Apache mod-security

Tom Anderson | 1 Feb 20:16

Re: http-version

----- Original Message ----- 
From: "Ivan Ristic" <ivanr <at> webkreator.com>
>   The variable that works is SERVER_PROTOCOL. There's one problem,
>   though. Apache handles requests with invalid protocol versions long
>   before the request is passed on to mod_security for analysis. That's
>   why it always responds with 400.

Is there a way to redirect the 400 response?  I tried it with ErrorDocument, 
but it didn't seem to work.  I guess it doesn't pass the error document 
request back through mod_security.  In fact, it didn't even fetch the error 
document for 400 at all, but just returned its generic 400 error message.

Tom

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

Rudi Starcevic | 3 Feb 02:59

apache-monitor error

Hi,

I just downloaded the latest version of the apache security tools from 
http://www.apachesecurity.net/

This is my error :

./apache-monitor /root/scripts/httpd/server-status 
http://myserver.com/server-status/?auto

Failed to parse URL output at ./apache-monitor line 59.

This is line 59:

my %data = parse_page("URL output", $page);
if (!%data) {  die("Failed to parse URL output"); }

So I added

print $page;
exit(0);

Just before line 59 to try and find why there is a parse error ...

This is the output:

BusyWorkers: 132
IdleWorkers: 35
Scoreboard: 
W.___K___KCKK_K_.CWW_GGGW___WKGKC__GKKW.WG_W_WK__KK_GK_.KWWW_KWKW.KCGWGK_KGWKKW.GGKKGWWK_G.W_GK_GKW.GW_GKW.GWGWK_.KKWGK.K.GGG.KWGRWK.KKCWGCK.WGW_GGKCG_GWGW_KGGG.K___.GK.KKKWKWW_K_............G.............C..................G...G.....G..............G......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

(Continue reading)

Ivan Ristic | 2 Feb 10:19

Re: apache-monitor error

Rudi Starcevic wrote:
> Hi,
> 
> I just downloaded the latest version of the apache security tools from 
> http://www.apachesecurity.net/
>
 > ...
 >
> Just before line 59 to try and find why there is a parse error ...
> 
> This is the output:
> 
> BusyWorkers: 132
> IdleWorkers: 35
> Scoreboard: 
> W.___K___KCKK_K_.CWW_GGGW___WKGKC__GKKW.WG_W_WK__KK_GK_.KWWW_KWKW.

   Some things seem to be missing from the output. Do you have
   ExtendedStatus set to On (in the Apache configuration)?

--

-- 
Ivan Ristic (http://www.modsecurity.org)

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

Ivan Ristic | 2 Feb 10:43

Re: http-version

Tom Anderson wrote:
> ----- Original Message ----- From: "Ivan Ristic" <ivanr <at> webkreator.com>
> 
>>   The variable that works is SERVER_PROTOCOL. There's one problem,
>>   though. Apache handles requests with invalid protocol versions long
>>   before the request is passed on to mod_security for analysis. That's
>>   why it always responds with 400.
> 
> Is there a way to redirect the 400 response?  I tried it with 
> ErrorDocument, but it didn't seem to work.  I guess it doesn't pass the 
> error document request back through mod_security.  In fact, it didn't 
> even fetch the error document for 400 at all, but just returned its 
> generic 400 error message.

   That's what I get too. And, no, I don't know a way to get round it.

--

-- 
Ivan Ristic (http://www.modsecurity.org)

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

Tom Anderson | 2 Feb 16:33

Re: http-version

I have SecAuditEngine set to "RelevantOnly", but the log is getting filled 
up with "HTTP/1.0 200 OK" entries every three minutes from my web host 
checking the connection with "check_http/1.24.2.4 (nagios-plugins )".  I 
don't have any rules that return 200... they all return 406.  Why is it 
logging these?  There are no mod_security headers attached.

I tried to work around the problem by matching "check_http" in the user 
agent and giving it a "nolog,deny,status:200", but apparently the 
"status:200" overrules the deny directive as the page is still output, and 
apparently the "nolog" command doesn't apply to the audit log.

