Ivan Ristic | 4 Oct 11:52

Re: SecAuditLog and SecFilterDebugLog


> is there a way to use the two log directives of mod_security in the same 
> manner as the Apache CustomLog or ErrorLog directives?

  Not at the moment, but there will be in the future. I am only not
  sure whether it will be possible to have a piped audit log in
  Apache 1.3.x. Concurrent access control in Apache 1.3.x is done
  via the file locking mechanism and I don't know yet if that works
  with piped logs (I suspect not).

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
michael.lee | 12 Oct 09:51

Dynamic Disable Post Scanning


Hi,

I have used the rule

#disable Post scanning for upload files
SetEnvIfNoCase Content-Type "^multipart/form-data" "MODSEC_NOPOSTBUFFERING=Do not buffer file uploads"

When multipart/form-data is received, the Apache thread terminated with the following in error_log:

[Tue Oct 12 14:14:26 2004] [notice] child pid 24935 exit signal Segmentation fault (11)

I have set debug level to 4, and the log contains:

[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] sec_check_access, path=(null)
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] Normalised REQUEST_URI: "/ittest/modules/newbb/post.php"
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] Parsing arguments...
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] Adding cookie "lx006app_kmbh_com_hk_9080_ittest_newbb_10_LastVisit"="1097561646"
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] Adding cookie "lx006app_kmbh_com_hk_9080_ittest_newbb_10_LastVisitTemp"="1097561621"
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] Adding cookie "lx006app_kmbh_com_hk_9080_ittest_newbb_10_forum_lastview"="a:1:{i:1;i:1097561638;}"
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] Adding cookie "PHPSESSID"="9f1b8e18d45bc5ec6393dca955406bb4"
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] content-type = "multipart/form-data; boundary=---------------------------7d417823502a0"
[12/Oct/2004:14:14:25 +0800] [_default_/sid#809f020][rid#82b54a0][/ittest/modules/newbb/post.php] read_post_payload: POST scanning turned off dynamically (MODSEC_NOPOSTBUFFERING=Do not buffer file uploads)

-- EOF --

After changing the rule to:
SecFilterSelective HTTP_Content-Type "^multipart/form-data" "allow"

The transaction can be completed successfully.


Also, the following rule in the documentation seems to be incorrect:

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"

since multipart/form-data includes ";boundary ...." in Content-Type.


Version : mod_security 1.8.4
Apache : 2.0.40 (bundled in RedHat 8.0)


Thanks & Regards,
Michael

-----------------------------------------------------------------------------------------------------------
KMB E-mail Disclaimer

This e-mail may contain confidential, proprietary or legally privileged
information and is intended for the attention and use of the
addressee(s) only. If you are not the intended recipient of this
message, you must not copy, use or disclose any part of its
contents. Please notify the sender immediately and delete this
message from your system.

The KMB Group and each of its affiliates and the sender of this
message shall not be responsible or liable for any errors or omissions
in the contents of this message as secure or error free e-mail
transmission cannot be guaranteed. Information sent via e-mail
could arrive late or contain viruses or be intercepted, corrupted,
lost, destroyed, or incomplete. Unless otherwise stated, any
information given in this message is indicative only and is subject to
our formal written confirmation.
Ivan Ristic | 12 Oct 11:32

Re: mod_security v1.8.4 Chroot problem

Gareth Ledger wrote:

> I am trying to get mod_security chroot support working on my server, but I
> am getting the following error.
> 
> ...
>
> [Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot checkpoint #2
> (pid=2291 ppid=1)
> [Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot successful,
> path=/chroot/apache
> [Tue Oct 12 11:30:16 2004] [error] (2)No such file or directory: could not
> create /etc/httpd/run/httpd.pid
> [Tue Oct 12 11:30:16 2004] [error] httpd: could not log pid to file
> /etc/httpd/run/httpd.pid

  Looking at this I'd say the /chroot/apache/etc/httpd/run folder
  does not exist.

> The System is:- Fedora Core 2 (Full patched)
>                Apache 2
>                FrontPage Extensions
>                SquirrelMail
>                mod_security v1.8.4
>  
> I have configured mod_security as follows:-
>  
> Added SecChrootDir /chroot/apache to mod_security.conf
>  
> Created the following directory structure:    /chroot/apache
>                                               /chroot/etc/httpd
>                                               /chroot/var/log/httpd
>                                               /chroot/var/run
>  
> I have created two symbolic links in /chroot/etc/httpd to
> /chroot/var/log/httpd and /chroot/var/run

  Maybe you created them with "ln -s /chroot/apache/var/run" ? That
  won't work from inside the jail since it's using the path
  that is only correct outside the jail. Try:

  cd /chroot/apache/etc/httpd
  (rm existing run dir first ;)
  ln -s ../../var/run

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

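The relative-versus-absolute symlink point in the reply above can be checked without touching a live jail. The script below is an added example, not code from the thread or from ModSecurity: it rebuilds the reported directory layout in a temporary directory (a constructed stand-in for /chroot/apache), creates one link with an absolute host path and one with a relative path, and computes where each resolves once the process has chroot()ed and the jail root is "/". The helper names resolve_in_jail and link_ok are my own.

```shell
#!/bin/sh
# Added example (not code from the thread): rebuild the jail layout from the
# report in a temporary directory, create one symlink the wrong way (absolute
# host path, as Ivan suspects) and one the right way (relative path), and
# show how each resolves once the kernel treats the jail as "/".
set -e

JAIL=$(mktemp -d)           # constructed stand-in for /chroot/apache
trap 'rm -rf "$JAIL"' EXIT

# Directories Apache expects to find inside the jail
mkdir -p "$JAIL/etc/httpd" "$JAIL/var/log/httpd" "$JAIL/var/run"

# Wrong: absolute target. Outside the jail it works; inside, the kernel
# resolves the target against the jail root, where that path does not exist.
ln -s "$JAIL/var/run" "$JAIL/etc/httpd/run"

# Right: relative target, valid on both sides of the chroot boundary
# (the "ln -s ../../var/run" form from the reply, applied here to the log dir).
ln -s ../../var/log/httpd "$JAIL/etc/httpd/logs"

# resolve_in_jail JAIL LINK
#   Prints the host-side path the kernel would actually follow for LINK when
#   the process has chroot()ed into JAIL (one level of symlink, as reported).
#   A path that is not a symlink is returned unchanged.
resolve_in_jail() {
    jail=$1; link=$2
    target=$(readlink "$jail$link") || { printf '%s\n' "$jail$link"; return 0; }
    case $target in
        /*) printf '%s\n' "$jail$target" ;;                     # absolute: re-rooted at the jail
        *)  printf '%s\n' "$jail$(dirname "$link")/$target" ;;  # relative: from the link's directory
    esac
}

# link_ok JAIL LINK -> "ok" if the target exists inside the jail, else "broken"
link_ok() {
    if [ -e "$(resolve_in_jail "$1" "$2")" ]; then echo ok; else echo broken; fi
}

echo "absolute link /etc/httpd/run:  $(link_ok "$JAIL" /etc/httpd/run)"
echo "relative link /etc/httpd/logs: $(link_ok "$JAIL" /etc/httpd/logs)"
```

Run it as-is; the absolute link reports "broken" and the relative one "ok", which is exactly the difference between the pid-file error in the report and a working jail.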
Gareth Ledger | 12 Oct 11:12

mod_security v1.8.4 Chroot problem

I am trying to get mod_security chroot support working on my server, but I am getting the following error.

[Tue Oct 12 11:30:14 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Tue Oct 12 11:30:14 2004] [notice] LDAP: SSL support unavailable
[Tue Oct 12 11:30:14 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 12 11:30:14 2004] [notice] mod_security: chroot checkpoint #1 (pid=2290 ppid=2289)
[Tue Oct 12 11:30:15 2004] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 12 11:30:15 2004] [notice] Digest: done
[Tue Oct 12 11:30:15 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Tue Oct 12 11:30:15 2004] [notice] LDAP: SSL support unavailable
[Tue Oct 12 11:30:16 2004] [notice] mod_python: Creating 32 session mutexes based on 150 max processes and 0 max threads.
[Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot checkpoint #2 (pid=2291 ppid=1)
[Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot successful, path=/chroot/apache
[Tue Oct 12 11:30:16 2004] [error] (2)No such file or directory: could not create /etc/httpd/run/httpd.pid
[Tue Oct 12 11:30:16 2004] [error] httpd: could not log pid to file /etc/httpd/run/httpd.pid

The System is:- Fedora Core 2 (Full patched)
               Apache 2
               FrontPage Extensions
               SquirrelMail
               mod_security v1.8.4

I have configured mod_security as follows:-

Added SecChrootDir /chroot/apache to mod_security.conf

Created the following directory structure:    /chroot/apache
                                              /chroot/etc/httpd
                                              /chroot/var/log/httpd
                                              /chroot/var/run

I have created two symbolic links in /chroot/etc/httpd to /chroot/var/log/httpd and /chroot/var/run

Unfortunately I seem to be going around in circles trying to sort this problem, so your help would be most appreciated.

Many thanks.

Gareth Ledger

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.775 / Virus Database: 522 - Release Date: 08/10/2004

Ivan Ristic | 12 Oct 11:43

Re: Dynamic Disable Post Scanning

michael.lee <at> kmb.hk wrote:

> Hi,
> 
> I have used the rule
> 
> #disable Post scanning for upload files
> SetEnvIfNoCase Content-Type "^multipart/form-data" 
> "MODSEC_NOPOSTBUFFERING=Do not buffer file uploads"
> 
> When multipart/form-data is received, apache thread terminated with 
> following in error_log
> 
> [Tue Oct 12 14:14:26 2004] [notice] child pid 24935 exit signal 
> Segmentation fault (11)

  I can confirm this. The problem should be now fixed. Please
  retrieve the updated version (revision 1.139) from the CVS and
  try again:
  http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/apache2/

> Also, following rule in the documentation seems to be incorrect :
> 
>     # Only accept request encodings we know how to handle
>     # we exclude GET requests from this because some (automated)
>     # clients supply "text/html" as Content-Type
>     SecFilterSelective REQUEST_METHOD "!^GET$" chain
>     SecFilterSelective HTTP_Content-Type 
> "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
> 
> since multipart/form-data include ";boundary ...." in Content-Type.

  That's also correct but I fixed that one some time ago. I may have
  missed a spot, if I did please let me know where.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

michael.lee | 13 Oct 04:35

Re: Dynamic Disable Post Scanning


Hi Ivan,

> When multipart/form-data is received, apache thread terminated with
> following in error_log
>
> [Tue Oct 12 14:14:26 2004] [notice] child pid 24935 exit signal
> Segmentation fault (11)

> I can confirm this. The problem should be now fixed. Please
> retrieve the updated version (revision 1.139) from the CVS and
> try again:
> http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/apache2/

I will try and inform you the result. Thanks

> Also, following rule in the documentation seems to be incorrect :
>
>     # Only accept request encodings we know how to handle
>     # we exclude GET requests from this because some (automated)
>     # clients supply "text/html" as Content-Type
>     SecFilterSelective REQUEST_METHOD "!^GET$" chain
>     SecFilterSelective HTTP_Content-Type
> "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
>
> since multipart/form-data include ";boundary ...." in Content-Type.

> That's also correct but I fixed that one some time ago. I may have
> missed a spot, if I did please let me know where.


The reference manual for 1.8.4 (in PDF format), page 9, contains the following:

To make sure that only requests with these two encoding types are accepted by the
web server, add the following line to your configuration file:

SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"

Please check.

Regards,
Michael

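The Content-Type regex Michael flags, both in his first report and in the manual excerpt above, fails on real multipart requests because the header carries a parameter list after the media type. The script below is an added example, not the manual's text or a ModSecurity patch: it runs the documented pattern and a corrected one (my suggestion) over constructed header values using grep -E. The manual's empty alternative "(|a|b)" is written as the equivalent optional group "(a|b)?" so that it parses the same way on every grep implementation; the sample boundary value and the helper name ct_verdict are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or the manual: exercise the Content-Type
# whitelist regex from the 1.8.4 manual against realistic header values, side
# by side with a corrected pattern (my wording, not the manual's fix).

# As documented: media type only, anchored at both ends. "(|a|b)" from the
# manual is written as the equivalent optional group "(a|b)?".
MANUAL_PATTERN='^(application/x-www-form-urlencoded|multipart/form-data)?$'

# Corrected: allow an optional parameter list ("; boundary=...", "; charset=...")
# after a known media type, but still nothing else.
FIXED_PATTERN='^((application/x-www-form-urlencoded|multipart/form-data)(;.*)?)?$'

# ct_verdict PATTERN VALUE -> "accept" if VALUE matches PATTERN, else "deny".
# SecFilterSelective with a leading "!" denies exactly when the match fails,
# so this mirrors what the rule would do with the given header.
ct_verdict() {
    if printf '%s\n' "$2" | grep -Eq "$1"; then echo accept; else echo deny; fi
}

# Constructed sample headers (the boundary string is made up).
URLENC='application/x-www-form-urlencoded'
MULTI='multipart/form-data; boundary=----------7d417823502a0'
XML='text/xml'

for ct in "" "$URLENC" "$MULTI" "$XML"; do
    printf '%-62s manual=%-6s fixed=%s\n' "\"$ct\"" \
        "$(ct_verdict "$MANUAL_PATTERN" "$ct")" \
        "$(ct_verdict "$FIXED_PATTERN" "$ct")"
done
```

The run shows the failure mode directly: the documented pattern denies every multipart upload while accepting the urlencoded and empty cases, and the corrected pattern accepts the upload without widening the rule to unknown types such as text/xml. Whatever pattern ends up in the configuration, checking it this way against captured headers before deploying it is cheaper than finding out from a segfault or a blocked form.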
michael.lee | 14 Oct 06:01

RE: Dynamic Disable Post Scanning / Chroot issue


Hi Ivan,

Problem on disable post scanning fixed using the CVS version.

Now, I try to use the chroot function of mod_security. So far everything is okay. The environment is Apache2 + PHP + MySQL running Xoops (a content management system). To communicate with MySQL, I need to set up a hard link in the chrooted environment for "mysql.sock".

However, in RedHat 8, logrotate is used for Apache log reorganization. Following are the details:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

When signal -HUP is received, Apache cannot restart. Initially, the configuration file (httpd.conf) was not found. After creating the files in the chrooted environment, it changed to:

Syntax error on line 6 of /etc/httpd/conf2.d/auth_pgsql.conf:
Cannot load /etc/httpd/modules/mod_auth_pgsql.so into server: /etc/httpd/modules
/mod_auth_pgsql.so: cannot open shared object file: No such file or directory

If all modules need to be copied, it defeats the beauty of mod_security's chroot. Any suggestion or solution on this issue?

Regards,
Michael


Ivan Ristic | 14 Oct 16:25

Re: RE: Dynamic Disable Post Scanning / Chroot issue

michael.lee <at> kmb.hk wrote:

> Hi Ivan,
> 
> Problem on disable post scanning fixed using the CVS version.
> 
> Now, i try to use the chroot function of mod_security. So far everything 
> okay. The environment is Apache2 + PHP + MySQL runing Xoops (a content 
> management system). To communicate with MySQL, i need to set up a hard 
> link in the chrooted environment for "mysql.sock".

  That's one of the possible ways to do it, yes.

> If all modules need to be copied, it defeat the beauty of mod_security's 
> chroot. Any suggestion or solution on this issue?

  It will work if you stop Apache first, then start it again. Options
  restart and graceful cannot work since the configuration files are
  outside the jail.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

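Putting Ivan's answer into the logrotate stanza Michael quoted means replacing the SIGHUP with a stop followed by a start: the running parent has already chroot()ed, so a HUP makes it re-read httpd.conf and the module .so files from inside the jail, where they are not present, whereas a fresh start parses the configuration before chroot() happens. The script below is an added example, not code from the thread or from ModSecurity. It assumes apachectl at /usr/sbin/apachectl and the pid file at /var/run/httpd.pid (the path in the quoted stanza); both can be overridden from the environment. The helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: a logrotate "postrotate" replacement
# for a chrooted Apache. Instead of "kill -HUP", stop the server, wait for
# the old parent to exit, then start a new one so the configuration is read
# from outside the jail. Paths below are assumptions, overridable via env.
set -e

APACHECTL=${APACHECTL:-/usr/sbin/apachectl}   # assumed location
PIDFILE=${PIDFILE:-/var/run/httpd.pid}        # path from the quoted logrotate stanza

# pid_alive PID -> 0 if a process with that pid exists and we may signal it
# (kill -0 also fails with EPERM for another user's process; logrotate runs
# as root, so for the Apache parent that does not arise).
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# wait_pid_gone PID SECONDS -> prints "gone" once the process has exited,
# or "timeout" if it is still alive after SECONDS; never blocks forever.
wait_pid_gone() {
    pid=$1; left=$2
    while pid_alive "$pid"; do
        if [ "$left" -le 0 ]; then echo timeout; return 0; fi
        sleep 1
        left=$((left - 1))
    done
    echo gone
}

# stop_start_apache -> full stop, wait for the old parent, then start.
# If the stop does not complete within 30s, leave Apache down and fail
# loudly rather than starting a second instance next to a half-dead one.
stop_start_apache() {
    pid=$(cat "$PIDFILE" 2>/dev/null || true)
    "$APACHECTL" stop
    if [ -n "$pid" ] && [ "$(wait_pid_gone "$pid" 30)" != gone ]; then
        echo "apache pid $pid still running after 30s; not starting" >&2
        return 1
    fi
    "$APACHECTL" start
}

# Intended use from logrotate (constructed stanza, adapted from the one in
# the thread), with this file saved as e.g. /usr/local/sbin/apache-chroot-rotate.sh:
#   /var/log/httpd/*log {
#       missingok
#       notifempty
#       sharedscripts
#       postrotate
#           . /usr/local/sbin/apache-chroot-rotate.sh && stop_start_apache
#       endscript
#   }
```

Sourcing the file and calling stop_start_apache explicitly keeps the functions testable without touching a server; the only behavioural difference from the original stanza is the brief outage between stop and start, which is the price of a configuration that lives outside the jail.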
Forrest Aldrich | 22 Oct 15:56

modsecurity config with Apache 1.x

I've set up mod_security with Apache-1.x, configured the httpd.conf file 
properly, etc.  But I've yet to see anything in the logs to indicate 
it's working.   I still see:

24.126.92.237 - - [22/Oct/2004:02:09:47 -0400] "SEARCH 
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\x
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

ad nauseum

Which I'm trying to block - the above looks like a worm or something, 
which really messed up my logfiles.

Do I need to enable this per VirtualHost?

The beginning of the httpd.conf directive has:

<IfModule mod_security.c>

    # Only inspect dynamic requests
    # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
    SecFilterEngine DynamicOnly

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

Perhaps I need to put in some specific rules for the above.  But I'm 
surprised that, after weeks of running, nothing has been logged.

Thanks.

Ivan Ristic | 22 Oct 16:37

Re: modsecurity config with Apache 1.x

Forrest Aldrich wrote:

> I've set up mod_security with Apache-1.x, configured the httpd.conf file
> properly, etc.  But I've yet to see anything in the logs to indicate
> it's working.

  I don't know whether it's working or not in your case but the example
  you gave cannot be stopped with mod_security because Apache does it
  first. See here for details:
 http://sourceforge.net/mailarchive/forum.php?thread_id=5595944&forum_id=33492

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
