gmane.comp.apache.mod-security.user

Re: ModSecurity calling order and SiteMinder

Ryan Barnett — 2008-09-05T20:54:30

Kogelheide capabilities, that [Ryan Barnett] Without any details of the SiteMinder Apache module code (do you have the source?) this is a blackbox trouble-shooting scenario. There may be some workarounds to try. 1) Easy test - what order have you specified the SiteMinder and ModSecurity LoadModule directives? You can try to specify ModSecurity first and then SiteMinder. This way, if they are both using the same hooks, Mod would run first. 2) If you try this and it is still a problem, you might be able to edit the mod_security2.c file to have the SiteMinder module called up after ModSecurity. Something like this (I don't know what the SiteMinder module name is though) - /** * Registers module hooks with Apache. */ static void register_hooks(apr_pool_t *mp) { --CUT-- static const char *postread_afterme_list[] = { "mod_log_forensic.c", "mod_siteminder.c", NULL }; If SiteMinder is actually running as a Filter, then this won't work. If none of this works, please op

ModSecurity calling order and SiteMinder

Ryan Kogelheide — 2008-09-05T20:42:05

I've installed ModSecurity 2.5.6 on Apache protected by CA's SiteMinder. In testing ModSecurity with the Core rules, I've seen that SiteMinder is called first. It has some application firewall capabilities, so intercepts some of the bad URLs that I'm sending. Is there a fashion to get ModSecurity to proc before SiteMinder? Note that we have no control over the code of SiteMinder. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Re: log

Jair Santos — 2008-09-05T20:02:50

I am sorry. I was looking at the wrong audit_log file. Jair Santos audit(1220642761.595:62827): user pid=5113 uid=0 auid=0 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Re: log

Brian Rectanus — 2008-09-05T19:53:38

These logs are not from ModSecurity, but are generated by PAM runing via cron (/usr/sbin/crond). What makes you think they are ModSecurity releated? -B

Re: log

Ryan Barnett — 2008-09-05T19:43:07

------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________ mod-security-users mailing list mod-security-users< at >lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users

log

Jair Santos — 2008-09-05T19:35:33

Re: Invalid command 'SecComponentSignature'????

Ryan Barnett — 2008-09-05T17:23:59

???? how [Ryan Barnett] What version of Mod are you using? This is a 2.5.x directive - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsec urity2-apache-reference.html#N10410. We specify it within the Core Rules to help with trouble-shooting as it will be included in the audit log data. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Invalid command 'SecComponentSignature' ????

Eric Haddix — 2008-09-05T17:19:37

I've come a LONG way to get to this point but there is only 1 post online that mentions this and the solution is not mentioned. Syntax error on line 117 of /etc/httpd/modsecurity/modsecurity_crs_10_config.conf: Invalid command 'SecComponentSignature', perhaps misspelled or defined by a module not included in the server configuration Can someone shed some light on this for me? I don't even have a clue how to test what is going wrong so I don't have a good way to know how to fix it yet. Thanks Eric ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Re: BaiduSpider issues - protocol anomolies

Brian Rectanus — 2008-09-05T15:21:13

Thanks, will fix for the next release. -B

Re: Special Characters not supported bymodsecurity

Ryan Barnett — 2008-09-05T13:15:44

Special Characters not supported by modsecurity

Angel Ferreres — 2008-09-05T12:02:14

Re: BaiduSpider issues - protocol anomolies

Bedirhan Urgun — 2008-09-05T05:14:29

Re: BaiduSpider issues - protocol anomolies

Ryan Barnett — 2008-09-04T21:12:43

Whale [Ryan Barnett] The reason that this was blocked was that it was missing an Accept Request Header. This rule is enforcing RFC compliance where all normal web browsers always include a Host, User-Agent and Accept header. Many custom bots, spiders, crawlers do not conform to these RFC details. It is up to you as to how strict you want to be with these rules. You can easily use SecRuleUpdateActionById (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modse curity2-apache-reference.html#N10A10) to change the action to pass - SecRuleUpdateActionById 960015 "pass" ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Re: BaiduSpider issues - protocol anomolies

Brian Rectanus — 2008-09-04T21:05:52

This is a bot (from *Japan* I believe, heh) that does not seem to play well as it ignores robots.txt. So it made the list. -B

BaiduSpider issues - protocol anomolies

Albert E. Whale — 2008-09-04T20:52:29

I never expected this one. I am getting ID 960015 on the Baiduspider+(+http://www.baidu.com/search/spider_jp.html) scanning the domain of one of my hosted sites. I nothing against the Chinese, but I am wondering if this is being Too restrictive? Certainly there is no possibility that the Chinese are coming to Pittsburgh to work out at a Curves site. What is the consciences on this id? I'm attaching the Raw Tx log. Thanks for all you guys do!

