Sumith Gamage | 1 Feb 08:40

Re: Proxying a request based on RESPONSE_STATUS

Dear Ryan & Christian,

 

I took all your advice and tried several options to build my user scenario. (Sorry, I cannot make this mail any shorter. Please read it to the end. It describes the options I tried and the road-blocks I came across.)

 

My clear cut user scenario is:

=============================

1. We use a common Apache front end and several application back-ends.

 

2. Based on the different user request URIs we proxy the request to different internal application servers. We use the "ProxyPass" & "ProxyPassReverse" directives from the "mod_proxy" module for this purpose.

 

     ProxyPass /ap/PostLeadAction http://db2-1:8001/ap/PostLeadAction

     ProxyPassReverse /ap/PostLeadAction http://db2-1:8001/ap/PostLeadAction

 

     ProxyPass / https://app1-1:8101/

     ProxyPassReverse / https://app1-1:8101/

 

This works fine for us so far.

 

3. Now our requirement is to introduce another 3rd "spool" server which will take care of the /ap/PostLeadAction requests only in one of the following cases:

 a. If the db2-1 server is unavailable.

 b. If the db2-1 server times out.

 c. If the db2-1 server runs out of threads.

 d. If db2-1 responds with an HTTP 5xx response.

 

I am planning to use the functionalities provided by ModSecurity to accomplish the 3rd point above.

 

Here are some of the tryouts I did:

==================================

1. Use "proxy" action in "phase 3" based on the "HTTP_STATUS"

   ---------------------------------------------------------

     # Detect when the original Lead handling server is down

     # and proxy to the spooling server

     SecRule RESPONSE_STATUS 4..|5.. "log,phase:3,proxy:http://spool/ap/PostLeadAction"

 

When the trigger was detected, the “proxy” action failed with the following log message:

 

==> ../logs/https_modsec_debug_log <==

Access denied with code 500 (phase 3) (Configuration Error: Proxy action requested but it does not work in output phases). Pattern match "5..|4.." at RESPONSE_STATUS.

 

2. Use “redirect” action at “phase 3” in conjunction with “ProxyPass”

   -----------------------------------------------------------------

    # Proxying redirected Lead posts to the spooling VM

     ProxyPass /backup/PostLeadAction http://spool:8003/ap/PostLeadAction

     ProxyPassReverse /backup/PostLeadAction http://spool:8003/ap/PostLeadAction

 

     # Detect when the original Lead handling server is down

     # and redirect to the backup PostLeadAction URI

     # ProxyPass rule above will send these request to the spool VM.

     SecRule RESPONSE_STATUS 4..|5.. "log,phase:3,redirect:/backup/PostLeadAction"

 

This works fine for HTTP 4xx responses. However, the redirection fails (since the request does not pass through phases 3 & 4) for HTTP 502 (I guess this might be true for all HTTP 5xx) responses, with the following debug log:

 

==> ../logs/https_modsec_debug_log <==

 

Initialising transaction (txid VRXllAoAAAMAACKsTtIAAAAD).

Adding request cookie: name "JSESSIONID", value "df742sklhjoar"

Transaction context created (dcfg 9efe998).

Starting phase REQUEST_HEADERS.

Second phase starting (dcfg 9efe998).

Input filter: This request does not have a body.

Time #1: 493

Starting phase REQUEST_BODY.

Time #2: 561

Hook insert_filter: Adding output filter (r 9f335c8).

Initialising logging.

Starting phase LOGGING.

Audit log: Logging this transaction.

 

3. Use “redirect” action in “phase 5”

   ---------------------------------

     # Detect when the original Lead handling server is down

     # and redirect to the backup PostLeadAction URI

     # ProxyPass rule above will send these request to the spool VM.

     SecRule RESPONSE_STATUS 4..|5.. "log,phase:5,redirect:/backup/PostLeadAction"

 

ModSecurity triggered with this setting, but was not effective since it could not perform an effective redirection (since the response is already sent to the user).

 

==> ../logs/https_modsec_debug_log <==

Initialising transaction (txid hMJasAoAAAMAACeUKY0AAAAA).

Adding request cookie: name "JSESSIONID", value "df742sklhjoar"

Transaction context created (dcfg 8fa5998).

Starting phase REQUEST_HEADERS.

Second phase starting (dcfg 8fa5998).

Input filter: This request does not have a body.

Time #1: 472

Starting phase REQUEST_BODY.

Time #2: 541

Hook insert_filter: Adding output filter (r 8fda5f8).

Initialising logging.

Starting phase LOGGING.

Recipe: Invoking rule 8f62318.

Executing operator rx with param "5..|4.." against RESPONSE_STATUS.

Operator completed in 13 usec.

Warning. Pattern match "5..|4.." at RESPONSE_STATUS.

Rule returned 1.

Audit log: Logging this transaction.

 

With these results, we thought that ModSecurity will not be able to handle our user scenario. However, I wanted to drop this email seeking the ModSecurity experts’ advice to finalize our decision.

 

Please correct me if I am using the wrong configuration to tackle the problem here, or else please suggest an alternative way/tool to handle this sort of user scenario.

 

Thank you very much for reading the mail to this point and all your support so far!

 

Regards,

Sumith

 

> -----Original Message-----

> From: Christian Bockermann [mailto:chris <at> jwall.org]

> Sent: Tuesday, January 30, 2007 12:53 AM

> To: Sumith Gamage

> Subject: Re: [mod-security-users] Proxying a request based on

> RESPONSE_STATUS

>

>

> Am 29.01.2007 um 17:50 schrieb Sumith Gamage:

>

> > Dear Ryan,

> >

> > Thanks for the comments. I went through them carefully. I will give

> > a try

> > tomorrow morning on the suggestions you made. However, I am afraid

> > that is

> > not the exact solution to my problem.

> >

> > In my scenario, all the processing behind the front-end web server

> > should be

> > hidden to the application user. Therefore, redirect will not help

> > me since

> > it will change the browser URL.

>

> That might also be possible with redirecting. Just consider the

> following (untested):

>

> ----BEGIN----
> #
> # Initialize the session collection from the application's JSESSIONID cookie
> # (setsid is non-disruptive, so it can sit on the rule itself instead of a chained SecAction)
> #
> SecRule REQUEST_COOKIES:JSESSIONID "!^$" "nolog,phase:1,pass,setsid:%{REQUEST_COOKIES:JSESSIONID}"
>
> #
> # If a session has been redirected for backup,
> #   the request is sent to the backup-server
> #   (proxy is disruptive, so it must be on the rule that matches, and in a request phase;
> #   @streq compares strings, @eq is a numeric comparison)
> #
> SecRule SESSION:server "@streq backup" "nolog,phase:2,proxy:http://backup.server.com"
>
> #
> # assign a session to the backup-server
> #   (setvar/expirevar take the collection name; redirect needs an absolute URI)
> #
> SecRule RESPONSE_STATUS 404 "log,phase:3,redirect:http://backup.server.com,setvar:session.server=backup,expirevar:session.server=3600"
> ----END----

>

> Unfortunately, the client will lose the request that failed

> processing in the app-server. A real

> hot-replacement would probably need some more ;-)

>

> > It seems the Christian's suggestion on http://www.backhand.org/

> > mod_backhand/

> > going to help me. I will give a try on both your suggestion

> > tomorrow and

> > reply you back with the status.

>

> When using mod_backhand you could probably combine it with the

> mod_security-solution above. IIRC

> mod_backhand can access environment variable etc. so this might be

> worth a try.

>

> Regards,

>      Chris

 

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Simon Bakowski | 1 Feb 14:28

problem with running new console 1.0.2

Dear Ryan & Christian,

I've started using mod_security some time ago. I configured it successfully so 
that I am getting proper logs but do experience problems with console 
configuration - basically can't make it work. I went through other people's 
problems but haven't found a case like mine. My configuration:

Console: 1.0.2 for Linux, Apache 2.0.59

collector config:
my $CONSOLE_URI = "/rpc/auditLogReceiver";
my $CONSOLE_HOST = "192.168.0.95";
my $CONSOLE_PORT = "8886";
my $CONSOLE_USERNAME = "test";
my $CONSOLE_PASSWORD = "test123";

test is a sensor name and test123 its password.

Basically I am getting something like this below after getting to "Home" 
section of the console itself:

Failed processing RPC request: PreparedStatementCallback; SQL [INSERT INTO 
http_transactions ( sensorid, sensor_txid, webappid, sessionid, userid, 
data_type, data_source, data_offset, data_length, data_hash, create_time, 
tx_time, hostname, remote_addr, remote_host, remote_port, local_user, 
request_method, request_uri, query_string, protocol, request_content_length, 
request_content_type, response_status, response_content_type, referer, 
user_agent, tx_duration, tx_request_duration, tx_processing_duration, 
tx_response_duration, is_valid, was_blocked, alert_severity, alert_message, 
keep ) VALUES 
( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?)]; The resulting value is outside the range for 
the data type INTEGER.; nested exception is 
org.apache.derby.impl.jdbc.EmbedSQLException: The resulting value is outside 
the range for the data type INTEGER. 

Is it something to do with $CONSOLE_URI variable by any chance?

I suppose that it may be related to the lack of possibility to fetch log files 
and thus the db engine is refusing this syntax with exclamation marks, instead of 
replaced values in place, but I haven't traced it down yet as to where the problem 
may occur. Does my output ring any bells as to what it may be?

Thanks for your help

Simon

Ryan Barnett | 1 Feb 16:23

Re: Proxying a request based on RESPONSE_STATUS

Comments inline below.

 

--
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

 

From: Sumith Gamage [mailto:banduwgs <at> gmail.com]
Sent: Thursday, February 01, 2007 2:40 AM
To: 'Mod Security'
Cc: 'Christian Bockermann'; Ryan Barnett
Subject: RE: [mod-security-users] Proxying a request based on RESPONSE_STATUS

 

Dear Ryan & Christian,

 

I took all your advice and tried several options to build my user scenario. (Sorry, I cannot make this mail any shorter. Please read it to the end. It describes the options I tried and the road-blocks I came across.)

 

My clear cut user scenario is:

=============================

1. We use a common Apache front end and several application back-ends.

 

2. Based on the different user request URIs we proxy the request to different internal application servers. We use the "ProxyPass" & "ProxyPassReverse" directives from the "mod_proxy" module for this purpose.

 

     ProxyPass /ap/PostLeadAction http://db2-1:8001/ap/PostLeadAction

     ProxyPassReverse /ap/PostLeadAction http://db2-1:8001/ap/PostLeadAction

 

     ProxyPass / https://app1-1:8101/

     ProxyPassReverse / https://app1-1:8101/

 

This works fine for us so far.

 

3. Now our requirement is to introduce another 3rd "spool" server which will take care of the /ap/PostLeadAction requests only in one of the following cases:

 a. If the db2-1 server is unavailable.

 b. If the db2-1 server times out.

 c. If the db2-1 server runs out of threads.

 d. If db2-1 responds with an HTTP 5xx response.

 

I am planning to use the functionalities provided by ModSecurity to accomplish the 3rd point above.

 

Here are some of the tryouts I did:

==================================

1. Use "proxy" action in "phase 3" based on the "HTTP_STATUS"

   ---------------------------------------------------------

     # Detect when the original Lead handling server is down

     # and proxy to the spooling server

     SecRule RESPONSE_STATUS 4..|5.. "log,phase:3,proxy:http://spool/ap/PostLeadAction"

 

When the trigger was detected, the “proxy” action failed with the following log message:

 

==> ../logs/https_modsec_debug_log <==

Access denied with code 500 (phase 3) (Configuration Error: Proxy action requested but it does not work in output phases). Pattern match "5..|4.." at RESPONSE_STATUS.

 

 

[Ryan Barnett] This is correct.  As my previous email stated, you can not use the proxy action past phases 1 or 2 as the proxy action is only able to act in the request phases.  In phase 3, it would be trying to act on the response.

 

 

2. Use “redirect” action at “phase 3” in conjunction with “ProxyPass”

   -----------------------------------------------------------------

    # Proxying redirected Lead posts to the spooling VM

     ProxyPass /backup/PostLeadAction http://spool:8003/ap/PostLeadAction

     ProxyPassReverse /backup/PostLeadAction http://spool:8003/ap/PostLeadAction

 

     # Detect when the original Lead handling server is down

     # and redirect to the backup PostLeadAction URI

     # ProxyPass rule above will send these request to the spool VM.

     SecRule RESPONSE_STATUS 4..|5.. "log,phase:3,redirect:/backup/PostLeadAction"

 

This works fine for HTTP 4xx responses. However, the redirection fails (since the request does not pass through phases 3 & 4) for HTTP 502 (I guess this might be true for all HTTP 5xx) responses, with the following debug log:

 

==> ../logs/https_modsec_debug_log <==

 

Initialising transaction (txid VRXllAoAAAMAACKsTtIAAAAD).

Adding request cookie: name "JSESSIONID", value "df742sklhjoar"

Transaction context created (dcfg 9efe998).

Starting phase REQUEST_HEADERS.

Second phase starting (dcfg 9efe998).

Input filter: This request does not have a body.

Time #1: 493

Starting phase REQUEST_BODY.

Time #2: 561

Hook insert_filter: Adding output filter (r 9f335c8).

Initialising logging.

Starting phase LOGGING.

Audit log: Logging this transaction.

 

[Ryan Barnett] This rule should work, however you need to use a full URI for the redirect action –

SecRule RESPONSE_STATUS 4..|5.. "log,phase:3,redirect:http://www.yourexternalhostname.com/backup/PostLeadAction"

 

3. Use “redirect” action in “phase 5”

   ---------------------------------

     # Detect when the original Lead handling server is down

     # and redirect to the backup PostLeadAction URI

     # ProxyPass rule above will send these request to the spool VM.

     SecRule RESPONSE_STATUS 4..|5.. "log,phase:5,redirect:/backup/PostLeadAction"

 

ModSecurity triggered with this setting, but was not effective since it could not perform an effective redirection (since the response is already sent to the user).

 

==> ../logs/https_modsec_debug_log <==

Initialising transaction (txid hMJasAoAAAMAACeUKY0AAAAA).

Adding request cookie: name "JSESSIONID", value "df742sklhjoar"

Transaction context created (dcfg 8fa5998).

Starting phase REQUEST_HEADERS.

Second phase starting (dcfg 8fa5998).

Input filter: This request does not have a body.

Time #1: 472

Starting phase REQUEST_BODY.

Time #2: 541

Hook insert_filter: Adding output filter (r 8fda5f8).

Initialising logging.

Starting phase LOGGING.

Recipe: Invoking rule 8f62318.

Executing operator rx with param "5..|4.." against RESPONSE_STATUS.

Operator completed in 13 usec.

Warning. Pattern match "5..|4.." at RESPONSE_STATUS.

Rule returned 1.

Audit log: Logging this transaction.

 

[Ryan Barnett] This is similar to issue #1 above, you can not take any “disruptive” actions on the transaction in phase 5 as it is too late.

 

With these results, we thought that ModSecurity will not be able to handle our user scenario. However, I wanted to drop this email seeking the ModSecurity experts’ advice to finalize our decision.

 

Please correct me if I am using the wrong configuration to tackle the problem here, or else please suggest an alternative way/tool to handle this sort of user scenario.

 

Thank you very much for reading the mail to this point and all your support so far!

 

Regards,

Sumith

 

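Putting Ryan's full-URI redirect and Christian's session pinning together for Sumith's actual URIs, as an added example that is not configuration from the thread. The external hostname www.example-front.com is a placeholder; db2-1, spool and the /backup/PostLeadAction path follow the thread; ModSecurity 2.x syntax (setsid, setvar, expirevar, @streq, chain) and backslash line continuation in httpd.conf are assumed.

```apache
# Added example, not from the thread. Requires mod_proxy and ModSecurity 2.x.

# Primary route for lead posts, as in the thread
ProxyPass        /ap/PostLeadAction http://db2-1:8001/ap/PostLeadAction
ProxyPassReverse /ap/PostLeadAction http://db2-1:8001/ap/PostLeadAction

# Backup route served by the spool server
ProxyPass        /backup/PostLeadAction http://spool:8003/ap/PostLeadAction
ProxyPassReverse /backup/PostLeadAction http://spool:8003/ap/PostLeadAction

# Phase 1: open the SESSION collection keyed on the application's JSESSIONID.
# Without this cookie no session exists and nothing below can be pinned.
SecRule REQUEST_COOKIES:JSESSIONID "!^$" \
    "phase:1,nolog,pass,setsid:%{REQUEST_COOKIES:JSESSIONID}"

# Phase 2 (a request phase, the only place proxy works): lead posts from a
# session already pinned to the spool go straight there, never touching db2-1.
# The disruptive action sits on the chain starter; the chained rule is the
# second condition and uses @streq because @eq compares numerically.
SecRule REQUEST_URI "^/ap/PostLeadAction" \
    "phase:2,nolog,chain,proxy:http://spool:8003/ap/PostLeadAction"
    SecRule SESSION:server "@streq backup" "t:none"

# Phase 3: on a 5xx from db2-1, pin the session to the spool for an hour and
# send the client to the backup URI. redirect needs an absolute URI (Ryan's
# point). setvar/expirevar sit on the last chained rule so they fire only
# when both the URI and the status matched.
SecRule REQUEST_URI "^/ap/PostLeadAction" \
    "phase:3,log,chain,redirect:http://www.example-front.com/backup/PostLeadAction"
    SecRule RESPONSE_STATUS "^5" \
        "t:none,setvar:session.server=backup,expirevar:session.server=3600"
```

The redirect answers the failed POST with a 302, which the browser follows with a GET, so the lead data of the request that hit the 5xx is lost (Christian's caveat); only later posts in that session reach the spool intact. The "db2-1 is unavailable" and timeout cases surface as a 502 or 504 generated by mod_proxy, so the same phase 3 rule covers them.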
Ivan Ristic | 1 Feb 16:22

Re: problem with running new console 1.0.2

Hi Simon,

I am guessing this error occurs for some requests but not for others?

In your console installation there is a place where unprocessed audit
logs are stored. The full path is
<CONSOLEHOME>/var/data/main/console/logs/pending. Please take the
files from there and send them to my private email address. I will
then find the ones that are causing this problem.

Thanks,
Ivan


-- 
Ivan Ristic

Tom Bishop | 1 Feb 18:54

Re: Trying to compile mod_security centos 4.464bit....

Got this to compile last night; I needed to load the module stated below and in the instructions, and had to make sure libxml was off to get it to successfully install.  Now I just need to figure out what the best policies should be for what I am running, which means I need to read, read, and read.  Thanks all for the help. :)

On 1/31/07, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:

Tom,

ModSecurity uses the Apache module mod_unique_id to produce unique ID #s for each transaction for the audit logging.  In order to check if you have mod_unique_id already installed as a DSO, just check for the LoadModule entry in your httpd.conf file –

 

# cd /usr/local/apache/conf

# grep mod_unique httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so

 

 

--
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Tom Bishop
Sent: Wednesday, January 31, 2007 10:12 AM
To: Ivan Ristic; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Trying to compile mod_security centos 4.464bit....

 

Thanks for the reply, I have investigated that also, but being a newbie to apache (not Linux though) I wasn't sure what the second line meant "Make sure you have mod_unique_id installed."  Sorry but I'm not sure where to look to make sure this is installed.  If someone can point me in the direction of this I will proceed with the instructions.  Thanks for the code, I've started reading through your book.

On 1/31/07, Ivan Ristic < ivan.ristic <at> gmail.com> wrote:

Hi Tom,

From your output it appears that you are trying to compile ModSecurity
2.x directly using the apxs utility. You should be using the Makefile
instead. Please follow the process described in the manual:

http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0-rc6/html-multipage/02-installation.html

and we'll take it from there.

On 1/29/07, Tom Bishop <bishoptf <at> gmail.com> wrote:
> I've looked in the archives and google and can't seem to find a "how to" to
> get this to work.  I'm running centos 4.4x64 and not sure how to get this to
> complete, here's my output, any help would be appreciated...thanks.
>
>
> [root <at> sbddauntless apache2]# apxs -cia modsecurity.c
> /bin/sh /usr/lib64/apr/build/libtool --silent --mode=compile gcc -prefer-pic
> -O2 -g -pipe -m64 -DAP_HAVE_DESIGNATED_IN
> ER -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0
> -I/usr/include/httpd  -c -o modsecurity.lo modse
> c && touch modsecurity.slo
> /bin/sh /usr/lib64/apr/build/libtool --silent --mode=link gcc -o
> modsecurity.la   -rpath /usr/lib64/httpd/modules -modu
> id-version    modsecurity.lo
> /usr/bin/ld: .libs/modsecurity.o: relocation R_X86_64_PC32 against
> `msre_format_metadata' can not be used when making
> d object; recompile with -fPIC
> /usr/bin/ld: final link failed: Bad value
>  collect2: ld returned 1 exit status
> apxs:Error: Command failed with rc=65536
>


--
Ivan Ristic

 


Ofer Shezaf | 1 Feb 20:22

Re: Trying to compile mod_security centos4.464bit....

 

While slightly biased, I would recommend starting with the Core Rule Set (http://www.modsecurity.org/projects/rules/index.html). They provide a very good starting point and quite a lot of value out of the box. You can find an interesting discussion on the Core Rule Set at http://www.modsecurity.org/blog/archives/2007/01/key_advantages.html

 

~ Ofer Shezaf

Core Rule Set project leader

 

 

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Tom Bishop
Sent: Thursday, February 01, 2007 7:54 PM
To: Ryan Barnett; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Trying to compile mod_security centos4.464bit....

 

Go this to compile last night, needed to load the module stated below and in the instructions and had to make sure libxml was off to get it to sucessflly install.  Now I just need to figure out what the best policies should be for what I am running, which means I need to read, read, and read.  Thanks all for the help. :)

On 1/31/07, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:

Tom,

ModSecurity uses the Apache module mod_unique_id to produce unique ID #s for each transaction for the audit logging.  In order to check if you have mod_unique_id already installed as a DSO, just check for the LoadModule entry in your httpd.conf file –

 

# cd /usr/local/apache/conf

# grep mod_unique httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so

 

 

--
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Tom Bishop
Sent: Wednesday, January 31, 2007 10:12 AM
To: Ivan Ristic; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Trying to compile mod_security centos 4.464bit....

 

Thanks for the reply, I have investigated that also, but being a being a newbie to apache (not Linux though) I wasn't sure what the second line meant " Make sure you have mod_unique_id installed."  Sorry but I'm not sure where to look to make sure this is installed.  If someone can point in the direction of this I will proceed with the instructions.  Thanks for the code, I've started reading through your book.

On 1/31/07, Ivan Ristic < ivan.ristic <at> gmail.com> wrote:

Hi Tom,

>From your output it appears that you are trying to compile ModSecurity
2.x directly using the apxs utility. You should be using the Makefile
instead. Please follow the process described in the manual:

http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0-rc6/html-multipage/02-installation.html

and we'll take it from there.

On 1/29/07, Tom Bishop <bishoptf <at> gmail.com> wrote:
> I've looked in the archives and google and can't seem to find a "how to" to
> get this to work.  I'm running centos 4.4x64 and not sure how to get this to
> complete, here's my output, any help would be appreciated...thanks.
>
>
> [root <at> sbddauntless apache2]# apxs -cia modsecurity.c
> /bin/sh /usr/lib64/apr/build/libtool --silent --mode=compile gcc -prefer-pic
> -O2 -g -pipe -m64 -DAP_HAVE_DESIGNATED_IN
> ER -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0
> -I/usr/include/httpd  -c -o modsecurity.lo modse
> c && touch modsecurity.slo
> /bin/sh /usr/lib64/apr/build/libtool --silent --mode=link gcc -o
> modsecurity.la   -rpath /usr/lib64/httpd/modules -modu
> id-version    modsecurity.lo
> /usr/bin/ld: .libs/modsecurity.o: relocation R_X86_64_PC32 against
> `msre_format_metadata' can not be used when making
> d object; recompile with -fPIC
> /usr/bin/ld: final link failed: Bad value
>  collect2: ld returned 1 exit status
> apxs:Error: Command failed with rc=65536
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
>
>


--
Ivan Ristic

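The question above is where to look to see whether mod_unique_id is present. It can come from two places: compiled into the binary (listed by `httpd -l`) or loaded as a DSO by an uncommented `LoadModule unique_id_module ...` line (on 2.2 and later `httpd -M` shows both at once). The script below is an added example, not code from the thread or from the ModSecurity project: it parses those two sources. The sample `httpd -l` output and config excerpt are constructed, and the `httpd` binary name and `/etc/httpd/conf/httpd.conf` path in `main` are assumptions based on the CentOS layout.

```python
"""Is mod_unique_id available to this Apache?  Added example, not code from
the thread: it reads the two places the module can come from, the static
module list printed by `httpd -l` and active LoadModule lines in httpd.conf.
The sample outputs below are constructed, and the config path in main()
is an assumption (CentOS/RHEL layout)."""
import re
import subprocess

# `httpd -l` prints one "name.c" per compiled-in module (Apache 2.0 and 2.2).
STATIC_LINE = re.compile(r"^\s*(\w+)\.c\s*$")
# Only an uncommented LoadModule counts; "#LoadModule ..." is disabled.
LOADMODULE_LINE = re.compile(r"^[ \t]*LoadModule[ \t]+(\w+)[ \t]+(\S+)", re.MULTILINE)


def static_modules(httpd_l_output):
    """Module source names compiled into the binary, e.g. {'core', 'mod_so'}."""
    found = set()
    for line in httpd_l_output.splitlines():
        m = STATIC_LINE.match(line)
        if m:
            found.add(m.group(1))
    return found


def dso_modules(conf_text):
    """{module_identifier: path} for every active LoadModule line.
    Include'd files are not followed; pass their text too if you use them."""
    return {m.group(1): m.group(2) for m in LOADMODULE_LINE.finditer(conf_text)}


def unique_id_available(conf_text, httpd_l_output):
    """True if mod_unique_id is compiled in or loaded as a DSO."""
    return ("mod_unique_id" in static_modules(httpd_l_output)
            or "unique_id_module" in dso_modules(conf_text))


# Constructed sample data: a DSO build whose unique_id line is commented out.
SAMPLE_HTTPD_L = """Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
"""

SAMPLE_CONF = """# constructed httpd.conf excerpt
LoadModule security2_module modules/mod_security2.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule proxy_module modules/mod_proxy.so
"""

if __name__ == "__main__":
    print("sample config:", unique_id_available(SAMPLE_CONF, SAMPLE_HTTPD_L))
    # Real check on this host (assumed binary name and config path).
    try:
        out = subprocess.run(["httpd", "-l"], capture_output=True,
                             text=True, check=False).stdout
        with open("/etc/httpd/conf/httpd.conf") as fh:
            conf = fh.read()
        print("this host:", unique_id_available(conf, out))
    except OSError as exc:
        print("could not inspect local httpd:", exc)
```

If the config splits modules across `Include`d files (conf.d/*.conf on RHEL-style layouts), concatenate their text before calling `dso_modules`; the function deliberately does not chase includes.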
Brian Rectanus | 2 Feb 02:00

Re: Proxying a request based on RESPONSE_STATUS

Some other comments...

On 2/1/07, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:
> [Ryan Barnett] This is correct.  As my previous email stated, you can not
> use the proxy action past phases 1 or 2 as the proxy action is only able to
> act in the request phases.  In phase 3, it would be trying to act on the
> response.

Agree w/Ryan here.  Simply not possible.  You probably need a layer4-7
Load Balancer here.

You must detect the error at layer 7 (HTTP), but then handle the error
at layer 4 (TCP).  Something like Foundry ServerIron would work here.

> 2. Use "redirect" action at "phase 3" in conjunction with "ProxyPass"
> -----------------------------------------------------------------
>     # Proxying redirected Lead posts to the spooling VM
>      ProxyPass /backup/PostLeadAction
> http://spool:8003/ap/PostLeadAction
>      ProxyPassReverse /backup/PostLeadAction
> http://spool:8003/ap/PostLeadAction
>
>      # Detect when the original Lead handling server is down
>      # and redirect to the backup PostLeadAction URI
>      # ProxyPass rule above will send these request to the spool VM.
>      SecRule RESPONSE_STATUS 4..|5..
> "log,phase:3,redirect:/backup/PostLeadAction"
>
>
> This works fine for HTTP 4xx responses. However, the redirection fails

Hmm, really?  I would think you would lose your POST body with a
redirect.  I am assuming it was a POST with the "PostLeadAction" name.
 A GET would be ok, but not sure if modsec tacks on the query string
to the redirect option.

With an HTTP redirect (a Location: header) you would get something like this:

HTTP/1.x 302 Found
Date: Fri, 02 Feb 2007 00:43:26 GMT
Server: Apache
Location: http://foo.bar/backup/PostLeadAction
Content-Length: xxx
Connection: close
Content-Type: text/html; charset=iso-8859-1

No body.  And your browser will probably re-request with a GET with no
parameters.  So redirect will probably not work with a POST request.
Although I have seen some browsers try to re-post, but with a warning
dialog first.

> (since the request does not pass across phase 3 & 4) for HTTP 502 (I guess
> this might be true for all HTTP 5xx) responses with following debug log:
>
>   ==> ../logs/https_modsec_debug_log <==
>
> Initialising transaction (txid VRXllAoAAAMAACKsTtIAAAAD).
> Adding request cookie: name "JSESSIONID", value "df742sklhjoar"
> Transaction context created (dcfg 9efe998).
> Starting phase REQUEST_HEADERS.
> Second phase starting (dcfg 9efe998).
> Input filter: This request does not have a body.

See, no body here.

> Time #1: 493
> Starting phase REQUEST_BODY.
> Time #2: 561
> Hook insert_filter: Adding output filter (r 9f335c8).
> Initialising logging.
> Starting phase LOGGING.
> Audit log: Logging this transaction.

snip

> Please correct me if I use wrong configuration to tackle the problem here or
> else please suggest me an alternative way/tool to handle this sort of user
> scenario.

mod_proxy_balancer in Apache 2.2.4 will do much of what you want, but
I don't think it will handle the 5xx issue.  Perhaps you could modify
mod_proxy_balancer (mod_proxy_http) to detect a 'down' situation on
5xx error codes (not looked at the code)?

Another option is a layer 4-7 load balancer (application or content switch).

-B

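Brian's point that a 302 after a POST loses the body can be checked without a server: Python's urllib exposes the rewrite its redirect handler performs. The script below is an added example, not code from the thread or from ModSecurity; it calls `HTTPRedirectHandler.redirect_request()` directly, which is the real urllib code path, and reports what the client would send next. The host name `foo.bar`, the request body and the redirect target are constructed to match the thread's URIs.

```python
"""What a client does with a 302 after a POST.  Added example, not code from
the thread: it drives urllib's own HTTPRedirectHandler.redirect_request()
directly, so no server is needed.  Host name foo.bar and the request body
are constructed."""
from email.message import Message
from io import BytesIO
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request


def next_request(method, url, body, status, location):
    """Return a dict describing the request urllib would send after a
    `status` redirect to `location`, or None if urllib refuses to follow
    it automatically (it raises HTTPError back to the caller instead)."""
    req = Request(url, data=body, method=method)
    if body is not None:
        # What a real POST carries; these are exactly the headers the
        # redirect handler strips when it rewrites the request.
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        req.add_header("Content-Length", str(len(body)))
    resp_headers = Message()
    resp_headers["Location"] = location
    # urllib resolves a relative Location against the request URL first;
    # note that the original query string is not carried over.
    newurl = urljoin(url, location)
    try:
        nxt = HTTPRedirectHandler().redirect_request(
            req, BytesIO(b""), status, "Redirect", resp_headers, newurl)
    except HTTPError:
        return None
    return {
        "method": nxt.get_method(),
        "url": nxt.full_url,
        "has_body": nxt.data is not None,
        "headers": {k.lower(): v for k, v in nxt.header_items()},
    }


if __name__ == "__main__":
    post = next_request("POST", "http://foo.bar/ap/PostLeadAction",
                        b"lead=42", 302, "/backup/PostLeadAction")
    print(post)   # method GET, no body, no Content-Type: the lead is gone
    # 307 keeps the method, so urllib will not replay the POST on its own.
    print(next_request("POST", "http://foo.bar/ap/PostLeadAction",
                       b"lead=42", 307, "/backup/PostLeadAction"))
```

For the thread's scenario this means `redirect:` in phase 3 cannot move a lead post to the spool server: the follow-up is a bodyless GET, and with a 307 (which does preserve the method) urllib simply refuses to auto-follow and hands the response back to the caller. Browsers differ in detail, as Brian notes, but none of them silently re-send the original body on a 302.
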
REQUEST_COOKIES Regexp

Ofer,

Still having problems with using a regular expression with REQUEST_COOKIES and REQUEST_COOKIES_NAMES.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|
!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES_NAMES|
!REQUEST_COOKIES_NAMES:/\.cookie/|REQUEST_COOKIES|!REQUEST_COOKIES:/^fc/ \
        "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b)" \
        "redirect:/error.jsp,log,id:1,severity:2,msg:'Cross-site Scripting (XSS) Attack'"

I looked at the 2.0.4 source code and can see logic to handle regular expressions. Is the syntax above correct? I think we may still be using v2.0.3, was this working in that version?

Thanks.

Re: REQUEST_COOKIES Regexp

Sorry, I left out the $. It should be !REQUEST_COOKIES_NAMES:/\.cookie$/ below.

----- Original Message ----
From: Nicholas Vulgrinski <nvulgrinski <at> yahoo.com>
To: Ofer Shezaf <OferS <at> Breach.com>
Cc: mod-security-users <at> lists.sourceforge.net
Sent: Friday, February 2, 2007 11:23:26 AM
Subject: REQUEST_COOKIES Regexp

Ofer,

Still having problems with using a regular expression with REQUEST_COOKIES and REQUEST_COOKIES_NAMES.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|
!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES_NAMES|
!REQUEST_COOKIES_NAMES:/\.cookie/|REQUEST_COOKIES|!REQUEST_COOKIES:/^fc/ \
        "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b)" \
        "redirect:/error.jsp,log,id:1,severity:2,msg:'Cross-site Scripting (XSS) Attack'"

I looked at the 2.0.4 source code and can see logic to handle regular expressions. Is the syntax above correct? I think we may still be using v2.0.3, was this working in that version?

Thanks.

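The two posts above hinge on which cookies the target list actually hands to the operator once the regex exclusions are applied, and on why the `$` in `/\.cookie$/` matters. The script below is an added example, not ModSecurity code and not from the thread: it models the variable-selection rules as the ModSecurity 2 reference describes them (a bare collection selects every member, `NAME` one member, `/regex/` the members whose name matches, and a leading `!` removes whatever it selects), then runs a pattern over what survives. Check the semantics against the version you run; the Cookie header and the short XSS pattern are constructed stand-ins for the full rule in the thread, and collections the sample does not populate (ARGS, REQUEST_HEADERS, ...) simply select nothing.

```python
"""Which cookies a ModSecurity target list actually exposes to the operator.
Added example, not ModSecurity code: the selection semantics it models follow
the ModSecurity 2 reference's description of variable selection; verify them
against your version.  The Cookie header and the short XSS pattern are
constructed stand-ins for the rule in the thread."""
import re

# The thread's target list with the corrected /\.cookie$/ exclusion, and the
# first post's version without the anchor.
CORRECTED_TARGETS = (
    r"REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|"
    r"!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES_NAMES|"
    r"!REQUEST_COOKIES_NAMES:/\.cookie$/|REQUEST_COOKIES|!REQUEST_COOKIES:/^fc/")
FIRST_POST_TARGETS = CORRECTED_TARGETS.replace(r"/\.cookie$/", r"/\.cookie/")

# Constructed stand-in for the rule's XSS regex.
XSS_STANDIN = re.compile(r"<script|javascript:|\bon\w+\b\W*?=", re.I)

# Constructed request: one fc* cookie and one *.cookie cookie carry payloads,
# and one cookie *name* carries a payload while ending in ".cookiejar".
SAMPLE_COOKIE = ("JSESSIONID=df742sklhjoar; fcTracker=<script>alert(1)</script>; "
                 "evil=javascript:alert(1); stats.cookie=javascript:x; "
                 "<script>.cookiejar=1")


def parse_cookie_header(value):
    """Split 'a=1; b=2' into an ordered list of (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name.strip(), val.strip()))
    return pairs


def cookie_collections(cookie_header):
    """The two cookie collections: values keyed by name, and names as values."""
    pairs = parse_cookie_header(cookie_header)
    return {"REQUEST_COOKIES": pairs,
            "REQUEST_COOKIES_NAMES": [(n, n) for n, _ in pairs]}


def select_targets(target_spec, collections):
    """Expand a target list into [(collection, name, value)].  Items are
    applied left to right, which matches the thread's list (inclusions
    first, then exclusions)."""
    selected = []
    for item in target_spec.split("|"):
        item = item.strip()
        exclude = item.startswith("!")
        if exclude:
            item = item[1:]
        coll, _, selector = item.partition(":")
        members = collections.get(coll, [])
        if selector == "":
            hits = list(members)                       # whole collection
        elif len(selector) > 1 and selector[0] == selector[-1] == "/":
            rx = re.compile(selector[1:-1])            # select by name regex
            hits = [(n, v) for n, v in members if rx.search(n)]
        else:
            hits = [(n, v) for n, v in members if n == selector]
        if exclude:
            drop = {n for n, _ in hits}
            selected = [t for t in selected if not (t[0] == coll and t[1] in drop)]
        else:
            for n, v in hits:
                if (coll, n, v) not in selected:
                    selected.append((coll, n, v))
    return selected


def inspect_cookies(cookie_header, target_spec, pattern=XSS_STANDIN):
    """[(collection, cookie_name)] for every selected target whose value matches."""
    targets = select_targets(target_spec, cookie_collections(cookie_header))
    return [(coll, n) for coll, n, v in targets if pattern.search(v)]


if __name__ == "__main__":
    print("corrected:", inspect_cookies(SAMPLE_COOKIE, CORRECTED_TARGETS))
    print("first post:", inspect_cookies(SAMPLE_COOKIE, FIRST_POST_TARGETS))
```

Two things fall out of running it. The `!REQUEST_COOKIES_NAMES:/\.cookie$/` exclusion only removes the *name* `stats.cookie` from inspection; its *value* is still checked through REQUEST_COOKIES, so a payload there is still caught. And without the `$`, `/\.cookie/` also matches the name `<script>.cookiejar`, so the payload carried in that cookie name is never seen; with the anchor it is flagged.
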
Adam Stachelek | 2 Feb 19:02

Unknown request body processor on multipart/form-data upload

Hi all,

I am testing an installation of ModSecurity on our web app (Apache 2.2.3 fronting Tomcat/JBoss), and inconsistently but fairly regularly I get the following error during the file upload:

[Thu Feb 01 16:10:57 2007] [error] [client 64.25.85.102] ModSecurity: Unknown request body processor: Accept-Encoding [hostname "XXXXXXXXXX"] [uri "/uploader/"] [unique_id "qX-1iwoEYKwAAATXG1gAAAAH"]

This happens when doing a form post with content type text/plain to a few different URIs that are calls to the DWR framework (Java AJAX framework). The text that comes after "Unknown request body processor:" varies depending (seemingly) on the other requests that are happening at the same time. With debug logging on, I can see that the request body processor is being set to URLENCODED per the rule below.

Here are some relevant details:

* ModSecurity 2.0.4
* Modified version of Core Rules 2.0-1.2 (relevant updates given below)
* Apache 2.2.3 / Worker MPM / mod_jk 1.2.15 / mod_disk_cache enabled
* Red Hat Enterprise Linux 4
* Compiled ModSecurity against the OS PCRE installation, as was Apache

Relevant custom rules:

SecRule REQUEST_METHOD "^POST$" "chain,log,pass,phase:1,msg:'Got text/plain on POST, we have DWR, switching to URLENCODED'"
SecRule REQUEST_HEADERS:Content-Type "^text/plain$" "phase:1,ctl:requestBodyProcessor=URLENCODED"

Rule #1 is to have ModSecurity check POST data when we use DWR (Java AJAX framework), since DWR does POST with text/plain content type.

Any ideas?