Desired/expected behavior:

1) it shouldn't add any unmatched requests to the audit log when set to 
RelevantOnly
2) "deny" command with "status:200" should just return the 200 header 
without any data
3) "nolog" should apply to the audit log too

Tom

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

Tom Anderson | 2 Feb 16:40

Re: http-version

----- Original Message ----- 
From: "Ivan Ristic" <ivanr <at> webkreator.com>
>   The variable that works is SERVER_PROTOCOL. There's one problem,
>   though. Apache handles requests with invalid protocol versions long
>   before the request is passed on to mod_security for analysis. That's
>   why it always responds with 400.

Here's an interesting problem.... I have the rule 'SecFilterSelective 
SERVER_PROTOCOL "!HTTP"' in order to return an error when someone tries 
something like "GET / JUNK/1.0".  However, not only does that not match and 
reject the intended string, it instead matches any "httpd/unix-directory" 
handler requests.  In other words, all "/" or "/directory/" requests.  But 
it doesn't reject pages that have a filename.  The audit log shows the same 
HTTP protocol in both cases.  It seems that SERVER_PROTOCOL isn't matching 
the right thing.

Tom

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

Ivan Ristic | 2 Feb 16:53

Re: http-version

Tom Anderson wrote:
> I have SecAuditEngine set to "RelevantOnly", but the log is getting 
> filled up with "HTTP/1.0 200 OK" entries every three minutes from my web 
> host checking the connection with "check_http/1.24.2.4 (nagios-plugins 
> )".  I don't have any rules that return 200... they all return 406.  Why 
> is it logging these?  There are no mod_security headers attached.

   Are you using 1.9dev1? If you are it's a bug (fixed in the CVS). If
   not... post your mod_security configuration and the audit log entry
   for that request.

> 1) it shouldn't add any unmatched requests to the audit log when set to 
> RelevantOnly

   That depends. For example, I consider 414 responses to be relevant,
   match or no match. 1.9 will have a conf. option to deal with that.

> 2) "deny" command with "status:200" should just return the 200 header 
> without any data

   I'm not sure Apache will allow that but I'll try.

> 3) "nolog" should apply to the audit log too

   I programmed it to apply to the audit log too. If it doesn't then
   it's a bug.

--

-- 
Ivan Ristic (http://www.modsecurity.org)

(Continue reading)

Ivan Ristic | 2 Feb 17:01

Re: http-version

Tom Anderson wrote:
> Here's an interesting problem.... I have the rule 'SecFilterSelective 
> SERVER_PROTOCOL "!HTTP"' in order to return an error when someone tries 
> something like "GET / JUNK/1.0".  However, not only does that not match 
> and reject the intended string, it instead matches any 
> "httpd/unix-directory" handler requests.  In other words, all "/" or 
> "/directory/" requests.  But it doesn't reject pages that have a 
> filename.  The audit log shows the same HTTP protocol in both cases.  It 
> seems that SERVER_PROTOCOL isn't matching the right thing.

   Works for me here. From the debug log (at level 9):

   Checking signature "!HTTP" at SERVER_PROTOCOL
   Checking against "JUNK/1.0"
   Signature check returned 403

   Which error message are you getting? Look into the debug log at
   level 9 for more information.

--

-- 
Ivan Ristic (http://www.modsecurity.org)

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

Tom Anderson | 2 Feb 17:58

Re: http-version

----- Original Message ----- 
>   Are you using 1.9dev1? If you are it's a bug (fixed in the CVS). If
>   not... post your mod_security configuration and the audit log entry
>   for that request.

These are my system specs:

Linux 2.6.9-gentoo-r4 i686 Intel Pentium 4 CPU 1.80GHz
Portage 2.0.51-r15
gcc-3.3.5
glibc-2.3.4.20040808-r1
autoconf-2.59-r6
automake-1.8.5-r1
binutils-2.15.92.0.2-r1
libtool-1.5.2-r7
CFLAGS="-02 -march=i686 -fomit-frame-pointer"

Server version:  Apache/2.0.52
Server built:    Nov 21 2004 17:37:14
Server's Module Magic Number: 20020903:9
Architecture:    32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD

(Continue reading)

Ivan Ristic | 2 Feb 18:15

Re: http-version


> mod_security-1.7.6 (net-www/mod_security)
> 
> This is the latest stable version in portage when using "emerge -s 
> mod_security" or "emerge -uDp mod_security".

