojans.conf
modsecurity_crs_20_protocol_violations.conf  modsecurity_crs_50_outbound.conf
modsecurity_crs_21_protocol_anomalies.conf   optional_rules
modsecurity_crs_23_request_limits.conf       README
root@ubuntu:/usr/local/apache/conf/rules# cat *15*
SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "chain,phase:2,t:none,redirect:http://mydomain.co.uk/cgi-bin/squidGuard.cgi,status:302,log,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'1',tag:'PROTOCOL_VIOLATION/IP_HOST'"
SecRule REMOTE_ADDR "@rx ^192\.168\.10\."

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Arthur Dent
> Sent: Tuesday, May 27, 2008 3:08 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] Newbie Question - ModSec + SquidGuard
>
> On Tue, May 27, 2008 at 02:40:29PM -0400, Ryan Barnett wrote:
> > Your rule is not being executed as the first rule that is running is the HTTP request line verification rule from the modsecurity_crs_20_protocol_violations.conf file. If your file is being specified before that one, then there "should" be an entry in the debug log for it. Can you show me the entries in your httpd.conf file?
>
> <IfModule mod_security2.c>
>     # This is the ModSecurity Core Rules Set.
>
>     # Basic configuration goes in here
>     Include modsecurity.d/modsecurity_crs_10_config.conf
>     #SecAuditLog logs/audit_log
>
>     # Protocol violation and anomalies.
>     Include modsecurity.d/modsecurity_crs_15_myrule.conf
>     Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
>     Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
>
>     # HTTP policy rules
>     Include modsecurity.d/modsecurity_crs_30_http_policy.conf
>
>     # Here comes the Bad Stuff...
>     Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
>     Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
>     Include modsecurity.d/modsecurity_crs_45_trojans.conf
>     Include modsecurity.d/modsecurity_crs_50_outbound.conf
>
>     # Search engines and other crawlers. Only useful if you want to track
>     # Google / Yahoo et. al.
>     # Include modsecurity.d/modsecurity_crs_55_marketing.conf
>
>     # Put your local rules in here.
>     Include modsecurity.d/modsecurity_localrules.conf
> </IfModule>
>
> Anything wrong?
>
> Thanks for helping...
>
> Mark
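Ryan's level-9 debug output is the evidence Mark needs to compare against: each rule invocation shows the operator, its parameter, the variable it ran against, the value it actually saw, and whether it matched, followed by the final disposition. The parser below is an added example, not code from the thread or from ModSecurity; it reads ModSecurity 2.x debug log lines of the shape shown above and reconstructs that sequence, so a level-9 log can be reduced to "which rule fired, on what value, and what it did". The two sample logs are taken from the lines posted in this thread (Ryan's redirect trace and Mark's original 400 entry) and are embedded here as fixed strings.

```python
import re

# Added example, not from the thread: parse ModSecurity 2.x debug log lines
# and summarise operator executions plus the final disposition.

# "[timestamp] [host/sid#...][rid#...][uri][level] message"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>[^\]]+)\]'
    r'\[rid#(?P<rid>[^\]]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$')
OPERATOR_RE = re.compile(r'^Executing operator (\w+) with param "(.*)" against (\S+)\.$')
TARGET_RE = re.compile(r'^Target value: (.*)$')
RETURNED_RE = re.compile(r'^Rule returned (\d+)\.$')
DENIED_RE = re.compile(
    r'^Access denied with (?:code (?P<code>\d+)|redirection to (?P<url>\S+) '
    r'using status (?P<status>\d+)) \(phase (?P<phase>\d)\)\.')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [id "1"] [msg "..."] [severity "..."]


def parse_line(line):
    """Split one debug log line into its bracketed fields and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Walk the log and collect operator executions plus the final disposition."""
    operators = []
    disposition = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # wrapped continuation lines or noise
        msg = rec["msg"]
        if m := OPERATOR_RE.match(msg):
            operators.append({"op": m.group(1), "param": m.group(2),
                              "target": m.group(3), "value": None, "returned": None})
        elif (m := TARGET_RE.match(msg)) and operators:
            operators[-1]["value"] = m.group(1)      # value the operator saw
        elif (m := RETURNED_RE.match(msg)) and operators:
            operators[-1]["returned"] = int(m.group(1))  # 1 = matched
        elif m := DENIED_RE.match(msg):
            tags = dict(TAG_RE.findall(msg))
            disposition = {
                "kind": "redirect" if m.group("url") else "deny",
                "status": int(m.group("status") or m.group("code")),
                "url": m.group("url"),
                "phase": int(m.group("phase")),
                "rule_id": tags.get("id"),
                "msg": tags.get("msg"),
            }
    return {"operators": operators, "disposition": disposition}


# Sample 1: the relevant lines from Ryan's level-9 trace of the working chain.
REDIRECT_LOG = r"""
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Recipe: Invoking rule 8158b78.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Executing operator rx with param "^[\\d\\.]+$" against REQUEST_HEADERS:Host.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Target value: 192.168.10.109
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Operator completed in 139 usec.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Rule returned 1.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Match -> mode NEXT_RULE.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Recipe: Invoking rule 8158dd8.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Executing operator rx with param "^192\\.168\\.10\\." against REMOTE_ADDR.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Target value: 192.168.10.17
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][4] Rule returned 1.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][9] Match, intercepted -> returning.
[16/Feb/2008:07:03:35 --0500] [192.168.10.109/sid#80a5f48][rid#8208350][/][1] Access denied with redirection to http://mydomain.co.uk/cgi-bin/squidGuard.cgi using status 302 (phase 2). Pattern match "^192\\.168\\.10\\." at REMOTE_ADDR . [id "1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
"""

# Sample 2: Mark's original level-3 entry, where CRS 960017 denied with 400.
DENY_LOG = r"""[03/May/2008:14:09:11 +0100] [www.mydomain.co.uk/sid#b92b64a8][rid#b97a0f80][/cgi-bin/squidGuard.cgi][1] Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"]"""

if __name__ == "__main__":
    for name, log in (("redirect trace", REDIRECT_LOG), ("deny entry", DENY_LOG)):
        s = summarize(log)
        for o in s["operators"]:
            print(name, "operator", o["op"], o["param"], "vs", o["target"], "=", o["value"], "->", o["returned"])
        print(name, "disposition", s["disposition"])
```

At level 3 only the final "Access denied" line is written, so a log with no operator entries for rule id 1 (as in the second sample) is consistent with the custom chain never having been evaluated, which is what Ryan inferred from Mark's pastebin.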
From: Arthur D. <mis...@bl...> - 2008-05-27 21:38:20
On Tue, May 27, 2008 at 04:09:30PM -0400, Ryan Barnett wrote:
> Not sure why this isn't working for you. I just installed Mod 2.1.7 with the CRS and added the rule I gave you (with my own internal LAN IP range) to a custom rules file and everything works fine -

Oh... So what can I try now?

I think that httpd.conf is reading the rule file OK because, as I said earlier I tried putting a deliberate mistake in the file and it produced an error when restarting httpd.

So why is it not triggering the rule when squidGuard redirects?

Thanks again...

Mark