Re: Conversion from mod_security 1.9.5 to2.5.6question

Steve — 2008-09-04T17:56:11

-------- Original-Nachricht -------- Sorry. Was a quick shot. Here another one: --- SecRule ARGS:login "^admin$" "phase:1,chain,t:compressWhiteSpace,t:lowercase,deny,log,auditlog,status:403,msg:'admin login denied'" SecRule REMOTE_ADDR "!^(64\.131\.90\.27|194\.44\.204\.[15]|194\.44\.(160\.178|134\.187))$" ---

Re: Conversion from mod_security 1.9.5to2.5.6question

Ryan Barnett — 2008-09-04T17:54:07

2.5.6: "!^(|64.131.90.27|194.44.204.1|194.44.204.5|194.44.160.178|194.44.134.18 7) [Ryan Barnett] Nope. SecFilterSelective -> SecRule is one translation that needs to be made when updating rules. The other aspect to update is the variable format has changed - ARG_login -> ARGS:login. Additionally, your example rule is missing chain. Please refer to the migration matrix - http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pd f ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Re: Conversion from mod_security 1.9.5 to2.5.6question

Steve — 2008-09-04T17:50:37

-------- Original-Nachricht -------- Would that work? ---- SecRule ARG_login "^admin$" "phase:1,t:none,deny,log,auditlog,status:403,msg:'admin login denied'" SecRule REMOTE_ADDR "!^(64\.131\.90\.27|194\.44\.204\.[15]|194\.44\.(160\.178|134.187))$" ----

Re: Conversion from mod_security 1.9.5 to2.5.6question

Ryan Barnett — 2008-09-04T17:26:53

2.5.6: "!^(|64.131.90.27|194.44.204.1|194.44.204.5|194.44.160.178|194.44.134.18 7) [Ryan Barnett] http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pd f ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Conversion from mod_security 1.9.5 to 2.5.6question

Peter M. Abraham — 2008-09-04T17:23:52

Greetings: The following rule sets work with mod_security 1.9.5 but not with 2.5.6: ## Only certain IP's can login as admin SecFilterSelective ARG_login ^admin chain SecFilterSelective REMOTE_ADDR "!^(|64.131.90.27|194.44.204.1|194.44.204.5|194.44.160.178|194.44.134.187)$" What changes would I have to make to have the same rule impact in mod_security 2.5.6? Thank you. ________________________________________________ Peter M. Abraham ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

[console empty] problem with mlogc

Samuel Salson — 2008-09-04T08:42:04

Hello All, I have a problem with the installation of mlogc Active Alerts remains to Zero :( informations of my installation: /opt/httpd/bin/apachectl -t -D DUMP_MODULES [...] security2_module (shared) Syntax OK this commande have a probleme because : ps -ef | grep mlogc root 7965 26175 0 Sep03 ? 00:00:00 /opt/mlogc/mlogc /etc/mlogc.conf root 22090 1 0 09:50 pts/0 00:00:00 /opt/mlogc/mlogc /etc/mlogc.conf root 22146 1 0 09:51 pts/0 00:00:00 /opt/mlogc/mlogc /etc/mlogc.conf root 22152 1 0 09:51 pts/0 00:00:00 /opt/mlogc/mlogc /etc/mlogc.conf whenever I reload apache2 a mlogc more load my /etc/mlogc.conf CollectorRoot "/var/log/mlogc" ConsoleURI "https://localhost:8888/rpc/auditLogReceiver" SensorUsername "user" SensorPassword "password" LogStorageDir "data" TransactionLog "mlogc-transaction.log" QueuePath "mlogc-queue.log" ErrorLog "mlogc-error.log" LockFile "mlogc.lck" KeepEntrie