<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.apache.mod-security.user">
    <title>gmane.comp.apache.mod-security.user</title>
    <link>http://blog.gmane.org/gmane.comp.apache.mod-security.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9398"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9395"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9394"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9393"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9391"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9389"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9386"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9385"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9383"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9381"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9375"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9372"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9370"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9366"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9361"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9357"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9355"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9354"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9352"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9350"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9398">
    <title>Compiling modsecurity 2.6.5 for apache 2.0.x</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9398</link>
    <description>&lt;pre&gt;Hi, I am trying to compile ModSecurity 2.6.5 for Apache 2.0.x on a Redhat Enterprise v6.2, x86_64. In the configure step, I specified --with-pcre=/usr which is Redhat's built-in pcre v7.8. When I compiled Apache 2.0.x, I specified the same for pcre. The configure step saw RHEL's pcre and passed. In the make process, I got a message:

....
/bin/sh ../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE    -I/opt/apache2.0.54/include  -I/opt/apache2.0.54/include   -I/opt/apache2.0.54/include -I/usr/include/libxml2  -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500        -g -O2 -MT mod_security2_la-msc_pcre.lo -MD -MP -MF .deps/mod_security2_la-msc_pcre.Tpo -c -o mod_security2_la-msc_pcre.lo `test -f 'msc_pcre.c' || echo './'`msc_pcre.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -I/opt/apache2.0.54/include -I/opt/apache2.0.54/include -I/opt/apache2.0.54/include -I/usr/include/libxml2 -DWITH_&lt;/pre&gt;</description>
    <dc:creator>Ruiyuan Jiang</dc:creator>
    <dc:date>2012-05-24T22:11:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9395">
    <title>Forum reply being blocked by mod_security</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9395</link>
    <description>&lt;pre&gt;I'm not getting very far with the software developers so I'm now appealing  
to the experts here to find a solution to my problem.

It appears mod_security is triggering on the word nmap within a forum post,  
preventing replies to the thread. Link is here:  
http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern  
match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)| 
t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd| 
ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)| 
d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at  
REQUEST_HEADERS:X-Ajax-Referer.  
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"]  
[id "959006"] [msg "System Command Injection"] [data "/nmap-"]  
[severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]

This is the first time I've run across this, but it seems to be a common  
occurrence with the Xen Foro &lt;/pre&gt;</description>
    <dc:creator>retired1af&lt; at &gt;gmail.com</dc:creator>
    <dc:date>2012-05-22T12:17:57</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9394">
    <title>AuditConsole 0.4.6 released!</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9394</link>
    <description>&lt;pre&gt;Dear ModSecurity users,

I am happy to announce the release of the next version of AuditConsole, the
free log-management tool for ModSecurity.

This version comes with a clean-up of the web-interface, lots of bug-fixes,
support for OpenID authentication and an internal pipe-lining model that will
allow further customization of audit-event processing in the future.

The AuditConsole is available in multiple editions (debian package, RPM package,
standalone, WAR archive) at

http://download.jwall.org/AuditConsole/0.4.6/


For details see my blog-post at

       https://secure.jwall.org/blog/2012/05/22/1337638334497.html


Best regards,

    Chris
&lt;/pre&gt;</description>
    <dc:creator>Christian Bockermann</dc:creator>
    <dc:date>2012-05-22T06:28:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9393">
    <title>error when creating rule for op "rx"</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9393</link>
    <description>&lt;pre&gt;Hi,

I am encountering some problem when trying to compile the latest version
mod_security-apache_2.6.5 onto my Ubuntu Server 12.04 LTS. When I run "make
CFLAGS=-DMSC_TEST test", I received the following error message:

ERROR: Failed to create rule for op "rx": Error creating rule: Error
compiling pattern (offset 2): unrecognized character after (? or (?-
make[2]: *** [check-TESTS] Error 1
make[1]: *** [check-am] Error 2

