gmane.comp.apache.mod-security.user

building mlogc

Clayton Dillard — 2008-08-07T20:08:30

Anyone have any tips on building mlogc? I downloaded the source from Breach but get lots of errors using make. Seems like the code is fubar'd or something. Thanks, Clay ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

< at >validateUrlEncoding

2008-08-07T11:23:40

------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________ mod-security-users mailing list mod-security-users< at >lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users

Pass & No Log

Clayton Dillard — 2008-08-06T15:57:53

Fw: ModSecurity 2.5.6 Released

Grant Peel — 2008-08-05T21:24:46

Brian, Yes, the problem does completely dissappear when mod_security is removed. I first tried detect only, and the issue persisted. Then, I remarked out the LoadModule and Include config line from httpd.conf and the issue diappeared. In the end, I removed the 2.5.6 version and reinstalled the 2.1.something, and it worked fine again. -Grant ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Segfault in Apache 2.2.9 with mod_securityresponse filtering enabled

Chris Wakelin — 2008-08-05T21:09:07

I've got a weird problem with Apache 2.2.9 and a particular page we reverse proxy, but only if a) response filtering is enabled in mod_security and b) it's Apache 2.2.9 (Apache 2.2.8 is fine). I've tried with mod_security 2.1.4, 2.1.5, 2.5.5 and 2.5.6, and core rules 1.6.1 and 1.5. It causes a segmentation fault. The page is text/html, isn't very large, and I've got SecResponseBodyMimeType (null) text/html text/plain text/xml SecResponseBodyLimit 5242880 in modsecurity_crs_10_config.conf. The reverse proxying is using mod_rewrite in a .htaccess file and if I copy the HTML output from a Apache 2.2.8 version of the page and serve it directly from 2.2.9, it's fine. Other reverse-proxied pages in 2.2.9 are fine too. It's Solaris 10 64-bit, prefork, and here's a backtrace from the core file Any ideas what could be the cause? I notice from the changelog that Apache 2.2.9 includes many fixes for mod_proxy and mod_proxy_http, so my guess is one of them is to blame! Best Wishes, Chris

False Positives - SQL Injection & SugarCRM

Clayton Dillard — 2008-08-05T19:25:50

I've read a bit on false positive handling but I need some help determining how the rule should be modified in our case. I have pasted some details regarding the events below. Any help would be much appreciated. It looks like the Cookies and the User-Agent are the cause but I'm not sure what to change. thank you, CTD ##################################### ##ModeSecurity audit log ##################################### --174f0117-A-- [05/Aug/2008:14:48:27 --0400] 5sFcTwoKARcAAEN9CA4AAAAP 66.255.149.114 2967 1.2.3.23 80 --174f0117-B-- GET /itr/cache/jsLanguage/Calendar/en_us.js?s=5.0.0e&c=&j=2 HTTP/1.1 Accept: */* Referer: https://myhost.mydomain.com/itr/index.php?module=Calendar&action=index Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 03 Jun 2008 16:11:13 GMT; length=1099 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: myhost.mydomain.com Connection: Keep-Alive Cookie: ck_login_id_20=380900f5-0fac-3862-f245-4

XML < at >validateSchema

Nicola Bianchi — 2008-08-05T11:45:06

ModSecurity 2.5.6 and Mlogc

Brian Rectanus — 2008-08-04T19:12:10

The ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log data to a console or Breach Security appliance. The final packaged release of ModSecurity 2.5.6 did not contain the mlogc source as it should have. This means that a "make mlogc" will fail. However, the mlogc source is also packaged separately and can be downloaded from Breach Labs (https://bsn.breach.com/downloads/mlogc/). Please use the source from Breach Labs to build mlogc until the next release of ModSecurity. -B

Optional Parameters

Vidal Graupera — 2008-08-04T16:42:47

Hi, Is there anyway to specify that a parameter is OPTIONAL? I can't seem to find any reference to this in the documentation, or if it is even a feature. I am using mod_security 1.9.4. Thanks, Vidal. ================= Vidal Graupera vidalg< at >a2z.com 650-331-2714 130 Lytton Ave., Suite 300 Palo Alto, CA 94301 UnSpun by Amazon: Community Opinions ... Ranked! http://unspun.amazon.com ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

no response body in logs when response statusis 500

Wouter Callewaert — 2008-08-04T14:00:38

Dear all, I'm currently running Apache/2.0 & modsecurity 2.5.6 in a proxy config. I cannot log the response bodies for pages with response status 500. There's a IIS server running behind the proxy and I should be able to catch the error messages in the audit log file. The (interesting) part of my config: SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess On SecAuditEngine On SecAuditLogParts ABCDEFGHIKZ # Store up to 128 KB in memory SecRequestBodyInMemoryLimit 131072 # Buffer response bodies of up to # 512 KB in length SecResponseBodyLimit 524288 SecRule RESPONSE_STATUS 500 "log,auditlog,phase:3,msg:'Test'" Any idea what I'm doing wrong? I tried already phase 5 as well, but I don't get the 'E part' in the audit log.. Thanks in advance. Kind regards, Wouter Callewaert ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win

communication console <--> webserver

Schöke, Karsten — 2008-08-04T13:37:26

Hi, I install the current console on my Windows Admi PC. The installation was correct and i can connect over the webacces localhost:8888 My problem ist the communication with the webserver, whitch mod_securuty version 2.1.5 installed. Is a howto for Debian Etch available? I can't connect to the webserver... must i install a "agent" on the webserver? Why to come the log-data from webserver to my console? thx Karsten ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

bcc and cc

Grant Peel — 2008-08-01T20:36:27

Hi all, How does one turn on bcc and cc blocking in mod_security to block any requests that may come from form-to-email php and perl scripts? -Grant ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

