Dimitri Yioulos | 9 Feb 23:06

Broke mlogc

Greetz, all.

Well, here we go again.  I was looking to upgrade modsec to the latest
and greatest from version 2.5.9.  All of the pieces are where they
should be, and the config files are (I believe) correct, but now I'm
getting no output to the ModSecurity console, and am getting this in
mlogc-log.error:

[Tue Feb 09 17:00:37 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:00:37 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:01:42 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:01:42 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:02:47 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:02:47 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:03:52 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:03:52 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:04:57 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:04:57 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG (cURL code 55): select/poll returned error

How might I fix what I messed up?

Thanks.

Dimitri


------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
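The log excerpt above repeats a single entry id at roughly one-minute intervals; summarising an mlogc error log by entry id and by failure kind makes that pattern visible at a glance. The following is an added Python example, not code from the post or from the ModSecurity project: the sample lines are constructed from the excerpt, and the line format is assumed to be the one shown there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the mlogc-log.error excerpt in the post
# (entry id and worker ids copied from it; not the poster's actual file).
SAMPLE_MLOGC_LOG = """\
[Tue Feb 09 17:00:37 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:00:37 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:01:42 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
[Tue Feb 09 17:04:57 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG (cURL code 55): select/poll returned error
"""

# Assumed line layout: [timestamp] [level] [pid/thread] message, where the
# message ends either with an HTTP status or with a cURL error code.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\d+)\] \[(?P<worker>[^\]]+)\] "
    r"Flagging server as errored after failure to submit entry (?P<entry>\S+) "
    r"(?:with HTTP response code (?P<http>\d+)|\(cURL code (?P<curl>\d+)\))"
)


def parse_mlogc_errors(text):
    """Yield one dict per 'Flagging server as errored' line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Count failures per entry id and per cause, and record which workers saw each entry."""
    per_entry = Counter()
    per_cause = Counter()
    workers = defaultdict(set)
    for rec in parse_mlogc_errors(text):
        per_entry[rec["entry"]] += 1
        cause = f"HTTP {rec['http']}" if rec["http"] else f"cURL {rec['curl']}"
        per_cause[cause] += 1
        workers[rec["entry"]].add(rec["worker"])
    return {
        "per_entry": dict(per_entry),
        "per_cause": dict(per_cause),
        "workers": {k: sorted(v) for k, v in workers.items()},
    }


def stuck_entries(text, threshold=3):
    """Entry ids that failed at least `threshold` times. mlogc keeps retrying the
    same queued entry after the console rejects it, so one id recurring is the
    signature of a stuck queue, not of many new events."""
    return sorted(e for e, n in summarize(text)["per_entry"].items() if n >= threshold)


if __name__ == "__main__":
    print(summarize(SAMPLE_MLOGC_LOG))
    print("stuck:", stuck_entries(SAMPLE_MLOGC_LOG))
```

Run against the real mlogc-log.error, a single entry id recurring with HTTP 500 and then cURL 55 says the console side is rejecting the submission and the queue is not draining; the count measures how long it has been stuck rather than how many transactions were logged.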

Gagan Bhatia | 9 Feb 14:00

Multiple alerts received "Request Missing an Accept Header"


Dear Mailing List

We were trying to implement ModSecurity with the IBM IHS server. I am receiving multiple alerts related to "Request Missing an Accept Header". Can anyone enlighten me on the same?

[Tue Feb 09 18:16:41 2010] [error] [client x.x.x.x.] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/opt/SomePATH/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "somedomain.com"] [uri "/InternalWEB/UploadServlet"] [unique_id "TzRH4wpQGAkAAFPaG8QAAACF"]

Regards
Gagan Bhatia
Tata Consultancy Services
Mailto: gagan.bhatia <at> tcs.com
Website: http://www.tcs.com
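The alert text shows the second half of a chained check: rule 960015 fires when no Accept header is present and the method is not OPTIONS (the "Match of rx ^OPTIONS$ against REQUEST_METHOD required" wording is how a negated operator reports that it matched). The added Python example below is not code from the post or from the Core Rule Set; it re-implements that logic over constructed requests so the alert can be reproduced and tuned offline. Header values and hostnames are placeholders.

```python
import re

# The chain, as the alert text describes it: (number of Accept headers == 0)
# AND (REQUEST_METHOD does not match ^OPTIONS$).  Reconstructed for
# illustration, not copied from the CRS file.
OPTIONS_RE = re.compile(r"^OPTIONS$")


def missing_accept_header(method, headers):
    """True when a request with this method and header set would trigger 960015."""
    # HTTP header names are case-insensitive, so compare lower-cased names.
    has_accept = any(name.lower() == "accept" for name in headers)
    return not has_accept and not OPTIONS_RE.match(method)


# Constructed sample requests: (method, headers).
SAMPLE_REQUESTS = [
    ("GET", {"Host": "somedomain.com", "Accept": "text/html"}),
    # An upload client posting to a servlet without sending Accept.
    ("POST", {"Host": "somedomain.com", "Content-Type": "multipart/form-data"}),
    # OPTIONS is exempted by the second rule of the chain.
    ("OPTIONS", {"Host": "somedomain.com"}),
    # Lower-case header name still counts as present.
    ("GET", {"Host": "somedomain.com", "accept": "*/*"}),
]


def audit(requests):
    """Indexes of requests that would raise the alert.  Use the result to decide
    whether a specific client needs an exception rather than the rule itself
    being wrong."""
    return [i for i, (method, headers) in enumerate(requests)
            if missing_accept_header(method, headers)]


if __name__ == "__main__":
    for i in audit(SAMPLE_REQUESTS):
        print("would alert:", SAMPLE_REQUESTS[i][0], sorted(SAMPLE_REQUESTS[i][1]))
```

Only the second constructed request alerts, which is the shape of the poster's situation: a non-browser client calling an upload servlet is a legitimate sender that simply omits Accept, and the fix is an exception scoped to that URI or client, not disabling the rule.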
Brian Rectanus | 6 Feb 02:25

ModSecurity 2.5.12 Released

Hello all,

ModSecurity 2.5.12 has been released.  This release fixes several
important issues to help prevent a detection bypass and denial of
service attacks against ModSecurity.  Many thanks to the Sogeti/ESEC R&D
team for sending us the results of their code review.  In addition, this
release fixes quite a few small but notable bugs and includes the latest
Core Ruleset (v2.0.5).

It is highly recommended that you upgrade to ModSecurity 2.5.12, but
there are some changes you need to watch out for.

Notable changes which may impact an upgrade:

* PCRE match limits are substantially lowered by default.  If you have
custom rules that are resulting in "PCRE limits exceeded", then you may
have to adjust SecPcreMatchLimit* directives or modify your regex.  You
can also revert to the default by building with
"--disable-pcre-match-limit" and "--disable-pcre-match-limit-recursion"
configure options (not recommended, though).

* PCRE "studying" is now on by default (Use the --disable-pcre-study
configure option to turn it off).  This allows for extra checks when
compiling a regex for optimization.  Normally this is a good thing, but
it may slow down a restart/reload on large rulesets.

* A new form of processing flags has been introduced.  ModSecurity
processing flags may indicate an issue or inconsistency when processing
a transaction.  These flags have been placed in the TX collection so
that they maintain backwards compatibility.  Each of these flags is
prefixed with "MSC_".  If you are using this prefix, then you may have
false positives and will need to change to another prefix.  Currently
there is just one flag, TX:MSC_PCRE_LIMITS_EXCEEDED, being used.  See
the documentation on the TX and SecPcreMatchLimit* directives for more
information.

* ModSecurity will now (by default) not process more than 100 file
uploads.  This can be overridden via SecUploadFileLimit.  You are
encouraged to *lower* the limit if you do not allow mass uploads of
files on your site.

* The @pmFromFile operator will now trim whitespace from both sides of
the phrase (line) when reading in the list of phrases.  If you have used
whitespace as a left or right boundary in custom rules, then you will
need to replace the boundary with a non-whitespace character.

As always, downloads are available from modsecurity.org.

CHANGES:

04 Feb 2010 - 2.5.12
--------------------

 * Fixed SecUploadFileMode to set the correct mode.

 * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

 * Added additional file info definitions introduced in APR 0.9.5 so that
   build will work with older APRs (IBM HTTP Server v6).

 * Added SecUploadFileLimit to limit the number of uploaded file parts that
   will be processed in a multipart POST.  The default is 100.

 * Fixed path normalization to better handle backreferences that extend
   above root directories.  Reported by Sogeti/ESEC R&D.

 * Trim whitespace around phrases used with @pmFromFile and allow
   for both LF and CRLF terminated lines.

 * Allow for more robust parsing for multipart header folding.  Reported
   by Sogeti/ESEC R&D.

 * Fixed failure to match internally set TX variables with regex
   (TX:/.../) syntax.

 * Fixed failure to log full internal TX variable names and populate
   MATCHED_VAR* vars.

 * Enabled PCRE "studying" by default.  This is now a configure-time option.

 * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
   aid in REDoS type attacks.  A rule that goes over the limits will set
   TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
   of ModSecurity (2.6.x) will move these flags to a dedicated collection.

 * Reduced default PCRE match limits reducing impact of REDoS on poorly
   written regex rules.  Reported by Sogeti/ESEC R&D.

 * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.

 * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

 * Update copyright to 2010.

 * Reserved 700,000-799,999 IDs for Ivan Ristic.

 * Fixed SecAction not working when CONNECT request method is used
   (MODSEC-110). [Ivan Ristic]

 * Do not escape quotes in macro resolution and only escape NUL in setenv
   values.

-- 
Brian Rectanus
Breach Security
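Of the changes listed, the @pmFromFile one is the most likely to alter matching silently. The added Python example below is not code from the release or from the project: it models the old and the new phrase loader as the release notes describe them (that the old loader kept a trailing CR from CRLF files is my reading of "allow for both LF and CRLF terminated lines", so it is an assumption) and shows how a phrase list that relied on surrounding whitespace behaves under each. The phrase file and the test strings are constructed.

```python
def load_phrases_legacy(data: bytes):
    """Model of the pre-2.5.12 loader as the notes describe it: every line is
    taken verbatim, so leading/trailing blanks, and the CR of a CRLF-terminated
    line, become part of the phrase.  (Assumed behaviour, see lead-in.)"""
    return [line for line in data.decode("utf-8").split("\n") if line != ""]


def load_phrases_2_5_12(data: bytes):
    """2.5.12 loader: LF or CRLF line endings are accepted, whitespace is
    trimmed on both sides of each phrase, and empty phrases are dropped."""
    phrases = []
    for line in data.decode("utf-8").splitlines():  # splits on \n and \r\n alike
        phrase = line.strip()
        if phrase:
            phrases.append(phrase)
    return phrases


def pm_match(phrases, text):
    """@pm-style test: return every phrase that occurs as a substring of text."""
    return [p for p in phrases if p in text]


# Constructed CRLF phrase file.  The author used surrounding spaces on "cmd"
# as a poor man's word boundary, and left a whitespace-only line in the file.
PHRASE_FILE = b" cmd \r\nbackup\r\n  \n"


def compare(text):
    """Show what each loader's phrase list matches in the same input."""
    return {
        "legacy": pm_match(load_phrases_legacy(PHRASE_FILE), text),
        "2.5.12": pm_match(load_phrases_2_5_12(PHRASE_FILE), text),
    }


if __name__ == "__main__":
    for sample in ("/cgi/run?x=cmd", "/files/backup.tar", "/a b  c"):
        print(sample, compare(sample))
```

Two effects follow from the comparison. A CRLF phrase file that never matched anything before (every phrase carried a hidden CR) starts matching after the upgrade, and a phrase padded with spaces loses its implied word boundary, so "cmd" now also hits inside longer tokens; both are worth checking for when custom @pmFromFile rules suddenly change their hit rate.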


Ross Lawrie | 3 Feb 21:43

modsecurity console question

Just a quick question, and perhaps it's to the wrong place.  I've just
finished upgrading my systems to 2.5.11, however I'm noticing an issue
with events sent to the console - they don't seem to result in a
severity at the console side, and therefore aren't shown in alerts; I
have to dig through the transactions in order to find potential errors.

Is this just an incompatibility between 2.5.11 and the old console, or
have I missed something somewhere in my build?  I do realise that the
console is fairly old and no longer maintained, but figured someone else
might have seen the same issue and know a workaround?  I do also realise
there is the AuditConsole project which I am looking at moving to, but
am not there quite yet.

I'm using ModSecurity 2.5.11 (with CRS 2.0.4) and ModSecurity Console
1.0.5.

Thanks,

Ross Lawrie.


argo | 3 Feb 16:31

compile mod_security 2.5.11 on RHAT 5.2 and IBM HTTP SERVER 6 (apache 2.0.47)

Hi,
I'm trying to compile mod_security 2.5.11 on a rhat 5.2 server
using IBM http server 6 (based on apache 2.0.47).
My problem is that in file msc_util.c, when compiling, gcc is
telling me that APR_WSTICKY, APR_GSETID and APR_USETID are undefined.
I've checked and apr-config --version says that I'm using apr 0.9.4.
Is my configuration supported or not?
Thanks to anyone!


Shanti Suresh | 2 Feb 23:49

Recommendations for Mod_security architecture

Hi all,

We have several applications hosted on separate Apache+Tomcat instances.  We use one web-server-to-one App_server
per application in order to provide application isolation.  Change management and configuration
management become easy this way.

My questions are:
(1) Should I install mod_security as part of the Apache web-server which already acts as a reverse proxy?
(2) Install a separate Apache server instance+mod_proxy to protect all other (Apache reverse-proxies +
Applications) behind it?

Thanks.

-Shanti
--
Shanti Suresh
Sr. Programmer/Analyst
Enterprise Clinical Systems



Ken S. | 1 Feb 21:23

The 'exec' Action and Available Variables

My question is about which variables are available to scripts running
from the 'exec' action.

I had posted earlier about wanting to log all POST data to a file
separate from the Apache error_log.
(http://article.gmane.org/gmane.comp.apache.mod-security.user/7099)
Ryan was kind enough to point me to the 'exec' action in the
documentation.  So I began developing a Bash script to handle this for
me; Bash is the most light-weight language that I know.  My script
works exactly as I want it when I run it as the "action" from a web
form, but does not capture any POST data when run as the exec
action from my rule; it does log all the other data from the
script, i.e. date, referrer, etc.  You can see it at:
http://www.imacollector.com/test-post.htm

This is the rule I have in my modsecurity_crs_15_customrules.conf file:

# Log POST data to a file
SecRule REQUEST_METHOD "^POST$" \
"phase:2,t:none,noauditlog,log,pass,exec:/usr/local/apache2/bin/logpostvars.sh"

The documentation says:
"... Some transaction information will be placed in environment
variables. All the usual CGI environment variables will be there. ..."

so I suspect all I need to do is to know which environment variable
stores the POST data and then split it in to key/value pairs and
continue.

If anyone could help me get over this last hurdle, I would be golden.

Thanks!
-ken
-- 
Have a nice day ... unless you've made other plans.
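The documentation quoted above promises CGI environment variables, and under the CGI convention the request body is never one of them (CGI hands the body to the program on standard input, not in the environment), so the first useful step is to record exactly which variables the exec script receives. The added Python example below is not the poster's logpostvars.sh; ModSecurity runs an exec script as an ordinary executable, so the same approach works from Bash. The variable list and the default log path are assumptions.

```python
#!/usr/bin/env python3
"""Exec-action logger (added example).  Appends one JSON line per transaction
with the CGI-style variables ModSecurity exported, plus the names of any other
variables present, so the script itself tells you what it was given."""
import json
import os
import sys
import time

# Assumed set of CGI variables worth recording by value; everything else in
# the environment is logged by name only, so nothing unexpected leaks.
CGI_VARS = ("REQUEST_METHOD", "REQUEST_URI", "REMOTE_ADDR", "SERVER_NAME",
            "CONTENT_TYPE", "CONTENT_LENGTH", "HTTP_REFERER", "HTTP_USER_AGENT")

DEFAULT_LOG = "/tmp/postvars.log"  # placeholder path, pick one Apache's user can write


def build_record(env, now=None):
    """One dict per transaction: timestamp, the CGI_VARS by value (empty string
    when absent), and the sorted names of every other exported variable."""
    rec = {"ts": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(now))}
    for name in CGI_VARS:
        rec[name.lower()] = env.get(name, "")
    rec["other_vars"] = sorted(name for name in env if name not in CGI_VARS)
    return rec


def write_record(env, path, now=None):
    """Serialise the record as one JSON line, append it to `path`, return the line."""
    line = json.dumps(build_record(env, now), sort_keys=True)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


if __name__ == "__main__":
    # Invoked by ModSecurity as: exec:/path/to/this_script.py
    write_record(os.environ, sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LOG)
```

After one POST through the rule, the `other_vars` list in the log shows the complete set of names ModSecurity exported; if no variable holding the body appears there, the body has to be obtained another way (for example from the audit log with SecAuditLogParts including the request body part), not from the exec environment.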


Mike Cardwell | 1 Feb 19:22

Incomplete SSL negotiation information

My server has somehow found itself on the end of some strange
behaviour originating from the Pushdo botnet as described here:

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129

The infected hosts basically connect to the HTTPS port, send some
garbage and then disconnect without the SSL negotiation even being
completed. My error log is full of stuff like this:

[Mon Feb 01 18:19:37 2010] [error] unusably short session_id provided (1
bytes)

Annoyingly for some reason Apache doesn't log the IP address in this
circumstance. Is there anything I can do with ModSecurity to gather more
information on this problem or to mitigate it somehow?

-- 
Mike Cardwell    : UK based IT Consultant, Perl developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/       #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/
Spamalyser       : Spam Tool  - http://spamalyser.com/


OSSEC junkie | 29 Jan 18:01

RBL Lookup File - ip.pag help!

All:

I am using the RBL lookup and the ip.pag file is huge.  I thought this
would be recycled nightly but I guess not.  Any ideas or insight on
how to shrink would be great.  I could script the file to be deleted
nightly but just wanted to make sure there isn't something I need to
be doing but am not.

My current rule set being used is:

SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
    "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"

SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
    "phase:1,t:none,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

SecAction "phase:1,t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"

SecMarker END_RBL_LOOKUP

SecRule IP:SPAMMER "@eq 1" \
    "phase:1,t:none,log,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"

SecMarker END_RBL_CHECK

Any ideas as to why the log file is so huge?   The expirevar option is
in the configuration but no luck.  I will ultimately be forced to
delete the file nightly...or is that the ideal way to handle it?


Sergio | 29 Jan 05:57

Re: How to write an IP automatically to a file?

Hi to all,
I finally found that the exec command is not working inside the rule, as I tried SecRuleScript with the script and it worked like a charm. The problem now is that I don't know how to use SecRuleScript in my rule, as I have tried the following:

SecRule REQUEST_URI "@pmFromFile bad-scripts.txt" \
"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:' Malware Script detected in URL',logdata:'%{TX.0}'"
SecRuleScript "/usr/local/apache/conf/modsec_rules/ip_write.lua"

But using as it is, I have the problem that the LUA script writes any IP, not only the one that triggered the rule.

If you don't mind, can you tell me what would be the best way to use both rules together?

Regards,
Sergio

On Wed, Jan 27, 2010 at 10:29 AM, Brian Rectanus <Brian.Rectanus <at> breach.com> wrote:
Lua support is optional.  Does your build have Lua support?

nm /path/to/modules/mod_security2.so | grep -i lua

If the above returns results, then you do have support.

-B

Sergio wrote:
> Hi William,
> I googled some info and found the following in
> http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity
> :
>
> "ModSecurity 2.5 Rule Scripting - Lua
>
> ModSecurity version 2.5 adds support for rule scripting via lua. Lua is
> known to have difficulties building. Lua build failures will not cause
> an Apache build to halt, but will provide errors in the build log upon
> build failure, and lua support will not be enabled. If you wish to use
> lua in your custom ruleset, you should read carefully on the proper
> usage of lua and ensure that the lua build was a success.
>
> *Where to store lua scripts*
>
> Lua scripts should be stored in */usr/local/apache/conf* in a sub
> directory such as */usr/local/apache/conf/modsec-lua*. Storing scripts
> in this location will ensure they are available whenever Apache
> configurations are tested or Apache is restarted. It will also keep them
> intact through EasyApache builds."
>
> So, after reading this I moved the script to the suggested directory,
> but stills not working, even that it is not showing any error at all,
> maybe is something that I doing wrong on the lua script. Even the file
> "IPS.TXT" has been moved to the same directory as the script.
>
> Best Regards,
>
> Sergio
>
>
> On Wed, Jan 27, 2010 at 12:38 AM, William Salusky <wsalusky <at> gmail.com
> <mailto:wsalusky <at> gmail.com>> wrote:
>
>     Sounds like your module does not have Lua support built in.
>
>     W
>
>
>     On Wed, Jan 27, 2010 at 1:00 AM, <secmas <at> gmail.com
>     <mailto:secmas <at> gmail.com>> wrote:
>
>         William,
>         I have moved the lua file to
>         /usr/local/apache/conf/modsec_rules, but the same error continues.
>
>         I have monitored the debug log and nothing weird shows up, only
>         this:
>
>         [26/Jan/2010:23:55:54 --0600] [www.somedomain.com/sid#e958b80][rid#10ee8060][/index.php][1] Access denied with code 406 (phase 2). Matched phrase "/matched" at REQUEST_URI. [file "/usr/local/apache/conf/modsec_rules/00_ip_write.conf"] [line "2"] [id "999999"] [rev "1"] [msg "SECMAS: Malware Script detected in URL"] [data "/matched"] [severity "CRITICAL"]
>
>         It doesn't said anything about an error copying the data to the
>         IP.TXT file.
>
>         Regards,
>         Sergio
>
>
>
>         On Jan 26, 2010 11:46pm, secmas <at> gmail.com
>         <mailto:secmas <at> gmail.com> wrote:
>         > Hi William,
>         > Yes my modsec has been configured with LoadFile
>         /opt/lua/lib/liblua.so, I have already checked the apache
>         error_log but nothing is in there that shows an error in my rule.
>         >
>         > I set the debug but failed to have it on 1 instead of 3, I
>         will fix that.
>         >
>         > Let me change the lua file to the same directory where the
>         modsec_rules are.
>         >
>         > I will write you back with what I found, thanks.
>         >
>         > Regards,
>         > Sergio
>         >
>         >
>         > On Jan 26, 2010 11:30pm, William Salusky wsalusky <at> gmail.com
>         <mailto:wsalusky <at> gmail.com>> wrote:
>         > > 1. Is your mod_security module compiled with lua support?
>         If you're using a distribution's packaged module it may not have
>         lua support.
>         > >
>         > > 2. Do you have an appropriate LoadFile
>         /path/to/liblua.so in your httpd.conf?
>         > >
>         > >
>         > > 3. Are there any telling log entries in your Apache server
>         error_log?
>         > >
>         > > If still nothing, turn up Debug to at least 3 and try
>         generating some error_log output and see if that gives you any
>         insight.
>         > >
>         > > One last thing, since you are attempting to exec the lua
>         script from the /backup/ partition, not sure if it would affect
>         the outcome, but is that filesystem by chance mounted 'noexec'?
>         > >
>         > >
>         > > W
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 11:09 PM, Sergio secmas <at> gmail.com
>         <mailto:secmas <at> gmail.com>> wrote:
>         > >
>         > > Hi William,
>         > > I have tested the rule but is not working, I don't know if
>         it is because a bad chmod in any of the files, here is what I
>         have done:
>         > >
>         > > SecRule REQUEST_URI "@pmFromFile my-file.txt" \
>         > > "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:'IP DETECTED',exec:'/backup/ip-write-test.lua',logdata:'%{TX.0}'"
>         > >
>         > > The SecRule is working his part, but the exec is not, for
>         the LUA file I wrote it in my /backup partition and chmod it
>         644, the other file "IPS.TXT" is also in my /backup partition
>         and has a chmod of 644.
>         > >
>         > >
>         > >
>         > > Are this settings ok or am I missing something?
>         > >
>         > > Regards,
>         > > Sergio
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 3:49 PM, William Salusky
>         wsalusky <at> gmail.com <mailto:wsalusky <at> gmail.com>> wrote:
>         > >
>         > >
>         > > You can do that by calling a Lua script via the exec keyword.
>         > >
>         > > SecRule BLAH "BLAH" \
>         "log,auditlog,pass,id:'888801',msg:'ip-write-test',severity:'7',rev:'1',exec:/path/to/your_lua_scripts/ip-write-test.lua"
>         > >
>         > >
>         > >
>         > >
>         > > =====
>         > >
>         > > function main()
>         > >   local fh = io.open("/tmp/ips.txt", "a+")
>         > >   if fh then
>         > >     local var1 = m.getvar("REMOTE_ADDR", "none")
>         > >     str1 = string.format('IP is: %s\n', var1)
>         > >     fh:write(str1)
>         > >     fh:flush()
>         > >     fh:close()
>         > >   end
>         > >   return fh ~= nil
>         > > end
>         > >
>         > > On Tue, Jan 26, 2010 at 3:55 PM, Sergio secmas <at> gmail.com
>         <mailto:secmas <at> gmail.com>> wrote:
>         > >
>         > >
>         > > Hi,
>         > > Is it possible to create a rule that when it is triggered it
>         could write just the offender IP to a file other than the audit_log?
>         > >
>         > > Regards,
>         > > Sergio

--
Brian Rectanus
Breach Security

Michael Heuberger | 28 Jan 23:52

Help required: How to forbid inclusion attacks?

Hi,

I tried the following rule:
SecFilterSelective REQUEST_URI "\=(http|ftp|https)\:/" "msg:'Inclusion attacks not allowed'"

But somehow it doesn't work. I want to filter out URLs like
"http://www.deafzone.ch/?id=http://www.sun-angel.ru//js/gid.gif"

Any inclusion attack beginning with "=http:" or "=ftp:" or "=https:" should be
filtered out with the above rule.

Maybe I did something wrong?

Thank you for your help

Michael H.
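Before changing a rule it helps to confirm whether the regex itself matches the sample URL, which isolates the problem to the rule engine or its placement rather than the pattern. The added Python example below is not code from the post or from ModSecurity; it applies the poster's pattern unchanged to the URL quoted above, and separately examines each query argument, which is the view a rule on the arguments (rather than the whole REQUEST_URI) would get. Sample URIs other than the quoted one are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The poster's pattern, copied verbatim (the backslashes before = and : are
# harmless but unnecessary; Python's re accepts them as literal characters).
INCLUSION_RE = re.compile(r"\=(http|ftp|https)\:/")


def uri_matches(uri):
    """SecFilterSelective REQUEST_URI semantics: one regex search over the whole URI."""
    return INCLUSION_RE.search(uri) is not None


def offending_args(uri):
    """Argument-level view: names of query parameters whose value begins with a
    URL scheme.  This tells you *which* parameter carried the URL, something the
    whole-URI match cannot report."""
    query = urlsplit(uri).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if re.match(r"(?:https?|ftp)://", value)]


SAMPLES = [
    # The URL quoted in the post.
    "http://www.deafzone.ch/?id=http://www.sun-angel.ru//js/gid.gif",
    # Constructed benign request.
    "/index.php?id=42",
    # Constructed: scheme appears in the second of two parameters.
    "/redirect?next=/account&ref=ftp://files.example.invalid/",
]


def report(uris):
    """For each URI: did the poster's regex match, and which arguments carry a URL."""
    return [(uri, uri_matches(uri), offending_args(uri)) for uri in uris]


if __name__ == "__main__":
    for uri, hit, args in report(SAMPLES):
        print(f"{'MATCH' if hit else 'no match':8} args={args} {uri}")
```

The quoted URL does match the pattern, so the regex is not the reason the rule did nothing; that points at where the directive sits in the configuration or at which ModSecurity generation the running module belongs to (SecFilterSelective is 1.x syntax), which is what to check next.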