Below is a more detailed message contributing to the above error

Loaded 8 tests from ./op/rx.t
     1) op "rx": passed (Pattern match "" at UNIT_TEST.)
     2) op "rx": passed
     3) op "rx": passed (Pattern match "" at UNIT_TEST.)
     4) op "rx": passed (Pattern match "abc" at UNIT_TEST.)
     5) op "rx": passed (Pattern match "def" at UNIT_TEST.)
     6) op "rx": passed (Pattern match "ghi" at UNIT_TEST.)
     7) op "rx": passed
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "rx" "-p"
"(?^i:^([^=])\s*=\s*((?:abc)+(?:def|ghi){2})$)" "-D" "0" "-r" "1"
     8) op "rx": fai&lt;/pre&gt;</description>
    <dc:creator>daminto lee</dc:creator>
    <dc:date>2012-05-22T01:26:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9391">
    <title>Persistent collections and errors in Apache error_log</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9391</link>
    <description>&lt;pre&gt;Hello everyone.
I'm getting a lot of error entries related to access to DBM file used to store 
collections data.
DBM file is huge, around 1GB, I think it never shrinks.
Here a couple of examples:
ModSecurity: Failed deleting collection (name "ip", key
 "93.57.22.65_c40a1a4c63dc22a36a4dacec0e35e80139000959"): Internal error
 [hostname  "XYZ"] [uri "XYZ"] [unique_id "T7pTQApRQSoAAH3H7OIAAABF"]

ModSecurity: Failed to access DBM file 
"/usr/local/apache/rproxyworker/logs/data/ip": Resource deadlock avoided
 [hostname  "XYZ"] [uri "XYZ"] [unique_id "T7nbtgpRQSoAACUgnxIAAAEH"]

Current installation is:
RHEL6, 64bit
Apache: 2.2.22
ModSec: 2.6.5
CRS: 2.2.4 

Configuration:
SecCollectionTimeout 180

I'm using the standard collections created in 2.2.4
Thank you for your help.
Luca



&lt;/pre&gt;</description>
    <dc:creator>Luca</dc:creator>
    <dc:date>2012-05-21T15:12:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9389">
    <title>New to Modsecurity: I Need to allow directory traversal to a single virtual host</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9389</link>
    <description>&lt;pre&gt;Hello all, I'm new to modsecurity and forgive me if this is a noobish 
question.

But I have a virtual host that I have a lot of iso files on that I would 
like to have directory indexing allowed on just that host.

I have my .htaccess file as follows

Options +Indexes

But ever since I got mod_security running it's being ignored, is there a 
way to tell
modsecurity to respect .htaccess files?

Should I just forget about .htaccess altogether while running 
mod_security?

And how would I go about adding an exception to modsecurity to allow 
indexing on this virtual host?

&lt;/pre&gt;</description>
    <dc:creator>mrnicholsb</dc:creator>
    <dc:date>2012-05-19T20:58:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9386">
    <title>Capturing Internal Server Errors</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9386</link>
    <description>&lt;pre&gt;Hi,

I have the following directive in my crs_10 file:

SecAuditLogRelevantStatus "^(?:5|0(?!04))"

This logs 500 internal server errors when they happen.

I would like to set some attributes like tag, msg, severity etc for the  
above when viewing the alert in the AuditConsole.

I tried using the following rule but no luck:

SecRule RESPONSE_STATUS "@eq 500" \
"phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 500',msg:'Internal Server Error 500.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

Based on the docs i found the below which does not give me the desired  
result:

SecRule RESPONSE_STATUS "^[5]" \
"phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

but then there was a note in the docs saying:

"This directive may not work as expected in embedded-mode as Apache  
handles many of t&lt;/pre&gt;</description>
    <dc:creator>Usman</dc:creator>
    <dc:date>2012-05-17T11:33:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9385">
    <title>Own POST Rate Limit Rule not Working</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9385</link>
    <description>&lt;pre&gt;Hi all, 

we have tried to write a  ModSecurity rule to limit POST Requests. But the limit does not work as expected.


Here is the rule:

 SecRule REQUEST_METHOD "^POST$" "phase:1,nolog,initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=60"
 SecRule IP:PAGECOUNT "@gt 250" "phase:1,deny,status:403,msg:'Too many requests'"

The "pagecount" counter does not work correctly, as we have a few IPs with only 10 requests, and all requests are "GET", with a pagecount of 250. 
Where is our error?