ModSecurity 2.5.6 Released

Brian Rectanus — 2008-08-01T16:49:02

ModSecurity 2.5.6 was released earlier today. This is a major bugfix release that fixes issues associated with transformation caching which may result in an Apache crash or possibly evading ModSecurity under certain circumstances. If you are using ModSecurity 2.5 you are advised to immediately apply a workaround and upgrade as soon as possible. Packages can be downloaded from modsecurity.org as always. To work around these issues until you can upgrade, use the following directive to disable transformation caching: SecCacheTransformations Off 31 Jul 2008 - 2.5.6 ------------------- * Transformation caching has been deprecated, and is now off by default. We now advise against using transformation caching in production. * Fixed two separate transformation caching issues that could cause incorrect content inspection in some circumstances. * Fixed an issue with the transformation cache using too much RAM, potentially crashing Apache with a large number of cache entries. Two new configura

Transformation Caching Unstable, Fixed,But Deprecated (ModSecurity 2.5.6 available)

Ivan Ristic — 2008-08-01T09:10:46

FYI: Transformation Caching Unstable, Fixed, But Deprecated http://blog.modsecurity.org/2008/08/transformation.html

Simple Rule Question

2008-07-31T19:30:35

Hello, I have a seemingly simple question but I can't make it work. Virtual server www.example.com has several images in a folder called /images. The images are used in auctions and so the Referer should always contain ebay or [otherauctionsite.tld] and if it doesn't, then the request should be denied with a 40x-level code. With mod_sec version 1.x I was able to do this but I've since upgraded to 2.5 and I can't get the rules to work right. SecRule SERVER_NAME "< at >rx example.com" "chain" SecRule REQUEST_URI "images" "chain" SecRule REQUEST_HEADERS:Referer "!< at >contains ebay" # Now do something to deny it The problem is that I can still view the images, even if not referred from ebay. What am I missing? ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world ht

mlogc in 2.5.5 deb-package for debian etch?

Anton Hofmann — 2008-07-31T12:49:11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, does anyone know if the mlogc package is included in the libapache2-mod-security2 deb-file for etch or should i compile it from the src-package of mod-security? The install-document i found unter [1] is a little bit old, so i have some problems in finding and installing the right auditor for 2.5.5 [1]http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html thx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFIkbTGXMoRx2jlGfkRAg/pAKCo13bnh9/lS821AypWRCDJ+cVbaQCeO+q8 2Gi3yfTKSW4b483OdUnwzNY= =BsQd -----END PGP SIGNATURE----- ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

ModSecurity Console Browser Error on debianetch

Anton Hofmann — 2008-07-31T08:31:05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, i have untared the tar.gz file of mod_security and and started it whit ./modsecurity_console start before that i installed sun-java5-bin (1.5.0-14-1) and sun-java5-jre (1.5.0-14-1) but the only thing i get when i tried to open the console from a remote system with firefox is a download-window for a application/octet-stream. anyone an idea? thanx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFIkXhJXMoRx2jlGfkRAvzAAJ91wHOInbYVmbloCM1QNmUHZvAhqgCgnFLF nbMrHgypGLfDojlBbNWJHWI= =P+ZV -----END PGP SIGNATURE----- ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/

Using Mod_Security to add IPs to hosts.deny

R.A. Imhoff — 2008-07-31T06:57:56

In looking at the error logs of our Debian LAMP server, a lot of the intrusion attempts seem to start with a rapid scan of common locations for a phpMyAdmin login. Thankfully, Mod_Security easily blocks this (for my own amusement I put a redirect to www.phpmyadmin.net on those attempts, but since they come from some automated tool, the redirects are undoubtedly not executed...) But since such an attacker undoubtedly moves on to other strategy, I would like to immediately block their access altogether by adding their IP to hosts.deny in a similar manner as denyhosts.pl does for ssh intrusion attemps, for example. That way all other ports such as ftp etc would also be covered against this attacker. I suppose one would have to use the EXEC command and call a script to achieve this (and the script would have to retrieve the IP from the environment variables, since EXEC doesn't allow any arguments). I would be most grateful for any advice on whether this is even a good idea, and what s

Lua

Paul Greenwood — 2008-07-30T21:48:14

Problem with Joomla Site Triggering Alarms

Johnny Stork — 2008-07-30T21:14:54

Joomla site triggering alarms

Johnny Stork — 2008-07-30T01:46:52