Tkachenko Alexei | 3 Jan 13:30

Log question

Peace be with you,

I'd like to log all php and perl requests in different logs in addition to
my usual mod_security logging.

Something like this: "Log all '.php|.phtml' -> mod_sec_php.log" and "Log all
'.cgi|.perl' -> mod_sec_perl.log".
Is it possible with mod-security, taking into account that I have the usual
audit.log logging for different types of attack?

To the mod_sec_php.log and mod_sec_perl.log I'd like to log only apache
requests but not the whole information that I have in the audit_log from
mod_security.

Regards, Alexey

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
Ivan Ristic | 3 Jan 14:17

Re: Log question

Tkachenko Alexei wrote:
> Peace be with you,
> 
> 
> I'd like to log all php and perl requests in different logs in addition to
> my usual mod_security logging.

   All requests? You can do that without mod_security. Something like
   this should work:

   SetEnvIf Request_URI (\.php|\.phtml|/)$ dynamic
   CustomLog logs/b92.log combined env=dynamic

-- 
Ivan Ristic (http://www.modsecurity.org)

Thierry Robitaille | 3 Jan 21:38

Unicode problem.

Hi,

I just enabled SecFilterCheckUnicodeEncoding and mod_sec (1.8.6) seems to see 
invalid unicode encoding in this referer:
"http://search.ke.voila.fr/S/wanadoo?gb=site&dt=*&cid=wng&kw=diversit%E9%20culturel"

but there is no unicode in it, only url encoding characters.

Any idea?

Thanks
Thierry
##
part of my conf:

SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 1 255
###
part of the log:

GET / HTTP/1.1
Accept: */*
Referer: http://search.ke.voila.fr/S/wanadoo?gb=site&dt=*&cid=wng&kw=diversit%E9%20culturel
Accept-Language: en-ca,en-us;q=0.7,fr-ca;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Ivan Ristic | 3 Jan 22:11

Re: Unicode problem.

Thierry Robitaille wrote:
> Hi,
> 
> I just enabled SecFilterCheckUnicodeEncoding and mod_sec (1.8.6) seems to 
> see invalid unicode encoding in this referer:
> "http://search.ke.voila.fr/S/wanadoo?gb=site&dt=*&cid=wng&kw=diversit%E9%20culturel" 
> 
> but there is no unicode in it, only url encoding characters.
> 
> Any idea?

   In short: if there's no Unicode there then Unicode encoding
   validation won't do any good for you. It will just produce false
   positives, such as the one you used as the example. Therefore you
   need to turn it off.

   ModSecurity can't tell (because HTTP does not support it) whether some
   incoming data is Unicode or not. Therefore it's on you to decide
   whether to enable the validation feature or not, using the knowledge
   of your application. If the Unicode encoding validation feature is
   enabled then all data must be a valid UTF-8 encoding. In your example,
   the %e9 character is treated as the first of a three-byte UTF-8
   encoded character. ModSecurity complains because the second and the
   third bytes are not valid.

-- 
Ivan Ristic (http://www.modsecurity.org)
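
Added example, not part of the original thread and not ModSecurity's code: a simplified structural UTF-8 check applied to the percent-decoded value from the Referer above, showing why %E9 followed by %20 is rejected while the UTF-8 form of the same text passes. The function names are hypothetical and the UTF-8 variant of the value is constructed for comparison.

```python
from urllib.parse import unquote_to_bytes

def utf8_errors(raw):
    """Return (offset, reason) for every malformed UTF-8 sequence in raw bytes.

    Structural check only (lead byte and continuation bytes); overlong forms
    and surrogates are not examined in this simplified sketch.
    """
    errors, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            need = 0                      # plain ASCII
        elif 0xC0 <= b <= 0xDF:
            need = 1                      # 110xxxxx: two-byte sequence
        elif 0xE0 <= b <= 0xEF:
            need = 2                      # 1110xxxx: three-byte sequence
        elif 0xF0 <= b <= 0xF7:
            need = 3                      # 11110xxx: four-byte sequence
        else:
            errors.append((i, "stray continuation or invalid lead byte"))
            i += 1
            continue
        tail = raw[i + 1:i + 1 + need]
        if len(tail) < need:
            errors.append((i, "sequence truncated"))
            i += 1                        # resynchronise on the next byte
        elif any((t & 0xC0) != 0x80 for t in tail):
            errors.append((i, "lead byte not followed by 10xxxxxx bytes"))
            i += 1
        else:
            i += 1 + need
    return errors

def check_value(encoded):
    """Percent-decode a parameter value, then validate the bytes as UTF-8."""
    return utf8_errors(unquote_to_bytes(encoded))

if __name__ == "__main__":
    latin1 = "diversit%E9%20culturel"     # value from the Referer in the thread
    utf8 = "diversit%C3%A9%20culturel"    # same text, UTF-8 encoded (constructed)
    print(check_value(latin1))            # one error at the 0xE9 byte
    print(check_value(utf8))              # no errors
    print(unquote_to_bytes(latin1).decode("latin-1"))
```

The byte 0xE9 is a single character in ISO-8859-1, which is what the search engine sent; read as UTF-8 it announces a three-byte sequence that the following space and letter cannot complete.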


Ivan Ristic | 3 Jan 22:35

Re: Unicode problem.

Thierry Robitaille wrote:
> Hi,
> 
> Ok, but I have 1 vhost that uses UTF-8 as default ("AddDefaultCharset 
> UTF-8"), is there a way to enable it just for this one?
> 
> The rest of my mod_sec conf and rules are applied to all my vhosts.

   Of course. Disable it globally and only enable it for that
   virtual host (inside the <VirtualHost> container).

-- 
Ivan Ristic (http://www.modsecurity.org)

David Obando | 5 Jan 15:31

Filter rules in extra file?

Dear all,

is it possible to store the filter rules (or the whole mod_security 
configuration) in an extra file (not httpd.conf)? It would keep my 
apache configs clearer and other users could read the rules easier.

Thanks,
David

-- 
The day microsoft makes something that doesn't suck is the day they start making vacuum cleaners.

Ivan Ristic | 5 Jan 15:52

Re: Filter rules in extra file?

David Obando wrote:
> Dear all,
> 
> is it possible to store the filter rules (or the whole mod_security 
> configuration) in an extra file (not httpd.conf)? It would keep my 
> apache configs clearer and other users could read the rules easier.

   It is, use the Apache Include directive:
   http://httpd.apache.org/docs-2.0/mod/core.html#include

-- 
Ivan Ristic (http://www.modsecurity.org)

Thai Duong | 10 Jan 13:29

Apache 2 child process crash when chrooted (even with CVS version)

Hello all,
I had successfully chrooted my Apache 2 with mod_security, it ran very
smoothly until I installed phpldapadmin (http://www.phpldapadmin.com,
a free LDAP administrator's tool).

When I tried to log in to phpldapadmin, it didn't respond with anything,
and when I looked at the error_log of httpd, it was something like
below:

[Mon Jan 10 18:53:23 2005] [notice] child pid 19339 exit signal
Segmentation fault (11)

phpldapadmin runs without any problem if I don't use the chroot feature
of mod_security, my configuration is very simple:

SecFilterEngine On
SecServerSignature Microsoft/IIS-5.0
SecChrootDir /chroot/httpd
# The name of the audit log file
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

I also got the nightly build version of mod_security but had no luck.
Please advise. Below is some information that may be useful:

[root@ronaldo apache2]# httpd -v
Server version: Apache/2.0.52
Server built:   Oct 15 2004 11:39:29


Ivan Ristic | 10 Jan 14:06

Re: Apache 2 child process crash when chrooted (even with CVS version)

Thai Duong wrote:
> Hello all,
> I had successfully chrooted my Apache 2 with mod_security, it ran very
> smoothly until I installed phpldapadmin (http://www.phpldapadmin.com,
> a free LDAP administrator's tool).
> 
> When I tried to log in to phpldapadmin, it didn't respond with anything,
> and when I looked at the error_log of httpd, it was something like
> below:
> 
> [Mon Jan 10 18:53:23 2005] [notice] child pid 19339 exit signal
> Segmentation fault (11)

   It's unlikely the crash has anything to do with modsecurity. It's
   probably that phpldapadmin expects a file or device to always be
   there and segfaults because the file is not available in the jail
   (and there's no code to handle that eventuality).

   You can probably find what file is causing the problems if you
   strace the process as it crashes. When you do that you'll be able
   to copy the file into jail to solve the problem.

   I couldn't see from the web site whether phpldapadmin requires
   some PHP extension to work with LDAP. Does it? If it does it's
   probably the fault of the extension or the LDAP libraries it uses.
   It's unlikely that a web-only application can cause a crash.

-- 
Ivan Ristic (http://www.modsecurity.org)
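
Added example, not part of the original thread: one way to read strace output for the diagnosis suggested above, listing the path lookups that failed inside the jail just before a child received SIGSEGV. The sample trace is constructed; its pids and paths are made up and say nothing about which file phpldapadmin or its PHP extension actually needs.

```python
import re
from collections import defaultdict, deque

# Constructed `strace -f` output for illustration only.
SAMPLE = """\
[pid  4242] open("/usr/lib/libexample.so.2", O_RDONLY) = 3
[pid  4242] stat64("/etc/example/client.conf", 0xbfffe000) = -1 ENOENT (No such file or directory)
[pid  4243] open("/var/www/index.php", O_RDONLY) = 5
[pid  4242] open("/dev/example-device", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid  4243] open("/tmp/sess_example", O_RDWR) = -1 EACCES (Permission denied)
""".splitlines()

# Optional "[pid N]" or bare "N" prefix, then the syscall text.
PREFIX = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(.*)$')
# A syscall whose first quoted argument is a path and which failed with an
# errno typical of a file missing from (or unreadable in) the chroot.
FAILED = re.compile(
    r'^(\w+)\([^"]*"([^"]+)".*\)\s+=\s+-1\s+(ENOENT|EACCES|ENOTDIR)\b')
SEGV = re.compile(r'^(?:---\s+SIGSEGV|\+\+\+\s+killed by SIGSEGV)')

def failed_lookups_before_crash(lines, window=5):
    """Map each crashing pid to its last `window` failed path lookups."""
    recent = defaultdict(lambda: deque(maxlen=window))
    crashed = {}
    for line in lines:
        pid_a, pid_b, rest = PREFIX.match(line).groups()
        pid = pid_a or pid_b or "main"    # "main" when strace ran without -f
        if SEGV.match(rest):
            # Freeze the history at the first SIGSEGV seen for this pid.
            crashed.setdefault(pid, list(recent[pid]))
            continue
        m = FAILED.match(rest)
        if m and pid not in crashed:
            recent[pid].append(m.groups())
    return crashed

if __name__ == "__main__":
    for pid, lookups in failed_lookups_before_crash(SAMPLE).items():
        print("pid", pid, "crashed; failed lookups just before:")
        for syscall, path, err in lookups:
            print("   ", err, syscall, path)
```

Each reported path is a candidate to copy into the jail; a lookup that also fails in the non-chrooted trace is not the cause.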


Tkachenko Alexei | 10 Jan 23:48

RE: Log question


Ivan, I can't use such a thing.
I have hundreds of virtual hosts and can't add this "CustomLog ..." to each
of them.
Additionally I need to preserve current CustomLog setting for each
VirtualHost.

So I need to add additional logging for all requests by regexp of URL.

Also I need to preserve existing mod_security logging.
What should I place to the mod_security, is it allowed to have different
mod_security logging for different conditions?

Alexey. 

-----Original Message-----
From: Ivan Ristic [mailto:ivanr <at> webkreator.com] 
Sent: Monday, January 03, 2005 15:17
To: Tkachenko Alexei
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Log question

Tkachenko Alexei wrote:
> Peace be with you,
> 
> 
> I'd like to log all php and perl requests in different logs in 
> addition to my usual mod_security logging.

   All requests? You can do that without mod_security. Something like