We are using ModSecurity on Debian 6, in Version 2.5.12


Regards,
------------------------------------------------------------------------ 
 Thomas Berger 
 - Certified Linux/Cisco Networking Engineer - 
 BOREUS Rechenzentrum GmbH 
 Zur Schwedenschanze 2 
 D - 18435 Stralsund 
 Germany 
 Phone:+49 (0) 38 31 - 36 76 415 
 Fax: +49 (0) 38 31 - 36 76 615 
 eMail: tbe&amp;lt; at &amp;gt;boreus.de 
 Internet: http://www.boreus.de/ 
 -------------------------------------------------------------------------- 
 Geschäftsführer&lt;/pre&gt;</description>
    <dc:creator>Thomas Berger</dc:creator>
    <dc:date>2012-05-11T12:45:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9383">
    <title>2.6.5 Compile Question</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9383</link>
    <description>&lt;pre&gt;I'm compiling modsec 2.6.5 against Apache 2.4.2, and during a "make CFLAGS=-DMSC_TEST test" I get the following:

msc_test-modsecurity.o: In function `modsecurity_init':
modsecurity.c:(.text+0x240): undefined reference to `ap_unixd_set_global_mutex_perms'
modsecurity.c:(.text+0x291): undefined reference to `ap_unixd_set_global_mutex_perms'
collect2: ld returned 1 exit status
make[2]: *** [msc_test] Error 1
make[2]: Leaving directory `/opt/modsecurity-apache_2.6.5/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/opt/modsecurity-apache_2.6.5/tests'
make: *** [check-recursive] Error 1

I'm having trouble finding a work-around or solution for this. Can anyone point me in the right direction?

Thanks,

Dan

&lt;/pre&gt;</description>
    <dc:creator>Dan Denton</dc:creator>
    <dc:date>2012-05-10T22:07:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9381">
    <title>SecRule 981317</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9381</link>
    <description>&lt;pre&gt;In modsecurity_crs_41_sql_injection_attacks.conf, rule ID 981317 looks for
the following:

SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3"
"phase:2,t:none,block,id:'981317'…


Which if the *_COUNT is equal to or greater than 3 of the list of SQL key
words, issue a 403 error.

I have two variable fields that consist of pure text fields where the SQL
key words will most likely be hit, i.e.: the count will equal 3 or greater
very easily.  These fields are not SQL in nature.

How can I perform the equivalent  of an if-else-then where if variables
coverLetterTxt or resumeTXT is scanned, to not perform the 981317 process…
I do not care if the word count reaches 20000 for these two variables
where SQL injection is concerned, but for the many other fields, I do want
these tests to be performed and permission denied in the event of an SQL
attack.

For these two fields, I do have a white list on the ASCII characters from
X01-X7F, allow.  Do I need another allow statement with the inclusion of
the SQL key words su&lt;/pre&gt;</description>
    <dc:creator>Canell, Stephen E (2240</dc:creator>
    <dc:date>2012-05-10T16:40:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9375">
    <title>ModSecurity starting,but not logging even with debug</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9375</link>
    <description>&lt;pre&gt;I have installed ModSecurity 2.6.5 on Apache httpd 2.0.52 and I see it  
load in the error_log, but I get nothing from the ModSecurity logs.  I  
have set SecDebugLogLevel to 9.  I have turned debug logs on in apache  
as well, but am seeing nothing in the logs about ModSecurity failing.   
Apache is writing to its own logs as it should and the ModSecurity  
logs are set to be in the same directory as the Apache logs.  I have  
rules linked in to the activated_rules directory.  I copied the  
error_log from apache below.

I have ModSecurity running great with the same configuration on a  
newer httpd 2.2.3, but am unable to upgrade this older server at the  
moment.

Thanks in advance for your time and help,
Steve


... caught SIGTERM, shutting down
... suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
... ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/) configured.
... ModSecurity: APR compiled version="0.9.4"; loaded version="0.9.4"
... ModSecurity: PCRE compiled version="4.5"; loaded version&lt;/pre&gt;</description>
    <dc:creator>mjs&lt; at &gt;terabox.org</dc:creator>
    <dc:date>2012-05-09T18:54:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9372">
    <title>REQUEST_BODY has some XML</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9372</link>
    <description>&lt;pre&gt;Hi,

I am new to mod security and have an application that POSTS XML data in  
the REQUEST_BODY.

The REQUEST_HEADER Content-type is set to  
application/x-www-form-urlencoded and NOT to text/xml.

A sample of my XML POST data in the REQUEST_BODY looks like:

&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;&amp;lt;oau:versioncheck  
schema-version="1.0" update-level="3" main="1" xmlns:oau="urn:myupdate"&amp;gt;
&amp;lt;legend&amp;gt;&amp;lt;product&amp;gt;test777&amp;lt;/product&amp;gt;&amp;lt;version&amp;gt;1.0&amp;lt;/version&amp;gt;&amp;lt;build-number&amp;gt;1347&amp;lt;/build-number&amp;gt;&amp;lt;/legend&amp;gt;

What i am trying to do is sanitize the inputs within this XML i receive  
using mod security rules.

