Christopher Jay Manders | 15 Aug 00:30 2014

Re: Mlogc and Waf-fle logs

Hi,

You can have more than one...

SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
SecAuditLog2 /var/log/modsec/modsec_audit.log

Does that help?

Best,
-cjm

From: Wagner Queiroz <wmqueiroz <at> gmail.com>
Subject: [mod-security-users] Mlogc and Waf-fle logs
Date: 14 August, 2014 at 13:34:45 PDT

Hi,

I need to store default modsecurity format in my webserver.
When an event happens, the logs don't stay local, the mlogc sends the logs to server via mlogc that has WAF-FLE installed.
The directories in /var/log/modsec/... are empty. The modsecurity creates a directory with the date, but it is all empty.
The modsecurity.conf is set Concurrent in SecAuditLogType.
If I extract the logs from the WAF-FLE database, the format isn't the modsecurity default.

Thanks,
Wagner
------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
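
One likely reason the date directories stay empty, and how the two log targets from the reply fit together, as an added configuration sketch (not from the original messages or from the ModSecurity project). It assumes ModSecurity 2.x on Apache and that `SecAuditLogStorageDir` is `/var/log/modsec/`, which the thread implies but does not show; `KeepEntries` and `LogStorageDir` are options from mlogc's stock configuration file.

```apache
# ---- modsecurity.conf (Apache, ModSecurity 2.x) ----

# Concurrent logging: one file per transaction, in native audit format,
# written under dated sub-directories of the storage directory.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsec/        # assumed path, taken from the question

# Primary target: the index line for each transaction is piped to mlogc,
# which reads the matching entry file and uploads it to the WAF-FLE server.
SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"

# Secondary target: under Concurrent logging this is a second *index* file
# (one line per transaction pointing at the entry file), not a copy of the
# entry itself. The native-format data still lives in the storage directory.
SecAuditLog2 /var/log/modsec/modsec_audit.log


# ---- /etc/mlogc.conf ----

# Must point at the same directory ModSecurity writes entries into.
LogStorageDir "/var/log/modsec"

# Before: entries are deleted once they have been sent, which leaves the
# dated directories in place but empty.
# KeepEntries 0

# After: keep each entry on the web server after a successful upload, so the
# paths recorded in the SecAuditLog2 index keep resolving to real files.
KeepEntries 1
```

With entries kept on disk the storage directory grows with every logged transaction, so it needs its own retention or rotation job.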


Wagner Queiroz | 14 Aug 22:34 2014

Mlogc and Waf-fle logs

Hi,

I need to store default modsecurity format in my webserver.
When an event happens, the logs don't stay local, the mlogc sends the logs to server via mlogc that has WAF-FLE installed.
The directories in /var/log/modsec/... are empty. The modsecurity creates a directory with the date, but it is all empty.
The modsecurity.conf is set Concurrent in SecAuditLogType.
If I extract the logs from the WAF-FLE database, the format isn't the modsecurity default.

Thanks,
Wagner
Paul Beckett | 12 Aug 08:01 2014

Segmentation Fault : modsecurity combined with proxy-balancer

My apache server has started segmentation faulting all the time (seems to log a segmentation fault every few requests to the apache error log):

[Fri Jul 25 06:25:42.046752 2014] [core:notice] [pid 11226:tid 140006078953216] AH00052: child pid 11715 exit signal Segmentation fault (11)

This initially appeared to be due to the number of proxy balancers I have configured (problem isn't related to any one specific proxy balancer, adding / removing any of the proxy balancers causes the problem to appear/disappear). I'm using Apache HTTPD as a reverse proxy for a lot of backend web application servers (~150 proxy-balancers, configured in apache httpd to load-balance web app servers). Following the information at http://httpd.apache.org/dev/debugging.html#backtrace I've obtained the following backtrace of one of the core dumps using gdb, which seems to point to something happening in modsecurity logging at the point of the segmentation fault?

(gdb) where
#0  apr_global_mutex_lock (mutex=0x0) at locks/unix/global_mutex.c:97
#1  0x00007ffe08a90e83 in sec_audit_logger (msr=0x7ffdac006328) at msc_logging.c:579
#2  0x00007ffe08a966f7 in modsecurity_process_phase_logging (msr=0x7ffdac006328, phase=<value optimized out>) at modsecurity.c:689
#3  modsecurity_process_phase (msr=0x7ffdac006328, phase=<value optimized out>) at modsecurity.c:795
#4  0x00007ffe08a6b68b in hook_log_transaction (r=0x7ffdac004980) at mod_security2.c:1202
#5  0x00000000004343f0 in ap_run_log_transaction (r=0x7ffdac004980) at protocol.c:1788
#6  0x000000000044571f in eor_bucket_cleanup (data=<value optimized out>) at eor_bucket.c:35
#7  0x00007ffe10040c6e in run_cleanups (pool=0x7ffdac004908) at memory/unix/apr_pools.c:2352
#8  apr_pool_destroy (pool=0x7ffdac004908) at memory/unix/apr_pools.c:804
#9  0x00007ffe0cb3b9b9 in ssl_io_filter_output (f=0x7ffdb4001240, bb=0x7ffd5c003d98) at ssl_engine_io.c:1659
#10 0x00007ffe0cb3c0f5 in ssl_io_filter_coalesce (f=0x7ffdb4001218, bb=0x7ffd5c003d98) at ssl_engine_io.c:1558
#11 0x000000000045fa5d in ap_process_request_after_handler (r=0x7ffdac004980) at http_request.c:256
#12 0x000000000045d040 in ap_process_http_async_connection (c=0x7ffdb4000cc0) at http_core.c:143
#13 ap_process_http_connection (c=0x7ffdb4000cc0) at http_core.c:228
#14 0x0000000000454b30 in ap_run_process_connection (c=0x7ffdb4000cc0) at connection.c:41
#15 0x00007ffe0eda17e1 in process_socket (thd=0x2047658, dummy=<value optimized out>) at event.c:970
#16 worker_thread (thd=0x2047658, dummy=<value optimized out>) at event.c:1815
#17 0x00007ffe0f9cf851 in start_thread () from /lib64/libpthread.so.0
#18 0x00007ffe0f71d90d in clone () from /lib64/libc.so.6

I am running Apache HTTPD 2.4.9 with mod-security 2.7.5 both built from source on RHEL6.

I would be incredibly grateful for any help or advice on resolving this.

Thanks,
Paul


modSecurity + IIS : data encoding

Hi,

Can modsecurity encode the data received on the server and if so how can that be achieved?

 

Regards,

Sandeep


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Disclaimer~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Information contained and transmitted by this e-mail is confidential and proprietary to IGATE and its affiliates and is intended for use only by the recipient. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, copying or use of this e-mail is strictly prohibited and you are requested to delete this e-mail immediately and notify the originator or mailadmin <at> igate.com. IGATE does not enter into any agreement with any party by e-mail. Any views expressed by an individual do not necessarily reflect the view of IGATE. IGATE is not responsible for the consequences of any actions taken on the basis of information provided, through this email. The contents of an attachment to this e-mail may contain software viruses, which could damage your own computer system. While IGATE has taken every reasonable precaution to minimise this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should carry out your own virus checks before opening an attachment. To know more about IGATE please visit www.igate.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ryan Barnett | 5 Aug 18:08 2014

Live ModSecurity Demos at Blackhat Arsenal

FYI – if any of you are going to be out at Blackhat USA this week in Las Vegas, please stop by Arsenal tools on Thursday morning as I will be there demoing many cool ModSecurity features :)


Hope to see some of you in Las Vegas!

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: mod-security-users Digest, Vol 99, Issue 11

Hi Felipe,
By default SecStreamInBodyInspection parameter was not present in the modsecurity.conf that I had on my server.

I tried adding and setting SecStreamInBodyInspection to On and it worked for me. I have also added the below parameters,

SecStreamOutBodyInspection On
SecStreamInBodyInspection On
SecContentInjection On

Thanks a lot !

Regards,
Sandeep Kale.
________________________________________
From: mod-security-users-request <at> lists.sourceforge.net <mod-security-users-request <at> lists.sourceforge.net>
Sent: Tuesday, August 5, 2014 4:24 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: mod-security-users Digest, Vol 99, Issue 11


Today's Topics:

   1. Re: IIS modSecurity Problem (Sandeep Kale (GRP00 - GROTH))
   2. domain names with specific prefix (Ehsan Mahdavi)
   3. Re: domain names with specific prefix (Suresh Prajapati)
   4. Re: domain names with specific prefix (Ehsan Mahdavi)

----------------------------------------------------------------------

Message: 1
Date: Tue, 5 Aug 2014 06:03:18 +0000
From: "Sandeep Kale (GRP00 - GROTH)" <Sandeep.SKale <at> igate.com>
Subject: Re: [mod-security-users] IIS modSecurity Problem
To: "mod-security-users <at> lists.sourceforge.net"
        <mod-security-users <at> lists.sourceforge.net>
Cc: "Abhishek Tripathi \(GE\)" <Abhishek.Tripathi <at> igate.com>
Message-ID: <1407218597583.34816 <at> igate.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi Felipe,
My configurations are almost same as the defaults settings. Below are my findings.

Do you have SecRequestBodyAccess (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRequestBodyAccess)
enabled or disabled?

Sandeep : Yes, This is enabled.

Dynamic compression is enabled in your server?.

Sandeep : I will check on this. Should I enable it if not ?

Do you have another IIS module installed in this very same server?

Sandeep : nope. I have only one website on this server. I have urlscan installed on this IIS.

Can you set SecStreamInBodyInspection to On and check if the problem persists?
(More information here: https://github.com/SpiderLabs/ModSecurity/issues/562)

Sandeep : I will check on this and give a try.

Thanks for your attention into this issue.

Regards,
Sandeep Kale.


________________________________
From: Sandeep Kale (GRP00 - GROTH)
Sent: Monday, August 4, 2014 11:05 AM
To: mod-security-users <at> lists.sourceforge.net
Cc: Abhishek Tripathi (GE)
Subject: RE: IIS modSecurity Problem

Hi ,

I have observed that when application uses GET method then it works fine but when we use POST method then we
see that modSecurity is blocking the requests with default settings.

Is there any configuration settings to allow POST requests as well or am I missing anything else ?

Regards,

Sandeep Kale.

________________________________
From: Sandeep Kale (GRP00 - GROTH)
Sent: Monday, August 4, 2014 5:07 AM
To: mod-security-users <at> lists.sourceforge.net
Cc: Abhishek Tripathi (GE)
Subject: IIS modSecurity Problem

Hi,

I have installed modSecurity 2.8.0 for IIS 7.5 on Windows Server 2008 R2 server. We have CGI based web
application running on this IIS.

After installation we see that modSecurity is blocking all the request to web-server. The debug and Audit
logs are enabled and we do not see much information as to why the requests are blocked.

I tried to intercept the request in Burp Suite and do not see the actual request sent to server. Hence it looks
like the complete request is blocked.

Is there any configuration parameter to log everything that modSecurity is doing ?

Regards,

Sandeep Kale.


------------------------------

Message: 2
Date: Tue, 5 Aug 2014 13:16:04 +0430
From: Ehsan Mahdavi <ehsan.mahdavi <at> gmail.com>
Subject: [mod-security-users] domain names with specific prefix
To: mod-security-users <at> lists.sourceforge.net
Message-ID:
        <CAC7V=mz-xUk_L=LqeU-YbURPOasmERgS0CdeohfDuy48atKGjw <at> mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Greetings,

I am trying to protect a large domain containing many sub-domains all with
a specific post-fix on their names, e.g. site1.domain.com , site2.domain.com,
.... , siten.domain.com .

I am wondering if I can configure a reverse proxy so modsecurity will
protect something like *.domain.com?

P.S. I'm Using mod-security with apache.
P.S. Different domain names have different IP addresses.

--
                    regards
                 Ehsan.Mahdavi

------------------------------

Message: 3
Date: Tue, 5 Aug 2014 14:36:38 +0530
From: Suresh Prajapati <suresh.prajapati <at> bankbazaar.com>
Subject: Re: [mod-security-users] domain names with specific prefix
To: mod-security-users <at> lists.sourceforge.net
Message-ID:
        <CA+g953MWPErYG56SYOzEti+2gs=YxUSssHSdz2Z6-kZPaAMx1w <at> mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Ehsan,

If using Apache it will protect each virtualhost on the server. If you want
to disable any virtual host from monitoring just include SecRuleEngine Off.

Regards,
Suresh

On Tue, Aug 5, 2014 at 2:16 PM, Ehsan Mahdavi <ehsan.mahdavi <at> gmail.com>
wrote:

> Greetings,
>
> I am trying to protect a large domain containing many sub-domains all with
> a specific post-fix on their names, e.g. site1.domain.com ,
> site2.domain.com, .... , siten.domain.com .
>
> I am wondering if I can configure a reverse proxy so modsecurity will
> protect something like *.domain.com?
>
> P.S. I'm Using mod-security with apache.
> P.S. Different domain names have different IP addresses.
>
> --
>                     regards
>                  Ehsan.Mahdavi
>
>
>

--
Thanks,
Suresh
Information Security Analyst
suresh.prajapati <at> bankbazaar.com
Mobile: +91 8884199479
DISCLAIMER:
Information contained and transmitted by this email including any
attachment is proprietary to BankBazaar.com and is intended solely for the
addressee/s, and may contain information that is privileged, confidential
or exempt from disclosure under applicable law. Access to this e-mail
and/or to the attachment by anyone else is unauthorized. If this is a
forwarded message, the content and the views expressed in this email may
not reflect those of BankBazaar.com. If you are not the intended recipient,
an agent of the intended recipient or a person responsible for delivering
the information to the named recipient, you are notified that any use,
distribution, transmission, printing, copying or dissemination of this
information in any way or in any manner is strictly prohibited.

------------------------------

Message: 4
Date: Tue, 5 Aug 2014 13:54:37 +0430
From: Ehsan Mahdavi <ehsan.mahdavi <at> gmail.com>
Subject: Re: [mod-security-users] domain names with specific prefix
To: mod-security-users <at> lists.sourceforge.net
Message-ID:
        <CAC7V=mwy=QEe3fhZ+LzLD=i2NYpCDh_+hh_AE+=A+Zwy_qcOSA <at> mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

What do you mean?

Do you mean that I must define a virtual host per domain name?
If yes, this is the common solution, and I was asking for something like a
virtual host(just one virtual host) which can support all domain names.
e.g. *.domain.com

On Tue, Aug 5, 2014 at 1:36 PM, Suresh Prajapati <
suresh.prajapati <at> bankbazaar.com> wrote:

> Ehsan,
>
> If using Apache it will protect each virtualhost on the server. If you
> want to disable any virtual host from monitoring just include SecRuleEngine
> Off.
>
> Regards,
> Suresh
>
>
> On Tue, Aug 5, 2014 at 2:16 PM, Ehsan Mahdavi <ehsan.mahdavi <at> gmail.com>
> wrote:
>
>> Greetings,
>>
>> I am trying to protect a large domain containing many sub-domains all
>> with a specific post-fix on their names, e.g. site1.domain.com ,
>> site2.domain.com, .... , siten.domain.com .
>>
>> I am wondering if I can configure a reverse proxy so modsecurity will
>> protect something like *.domain.com?
>>
>> P.S. I'm Using mod-security with apache.
>> P.S. Different domain names have different IP addresses.
>>
>> --
>>                     regards
>>                  Ehsan.Mahdavi
>>
>>
>>
>
>
> --
> Thanks,
> Suresh
> Information Security Analyst
> suresh.prajapati <at> bankbazaar.com
> Mobile: +91 8884199479

--
                    regards
                 Ehsan.Mahdavi
End of mod-security-users Digest, Vol 99, Issue 11
**************************************************


Ehsan Mahdavi | 5 Aug 10:46 2014

domain names with specific prefix

Greetings,

I am trying to protect a large domain containing many sub-domains all with a specific post-fix on their names, e.g. site1.domain.com , site2.domain.com, .... , siten.domain.com .

I am wondering if I can configure a reverse proxy so modsecurity will protect something like *.domain.com?

P.S. I'm Using mod-security with apache.
P.S. Different domain names have different IP addresses.

--
                    regards
                 Ehsan.Mahdavi


Re: IIS modSecurity Problem

Hi Felipe,

Do you have SecRequestBodyAccess (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRequestBodyAccess)
enabled or disabled?

Sandeep : Yes, This is enabled.

Dynamic compression is enabled in your server?. 

Sandeep : I will check on this. Should I enable it if not ?

Do you have another IIS module installed in this very same server?

Sandeep : nope. I have only one website on this server. I have urlscan installed on this IIS.

Can you set SecStreamInBodyInspection to On and check if the problem persists?
(More information here: https://github.com/SpiderLabs/ModSecurity/issues/562)

Sandeep : I will check on this and give a try.

Thanks for your attention into this issue.

Regards,
Sandeep Kale.

From: "Sandeep Kale (GRP00 - GROTH)" <Sandeep.SKale <at> igate.com>
Reply-To: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Date: Monday, August 4, 2014 1:05 PM
To: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Cc: "Abhishek Tripathi (GE)" <Abhishek.Tripathi <at> igate.com>
Subject: Re: [mod-security-users] IIS modSecurity Problem

Hi ,

I have observed that when application uses GET method then it works fine but when we use POST method then we
see that modSecurity is blocking the requests with default settings.

Is there any configuration settings to allow POST requests as well or am I missing anything else ?

Regards,

Sandeep Kale.

________________________________
From: Sandeep Kale (GRP00 - GROTH)
Sent: Monday, August 4, 2014 5:07 AM
To: mod-security-users <at> lists.sourceforge.net
Cc: Abhishek Tripathi (GE)
Subject: IIS modSecurity Problem

Hi,

I have installed modSecurity 2.8.0 for IIS 7.5 on Windows Server 2008 R2 server. We have CGI based web
application running on this IIS.

After installation we see that modSecurity is blocking all the request to web-server. The debug and Audit
logs are enabled and we do not see much information as to why the requests are blocked.

I tried to intercept the request in Burp Suite and do not see the actual request sent to server. Hence it looks
like the complete request is blocked.

Is there any configuration parameter to log everything that modSecurity is doing ?

Regards,

Sandeep Kale.


------------------------------

Message: 2
Date: Mon, 4 Aug 2014 22:37:50 +0530
From: Suresh Prajapati <suresh.prajapati <at> bankbazaar.com>
Subject: Re: [mod-security-users] Offline Monitoring Using ModSecurity
To: mod-security-users <at> lists.sourceforge.net
Message-ID:
        <CA+g953PjPmOxFN8XyBN7NfUjd5K_h+-RJPXNiU-W3Yt8bCH-LQ <at> mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hey Craig,

It's going to help me a lot... thanks again, appreciated.

Regards,

On Mon, Aug 4, 2014 at 4:42 PM, Craig Lawson <craig.lawson <at> secarma.co.uk>
wrote:

>  Hi Suresh:
>
>
>
> These work for CentOS 6, obviously there may be ways we do things that
> don't quite fit into your environment but I'm sure you can adjust
> appropriately:
>
>
>
> *Pre-Requisites:*
>
>
>
> yum install perl-CPAN
>
> perl -MCPAN -e shell
>
> install LWP::UserAgent
>
> install LWP::Protocol::https
>
> yum install perl-libwww-perl perl-Time-HiRes perl-File-Pid perl-File-Tail perl-Crypt-SSLeay
>
>
>
> *mlog2waffle:*
>
>
>
> wget https://github.com/klaubert/waf-fle/archive/master.zip
>
> unzip master.zip
>
> cd waf-fle-master
>
> cp extra/mlog2waffle/mlog2waffle /usr/sbin/mlog2waffle
>
> chmod +x /usr/sbin/mlog2waffle
>
> cp extra/mlog2waffle/mlog2waffle.rhel /etc/init.d/mlog2waffle
>
> cp extra/mlog2waffle/mlog2waffle.conf /etc/mlog2waffle.conf
>
> touch /opt/modsecurity/var/mlog2waffle-index
>
>
>
> # Edit /etc/mlog2waffle.conf to reflect your needs, the file has many comments
> # to help you adjust the parameters
>
> # Edit your mod_security.conf to reflect the changes between mlogc.conf
> # and mlog2waffle.conf
>
>
>
> chkconfig --add mlog2waffle
>
> service mlog2waffle start
>
>
>
>
>
> Craig
>
>
>
> *From:* Suresh Prajapati [mailto:suresh.prajapati <at> bankbazaar.com]
> *Sent:* 04 August 2014 11:44
> *To:* mod-security-users <at> lists.sourceforge.net
>
> *Subject:* Re: [mod-security-users] Offline Monitoring Using ModSecurity
>
>
>
> Hey Craig,
>
>
>
> That can solve my problem. If you have any help doc on this, please
> share if you can. Thanks for helping.
>
>
>
> Regards,
>
> Suresh
>
>
>
> On Mon, Aug 4, 2014 at 4:07 PM, Craig Lawson <craig.lawson <at> secarma.co.uk>
> wrote:
>
> I've had / seen the 100% cpu mlogc issue... We now use the log agent that
> comes with WAF-FLE to send our logs to AuditConsole, works for us.
>
> C
>
>
>
> -----Original Message-----
> From: Christian Bockermann [mailto:chris <at> jwall.org]
> Sent: 04 August 2014 10:18
> To: Mod Security
> Subject: Re: [mod-security-users] Offline Monitoring Using ModSecurity
>
>
> On 04.08.2014 at 11:01, Reindl Harald <h.reindl <at> thelounge.net> wrote:
> > On 04.08.2014 at 10:51, Suresh Prajapati wrote:
> >> So what is the other way to avoid the mlogc load on Apache server to use ModSecurity?
> >> As ModSecurity is taking a lot of CPU and on some servers 100% CPU utilization.
> >
> > what mlogc load are you talking about?
> >
> > if you have 100% CPU load the reason is just a wrong config for
> > production and not that mod_security is running and so
>
> That might refer to a rather hard-to-reproduce bug that makes mlogc spin
> wildly with 100% CPU consumption due to some locks in the process.
>
> Not sure if that is solved in the latest version, but that used to be an
> issue for quite a while and one of the main reasons, people turned away
> from mlogc.
>
> Regards,
>    Chris
>
>
> --
>
> Thanks,
>
> Suresh
>
> Information Security Analyst
>
> suresh.prajapati <at> bankbazaar.com
> Mobile: +91 8884199479
>

--
Thanks,
Suresh
Information Security Analyst
suresh.prajapati <at> bankbazaar.com
Mobile: +91 8884199479

------------------------------


End of mod-security-users Digest, Vol 99, Issue 6
*************************************************


Anas Khatri | 4 Aug 14:42 2014

ModSecurity installation for new users

Dear All,

I am new to this forum, and I get plenty of emails where people are helping each other to resolve issues related to mod_security. I am new to this tool and I have no experience installing and configuring ModSecurity. Could anyone help me out with a fresh installation guide, or any tutorial or steps on how to install and configure ModSecurity for Apache?

Thanks,
Anas

IIS modSecurity Problem

Hi,

I have installed ModSecurity 2.8.0 for IIS 7.5 on a Windows Server® 2008 R2 server. We have a CGI-based web application running on this IIS.

After installation we see that ModSecurity is blocking all the requests to the web server. The debug and audit logs are enabled and we do not see much information as to why the requests are blocked.

I tried to intercept the request in Burp Suite and do not see the actual request sent to the server. Hence it looks like the complete request is blocked.

Is there any configuration parameter to log everything that ModSecurity is doing?

Regards,

Sandeep Kale.


Suresh Prajapati | 4 Aug 09:12 2014

Offline Monitoring Using ModSecurity

Hello,

I want to run ModSecurity on a non-Apache server where I can send my Apache logs and get the alert.
Can we get this feature with ModSecurity?

The idea is to avoid ModSecurity load on the web server.

--
Thanks,
Suresh
Information Security Analyst
suresh.prajapati <at> bankbazaar.com 
Mobile: +91 8884199479