   That's way too old, having been released in March 2004. The 1.8 is
   better in many, many ways. I can see here
   http://www.gentoo-portage.com/net-www/mod_security

   they have the 1.8.6 version (I don't know what "hard masked" means,
   though). Chances are your problems will go away when you upgrade. Or,
   if they don't go away - I'll fix them.

>>> 1) it shouldn't add any unmatched requests to the audit log when set 
>>> to RelevantOnly
>>
>>   That depends. For example, I consider 414 responses to be relevant,
>>   match or no match. 1.9 will have a conf. option to deal with that.
> 
> The manual says that "Relevant requests are those requests that caused a 
> filter match".  I would agree with that description.  A 414 should be 
> logged to the Apache error log, but not the mod_security audit log.

   That's why you'll get a conf. option to turn it off ;)

>>> 3) "nolog" should apply to the audit log too
>>
>>
>>   I programmed it to apply to the audit log too. If it doesn't then

(Continue reading)

Group

gmane.comp.apache.mod-security.user.

Project Web Page

Apache mod-security

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8

Articles in period: 71

February 2005

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

ignore http header (10 Feb 16:16)
modsec/crs issue with vhosts (10 Feb 13:37)
blocking all sorts of whitespaces (10 Feb 03:55)
WASC Distributed Web Honeypots Project Update (8 Feb 21:20)
Regarding Modsecurity (7 Feb 14:17)
Skipping core ruleset for some arguments (7 Feb 04:23)
Stripping characters from an argument (7 Feb 04:45)
ip collection rotation? (5 Feb 10:26)
filter html comments (2 Feb 22:01)
Magento installer is running forever with mod_security enabled -small (2 Feb 16:05)
Magento installer is running forever with mod_security enabled (2 Feb 15:36)
Variable Expansion for Redirect Action and SecDefaultAction Inheritanc (1 Feb 02:28)
How to add/remove multiple targets with ctl:ruleUpdateTargetById (30 Jan 18:41)
HTTP Server go down (28 Jan 09:50)
mod-security-users Digest, Vol 68, Issue 16 (27 Jan 23:33)
HOIC DDoS Analysis and Detection (27 Jan 20:59)
ModSecurity Console (27 Jan 18:32)
Allowing google bot and google preview (27 Jan 18:01)
Allowing google bot and google preview (27 Jan 10:52)
ModSecurity Virtual Patching Workshop/Training at OWASP AppSecDC 2012 (26 Jan 22:46)
@pmFromFile with exact match? (25 Jan 17:49)

Archives

63	February 2012
80	January 2012
44	December 2011
51	November 2011
78	October 2011
108	September 2011
104	August 2011
111	July 2011
66	June 2011
185	May 2011
54	April 2011
72	March 2011
69	February 2011
76	January 2011
26	December 2010
51	November 2010
69	October 2010
79	September 2010
67	August 2010
67	July 2010
59	June 2010
88	May 2010
59	April 2010
130	March 2010
117	February 2010
99	January 2010
80	December 2009
156	November 2009
112	October 2009
73	September 2009
134	August 2009
92	July 2009
78	June 2009
132	May 2009
104	April 2009
127	March 2009
131	February 2009
137	January 2009
85	December 2008
82	November 2008
84	October 2008
154	September 2008
167	August 2008
187	July 2008
95	June 2008
115	May 2008
89	April 2008
97	March 2008
134	February 2008
159	January 2008
56	December 2007
205	November 2007
135	October 2007
97	September 2007
162	August 2007
130	July 2007
250	June 2007
191	May 2007
150	April 2007
181	March 2007
161	February 2007
166	January 2007
104	December 2006
172	November 2006
103	October 2006
83	September 2006
101	August 2006
92	July 2006
116	June 2006
65	May 2006
139	April 2006
82	March 2006
148	February 2006
61	January 2006
74	December 2005
104	November 2005
49	October 2005
28	September 2005
51	August 2005
27	July 2005
71	June 2005
26	May 2005
53	April 2005
82	March 2005
61	February 2005
67	January 2005
12	December 2004
22	November 2004
28	October 2004
31	September 2004
24	August 2004
36	July 2004
20	June 2004
15	May 2004
47	April 2004
21	March 2004
13	February 2004
44	January 2004
18	December 2003
13	November 2003
11	October 2003
9	September 2003
7	August 2003
16	July 2003
1	June 2003

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template