I could write a regular expression that checks the validity of the inputs  
in the REQUEST_BODY but then i saw this example where
one can use validateSchema and the XML processor. My problem is that the  
REQUEST_HEADER Content-type: is set to application/x-www-form-urlencoded
which does not allow me to fire the XML processor.

Is there an alternate way to go about running the XML processor on the  
REQUEST_BODY where the REQUE&lt;/pre&gt;</description>
    <dc:creator>Usman Waheed</dc:creator>
    <dc:date>2012-05-09T13:14:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9370">
    <title>SecFilter rules</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9370</link>
    <description>&lt;pre&gt;Have the SecFilter directives become obsolete?    The RHEL5 NSA
security guide mentions them but they don't seem to exist anymore.


Thanks,

&lt;/pre&gt;</description>
    <dc:creator>solarflow99</dc:creator>
    <dc:date>2012-05-06T19:01:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9366">
    <title>how to turn off rule checking for specific field</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9366</link>
    <description>&lt;pre&gt;All,

So we have a user that has put a % symbol in their password. This is
tripping up mod_security when the user tries to login. The relevant entry
is


Message: Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
at ARGS:j_password. [file
"D:/apps/Apache2.2/conf/modsecurity2/base_rules/modsecurity_crs_20_protocol_violations.conf"]
[line "185"] [id "950109"] [rev "2.1.1"] [msg "Multiple URL Encoding
Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]

So what I want to do is convince this rule to not check this parameter for
the specific url. I am guessing something along the lines of

    &amp;lt;LocationMatch "/loginUrl"&amp;gt;
        update 950109 such that it doesn't check j_password ARG
    &amp;lt;/LocationMatch&amp;gt;

Unfortunately my google skills only work when I know what key term to look
for. Any hints appreciated

Thanks

Chris
&lt;/pre&gt;</description>
    <dc:creator>chris derham</dc:creator>
    <dc:date>2012-05-04T11:21:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9361">
    <title>Modsecurity super slow when SecRequestBodyAccess On</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9361</link>
    <description>&lt;pre&gt;I have installed, modsecurity-crs_2.2.4.tar.gz, and an ASP sign HTML form
is being processed super slow whenever  SecRequestBodyAccess is On. If I
set it to Off, the form processes very quickly.

I turned on debugging, and I see the usec are super high for the steps
below. How can this be fixed so that I can have much faster processing of
the form fill when  SecRequestBodyAccess is On?


[02/May/2012:19:16:59 --0700] [
www.constantmd.com/sid#7fc8efd152d8][rid#7fc8f01f3878][/][5] Rule
7fc8efd11730: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge
%{tx.outbound_anomaly_score_level}"
"phase:5,id:981205,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score
Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
[02/May/2012:19:16:59 --0700] [
www.constantmd.com/sid#7fc8efd152d8][rid#7fc8f01f3878][/][4] Rule returned
0.
[02/May/2012:19:16:59 --0700] [
www.constantmd.com/sid#7fc8efd152d8][rid#7fc8f01f3878][/][4] Audit log:
Ignoring a non-relevant request.
[02/May/2012:19:17:01 --0700] [
www.constantmd.com/sid#7fc8efd2&lt;/pre&gt;</description>
    <dc:creator>Gil Vidals</dc:creator>
    <dc:date>2012-05-03T02:25:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9357">
    <title>mod_security not denying access</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9357</link>
    <description>&lt;pre&gt;Hi,
I've just installed mod_security on a Centos 5 system and I'm having
trouble to actually get it to deny certain requests. I've changed the line:

SecDefaultAction "phase:2,pass"

to

SecDefaultAction "phase:2,deny"

in "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf" and I get the
following in the audit log:

...
Message: Access denied with code 403 (phase 2). [file
"/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"]
[line "25"] [msg "Anomaly Score Exceeded (score 40): SQL Injection Attack"]
...

but the request is responded to normally with a "200 ok" and the webpage.
Is there anything in particular that needs to be done to actually have
apache deny the request?

