lists | 1 Jun 18:04

AuditLog not working in 1.9.4


Hello,

I just upgraded to 1.9.4 from 1.9.2

I have modsec running and it IS blocking what it should based on the rules,
BUT the auditlog is not working at all.

I promise I looked at the docs. ;)

Is there something obvious I am overlooking?

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
lists | 1 Jun 18:07

Re: AuditLog not working in 1.9.4


BTW, here is the conf I have for it...

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir /Sites/mysite.com/audit_log/
SecAuditLog /Sites/modsec_index
SecAuditLogParts ABCFHZ


Ivan Ristic | 1 Jun 19:21

Re: AuditLog not working in 1.9.4

Did the same configuration work in 1.9.2? If it's a permission problem
(Apache should have the permission to write to
/Sites/mysite.com/audit_log/) there should be some error messages in
the Apache error log (and in the debug log, of course). Tail the error
log file, send a request that will be singled out by ModSecurity and
see what happens (in the debug log/error log).

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall


Turnquist, Greg | 1 Jun 19:08

RE: AuditLog not working in 1.9.4

SecAuditLogStorageDir is a file path, not a URL web path. Do you really
have a root folder named /Sites, as opposed to something like
/usr/local/apache2/htdocs/Sites/.....? And does Apache have write
capability to that folder?


Jim Watt | 1 Jun 19:08

Re: AuditLog not working in 1.9.4

I didn't spot anything obvious.  I'm running 1.9.4-rc1 for Apache 2.
The 1.9.4 release notes say there weren't any changes between RC1 and
the actual release.

lists | 1 Jun 20:11

Re: AuditLog not working in 1.9.4

Turned out that mod_unique_id was not enabled.

Is that mod required to use auditlog?

Will 2.0 require it as well?


Ivan Ristic | 1 Jun 21:18

Re: AuditLog not working in 1.9.4

On 6/1/06, lists <at> 323inc.com <lists <at> 323inc.com> wrote:
> Turned out to be mod_unique was not enabled.
>
> Is that mod required to use auditlog?

1.9.x should require it for concurrent audit logging only.

> Will 2.0 require it as well?

2.0 requires it for everything, at least it does in the current beta.
But I am likely to write transaction ID-generating code for 2.1 or
3.0. (Because Apache does not run mod_unique_id for invalid requests,
meaning such requests cannot be logged.) Actually, I'll see if I can
remove that requirement before 2.0 goes live...

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
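As an added example (not code from this thread or from the ModSecurity project), here is a small Python preflight that applies the checks raised above to the posted configuration: it parses the SecAudit* directives, looks for unique_id_module in `httpd -M` style output, and tests that the storage directory and the index file location can be written. Which versions need mod_unique_id follows Ivan's answer (1.9.x for Concurrent logging only, the 2.0 beta for everything). The module listings are constructed, the "Serial" default when SecAuditLogType is absent is an assumption, and the writability checks only reflect the uid the script runs under, so run it as the Apache user (for example via sudo -u) for a meaningful answer.

```python
import os
import tempfile

# The directives posted in this thread, verbatim.
POSTED_CONFIG = """
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir /Sites/mysite.com/audit_log/
SecAuditLog /Sites/modsec_index
SecAuditLogParts ABCFHZ
"""

# Constructed stand-ins for `httpd -M` / `apachectl -M` output (assumption:
# one "name (static|shared)" entry per line, as Apache 2.x prints it).
MODULES_WITH_UNIQUE_ID = """Loaded Modules:
 core_module (static)
 unique_id_module (shared)
 security_module (shared)
"""
MODULES_WITHOUT_UNIQUE_ID = """Loaded Modules:
 core_module (static)
 security_module (shared)
"""


def parse_audit_config(text):
    """Collect the SecAudit* directives from a config fragment into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SecAudit"):
            cfg[parts[0]] = parts[1].strip()
    return cfg


def unique_id_loaded(module_listing):
    """True if unique_id_module appears in the module listing."""
    return any(l.strip().startswith("unique_id_module")
               for l in module_listing.splitlines())


def check_audit_setup(cfg, module_listing, modsec_major=1):
    """Return the problems that would stop the audit log from being written.

    Per the thread: 1.9.x needs mod_unique_id only for Concurrent logging,
    the 2.0 beta needs it for everything. Filesystem checks use the uid this
    script runs under, so run it as the Apache user for an authoritative answer.
    """
    findings = []
    log_type = cfg.get("SecAuditLogType", "Serial").lower()  # assumption: Serial when absent
    concurrent = log_type == "concurrent"

    if (concurrent or modsec_major >= 2) and not unique_id_loaded(module_listing):
        findings.append("mod_unique_id is not loaded (LoadModule unique_id_module ...)")

    if concurrent:
        sdir = cfg.get("SecAuditLogStorageDir")
        if not sdir:
            findings.append("Concurrent logging needs SecAuditLogStorageDir")
        elif not os.path.isdir(sdir):
            findings.append(f"storage dir {sdir} does not exist")
        elif not os.access(sdir, os.W_OK):
            findings.append(f"storage dir {sdir} is not writable by this uid")

    index = cfg.get("SecAuditLog")
    if not index:
        findings.append("SecAuditLog (index file) is not set")
    else:
        # An existing index file must be writable; a new one needs a writable directory.
        target = index if os.path.exists(index) else (os.path.dirname(index) or ".")
        if not os.access(target, os.W_OK):
            findings.append(f"{index} cannot be written by this uid")
    return findings


def run_demo():
    """Apply the checks to the posted config with its paths redirected to a temp dir."""
    tmp = tempfile.mkdtemp()
    cfg = parse_audit_config(POSTED_CONFIG)
    cfg["SecAuditLogStorageDir"] = tmp
    cfg["SecAuditLog"] = os.path.join(tmp, "modsec_index")
    serial = dict(cfg, SecAuditLogType="Serial")
    return {
        "ok": check_audit_setup(cfg, MODULES_WITH_UNIQUE_ID),
        "missing_unique_id": check_audit_setup(cfg, MODULES_WITHOUT_UNIQUE_ID),
        "serial_19x": check_audit_setup(serial, MODULES_WITHOUT_UNIQUE_ID),
        "serial_20": check_audit_setup(serial, MODULES_WITHOUT_UNIQUE_ID, modsec_major=2),
        "bad_dir": check_audit_setup(dict(cfg, SecAuditLogStorageDir=os.path.join(tmp, "nope")),
                                     MODULES_WITH_UNIQUE_ID),
    }


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```

The "serial_19x" case is the one that makes the thread's symptom plausible: with Serial logging nothing complains about the missing module, so switching to Concurrent (or to 2.0) is where it surfaces. Pair this with Ivan's advice to tail the error and debug logs while sending a request that the rules single out.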

Ivan Ristic | 1 Jun 21:44

Re: web app discovery

On 5/28/06, Alexx Alexx <zmische <at> yahoo.com> wrote:
>
> Why not to use existing logs, for example, to create
> basic "knowledge" rules? It could be useful for
> web-application with specific logic that is almost
> static, so as you are able to scan logs for some
> period and produce rules, tweak them and almost
> forgot.

Because existing logs do not contain enough data to create rules from
them (because there's no information about what goes in request
bodies). I think it's better to do it properly, by learning from the
complete transactions captured by ModSecurity.

BTW, the more I think about on-the-fly conversion the more I like it.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Alvaro Marín | 2 Jun 12:41

phpbb strange attack


Hi,

I use modsecurity on my servers and it stops a lot of attacks.
Yesterday one phpBB forum was cracked on one server, but it was strange,
because in the logs there wasn't any typical attack sign. These are the logs:

201.127.65.149 - - [01/Jun/2006:23:31:52 +0200] "GET /forum/viewtopic.php?p=222&sid=845f9490d4da28a7ab7d9fc8586b0caa HTTP/1.1" 200 12760 "http://www.altavista.com/web/results?itag=ody&q=powered+by+phpbb+2.0.6&kgs=1&kls=0&stq=10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

(some .gifs...etc)

201.127.65.149 - - [01/Jun/2006:23:38:56 +0200] "GET /forum/admin/index.php?sid=719ed2e4e45fe8a763555a0ea46b5b48 HTTP/1.1" 200 638 "http://www.domain.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

As you see, he searched AltaVista for "powered by phpbb 2.0.6" and
then viewed a post and directly logged into admin.
Any idea? XSS attack perhaps?

Thanks for help|ideas :)

Regards,

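As an added example, not code from this thread: a Python heuristic that runs over access-log lines like the ones posted and flags the two things visible in them, a referrer from a search engine whose query is a "powered by phpbb" version dork, and a client that is served the admin panel (HTTP 200 under /forum/admin/) without having POSTed to the login page first. The sample log holds the two request lines from the post plus constructed lines for a legitimate administrator; the search-engine host list and the login path are assumptions. It says nothing about which phpBB bug was used, only the access pattern that the signature rules did not catch.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined Log Format; the request target is kept whole (query string included).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumptions: referrer hosts treated as search engines, the phrase that marks
# version fingerprinting, and the phpBB 2 login endpoint under /forum.
SEARCH_ENGINES = ("altavista.com", "google.", "yahoo.", "msn.")
DORK_MARKERS = ("powered by phpbb",)
LOGIN_PATH = "/forum/login.php"
ADMIN_PREFIX = "/forum/admin/"

# The two lines from the post, followed by constructed lines for a legitimate
# administrator (10.0.0.5) who logs in before opening the admin panel.
SAMPLE_LOG = [
    '201.127.65.149 - - [01/Jun/2006:23:31:52 +0200] "GET /forum/viewtopic.php?p=222'
    '&sid=845f9490d4da28a7ab7d9fc8586b0caa HTTP/1.1" 200 12760 '
    '"http://www.altavista.com/web/results?itag=ody&q=powered+by+phpbb+2.0.6&kgs=1&kls=0&stq=10" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '201.127.65.149 - - [01/Jun/2006:23:38:56 +0200] "GET /forum/admin/index.php'
    '?sid=719ed2e4e45fe8a763555a0ea46b5b48 HTTP/1.1" 200 638 '
    '"http://www.domain.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.5 - - [01/Jun/2006:22:10:01 +0200] "POST /forum/login.php HTTP/1.1" 302 0 '
    '"http://www.domain.com/forum/login.php?redirect=admin/index.php" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2006:22:10:02 +0200] "GET /forum/admin/index.php'
    '?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 638 '
    '"http://www.domain.com/forum/" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def search_query(referer):
    """Return the query typed into a search engine if the referrer is a results page."""
    u = urlparse(referer)
    if not any(h in u.netloc for h in SEARCH_ENGINES):
        return None
    qs = parse_qs(u.query)
    for key in ("q", "p", "query"):   # parameter names differ per engine
        if key in qs:
            return qs[key][0]
    return None


def analyse(lines):
    """Return (ip, kind, detail) findings for dork referrers and login-less admin access."""
    findings = []
    logged_in = set()                 # IPs that POSTed to the login page so far
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        q = search_query(rec["referer"])
        if q and any(marker in q.lower() for marker in DORK_MARKERS):
            findings.append((ip, "search-dork", q))
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            logged_in.add(ip)
        if (rec["path"].startswith(ADMIN_PREFIX) and rec["status"] == 200
                and ip not in logged_in):
            findings.append((ip, "admin-without-login", rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in analyse(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

The login bookkeeping is per client address with no time window, which is fine for a one-day log but will produce false negatives behind a shared proxy; the point is that the admin hit without a preceding login is visible in plain access logs even when no request carries an attack signature.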

Andras Got | 2 Jun 13:12

Re: phpbb strange attack

Hi,

IIRC it's an old phpbb bug, phpbb should be updated.

It's listed here: http://www.phpbb.com/support/documents.php?mode=changelog#207

Regards,
Andras

