Jason Edgecombe | 1 Dec 01:09

Re: Trigger modsec log/deny from web script - logging web spam flagged by b2evolution

Ivan Ristic wrote:

>Jason Edgecombe wrote:
>  
>
>>Hi there,
>>
>>Is there a way to have mod_security deny and log a request based on the
>>action of a php/perl/cgi script?
>>
>>Specifically, I'm using b2evolution for weblogs and I want to have
>>mod_security log the requests that b2evolution marks as spam. Currently,
>>b2evolution returns a 403 when a comment/trackback is spam. I don't see
>>a way to trigger mod_security based on response code. Would setting an
>>environment variable from within a PHP script accomplish this?
>>    
>>
>
>  How about:
>
>  SecAuditLogRelevantStatus ^403$
>
>  
>
Excellent! I'll implement that.

Is there another way in case I don't want to use the HTTP error code?

For example, an HTTP request contains a spam referrer, but I still want 
to serve the page to the client.

Ivan Ristic | 1 Dec 19:37

Re: Trigger modsec log/deny from web script - logging web spam flagged by b2evolution

Jason Edgecombe wrote:
>
> Excellent! I'll implement that.
> 
> Is there another way in case I don't want to use the HTTP error code?
> 
> For example, an HTTP request contains a spam referrer, but I still want
> to serve the page to the client.

  I don't know anything about your software but you can serve
  a perfectly normal looking page with code 403 (since the code
  is not shown to the user). But if your setup does not allow
  for that you can try to use output buffering and catch
  spammers with:

  SecFilterSelective OUTPUT "keyword in the response"

  This is a somewhat slower solution, though.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Ivan Ristic | 1 Dec 19:40

Re: Exception

Randvo wrote:
>
> But what if i want to disable a specific rule in a specific file on a
> specific domain/user ??

  Option #1, add the <Location> tags to the <VirtualHost> container.

  Option #2, use <Directory>

  Also have a look at SecFilterRemove (in the manual).

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Ann Hopkins | 3 Dec 01:32

Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder


I moved my webdav folder out of the general root directory structure in apache,
and used "SecFilterInheritance Off", but it "Mod_security" still blocks the
request.  I would appreciate any ideas. Thanks

Error Message - Apache
========================
[Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
denied with code 403. Pattern match
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at
HEADER("Content-Type") [hostname "www.example.com"] [uri "/"]
[Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
denied with code 403. Pattern match
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at
HEADER("Content-Type") [hostname "www.example.com"] [uri "/tails"]

httpd-dav.conf
=========================
DavLockDB /usr/local/apache/var/DavLock
DAVMinTimeout 600

Alias /tails/ "/<non-standard location>/tails/"

<Directory "/<non-standard location>/tails">
    Dav On

    Options Indexes MultiViews

    AllowOverride AuthConfig
    Order allow,deny

Ivan Ristic | 3 Dec 10:39

Re: Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder

Ann Hopkins wrote:
> I moved my webdav folder out of the general root directory structure in apache,
> and used "SecFilterInheritance Off", but it "Mod_security" still blocks the
> request.  I would appreciate any ideas. Thanks

  You appear to be doing the right thing. This may be a problem with
  the order in which contexts are inherited in Apache.

  Show us the part where you create ModSecurity configuration.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Ann Hopkins | 3 Dec 18:57

Re: Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder


Apache 2.2.0 configuration now uses a modular configuration file with includes
and this is the portion at the end of the "http.conf" file - modules are
activated at the beginning of this file.

...
# Distributed authoring and versioning (WebDAV)
Include conf/httpd-dav.conf

# Various default settings
Include conf/httpd-default.conf

# Modsecurity filtering (Specific)
Include conf/httpd-modsecurity.conf

# Handypaws - Directories - Aliases (Specific)
Include conf/httpd-handypaws.conf

# Secure (SSL/TLS) connections
Include conf/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


Ivan Ristic | 3 Dec 19:16

Re: Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder

Ann Hopkins wrote:
> I moved my webdav folder out of the general root directory structure in apache,
> and used "SecFilterInheritance Off", but it "Mod_security" still blocks the
> request.  I would appreciate any ideas. Thanks

  The way you have Apache configured right now

    Alias /tails/ "/<non-standard location>/tails/"

  Alias "kicks in" only when you provide the / at the end of the
  URI. But this is not happening:

> [Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
> denied with code 403. Pattern match
> "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at
> HEADER("Content-Type") [hostname "www.example.com"] [uri "/tails"]

  Without the / at the end Apache treats the request as one
  for the root context. (You would be getting a 404 response if it
  were not for ModSecurity.)

  You can test my assumption by making a request to "/tails/" instead
  of "/tails".

  Changing the Alias line to:

    Alias /tails "/<non-standard location>/tails"

  should fix the problem.
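
The trailing-slash behaviour described in this message, as an added example that is not part of the original post and not Apache's own code: a small Python model of Alias prefix matching. It assumes that slashes in the alias must line up with slashes in the URI and that an alias without a trailing slash must end on a path-segment boundary; `alias_matches`, `context_for` and the context labels are hypothetical names.

```python
def alias_matches(uri, fakename):
    """Return how many URI characters the alias prefix consumes (0 = no match)."""
    a = u = 0
    while a < len(fakename):
        if fakename[a] == "/":
            # A slash in the alias needs at least one slash in the URI.
            if u >= len(uri) or uri[u] != "/":
                return 0
            while a < len(fakename) and fakename[a] == "/":
                a += 1
            while u < len(uri) and uri[u] == "/":
                u += 1
        else:
            # Every other character is compared literally.
            if u >= len(uri) or uri[u] != fakename[a]:
                return 0
            a += 1
            u += 1
    # An alias without a trailing slash must stop at a segment boundary,
    # so "/tails" does not capture "/tailsx".
    if fakename[-1] != "/" and u < len(uri) and uri[u] != "/":
        return 0
    return u


def context_for(uri, fakename):
    """Say which configuration context would handle the request in this model."""
    if alias_matches(uri, fakename):
        return "aliased directory (SecFilterInheritance Off applies)"
    return "root context (inherited ModSecurity rules apply)"


if __name__ == "__main__":
    # Constructed request URIs, checked against both forms of the Alias line.
    for fakename in ("/tails/", "/tails"):
        for uri in ("/tails", "/tails/", "/tails/file.txt", "/tailsx"):
            print(f"Alias {fakename:8} {uri:16} -> {context_for(uri, fakename)}")
```
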


Ann Hopkins | 3 Dec 19:35

Re: Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder


I forgot to add that I was using Windows XP to connect using Webdav.

"/tails/" did not work.  I also have to trick Windows XP to use basic
authentication otherwise it fails miserably.  "http://www.example.com:80/tails"
does work after changing the alias to what you suggested.

Weird that it worked before in pre-2.2.0 but I had a lot of those quirks yesterday.

Thank you.

Ivan Ristic wrote:
> Ann Hopkins wrote:
> 
>>I moved my webdav folder out of the general root directory structure in apache,
>>and used "SecFilterInheritance Off", but it "Mod_security" still blocks the
>>request.  I would appreciate any ideas. Thanks
> 
> 
>   The way you have Apache configured right now
> 
>     Alias /tails/ "/<non-standard location>/tails/"
> 
>   Alias "kicks in" only when you provide the / at the end of the
>   URI. But this is not happening:
> 
> 
>>[Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
>>denied with code 403. Pattern match
>>"!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at

Philippe Bourcier | 5 Dec 10:37

Re: Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder


Hi,

I think I had issues with Webdav/IE too.

You should replace this:

>     SecFilterSelective HTTP_Content-Type
>"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

With this:

SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data|^text/xml)"

It worked for me.

Sincerely,

Philippe Bourcier
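
The difference between the two rules in this message, as an added example that is not part of the original post: a Python check of which Content-Type values each negated pattern would reject. The header values are constructed samples, `rule_fires` is a hypothetical helper, and treating a missing header as an empty string is an assumption.

```python
import re

# Patterns copied from the two SecFilterSelective rules quoted in the message.
ORIGINAL = r"(^application/x-www-form-urlencoded$|^multipart/form-data;)"
RELAXED = r"(^$|^application/x-www-form-urlencoded$|^multipart/form-data|^text/xml)"


def rule_fires(pattern, content_type):
    """The leading "!" inverts the rule: it fires when the header does NOT match."""
    value = content_type or ""  # assumption: an absent header is seen as ""
    return re.search(pattern, value) is None


# Constructed sample header values.
SAMPLES = [
    "application/x-www-form-urlencoded",
    "multipart/form-data; boundary=xyz",
    'text/xml; charset="utf-8"',                        # typical WebDAV request body
    "",                                                 # request without the header
    "application/x-www-form-urlencoded; charset=UTF-8", # "$" still rejects this
    "text/xmlfoo",                                      # prefix-only match in RELAXED
    "application/json",
]


def compare(samples=SAMPLES):
    """Return (value, blocked_by_original, blocked_by_relaxed) for each sample."""
    return [(s, rule_fires(ORIGINAL, s), rule_fires(RELAXED, s)) for s in samples]


if __name__ == "__main__":
    for value, old, new in compare():
        print(f"{value!r:55} original={'deny' if old else 'pass'} "
              f"relaxed={'deny' if new else 'pass'}")
```

The relaxed rule matches `multipart/form-data` and `text/xml` as prefixes only, so values such as `text/xmlfoo` pass; anchoring those alternatives more tightly keeps the WebDAV fix without widening the rule further.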

Aviram Carmi | 6 Dec 22:07

problem compiling?

Hi all,

relatively new to this, so I am probably making a very obvious mistake...

I am getting errors installing/compiling mod_security.

can you help?

thanks,

-avi

here is the requested info

# cd apache2/
# apxs -cia mod_security.c
/etc/httpd/build/libtool --silent --mode=compile gcc -prefer-pic 
-DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT 
-D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -g -O2 -pthread 
-DNO_DBM_REWRITEMAP -I/usr/include/httpd  -c -o mod_security.lo 
mod_security.c && touch mod_security.slo
mod_security.c: In function `sec_audit_logger_concurrent':
mod_security.c:5419: `APR_MD5_DIGESTSIZE' undeclared (first use in 
this function)
mod_security.c:5419: (Each undeclared identifier is reported only once
mod_security.c:5419: for each function it appears in.)
mod_security.c: In function `register_hooks':
mod_security.c:7959: incompatible type for argument 3 of 
`ap_register_input_filter'
mod_security.c:7959: too many arguments to function `ap_register_input_filter'