Regards,
   Dennis

&lt;/pre&gt;</description>
    <dc:creator>Dennis Jacobfeuerborn</dc:creator>
    <dc:date>2012-04-30T18:32:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9355">
    <title>cpanel, mod_ruid2 and mod_sec</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9355</link>
    <description>&lt;pre&gt;Hi all,
I am having the following error in mod_sec log:

Audit log: Failed to lock global mutex: Permission denied

Do you know what is this error about?

Cpanel forum says that it is an incompatibility issue among mod_ruid2 and
mod_sec, have you any idea what is this error about?

Thanks in advance.

Best Regards,

Sergio
&lt;/pre&gt;</description>
    <dc:creator>Sergio</dc:creator>
    <dc:date>2012-04-20T00:10:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9354">
    <title>limit secrule</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9354</link>
    <description>&lt;pre&gt;I was able to solve  a false positive with these two methods, but they
seemed too broad to me:

Method 1:
SecRule REQUEST_URI "/newthread.php.*"
phase:2,nolog,auditlog,allow,ctl:requestBodyAccess=Off

Method 2:
&amp;lt;Directory /hsphere/local/home/kamxxxx/ddddddk.com&amp;gt;
    SecRuleEngine DetectionOnly
&amp;lt;/Directory&amp;gt;

However, I am not able to limit the scope of this rule. I tried this, but
it doesn't prevent the false positive.

#&amp;lt;Directory /hsphere/local/home/kamxxxx/ddddddk.com&amp;gt;
#   SecRule REQUEST_URI "/newthread.php.*"
phase:2,nolog,auditlog,allow,ctl:requestBodyAccess=Off
#&amp;lt;/Directory&amp;gt;

Is it possible to limit the scope more on a server that has many virtual
hosted accounts?



&lt;/pre&gt;</description>
    <dc:creator>Gil Vidals</dc:creator>
    <dc:date>2012-04-19T19:06:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9352">
    <title>Rules Hierarchy &amp; Other Questions</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9352</link>
    <description>&lt;pre&gt;Hello List,

I am a new user (as in new to webadmin, mod_security and Apache), I’ve just installed mod_security (v. 2.5.12) on my Amazon Web Services EC2 instance and I am in need of guidance. I am slowly learning this stuff, so I beg your patience…

Right now I have things set up as described/prescribed in the ModSecurity Handbook; I'm calling liblua and libxml2 in httpd.conf and loading the mod_security module there too. Then I’ve got the modsecurity.conf where the directory locations are laid out and some other options – all according to the Handbook.

When it comes to calling the rules (in their .conf files) what hierarchy is best? Does mod_security call everything (conf. files &amp;amp; rules themselves) in the order they are written/listed? If so, when is a good time to call a whitelist? First? Last?

I take it the SecRuleEngine call should be first in the modsecurity.conf file or does that go in the httpd.conf file?

Last but not least (for now) I’m going to be using the core rules (v.2.2.4). I see .&lt;/pre&gt;</description>
    <dc:creator>Matt</dc:creator>
    <dc:date>2012-04-06T17:20:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9350">
    <title>Updated mod_sec now lost all rules?</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9350</link>
    <description>&lt;pre&gt;Hi,

I updated from mod_sec 2.5.x to mod_security-2.6.4-1.el5.art on CentOS
5.x - yes I know is a bit out of date now but that's what the firm is
running :-)

Anyway, peeking into /etc/httpd/modsecurity.d/base_rules it became
evident that there were no rules within the folder.

Having a look at the changelog (ok this is for CentOS version 6), it
seems that rules are no longer being distributed with the package.

I had a go at scp'ing the old rules over from an old server to the
machine in question running the 2.6.4-1 update, when I came to
restarting Apache I got this error:

Starting httpd: Syntax error on line 47 of
/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf:
ModSecurity: SkipAfter actions can only be specified by chain starter rules.


.......and subsequently the httpd service would not start.


What I would like to understand is why the rules haven't been included
in new updates and additionally if it is possible to utilize the old
rules within the update?


Can anyone&lt;/pre&gt;</description>
    <dc:creator>Kaya Saman</dc:creator>
    <dc:date>2012-04-04T08:09:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-security.user/9349">
    <title>Content in Portuguese</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-security.user/9349</link>
    <description>&lt;pre&gt;Folks, is there anyone on the list who speaks Portuguese? Can you point me to
any content, videos, or texts in Portuguese?
&lt;/pre&gt;</description>
    <dc:creator>Junior Castelli</dc:creator>
    <dc:date>2012-04-03T14:57:45</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-security.user</link>
  </textinput>
</rdf:RDF>

