Thread: [mod-security-users] SecFilterSelective OUTPUT problem
From: Eric <e3...@gm...> - 2006-03-30 16:20:50

Hi,

I am currently using apache as a proxy for serving content from a backend application server. I am using modsecurity to send requests for non-existent pages to a custom 404 page. The command that I am using is SecFilterSelective OUTPUT "..." "log,status:404" with the 404 as a custom page I define with ErrorDocument 404 /404/error/page. And it seems to be catching the rule fine.

The problem that I am having is what Error Page is returned. When the content is coming from apache the Custom error page is returned, but when the content is coming from the app server the default 404 message is displayed. In both cases the SecFilter rule is catching the "..." correctly, but it's just not displaying the custom 404 page.

Any ideas why the custom page is not being displayed?

Thanks.

-Eric
|
From: Ivan R. <iv...@we...> - 2006-03-30 16:34:10

Eric wrote:
>
> The problem that I am having is what Error Page is returned. When the content
> is coming from apache the Custom error page is returned, but when the content
> is coming from the app server the default 404 message is displayed. In both
> cases the SecFilter rule is catching the "..." correctly, but it's just not
> displaying the custom 404 page.
>
> Any ideas why the custom page is not being displayed?

I think it's an Apache issue, i.e. the ErrorDocument feature is not working correctly. I have noticed it myself, although I am not really sure if it's the same with all versions.

Apache has this feature called content filters. When a problem is discovered in output it is the (ModSecurity) filter that is reporting the problem. It seems that Apache does not handle that case correctly.

It is something I will look into shortly. In the first instance (e.g. 2.0) I was thinking of enabling ModSecurity to create error pages directly. This would also allow one to use the same error code with different pages, which I think is needed in real life.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
From: Ryan B. <rcb...@gm...> - 2006-03-30 16:48:54

Are you using virtual hosts? If you have defined virtual hosts, then you need to specify both the proxy rules and ErrorDocument directives within the same virtual host container.

I have implemented a similar mod_security mechanism to catch failed authentications for internal Oracle web apps. I have mod_security inspect the OUTPUT html returned by the proxied app server and look for the Oracle Error message. If it sees this, it will trigger a 401 status code and then use the CGI script that I specified in the ErrorDocument.

    <LocationMatch "/application1/login.do">
    SecFilterSelective OUTPUT "ORA-01017\: invalid username\/password\; logon denied" status:401
    </LocationMatch>

This works fine for me, however I had to specify all of this within the SSL/443 virtual host container.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
|
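The layout Ryan describes, with the proxy rules, the ErrorDocument and the output rule all inside one virtual host container, written out as an added example (it is not configuration posted by anyone in this thread). It assumes ModSecurity 1.x on Apache 2.x; the server name, certificate paths, backend address and CGI script name are placeholders.

```apache
# Added illustration; all host names, addresses and paths are placeholders.
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/portal.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/portal.example.com.key

    # Proxy rules for the backend application server.
    ProxyRequests Off
    ProxyPass        /application1/ http://10.0.0.10:8080/application1/
    ProxyPassReverse /application1/ http://10.0.0.10:8080/application1/

    # Error handler for the status the rule raises, declared in the same
    # container as the proxy rules. /cgi-bin/ is served locally, not proxied.
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    ErrorDocument 401 /cgi-bin/login-failed.cgi

    # Turn on the engine and response-body scanning; OUTPUT rules are only
    # evaluated when output scanning is enabled.
    SecFilterEngine On
    SecFilterScanOutput On
    SecFilterOutputMimeTypes "(null) text/html text/plain"

    # Rewrite the backend's failed-login page into a 401 so the
    # ErrorDocument above is used instead of the raw Oracle error.
    <LocationMatch "/application1/login.do">
        SecFilterSelective OUTPUT "ORA-01017\: invalid username\/password\; logon denied" "deny,log,status:401"
    </LocationMatch>
</VirtualHost>
```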
From: E R <e3...@gm...> - 2006-03-30 20:33:11

No, I'm not using virtual hosts. It appears that the mod_security side is catching the output, throwing the 404 error, but not using the custom server-level ErrorDocument directive. This only happens when requesting non-existing content served from the app server. Requesting non-existent html pages works properly.

Ivan:
Is there a combination of Apache/ModSecurity that you know will work for this problem?

-Eric
|
From: Ivan R. <iv...@we...> - 2006-03-31 16:03:54

E R wrote:
>
> Ivan:
> Is there a combination of Apache/ModSecurity that you know will work for
> this problem?

I don't know, sorry.