我爱臭豆腐 | 3 Apr 08:47

mod_security can't filter some words :(

hi
I use mod_security 1.9.2 and httpd 2.0.55 to test some PHP software.
In some cases I need to filter Chinese words in web software.
For example:
SecFilterSelective POST_PAYLOAD 中文
SecFilterSelective POST_PAYLOAD testa
"SecFilterSelective POST_PAYLOAD testa" is a pass, but "SecFilterSelective POST_PAYLOAD 中文" is not :(

This log is for testa:
==29ae5339==============================
Request: 192.168.202.47 211.157.227.29 - - [03/Apr/2006:14:38:45 +0800] "POST /7/post.php?action=reply&fid=2&tid=4&extra=page%3D1&replysubmit=yes HTTP/1.1" 403 287 " http://192.168.202.47/7/post.php?action=reply&fid=2&tid=4&extra=page%3D1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1" - "-"
----------------------------------------
POST /7/post.php?action=reply&fid=2&tid=4&extra=page%3D1&replysubmit=yes HTTP/1.1
Host: 192.168.202.47
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.202.47/7/post.php?action=reply&fid=2&tid=4&extra=page%3D1
Cookie: cdb_sid=65F1Y6; cdb_oldtopics=D4D3D2D1D; cdb_fid1=1144044872; cdb_cookietime=2592000; cdb_cpcollapsed=0; cdb_fid2=1144046293; cdb_visitedfid=2; cdb_auth=UFIHUApRUAgHVQwEAFMCDgxWXFsEUFZRUVYPBQQHVAFragQ
Content-Type: multipart/form-data; boundary=---------------------------5150948113011
Content-Length: 4252
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "testa" at POST_PAYLOAD





So if you have some tips, pls mail them to this mailing list.
thank you
--
http://wanghao.cublog.cn

Ivan Ristic | 3 Apr 10:13

Re: mod_security can't filter some words :(

我爱臭豆腐 wrote:
> hi
> I use mod_security 1.9.2 and httpd 2.0.55 to test some PHP software.
> In some cases I need to filter Chinese words in web software.
> For example:
> SecFilterSelective POST_PAYLOAD 中文
> SecFilterSelective POST_PAYLOAD testa
> "SecFilterSelective POST_PAYLOAD testa" is a pass, but
> "SecFilterSelective POST_PAYLOAD 中文" is not :(

  That may be caused by the differences in the encodings
  used to define the signature and to enter the content.

  Can you send me (to my private email address) your raw
  (binary) audit log entry and I'll see if I can do anything
  about it.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
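
The encoding mismatch suggested in the reply above, as an added example that is not part of the original thread and is not ModSecurity code: a Python model of a byte-wise filter, showing why the ASCII keyword matches under every encoding while 中文 does not. The gbk and big5 candidates, the field name and the boundary are assumptions, and the sample body is constructed.

```python
import re

KEYWORD = "中文"  # keyword from the rule quoted in the thread
# Accept-Charset in the logged request lists gb2312 and utf-8;
# gbk and big5 are extra candidates assumed for illustration.
CANDIDATES = ("utf-8", "gb2312", "gbk", "big5")


def encoded_forms(word, encodings=CANDIDATES):
    """Map each distinct byte sequence for `word` to the encodings that yield it."""
    forms = {}
    for enc in encodings:
        try:
            forms.setdefault(word.encode(enc), []).append(enc)
        except UnicodeEncodeError:
            pass  # word cannot be written in this encoding
    return forms


def naive_match(rule_file_encoding, payload, word=KEYWORD):
    """Model of a byte-wise filter: the pattern is whatever bytes the
    editor wrote into the rule file, compared against the raw body."""
    return word.encode(rule_file_encoding) in payload


def any_encoding_pattern(word=KEYWORD, encodings=CANDIDATES):
    """One bytes regex that matches `word` in every candidate encoding."""
    alternatives = sorted(encoded_forms(word, encodings), key=len, reverse=True)
    return re.compile(b"|".join(re.escape(a) for a in alternatives))


def encodings_seen(payload, word=KEYWORD, encodings=CANDIDATES):
    """Which candidate encodings of `word` occur in a raw request body."""
    return [enc for raw, encs in encoded_forms(word, encodings).items()
            if raw in payload for enc in encs]


def sample_body(text, charset):
    """Constructed multipart/form-data body; field name and boundary are made up."""
    return (b'--sample-boundary\r\n'
            b'Content-Disposition: form-data; name="message"\r\n\r\n'
            + text.encode(charset) + b'\r\n--sample-boundary--\r\n')


if __name__ == "__main__":
    body = sample_body("hello 中文", "gb2312")   # browser posts GB2312
    print(naive_match("utf-8", body))            # rule file saved as UTF-8
    print(naive_match("gb2312", body))           # rule file saved as GB2312
    print(encodings_seen(body))
```

Running `encodings_seen` over the raw (binary) audit log body tells you which encoding the client actually submitted, which is the encoding the rule file has to be saved in.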
ego pfe | 4 Apr 17:33

modsecurity log parsers

Hi all,
 
I wanna know if there are some "log-parsers" for mod_security's audit_log or customlog such as webalizer, sarg etc.
Any tool that correlates apache logs with modsecurity logs is needed.
 
what do you suggest ?
 
 
Thanks in advance
 
Federico
 
BassPlayer | 4 Apr 18:33

Re: modsecurity log parsers

Enjoy
BP

Augie Schwer wrote:
> On 1/26/06, BassPlayer <bassplayer <at> angmar.com> wrote:
>> I've done some google searches and checked the site and I didn't see any
>> sort of audit_log parser and report generator. Anyone have any scripts
>> already developed?
>
> When I looked a month or so ago I found the same void ; here are the
> few links I did find, but like I said it's not much:
>
> http://textsnippets.com/posts/show/9
> http://orderamidchaos.com/modsec/modsec_auditlog_parser
> http://prwdot.org/code/modsecauditlogparse.txt
>

ego pfe wrote:
> Hi all,
>
> I wanna know if there are some "log-parsers" for mod_security's audit_log or
> customlog such as webalizer, sarg etc.
> Any tool that correlates apache logs with modsecurity logs is needed.
>
> what do you suggest ?
>
>
> Thanks in advance
>
> Federico
>
>
>
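
A minimal parser for the audit-log layout shown in the first message of this thread, joined to an access log, as an added example (not from the thread or the ModSecurity project). The field meanings, the shortened sample entry and the access-log line are assumptions constructed from that one entry, and the join assumes both logs record the same timestamp and request line.

```python
import re

# Constructed sample, shortened from the entry posted earlier in the thread.
SAMPLE_AUDIT = (
    '==29ae5339==============================\n'
    'Request: 192.168.202.47 211.157.227.29 - - [03/Apr/2006:14:38:45 +0800] '
    '"POST /7/post.php?action=reply HTTP/1.1" 403 287 "-" "Mozilla/5.0" - "-"\n'
    '----------------------------------------\n'
    'POST /7/post.php?action=reply HTTP/1.1\n'
    'Host: 192.168.202.47\n'
    'mod_security-action: 403\n'
    'mod_security-message: Access denied with code 403. '
    'Pattern match "testa" at POST_PAYLOAD\n'
)
# Constructed access-log line (combined format) for the same request.
SAMPLE_ACCESS = ('211.157.227.29 - - [03/Apr/2006:14:38:45 +0800] '
                 '"POST /7/post.php?action=reply HTTP/1.1" 403 287 "-" "Mozilla/5.0"\n')

ENTRY_START = re.compile(r'^==([0-9a-f]+)=+$')
# Field meaning is inferred from the sample: the first address equals the
# Host header, so the second is taken to be the client (an assumption).
REQUEST = re.compile(r'^Request: (?P<server>\S+) (?P<client>\S+) \S+ \S+ '
                     r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')
ACCESS = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3})')
MODSEC = re.compile(r'^mod_security-(action|message): (.*)$')


def parse_audit(text):
    """Split audit-log text into entries keyed by the ==id== separator."""
    entries = []
    for line in text.splitlines():
        start = ENTRY_START.match(line)
        if start:
            entries.append({"id": start.group(1)})
        elif entries:
            req, ms = REQUEST.match(line), MODSEC.match(line)
            if req and "request" not in entries[-1]:
                entries[-1].update(req.groupdict())
            elif ms:
                entries[-1][ms.group(1)] = ms.group(2)
    return entries


def correlate(audit_text, access_text):
    """Pair each access-log hit with the audit entry for the same request."""
    key = lambda d: (d["client"], d["time"], d["request"])
    audit = {key(e): e for e in parse_audit(audit_text) if "request" in e}
    hits = (ACCESS.match(l) for l in access_text.splitlines())
    return [(h.groupdict(), audit.get(key(h.groupdict()))) for h in hits if h]
```

Access-log hits with no audit entry come back paired with `None`, so the same call also lists requests that ModSecurity did not log.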

Darren | 6 Apr 01:23

Problem with AXS Logging

I installed mod_security and all is well except one odd behavior.  The J/S used is this:
 
<script type="text/javascript">
<!--
        document.write('<img src="/cgi-bin/ax.pl?trans.gif&ref=');
        document.write(document.referrer);
        document.write('" height="1" width="1" alt="" />');
// -->
</script><noscript>
      <p>  <img src="/cgi-bin/ax.pl?trans.gif" height="1" width="1" alt="" />
</p>
</noscript>
 
Instead of tracking referers correctly, all requests now say: arrived from "page" and visited  cgi-bin/ax.pl

I assume one of the rules I installed is causing this.  Is there a way to exclude these requests?
 
Thanks in advance,
 
Darren
Ivan Ristic | 6 Apr 10:18

Re: Problem with AXS Logging

Darren wrote:
> I installed mod_security and all is well except one odd behavior.  The
> J/S used is this:
>  
> <script type="text/javascript">
> <!--
>         document.write('<img src="/cgi-bin/ax.pl?trans.gif&ref=');
>         document.write(document.referrer);
>         document.write('" height="1" width="1" alt="" />');
> // -->
> </script><noscript>
>       <p>  <img src="/cgi-bin/ax.pl?trans.gif" height="1" width="1"
> alt="" />
> </p>
> </noscript>
>  
> Instead of tracking referers correctly, all requests now say: arrived
> from "page" and visited  cgi-bin/ax.pl
> 
> I assume one of the rules I installed is causing this.

  I don't think that's the case. ModSecurity does not modify
  requests in any way. It blocks them if configured to do so, but
  in that case there wouldn't have been any "hits" in the tracking
  logs. Look into your error log for ModSecurity messages.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

gotroot | 6 Apr 14:41

Filtering on POST

Hello,

I wanted to filter some of my website on POST payload because I got some
blog spammed by POST requests.

So I've activated SecFilterScanPOST On

but now, when I want to POST a new story (which is rather legitimate ;))
I get these errors in apache logs and a blank page in the webblog :

Wed Apr 05 10:20:42 2006 error client xx.yy.ww.zz mod_security:
Filtering against POST payload requested but payload is not available
hostname "www.aaaaa.net" uri "/admin/story.php"

Any idea ?

I'm using :
- Debian 3.1 (mixed testing/unstable)
- Apache 2.055-4
- Mod_security 1.9.2-rc3-1
- Php4 4.4.2-1

Sioban.

Ryan Barnett | 6 Apr 14:42

Re: Filtering on POST

My first reaction was - Are you using Apache 2.X branch?  I have seen similar messages when trying to enable/scan POST payloads with Apache 1.X versions as that functionality is not available.  I see, however, that you are using 2.055-4 version.
 
Ivan's first recommendation is almost always - "Look in the mod_security debug log file".  It should give you some more detailed info than the normal Apache error log.
 
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

 
On 4/6/06, gotroot <at> sioban.net <gotroot <at> sioban.net> wrote:
> Hello,
>
> I wanted to filter some of my website on POST payload because I got some
> blog spammed by POST requests.
>
> So I've activated SecFilterScanPOST On
>
> but now, when I want to POST a new story (which is rather legitimate ;))
> I get these errors in apache logs and a blank page in the webblog :
>
> Wed Apr 05 10:20:42 2006 error client xx.yy.ww.zz mod_security:
> Filtering against POST payload requested but payload is not available
> hostname "www.aaaaa.net" uri "/admin/story.php"
>
> Any idea ?
>
> I'm using :
> - Debian 3.1 (mixed testing/unstable)
> - Apache 2.055-4
> - Mod_security 1.9.2-rc3-1
> - Php4 4.4.2-1
>
> Sioban.


_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Ivan Ristic | 6 Apr 14:46

Re: Filtering on POST

Ryan Barnett wrote:
> My first reaction was - Are you using Apache 2.X branch?  I have seen
> similar messages when trying to enable/scan POST payloads with Apache
> 1.X versions as that functionality is not available.  I see, however,
> that you are using 2.055-4 version.
>  
> Ivan's first recommendation is almost always - "Look in the mod_security
> debug log file".  It should give you some more detailed info than the
> normal Apache error log.

  What Ryan said :)

  Feel free to send me your configuration information, as specified
  here:

  http://www.thinkingstone.com/download/ModSecurity_Support_Request_Preparation_Guide.pdf

  to my private email address.

  That message, "Filtering against POST payload..." is something you'd
  get with SecFilterScanPOST set to off.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

gotroot@sioban.net | 6 Apr 16:44

Re: Filtering on POST


>> Ivan's first recommendation is almost always - "Look in the mod_security
>> debug log file".  It should give you some more detailed info than the
>> normal Apache error log.

quite huge..

I've done it so, but I don't know what to look for in it...

>   Feel free to send me your configuration information, as specified

Done.

>   That message, "Filtering against POST payload..." is something you'd
>   get with SecFilterScanPOST set to off.

Yes, my fault.
First I didn't find any error message and when I finally found this one,
I was happy and thought that was enough for you to help me, seems I was
totally wrong ;)

Thanks.
