Torsten Lunze | 2 Jul 17:15

Redirect in case of a failed rule


Hi all,


I use the inspect file to check the uploads for viruses. If a virus is found, Apache should redirect the client to the same URI with a parameter attached. This is my rule:

SecRule FILES_TMPNAMES "@inspectFile /.../modsec-clamscan.pl" t:none,redirect:'%{REQUEST_FILENAME}?error=virus&%{QUERY_STRING}',status:302

The virus check works fine. The problem is that in case a virus is found, Apache shows me a page with a link to the original site instead of telling the client to go to the redirected page:

'The document has moved here.'

I am using Apache 2.0 under AIX and mod_security 2.1.

Does anyone know what configuration in Apache may help me?

Thank you,
Torsten

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Gonen Radai | 4 Jul 12:29

Re: exclude rule and log

Hi,

Sorry for the long delay.

Jeremy, I tried your first (and small) solution, but I still see log 
entries for that location+rule.

Your second solution is not good for me since I want all core rules to 
be applied for my whole server, and it's going to be very messy to put 
so many configuration lines in each VHost, especially if those lines 
will appear again in each VHost.

I tried the following:

<VirtualHost>
    ...
    <Location "/index.html">
        SecAuditEngine Off
        SecRuleRemoveById 960015
        SecRuleRemoveById 990011
        SecAuditEngine On
    </Location>
</VirtualHost>

but in that way, I don't get ANY logging for /index.html, which is bad 
because I need to see log entries regarding other rules on that location.

What is the way to configure SecRuleRemoveById+nolog on a specific URI?

Thanks,

Gonen

If you can't read my mail, try changing encoding to UTF-8.
Gonen.

Jeremy Melanson wrote:
> Ah. I see your problem.
>
> I have multiple virtual hosts in my proxies as well. The solution I did
> was to create individual Mod Security configs per VHost config:
>
> <VirtualHost [blahblahblahblah]>
> 	<IfModule  mod_security2.c>
> 		SecRuleEngine On
> 		SecRequestBodyAccess XXX
> 		SecResponseBodyAccess XXX
> 		SecResponseBodyMimeType XXXXXXXXXXXXXXXXXXXXXXX
> 		SecResponseBodyLimit XXXXXX
> 		SecUploadDir XXXXXXXXXXXXXXXX
> 		SecUploadKeepFiles XXX
> 		SecAuditEngine XXXXXXXXXXXX
> 		SecAuditLogRelevantStatus XXXXXXXXXX
> 		SecAuditLogType Concurrent
> 		SecAuditLog [log file specific to virtual host]
> 		SecAuditLogStorageDir [storage dir specific to virtual host]
> 		SecAuditLogParts XXXXXXXXXXXXX
> 		SecArgumentSeparator XXXX
> 		SecCookieFormat XXXX
> 		SecRequestBodyInMemoryLimit XXXXXXXXXXXX
> 		Include [config file containing rule exceptions specific to virtual
> host]
> 	</IfModule>
> </VirtualHost>
>
> The really important one is the "Include" line. That is where I've
> configured my individual exceptions. Since they're within my VirtualHost
> definition, they're specific only to that VirtualHost.
>
> Keep in mind that there is additional administration overhead when it's
> done this way, but at least you can be a lot more granular with your
> rule definitions and exceptions. And with my config, I can also tweak
> several Mod Security parameters per-VirtualHost as well.
>
> -----
> Jeremy
>
> On Thu, 2007-06-21 at 22:02 +0300, Gonen Radai wrote:
>   
>> Hi Jeremy, thanks for your response.
>>
>>
>> I have two problems with your suggestion:
>>
>> 1) Matching by URI means that if I want to remove rule on a specific
>> URL, I can't because
>>
>> I might have more than one VirtualHost that includes the same URI (e.g.
>> 'index.php').
>>
>>
>> 2) You didn't tell me if this way you don't see log entries of the
>> matching rule (although it's removed and passed).
>>
>> I am able to remove rule on a specific URL, but I keep getting entries
>> of that rule matching with that URL.
>>
>> My goal is to remove rule on URL and NOT log any matches between the
>> rule and the URL.
>>
>>
>> Gonen
>>
>>
>>
>>
>> Jeremy Melanson wrote: 
>>     
>>> Hi Gonen.
>>>
>>> Here's how I've been removing by specific URL, or more specifically URI:
>>>
>>> <LocationMatch "[URL]">
>>> 	SecRuleRemoveById ####
>>> </LocationMatch>
>>>
>>> If you wanted /index.do, you'd enter:
>>> <LocationMatch "^/index\.do">
>>> 	SecRuleRemoveById ####
>>> </LocationMatch>
>>>
>>> This will remove the rule when a match is made on any URI beginning with
>>> "/index.do".
>>>
>>> -----
>>> Jeremy
>>>
>>>
>>> On Thu, 2007-06-21 at 19:45 +0300, Gonen Radai wrote:
>>>   
>>>       
>>>> OK, but how do I remove entries from the log, on:
>>>>
>>>> 1) a specific URL 
>>>>
>>>>
>>>> 2) SecRuleRemoveById #### (on that specific URL)
>>>>
>>>> ?
>>>>
>>>>
>>>> Gonen
>>>>
>>>>
>>>>
>>>>
>>>> Ofer Shezaf wrote: 
>>>>     
>>>>         
>>>>> The duplicate ID is a bug in the Core Rule Set that was fixed in the
>>>>> current (stable) release
>>>>>
>>>>>  
>>>>>
>>>>> ~ Ofer
>>>>>
>>>>>  
>>>>>
>>>>> From:mod-security-users-bounces <at> lists.sourceforge.net
>>>>> [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf
>>>>> Of Gonen Radai
>>>>> Sent: Tuesday, June 19, 2007 3:40 PM
>>>>> To: mod-security-users <at> lists.sourceforge.net
>>>>> Subject: [mod-security-users] exclude rule and log
>>>>>
>>>>>
>>>>>  
>>>>>
>>>>> Hi, 
>>>>>
>>>>>
>>>>> I'm running modsecurity2
>>>>> The core rule 960015 is configured in the following conf files:
>>>>> modsecurity_crs_20_protocol_violations.conf
>>>>> modsecurity_crs_21_protocol_anomalies.conf
>>>>>
>>>>> I don't want to log requests that match the rule on a specific url,
>>>>> for example:
>>>>> http://domain.com/index.html
>>>>>
>>>>> so I added the following SecRuleRemoveById to my VirtualHost:
>>>>>
>>>>> <VirtualHost 123.123.123.123:80>
>>>>>     ServerName domain.com
>>>>>     ...
>>>>>     <Files index.html>
>>>>>         SecRuleRemoveById 960015
>>>>>     </Files>
>>>>> </VirtualHost>
>>>>>
>>>>> But I still get log entries regarding that rule on that specific
>>>>> http://domain.com/index.html
>>>>> Changing it to:
>>>>> SecRuleRemoveById       960015 "allow,phase:1,nolog"
>>>>>
>>>>> Also didn't stop the logging.
>>>>> What do I miss?
>>>>>
>>>>>
>>>>>
>>>>>       
>>>>>           
>
>   
Frank Misa | 4 Jul 23:08

[SOLVED - BOOYAH] RE: Perl script issues - running ModSecurityConsole on a Wind

Thanks Guys,

I thought you were just trying to tweak the Perl script with that last patch.
But I merged it manually today -- and after a closer look -- I realize the modifications allow the Perl script to be run from command-line directly (without piping stdio) -- this also allows running the script as a scheduled task on Windows.

Perfect -- this is exactly what I wanted.....

After manually merging the diff file you attached -- I tested the script -- and it works perfectly.
I'm very happy.

You MUST include this patch on your downloads site -- for Windows users.....
Running the script as service or scheduled/cron job should be an available option.

Attached are my merged, working version of the script, as well as an HTML diff report showing the differences between Aleksey Yudin's version and the original OTB....

Thanks for working through this with me....
I'm really surprised nobody else has run into this?
Go linux - go ;)

Cheers
Frank
PS
PLEASE NOTE:
# Script usage example:
# perl.exe C:\Apache2\bin\modsec-auditlog-collector.pl C:\Apache2\logs\auditlog C:\Apache2\logs\auditlog\index C:\Apache2\logs\collector.log
# Usage: modsec-auditlog-collector auditlog-folder auditlog-index logfile
# -----------------------------------------------------------------------------------
Parameters...
C:\Apache2\logs\auditlog        => would be your SecAuditLogStorageDir setting.
C:\Apache2\logs\auditlog\index  => would be your SecAuditLog setting.
C:\Apache2\logs\collector.log   => is just the log file for the perl script itself; pick whatever name you like....


> Date: Fri, 29 Jun 2007 09:50:19 -0400
> From: Brian.Rectanus <at> breach.com
> To: frankmisa <at> hotmail.com
> CC: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Perl script issues - running ModSecurityConsole on a Windows box.
>
> Aleksey Yudin (http://www.ptsecurity.ru) sent a patch a while back on
> the list. I attached it, but have not tested it.
>
> -B
>
> Frank Misa wrote:
> > Hi All,
> >
> > FYI
> >
> > Piped logging is broken on Apache/WindowsNT -- I've found several BUGs
> > logged against this issue -- and many posts on the Apache forums
> > discussing problems with piped logs.
> >
> > I've attached some feedback I've received from the Apache group below....
> >
> > As a workaround -- can the Breach development team -- modify the Perl
> > script so that it can be run as a cron/scheduled job on the Windows
> > platform ? That would help -- in the meantime -- I'll work around this
> > issue in other ways....
> >
> > Thanks all for your help....
> > Cheers
> > Frank
> >
> > The following directive crashes both versions of Apache for me - on
> > WinXP and Win2003....
> >>>SecAuditLog "|C:/Perl/bin/perl.exe
> > C:/fmm/ApacheSSL224/bin/modsec-auditlog-collector.pl"
> >
> > Apache 2.0.59 faults:
> >>>Faulting application httpd.exe, version 2.2.4.0, faulting module
> > libapr-1.dll, version 1.2.8.0, fault address 0x00004c80.
> >
> > Apache 2.2.4 faults:
> >>>Faulting application Apache.exe, version 2.0.59.200, faulting module
> > libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
> >
> > ------------------------------------------------------------------------
> >
> > > From: sctemme <at> apache.org
> > > Date: Thu, 28 Jun 2007 09:38:39 -0700
> > > To: users <at> httpd.apache.org
> > > Subject: Re: [users <at> httpd] Does Apache Support Piped Logs On
> > Windows Platform
> > >
> > > Frank,
> > >
> > > On Jun 28, 2007, at 9:22 AM, Frank Misa wrote:
> > >
> > > > I've seen many references to Apache issues with logging to piped
> > > > processes on the forums; but no clear answer on whether this is
> > > > supported or not.
> > > > Can someone here please confirm -- Yes/No...
> > > > Do the latest versions of Apache 2.0.x OR Apache 2.2.x support
> > > > piped logs on Windows ?
> > >
> > > Piped logs are currently effectively broken on Windows, due to the
> > > way we do or don't pass valid file descriptors to the called process
> > > for stdout and stderr. Others more knowledgeable than myself can
> > > elucidate on this more eloquently than I can.
> > >
> > > We're trying to fix it, but that hasn't happened so far. If you want
> > > to rotate your log files, the best approach is currently to rename
> > > them and then send your httpd service a restart signal using
> > >
> > > \path\to\httpd -n Apache2 -k restart
> > >
> > > with the name of the Windows Service as argument to the -n
> > > parameter. You can script this in any language that pleases you, and
> > > run it periodically in the Windows Scripting Host.
> > >
> > > > >>SecAuditLog "|C:/Perl/bin/perl.exe
> > C:/fmm/ApacheSSL224/bin/modsec-
> > > > auditlog-collector.pl"
> > >
> > > I haven't reviewed mod_security to this extent but does it use the
> > > Apache logging APIs? Or does it do its own thing?
> > >
> > > S.
> > >
> > > --
> > > Sander Temme
> > > sctemme <at> apache.org
> > > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
> > >
> > >
> > >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >> Date: Sat, 23 Jun 2007 22:20:32 -0400
> >> From: Brian.Rectanus <at> breach.com
> >> To: frankmisa <at> hotmail.com
> >> CC: Ryan.Barnett <at> Breach.com; mod-security-users <at> lists.sourceforge.net
> >> Subject: Re: [mod-security-users] Perl script issues - running
> > ModSecurityConsole on a Windows box.
> >>
> >> Sorry Frank. I am out-of-town until Tue. I'll look more then.
> >>
> >> -B
> >>
> >> Ryan Barnett wrote:
> >> > Frank,
> >> >
> >> > We will do our best, but please understand that the support that is
> >> > given to open source Mod users is “best effort”. This is no different
> >> > than any other open source project. Yes, we do work for Breach and this
> >> > means that we are wearing multiple hats and also working on the
> >> > commercial task items as well. We are normally very responsive to
> >> > questions, issues, etc… but it can take a bit more time to setup
> >> > different configurations and test them out. If you feel that the open
> >> > source support is not adequate for your needs and timelines, you may
> >> > want to consider purchasing commercial ModSecurity support.
> >> >
> >> >
> >> >
> >> > --
> >> > Ryan C. Barnett
> >> > ModSecurity Community Manager
> >> >
> >> > Breach Security: Director of Application Security Training
> >> > Web Application Security Consortium (WASC) Member
> >> > CIS Apache Benchmark Project Lead
> >> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> >> >
> >> > Author: Preventing Web Attacks with Apache
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > ------------------------------------------------------------------------
> >> >
> >> > From: Frank Misa [mailto:frankmisa <at> hotmail.com]
> >> > Sent: Friday, June 22, 2007 1:18 PM
> >> > To: Ryan Barnett; Brian Rectanus;
> > mod-security-users <at> lists.sourceforge.net
> >> > Subject: RE: [mod-security-users] Perl script issues - running
> >> > ModSecurityConsole on a Windows box.
> >> >
> >> >
> >> >
> >> > Hi Ryan, Brian:
> >> >
> >> > OK - I can run from command-line now -- but now I'm back at square one
> >> > -- Apache on Windows will not start if I configure my system as you
> >> > suggest here:
> >> > http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html
> >> >
> >> >
> >> > You two guys are the only ones who have shown an interest in my
> >> > question. I'm grateful...
> >> > You both work for Breach -- can you PLEASE configure a Windows/Apache
> >> > box..... and confirm that you too are not seeing the same error?
> >> > If it works for you then I'll drop this issue -- and pursue another
> >> > avenue to parse/analyze the logs files I've generated.
> >> >
> >> > ============================================
> >> > 1) I can now run the perl script from command line like this:
> >> > type C:\apache\logs\modSecurity\auditlog\modsec_audit.log |
> >> > c:\Perl\bin\perl.exe modsec-auditlog-collector.pl
> >> > C:\apache\logs\modSecurity\audit
> >> > C:\apache\logs\modSecurity\auditlog\modsec_audit.log
> >> >
> >> > NOTE: Even though the system initially complains about: "Failed
> >> > processing RPC request: Failed to rename file from"
> >> > Files ARE actually accumulating in the modSecurityConsole
> >> > ...\var\data\main\console\logs\pending directory -- great.
> >> > The UI looks - now - like it's getting some data - please see
> > screenshot:
> >> >
> >> >
> >> > ============================================
> >> > 2) When I configure my Apache/Windows system like this:
> >> > From: httpd.conf
> >> >>><IfModule mod_security2.c>
> >> >>> Include "C:/apache/conf/modsecurity/*.conf"
> >> >>></IfModule>
> >> >
> >> > From: modsecurity_crs_10_config.conf
> >> >>>SecAuditLog "|C:/Perl/bin/perl.exe
> >> > C:/apache/bin/modsec-auditlog-collector.pl
> >> > C:/apache/logs/modSecurity/audit
> >> > C:/apache/logs/modSecurity/auditlog/audit.log"
> >> >
> >> > I cannot start Apache -- no error on console running:
> >> >>>C:\apache\bin>Apache -S
> >> >>>C:\apache\bin>
> >> >
> >> > But the event viewer displays:
> >> >>>Faulting application Apache.exe, version 2.0.59.200, faulting module
> >> > libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
> >> >
> >> > Thanks
> >> > Frank
> >> >
> >> >
> >>
> >>
> >> --
> >> Brian Rectanus
> >> Breach Security
> >
>
>
> --
> Brian Rectanus
> Breach Security

Attachment (modsec-auditlog-collector-win32b.pl): application/x-perl, 6428 bytes

FILE COMPARISON
Produced: 7/4/2007 3:24:36 PM
   
Mode:  All Lines  
   
Left file: C:\fmm\ApacheSSL224\bin\modsec-auditlog-collectorORIG.pl  
Right file: C:\fmm\ApacheSSL224\bin\modsec-auditlog-collector-win32b.pl  
1 #!/usr/bin/perl = 1 #!/usr/bin/perl
2 #   2 #
3 # ModSecurity for Apache (http://www.modsecurity.org)   3 # ModSecurity for Apache (http://www.modsecurity.org)
4 # Copyright (c) 2002-2006 Thinking Stone (http://www.thinkingstone.com)   4 # Copyright (c) 2002-2006 Thinking Stone (http://www.thinkingstone.com)
5 #   5 #
6 # $Id: modsec-auditlog-collector.pl,v 1.1.2.3 2006/01/31 11:27:45 ivanr Exp $ <> 6 # $Id: modsec-auditlog-collector-win32.pl ,v 1.1.2.3 2006/01/31 11:27:45 ivanr Exp $
      7 # ORIGINALY $Id: modsec-auditlog-collector.pl,v 1.1.2.3 2006/01/31 11:27:45 ivanr Exp $
      8 # MODIFIED by Aleksey Yudin (http://www.ptsecurity.ru) e-mail: aleksei-yudin <at> yandex.ru 2007/04/04
7 # = 9 #
8 # This is a proof-of-concept script that listens to the <> 10 # This is a proof-of-concept script for Windows systems that
9 # audit log in real time and submits the entries to   11 # reads audit log file every minute and submits the entries to a remote HTTP server.
10 # a remote HTTP server. This code is not suitable for   12 # This code is NOT TESTED for production environment.
11 # non-trivial production use since it can only submit   13 # This script designated for testing purposes only.
12 # one audit log entry at a time, plus it does not handle      
13 # errors gracefully.   14 #
14 # = 15 #
15 # Usage:   16 # Usage:
16 #   17 #
17 # 1) Enter the correct parameters $CONSOLE_* below   18 # 1) Enter the correct parameters $CONSOLE_* below
18 #   19 #
19 # 2) Configure ModSecurity to use this script for   20 # 2) Configure ModSecurity to use this script for
20 #    concurrent audit logging index:   21 #    concurrent audit logging index:
21 #   22 #
22 #    SecAuditEngine RelevantOnly   23 #    SecAuditEngine RelevantOnly
23 #    SecAuditLogType Concurrent   24 #    SecAuditLogType Concurrent
24 #    SecAuditLogParts ABCDEFGHZ   25 #    SecAuditLogParts ABCDEFGHZ
25 #    SecAuditLogStorageDir /path/to/auditlog/data/ <> 26 #    SecAuditLogStorageDir "drive:\path\to\auditlog\data\"
26 #    SecAuditLog "|/path/to/modsec-auditlog-collector.pl \   27 #    SecAuditLog "drive:\path\to\auditlog\index"
27 #        /path/to/auditlog/data/ \      
28 #        /path/to/auditlog/index"      
29 # = 28 #
30 # 3) Restart Apache.   29 # 3) Restart Apache.
    <> 30 #
      31 # 4) Start Scheduler Service (net start schedule)
      32 #
      33 # 5) Create new user (Windows) and add him to administrators group 
      34 #
      35 # 6) Create schedule task with new user credentials: SCHTASKS /Create /S computername /U user /P password /SC MINUTE /MO 1 /TN ModSecurityLogCollector /TR "perl C:\Apache2\bin\modsec-auditlog-collector.pl C:\Apache2\logs\auditlog C:\Apache2\logs\auditlog\index C:\Apache2\logs\collector.log"
      36 #
      37 # Script Usage example: 
      38 # perl.exe C:\Apache2\bin\modsec-auditlog-collector.pl C:\Apache2\logs\auditlog C:\Apache2\logs\auditlog\index C:\Apache2\logs\collector.log
      39  
31   = 40  
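Review bot: step 6 of the new usage block puts the task account's password on the SCHTASKS command line (/P password) inside the script's own header comment, and step 5 makes that account a member of Administrators; the collector only needs read access to SecAuditLogStorageDir, read/write on the index, its copy and the collector log, and outbound access to the console port, so a dedicated unprivileged account is enough, and omitting /P makes SCHTASKS prompt for the password instead of leaving it in the task-creation command and the shell history. The quoted SecAuditLogStorageDir value in step 2 also ends in a backslash right before the closing quote, which Apache's configuration parser may read as an escaped quote; use forward slashes or drop the trailing separator.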
32 use MIME::Base64();   41 use MIME::Base64();
33 use IO::Socket::INET;   42 use IO::Socket::INET;
34     43  
35 my $CONSOLE_URI = "/rpc/auditLogReceiver";   44 my $CONSOLE_URI = "/rpc/auditLogReceiver";
36 my $CONSOLE_HOST = "127.0.0.1";   45 my $CONSOLE_HOST = "127.0.0.1";
37 my $CONSOLE_PORT = "8886";   46 my $CONSOLE_PORT = "8886";
38 my $CONSOLE_USERNAME = "test";   47 my $CONSOLE_USERNAME = "test";
39 my $CONSOLE_PASSWORD = "sensor";   48 my $CONSOLE_PASSWORD = "sensor";
40     49  
41 # ---------------------------------------------------   50 # ---------------------------------------------------
42     51  
43 my $logline_regex = "";   52 my $logline_regex = "";
44     53  
45 # hostname   54 # hostname
46 $logline_regex .= "^(\\S+)";   55 $logline_regex .= "^(\\S+)";
47 # remote host, remote username, local username   56 # remote host, remote username, local username
48 $logline_regex .= "\\ (\\S+)\\ (\\S+)\\ (\\S+)";   57 $logline_regex .= "\\ (\\S+)\\ (\\S+)\\ (\\S+)";
49 # date, time, and gmt offset   58 # date, time, and gmt offset
50 $logline_regex .= "\\ \\[([^:]+):(\\d+:\\d+:\\d+)\\ ([^\\]]+)\\]";   59 $logline_regex .= "\\ \\[([^:]+):(\\d+:\\d+:\\d+)\\ ([^\\]]+)\\]";
51 # request method + request uri + protocol (as one field)   60 # request method + request uri + protocol (as one field)
52 $logline_regex .= "\\ \"(.*)\"";   61 $logline_regex .= "\\ \"(.*)\"";
53 # status, bytes out   62 # status, bytes out
54 $logline_regex .= "\\ (\\d+)\\ (\\S+)";   63 $logline_regex .= "\\ (\\d+)\\ (\\S+)";
55 # referer, user_agent   64 # referer, user_agent
56 $logline_regex .= "\\ \"(.*)\"\\ \"(.*)\"";   65 $logline_regex .= "\\ \"(.*)\"\\ \"(.*)\"";
57 # uniqueid, sessionid   66 # uniqueid, sessionid
58 $logline_regex .= "\\ (\\S+)\\ \"(.*)\"";   67 $logline_regex .= "\\ (\\S+)\\ \"(.*)\"";
59 # filename, offset, size   68 # filename, offset, size
60 $logline_regex .= "\\ (\\S+)\\ (\\d+)\\ (\\d+)";   69 $logline_regex .= "\\ (\\S+)\\ (\\d+)\\ (\\d+)";
61 # hash   70 # hash
62 $logline_regex .= "\\ (\\S+)";   71 $logline_regex .= "\\ (\\S+)";
63 # the rest (always keep this part of the regex)   72 # the rest (always keep this part of the regex)
64 $logline_regex .= "(.*)\$";   73 $logline_regex .= "(.*)\$";
65     74  
66 my $therequest_regex = "(\\S+)\\ (.*?)\\ (\\S+)";   75 my $therequest_regex = "(\\S+)\\ (.*?)\\ (\\S+)";
67     76  
    <> 77  
68 sub send_entry { = 78 sub send_entry {
69   my ($file_name, $file_offset, $file_size, $hash, $summary) = <at> _;   79   my ($file_name, $file_offset, $file_size, $hash, $summary) = <at> _;
70   my $buffer;   80   my $buffer;
71     81  
72   if (!open(F, $file_name)) { <> 82 if (!open(F,$file_name))
      83 {
73    print LOG "> Could not open file $file_name.\n";   84        print LOG ("Could not open file $file_name \n");
74     return;   85       return;
      86  
75   } = 87   }
76     88  
    <> 89  
77   binmode F; = 90   binmode F;
78     91  
    -+ 92   print "\n";
79   $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $CONSOLE_HOST, PeerPort => $CONSOLE_PORT, Timeout => 10); = 93   $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $CONSOLE_HOST, PeerPort => $CONSOLE_PORT, Timeout => 10);
80   binmode $socket;   94   binmode $socket;
81     95  
82   if (!$socket) {   96   if (!$socket) {
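Review bot: the added print "\n" at right-hand line 92 writes to standard output, which has no reader when the script runs as a scheduled task, while every other diagnostic in send_entry goes to LOG; either drop it or turn it into a LOG message that says what is about to happen (for example "> Sending $file_name").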
83     print LOG "> Failed to open socket.\n"; <> 97     print LOG ("> Failed to open socket.\n");
84     return; = 98     return;
85   }   99   }
86     100  
87   $socket->autoflush(1);   101   $socket->autoflush(1);
88     102  
89   my $credentials = MIME::Base64::encode($CONSOLE_USERNAME . ":" . $CONSOLE_PASSWORD);   103   my $credentials = MIME::Base64::encode($CONSOLE_USERNAME . ":" . $CONSOLE_PASSWORD);
90   chomp($credentials);   104   chomp($credentials);
91     105  
92   print $socket "PUT $CONSOLE_URI HTTP/1.0\r\n";   106   print $socket "PUT $CONSOLE_URI HTTP/1.0\r\n";
93   print $socket "Content-Length: " . $file_size . "\r\n";   107   print $socket "Content-Length: " . $file_size . "\r\n";
94   print $socket "Authorization: Basic " . $credentials . "\r\n";   108   print $socket "Authorization: Basic " . $credentials . "\r\n";
95   print $socket "X-ForensicLog-Summary: " . $summary . "\r\n";   109   print $socket "X-ForensicLog-Summary: " . $summary . "\r\n";
96   print $socket "X-Content-Hash: " . $hash . "\r\n";   110   print $socket "X-Content-Hash: " . $hash . "\r\n";
97   print $socket "\r\n";   111   print $socket "\r\n";
98     112  
99   # send file contents <>    
100 &nbsp while (   113 while (
101   &nbsp read(F, $buffer, 8192)   114    read(F,$buffer,8192)
102   &nbsp and print $socket $buffer   115    and print $socket $buffer
103 &nbsp ) {};   116 ) {};
104 &nbsp close(F);   117 close(F);
105   = 118  
106   my $status = 0;   119   my $status = 0;
107   while(<$socket>) {   120   while(<$socket>) {
108     # print "> $_";   121     # print "> $_";
109     if (($status == 0) && (/^HTTP\/[0-9]\.[0-9] ([0-9]+).+$/)) {   122     if (($status == 0) && (/^HTTP\/[0-9]\.[0-9] ([0-9]+).+$/)) {
110       $status = $1;   123       $status = $1;
111     }   124     }
112   }   125   }
113     126  
114   print LOG "> Status: " . $status . "\n"; <> 127   print LOG ("Status: " . $status . "\n");
115   close($socket); = 128   close($socket);
116 }   129 }
117     130  
118 # -- Main --------------------------------------------------------------------   131 # -- Main --------------------------------------------------------------------
119     132  
120 if ( <at> ARGV != 2) { <> 133 if ( <at> ARGV != 3) {
121     print "Usage: modsec-auditlog-collector auditlog-folder auditlog-index\n";   134     print "Usage: modsec-auditlog-collector auditlog-folder auditlog-index logfile\n";
122     exit; = 135     exit;
123 }   136 }
124     137  
    <> 138  
      139  
125 my($folder, $index) = <at> ARGV;   140 my ($folder,$index,$log) = <at> ARGV;
126   = 141  
    <> 142  
      143  
      144 # Open log file for collector
127 open(LOG, ">>$index") || die("Failed to open: $index\n");   145 open(LOG, ">>$log") || die("Failed to open: $index\n");
128 $| = 1, select $_ for select LOG;   146  
129   = 147  
130     148  
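Review bot: the die message on right-hand line 145 still names $index although the open was changed to ">>$log", so a failure to open the collector log reports the wrong file; change it to die("Failed to open: $log\n"). Dropping the `$| = 1, select $_ for select LOG;` line also leaves LOG unflushed, so if the process is killed mid-run the buffered diagnostics for that run are lost; keep the autoflush with the new LOG handle.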
    <> 149  
      150 # Open copy index file
      151 my $index2="$index"."2";
      152 open(INDEX2, ">>$index2") || die("Failed to open: $index2\n");
      153  
      154 # Reading index file into array 
      155 open(INDEX, "$index") || die("Failed to open: $index\n");
      156 flock INDEX,2;
      157 my <at> logs=<INDEX>;
      158 flock INDEX,8;
      159 close (INDEX);
      160  
      161 # Clearing original index file
      162 open(INDEX, "+>$index") || die("Failed to open: $index\n");
      163 close (INDEX);
      164  
      165 my $logsarray=0;
131 while(<STDIN>) {   166 while ($logsarray < scalar( <at> logs))
132     # print LOG "Line: $_";      
133     167 {
      168     $_=$logs[$logsarray];
      169     $logsarray++;
134     chomp(); = 170     chomp();
135     my $summary = $_;   171     my $summary = $_;
136     172  
137     next if (/^$/);   173     next if (/^$/);
138     174  
139     my <at> parsed_logline = /$logline_regex/x;   175     my <at> parsed_logline = /$logline_regex/x;
140     if ( <at> parsed_logline == 0) {   176     if ( <at> parsed_logline == 0) {
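Review bot: the read-then-clear sequence on right-hand lines 155-163 can silently drop audit entries: the exclusive flock is released on line 158 and the index is only truncated by the "+>" open on line 162, so any index line ModSecurity appends between those two points is thrown away unprocessed, and the flock itself does not prevent that because Apache does not take this lock when it appends to the index. Either leave the index untouched and persist the byte offset already processed, reading only from there on the next run, or rotate it by rename followed by an httpd restart, as the Apache reply earlier in this thread describes, so the writer reopens the file.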
141         print LOG "> Failed to parse line: " . $_ . "\n"; <> 177         print LOG ("> Failed to parse line: " . $_ . "\n");
142     } else { = 178     } else {
143       ( <>    
144      &nbsp    $request{"hostname"},   179       (   $request{"hostname"},
145           $request{"remote_ip"}, = 180           $request{"remote_ip"},
146           $request{"remote_username"},   181           $request{"remote_username"},
147           $request{"username"},   182           $request{"username"},
148           $request{"date"},   183           $request{"date"},
149           $request{"time"},   184           $request{"time"},
150           $request{"gmt_offset"},   185           $request{"gmt_offset"},
151           $request{"the_request"},   186           $request{"the_request"},
152           $request{"status"},   187           $request{"status"},
153           $request{"bytes_out"},   188           $request{"bytes_out"},
154           $request{"referer"},   189           $request{"referer"},
155           $request{"user_agent"},   190           $request{"user_agent"},
156           $request{"unique_id"},   191           $request{"unique_id"},
157           $request{"session_id"},   192           $request{"session_id"},
158           $request{"filename"},   193           $request{"filename"},
159           $request{"file_offset"},   194           $request{"file_offset"},
160           $request{"file_size"},   195           $request{"file_size"},
161           $request{"hash"},   196           $request{"hash"},
162           $request{"the_rest"}   197           $request{"the_rest"}
163       ) = <at> parsed_logline;   198       ) = <at> parsed_logline;
164     199  
    <> 200  
165       $_ = $request{"the_request"}; = 201       $_ = $request{"the_request"};
166       my <at> parsed_therequest = /$therequest_regex/x;   202       my <at> parsed_therequest = /$therequest_regex/x;
167       if ( <at> parsed_therequest == 0) {   203       if ( <at> parsed_therequest == 0) {
168         $request{"invalid"} = "1";   204         $request{"invalid"} = "1";
169         $request{"request_method"} = "";   205         $request{"request_method"} = "";
170         $request{"request_uri"} = "";   206         $request{"request_uri"} = "";
171         $request{"protocol"} = "";   207         $request{"protocol"} = "";
172       } else {   208       } else {
173         (   209         (
174           $request{"request_method"},   210           $request{"request_method"},
175           $request{"request_uri"},   211           $request{"request_uri"},
176           $request{"protocol"}   212           $request{"protocol"}
177         ) = <at> parsed_therequest;   213         ) = <at> parsed_therequest;
178         }   214         }
179     215  
180       print LOG ($summary . "\n"); <> 216       print INDEX2 ($summary . "\n");
181       send_entry($abs_file_name = $folder . "/" . $request{"filename"}, $request{"file_offset"}, $request{"file_size"}, $request{"hash"}, $summary);   217         send_entry($abs_file_name = $folder . "/" . $request{"filename"}, $request{"file_offset"}, $request{"file_size"}, $request{"hash"}, $summary);
182     } = 218     }
183 }   219 }
184     220  
    <> 221  
      222  
      223 close(INDEX2);
185 close(LOG); = 224 close(LOG);
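Review bot: the `send_entry(...)` call at the bottom of the loop assigns `$abs_file_name` inside its argument list (`send_entry($abs_file_name = $folder . "/" . $request{"filename"}, ...)`); move that assignment to its own statement above the call so the side effect is explicit and the arguments read as plain values. Two smaller points on the same hunk: `print INDEX2 ($summary . "\n")` now writes to a filehandle whose `open` is outside this hunk, so check that `open` for failure before the loop or the index lines are silently lost; and the right-hand side indents the `send_entry` line two columns deeper than the `print` directly above it, which should stay aligned.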
Sven Vetsch | 5 Jul 10:21

Core Rules for mod_security 1.9.5


Hi everyone,
I know that the core rules are built for the mod_security 2.x syntax, but my question is whether any of you have "translated" the rules that can also be used in version 1.9.5 into the old syntax, or know if something like this is available?

Regards,
Sven
Aleks | 5 Jul 14:30

Re: Perl script issues - running ModSecurityConsole on a Windows box.

Hi, Frank.

I already modified the script. It works without pipes - only with schedule.

Modified perl script is here:

http://www.securitylab.ru/_download/software/modsec-auditlog-collector.pl

Usage of this script:

# Usage:
#
# 1) Enter the correct parameters $CONSOLE_* below
#
# 2) Configure ModSecurity to use this script for
# concurrent audit logging index:
#
# SecAuditEngine RelevantOnly
# SecAuditLogType Concurrent
# SecAuditLogParts ABCDEFGHZ
# SecAuditLogStorageDir "drive:\path\to\auditlog\data\"
# SecAuditLog "drive:\path\to\auditlog\index"
#
# 3) Restart Apache.
#
# 4) Start Scheduler Service (net start schedule)
#
# 5) Create new user (Windows) and add him to administrators group
#
# 6) Create schedule task with new user credentials: SCHTASKS /Create /S computername /U user /P password /SC MINUTE /MO 1 /TN ModSecurityLogCollector /TR "perl C:\Apache2\bin\modsec-auditlog-collector.pl C:\Apache2\logs\auditlog C:\Apache2\logs\auditlog\index C:\Apache2\logs\collector.log"
#
# Script Usage example:
# perl.exe C:\Apache2\bin\modsec-auditlog-collector.pl C:\Apache2\logs\auditlog C:\Apache2\logs\auditlog\index C:\Apache2\logs\collector.log

Best Regards, Aleksey Yudin - Positive Technologies, Information Security Expert
WWW: http://maxpatrol.com, http://www.ptsecurity.ru, http://www.xspider.ru,
http://www.securitylab.ru

 

28.06.07, 22:41, Frank Misa:

> Hi All,
>
> FYI
>
> Piped logging is broken on Apache/WindowsNT -- I've found several BUGs logged against this issue -- and many posts on the Apache forums discussing problems with piped logs.
>
> I've attached some feedback I've received from the Apache group below....
>
> As a workaround -- can the Breach development team -- modify the Perl script so that it can be run as a cron/scheduled job on the Windows platform ? That would help -- in the meantime -- I'll work around this issue in other ways....
>
> Thanks all for your help....
> Cheers
> Frank
>
> The following directive crashes both versions of Apache for me - on WinXP and Win2003....
> >>>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-auditlog-collector.pl"
>
> Apache 2.0.59 faults:
>
> >>Faulting application httpd.exe, version 2.2.4.0, faulting module libapr-1.dll, version 1.2.8.0, fault address 0x00004c80.
>
> Apache 2.2.4 faults:
>
> >>Faulting application Apache.exe, version 2.0.59.200, faulting module libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
>
> From: sctemme <at> apache.org
>> Date: Thu, 28 Jun 2007 09:38:39 -0700
>> To: users <at> httpd.apache.org
>> Subject: Re: [users <at> httpd] Does Apache Support Piped Logs On Windows Platform
>>
>> Frank,
>>
>> On Jun 28, 2007, at 9:22 AM, Frank Misa wrote:
>>
>> > I've seen many references to Apache issues with logging to piped
>> > processes on the forums; but no clear answer on whether this is
>> > supported or not.
>> > Can someone here please confirm -- Yes/No...
>> > Do the latest versions of Apache 2.0.x OR Apache 2.2.x support
>> > piped logs on Windows ?
>>
>> Piped logs are currently effectively broken on Windows, due to the
>> way we do or don't pass valid file descriptors to the called process
>> for stdout and stderr. Others more knowledgeable than myself can
>> elucidate on this more eloquently than I can.
>>
>> We're trying to fix it, but that hasn't happened so far. If you want
>> to rotate your log files, the best approach is currently to rename
>> them and then send your httpd service a restart signal using
>>
>> \path\to\httpd -n Apache2 -k restart
>>
>> with the name of the Windows Service as argument to the -n
>> parameter. You can script this in any language that pleases you, and
>> run it periodically in the Windows Scripting Host.
>>
>> > >>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-
>> > auditlog-collector.pl"
>>
>> I haven't reviewed mod_security to this extent but does it use the
>> Apache logging APIs? Or does it do its own thing?
>>
>> S.
>>
>> --
>> Sander Temme
>> sctemme <at> apache.org
>> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>>
>>
>>

>

>
>> Date: Sat, 23 Jun 2007 22:20:32 -0400
>> From: Brian.Rectanus <at> breach.com
>> To: frankmisa <at> hotmail.com
>> CC: Ryan.Barnett <at> Breach.com; mod-security-users <at> lists.sourceforge.net
>> Subject: Re: [mod-security-users] Perl script issues - running ModSecurityConsole on a Windows box.
>>
>> Sorry Frank. I am out-of-town until Tue. I'll look more then.
>>
>> -B
>>
>> Ryan Barnett wrote:
>> > Frank,
>> >
>> > We will do our best, but please understand that the support that is
>> > given to open source Mod users is “best effort”. This is no different
>> > then any other open source project. Yes, we do work for breach and this
>> > means that we are wearing multiple hats and also working on the
>> > commercial task items as well. We are normally very responsive to
>> > questions, issues, etc… but it can take a bit more time to setup
>> > different configurations and test them out. If you feel that the open
>> > source support is not adequate for your needs and timelines, you may
>> > want to consider purchasing commercial ModSecurity support.
>> >
>> >
>> >
>> > --
>> > */Ryan C. Barnett
>> > /*ModSecurity Community Manager
>> >
>> > Breach Security: Director of Application Security Training
>> > Web Application Security Consortium (WASC) Member
>> > CIS Apache Benchmark Project Lead
>> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>> >
>> > Author: Preventing Web Attacks with Apache
>> >
>> >
>> >
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > *From:* Frank Misa [mailto:frankmisa <at> hotmail.com]
>> > *Sent:* Friday, June 22, 2007 1:18 PM
>> > *To:* Ryan Barnett; Brian Rectanus; mod-security-users <at> lists.sourceforge.net
>> > *Subject:* RE: [mod-security-users] Perl script issues - running
>> > ModSecurityConsole on a Windows box.
>> >
>> >
>> >
>> > Hi Ryan, Brian:
>> >
>> > OK - I can run from command-line now -- but now I'm back at square one
>> > -- Apache on Windows will not start if I configure my system as you
>> > suggest here:
>> > http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html
>> >
>> >
>> > You two guys are the only ones who have shown an interest in my
>> > question. I'm grateful...
>> > You both work for Breach -- can you PLEASE configure an Windows/Apache
>> > box..... and confirm that you too are not seeing the same error ?
>> > If it works for you then I'll drop this issue -- and pursue another
>> > avenue to parse/analyze the logs files I've generated.
>> >
>> > ============================================
>> > 1) I can now run the perl script from command line like this:
>> > type C:\apache\logs\modSecurity\auditlog\modsec_audit.log |
>> > c:\Perl\bin\perl.exe modsec-auditlog-collector.pl
>> > C:\apache\logs\modSecurity\audit
>> > C:\apache\logs\modSecurity\auditlog\modsec_audit.log
>> >
>> > NOTE: Even though the system initially complains about: "Failed
>> > processing RPC request: Failed to rename file from"
>> > Files ARE actually accumulating in the modSecurityConsole
>> > ...\var\data\main\console\logs\pending directory -- great.
>> > The UI looks - now - like it's getting some data - please see screenshot:
>> >
>> >
>> > ============================================
>> > 2) When I configure my Apache/Windows system like this:
>> > From: httpd.conf
>> >>>
>> >>> Include "C:/apache/conf/modsecurity/*.conf"
>> >>>
>> >
>> > From: modsecurity_crs_10_config.conf
>> >>>SecAuditLog "|C:/Perl/bin/perl.exe
>> > C:/apache/bin/modsec-auditlog-collector.pl
>> > C:/apache/logs/modSecurity/audit
>> > C:/apache/logs/modSecurity/auditlog/audit.log"
>> >
>> > I cannot start Apache -- no error on console running:
>> >>>C:\apache\bin>Apache -S
>> >>>C:\apache\bin>
>> >
>> > But the event viewer displays:
>> >>>Faulting application Apache.exe, version 2.0.59.200, faulting module
>> > libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
>> >
>> > Thanks
>> > Frank
>> >
>> > ------------------------------------------------------------------------
>> >
>> >
>> >
>>
>>
>> --
>> Brian Rectanus
>> Breach Security
>


--
Sincerely yours. Aleks :)
Aleksei-yudin <at> yandex.ru
Jeremy Melanson | 5 Jul 16:49

Re: exclude rule and log

In my config, all of the core rules are applied to the VirtualHosts. There are no modifications to the core rules, only exclusions per VirtualHost. This means that all of the core rules are applied for your whole server.


I have this in my httpd.conf, which makes them "global" (it applies to all VirtualHosts).

SecServerSignature "ArbitraryName"
SecDataDir /usr/local/apache/var/secdatadir
SecTmpDir /usr/local/apache/var/sectmpdir
# We specify modsecurity*.conf, because there are other files that we don't want to call from here.
# They are called for their specific virtual hosts.
Include /usr/local/apache/conf/modsecurity/modsecurity*.conf

If you want to just keep all of the Mod Security settings the same for all VirtualHosts, then you would just remove parts of the <ifModule mod_security2.c> section for each virtualHost that you want to make global, and put them into your httpd.conf file. You still have the option of making individual rule changes per virtual host if you want.

I wouldn't turn SecAuditEngine off for any reason, as that turns off auditing for ALL rules. The best thing to do (IMHO) is to just "SecRuleRemoveById" for specific Locations. When you issue "SecRuleRemoveById XXXXXX", it turns the given rule off, which includes all Auditing and logging for that rule. Your access logs, normal error logging, and other Mod Security rules should behave normally.

-----
Jeremy


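Jeremy's advice (core rules shared from httpd.conf, per-location SecRuleRemoveById instead of SecAuditEngine Off) combined with Ryan Barnett's phase caveat from further down this thread, as an added example that is not a configuration from the thread; the phase-1 rule goes beyond the thread by using ctl:ruleRemoveById, which ModSecurity 2.5 and later provide for the per-request case Ryan says was still being worked on. Assumed: the ServerName, the rule id and the Include path are placeholders.

```apache
# httpd.conf, server scope: engine settings and the core rules live here once,
# so every VirtualHost inherits them unchanged.
SecRuleEngine On
SecAuditEngine RelevantOnly

# SecRuleRemoveById inside <Location>/<LocationMatch> takes effect in phase 2
# only, so it cannot switch off a phase-1 core rule for one URI. ModSecurity
# 2.5+ added ctl:ruleRemoveById for that: this rule is defined BEFORE the core
# rules are included, so it runs first and removes the rule for this request
# only. (rule id 100001 is a constructed placeholder)
SecRule REQUEST_URI "^/index\.html$" \
    "phase:1,t:none,pass,nolog,id:'100001',ctl:ruleRemoveById=960015"

# Placeholder path; same layout as Jeremy's global Include.
Include /usr/local/apache/conf/modsecurity/modsecurity*.conf

<VirtualHost *:80>
    # placeholder host name
    ServerName www.example.com

    # Weak: SecAuditEngine Off silences the audit log for EVERY rule that
    # fires on /index.html, not just the two being excluded, so hits from
    # the remaining core rules on this URI are never recorded.
    #<Location "/index.html">
    #    SecAuditEngine Off
    #    SecRuleRemoveById 960015
    #    SecRuleRemoveById 990011
    #    SecAuditEngine On
    #</Location>

    # Corrected: remove only the two rules (one directive takes several
    # ids). Those two neither match nor log here; every other rule keeps
    # blocking and logging as before. Phase 2 onward only (see above).
    <LocationMatch "^/index\.html$">
        SecRuleRemoveById 960015 990011
    </LocationMatch>
</VirtualHost>
```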
blaster | 5 Jul 17:04

Re: exclude rule and log

Can SecRuleRemoveById also be used to turn only logging off?
So that the rule still blocks bad attempts?

Thomas

Quoting Jeremy Melanson <jmelanson <at> passkey.com>:

> In my config, all of the core rules are applied to the VirtualHosts.
> There are no modifications to the core rules, only exclusions per
> VirtualHost. This means that all of the core rules are applied for your
> whole server.
> 
> 
> I have this in my httpd.conf, which makes them "global" (it applies to
> all VirtualHosts).
> 
> SecServerSignature "ArbitraryName"
> SecDataDir /usr/local/apache/var/secdatadir
> SecTmpDir /usr/local/apache/var/sectmpdir
> # We specify modsecurity*.conf, because there are other files that we don't want to call from here.
> # They are called for their specific virtual hosts.
> Include /usr/local/apache/conf/modsecurity/modsecurity*.conf
> 
> If you want to just keep all of the Mod Security settings the same for
> all VirtualHosts, then you would just remove parts of the <ifModule
> mod_security2.c> section for each virtualHost that you want to make
> global, and put them into your httpd.conf file. You still have the
> option of making individual rule changes per virtual host if you want.
> 
> I wouldn't turn SecAuditEngine off for any reason, as that turns off
> auditing for ALL rules. The best thing to do (IMHO) is to just
> "SecRuleRemoveById" for specific Locations. When you issue
> "SecRuleRemoveById XXXXXX", it turns the given rule off, which includes
> all Auditing and logging for that rule. Your access logs, normal error
> logging, and other Mod Security rules should behave normally.
> 
> -----
> Jeremy
> 
> 
> On Wed, 2007-07-04 at 13:29 +0300, Gonen Radai wrote:
> 
> > Hi,
> > 
> > 
> > Sorry for the long delay.
> > 
> > 
> > Jeremy, I tried your first (and small) solution, but I still see log 
> > entries for that location+rule.
> > 
> > 
> > Your second solution is not good for me since I want all core rules to 
> > be applied for my whole server,
> > 
> > and it's going to be very messy to put so many configuration lines in 
> > each VHost, especially if those lines will
> > 
> > appear again in each VHost.
> > 
> > 
> > I tried the following:
> > 
> > <VirtualHost>
> > 
> > ...
> > 
> >         <Location "/index.html">
> > 
> >                SecAuditEngine Off
> >                SecRuleRemoveById       960015
> >                 SecRuleRemoveById       990011
> > 
> >                  SecAuditEngine On
> > 
> >        </Location>
> > 
> > </VirtualHost>
> > 
> > 
> > but in that way, I don't get ANY logging for /index.html, which is bad 
> > because I need to see
> > 
> > log entries regarding to other rules on that location.
> > 
> > 
> > What is the way to configure SecRuleRemoveById+nolog on a specific URI ?
> > 
> > 
> > Thanks,
> > 
> > Gonen
> > 
> > If you can't read my mail, try changing encoding to UTF-8.
> > Gonen.
> > 
> > 
> > 
> > Jeremy Melanson wrote:
> > > Ah. I see your problem.
> > >
> > > I have multiple virtual hosts in my proxies as well. The solution I did
> > > was to create individual Mod Security configs per VHost config:
> > >
> > > <VirtualHost [blahblahblahblah]>
> > > 	<IfModule  mod_security2.c>
> > > 		SecRuleEngine On
> > > 		SecRequestBodyAccess XXX
> > > 		SecResponseBodyAccess XXX
> > > 		SecResponseBodyMimeType XXXXXXXXXXXXXXXXXXXXXXX
> > > 		SecResponseBodyLimit XXXXXX
> > > 		SecUploadDir XXXXXXXXXXXXXXXX
> > > 		SecUploadKeepFiles XXX
> > > 		SecAuditEngine XXXXXXXXXXXX
> > > 		SecAuditLogRelevantStatus XXXXXXXXXX
> > > 		SecAuditLogType Concurrent
> > > 		SecAuditLog [log file specific to virtual host]
> > > 		SecAuditLogStorageDir [storage dir specific to virtual host]
> > > 		SecAuditLogParts XXXXXXXXXXXXX
> > > 		SecArgumentSeparator XXXX
> > > 		SecCookieFormat XXXX
> > > 		SecRequestBodyInMemoryLimit XXXXXXXXXXXX
> > > 		Include [config file containing rule exceptions specific to virtual host]
> > > 	</IfModule>
> > > </VirtualHost>
> > >
> > > The really important one is the "Include" line. That is where I've
> > > configured my individual exceptions. Since they're within my VirtualHost
> > > definition, they're specific only to that VirtualHost.
> > >
> > > Keep in mind, that there is additional administration overhead when it's
> > > done this way, but at least you can be a lot more granular with your
> > > rule definitions and exceptions. And with my config, I can also tweak
> > > several Mod Security parameters per-VirtualHost as well.
> > >
> > > -----
> > > Jeremy
> > >
> > > On Thu, 2007-06-21 at 22:02 +0300, Gonen Radai wrote:
> > >   
> > >> Hi Jeremy, thanks for your response.
> > >>
> > >>
> > >> I have two problems with you suggestion:
> > >>
> > >> 1) Matching by URI means that if I want to remove rule on a specific
> > >> URL, I can't because
> > >>
> > >> I might have more than one VirtualHost that includes the same URI (e.g
> > >> 'index.php).
> > >>
> > >>
> > >> 2) You didn't tell me if this way you don't see log entries of the
> > >> matching rule (although it's removed and passed).
> > >>
> > >> I am able to remove rule on a specific URL, but I keep getting entries
> > >> of that rule matching with that URL.
> > >>
> > >> My goal is to remove rule on URL and NOT log any matches between the
> > >> rule and the URL.
> > >>
> > >>
> > >> Gonen
> > >>
> > >>
> > >> If you can't read my mail, try changing encoding to UTF-8.
> > >> Gonen.
> > >>
> > >>
> > >> Jeremy Melanson wrote: 
> > >>     
> > >>> Hi Gonen.
> > >>>
> > >>> Here's how I've been removing by specific URL, or more specifically
> URI:
> > >>>
> > >>> <LocationMatch "[URL]">
> > >>> 	SecRuleRemoveById ####
> > >>> </LocationMatch>
> > >>>
> > >>> If you wanted /index.do, you'd enter:
> > >>> <LocationMatch "^/index\.do">
> > >>> 	SecRuleRemoveById ####
> > >>> </LocationMatch>
> > >>>
> > >>> This will remove the rule when a match is made on any URI beginning
> with
> > >>> "/index.do".
> > >>>
> > >>> -----
> > >>> Jeremy
> > >>>
> > >>>
> > >>> On Thu, 2007-06-21 at 19:45 +0300, Gonen Radai wrote:
> > >>>   
> > >>>       
> > >>>> OK, but how do i remove entries from the log, on:
> > >>>>
> > >>>> 1) a specific URL 
> > >>>>
> > >>>>
> > >>>> 2) SecRuleRemoveById #### (on that specific URL)
> > >>>>
> > >>>> ?
> > >>>>
> > >>>>
> > >>>> Gonen
> > >>>>
> > >>>>
> > >>>> If you can't read my mail, try changing encoding to UTF-8.
> > >>>> Gonen.
> > >>>>
> > >>>>
> > >>>> Ofer Shezaf wrote: 
> > >>>>     
> > >>>>         
> > >>>>> The duplicate ID is a bug in the Core Rule Set that was fixed in
> the
> > >>>>> current (stable) release
> > >>>>>
> > >>>>>  
> > >>>>>
> > >>>>> ~ Ofer
> > >>>>>
> > >>>>>  
> > >>>>>
> > >>>>> From:mod-security-users-bounces <at> lists.sourceforge.net
> > >>>>> [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf
> > >>>>> Of Gonen Radai
> > >>>>> Sent: Tuesday, June 19, 2007 3:40 PM
> > >>>>> To: mod-security-users <at> lists.sourceforge.net
> > >>>>> Subject: [mod-security-users] exclude rule and log
> > >>>>>
> > >>>>>
> > >>>>>  
> > >>>>>
> > >>>>> Hi, 
> > >>>>>
> > >>>>>
> > >>>>> I'm running modsecurity2
> > >>>>> The core rule 960015 is configured in the following conf files:
> > >>>>> modsecurity_crs_20_protocol_violations.conf
> > >>>>> modsecurity_crs_21_protocol_anomalies.conf
> > >>>>>
> > >>>>> I don't want to log requests that match the rule on a specific url,
> > >>>>> for example:
> > >>>>> http://domain.com/index.html
> > >>>>>
> > >>>>> so I added the following SecRuleRemoveById to my VirtualHost:
> > >>>>>
> > >>>>> <VirtualHost 123.123.123.123:80>
> > >>>>> Servername domain.com
> > >>>>> ...
> > >>>>>     <Files index.html>
> > >>>>>                 SecRuleRemoveById       960015
> > >>>>>         </Files>
> > >>>>> </VirtualHost>    
> > >>>>>
> > >>>>> But I still get log entries regarding that rule on that specific
> > >>>>> http://domain.com/index.html
> > >>>>> Changing it to:
> > >>>>> SecRuleRemoveById       960015 "allow,phase:1,nolog"
> > >>>>>
> > >>>>> Also didn't stop the logging.
> > >>>>> What do I miss ?
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> -- 
> > >>>>> If you can't read my mail, try changing encoding to UTF-8.
> > >>>>> Gonen.

Ryan Barnett | 5 Jul 17:34

Re: exclude rule and log

Keep in mind that when you place SecRuleRemoveByID inside Apache scope directives (such as Location, LocationMatch, etc.), it only operates in phase 2. This means that you cannot disable phase 1 Core Rules.

It is for this reason that we are working on a new action that will allow you to selectively disable rules instead of it being a global directive.

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Jeremy Melanson
Sent: Thursday, July 05, 2007 10:50 AM
To: Gonen Radai
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] exclude rule and log

In my config, all of the core rules are applied to the VirtualHosts. There are no modifications to the core rules, only exclusions per VirtualHost. This means that all of the core rules are applied for your whole server.


I have this in my httpd.conf, which makes them "global" (it applies to all VirtualHosts).

SecServerSignature "ArbitraryName"
SecDataDir /usr/local/apache/var/secdatadir
SecTmpDir /usr/local/apache/var/sectmpdir
# We specify modsecurity*.conf, because there are other files that we don't want to call from here.
# They are called for their specific virtual hosts.
Include /usr/local/apache/conf/modsecurity/modsecurity*.conf

If you want to just keep all of the Mod Security settings the same for all VirtualHosts, then you would just remove parts of the <ifModule mod_security2.c> section for each virtualHost that you want to make global, and put them into your httpd.conf file. You still have the option of making individual rule changes per virtual host if you want.

I wouldn't turn SecAuditEngine off for any reason, as that turns off auditing for ALL rules. The best thing to do (IMHO) is to just "SecRuleRemoveById" for specific Locations. When you issue "SecRuleRemoveById XXXXXX", it turns the given rule off , which includes all Auditing and logging for that rule. Your access logs, normal error logging, and other Mod Security rules should behave normally.

-----
Jeremy


On Wed, 2007-07-04 at 13:29 +0300, Gonen Radai wrote:

Hi,

Sorry for the long delay.

Jeremy, I tried your first (and small) solution, but I still see log
entries for that location+rule.

Your second solution is not good for me since I want all core rules to
be applied for my whole server, and it's going to be very messy to put
so many configuration lines in each VHost, especially if those lines
will appear again in each VHost.

I tried the following:

<VirtualHost>
...
        <Location "/index.html">
                SecAuditEngine Off
                SecRuleRemoveById       960015
                SecRuleRemoveById       990011
                SecAuditEngine On
        </Location>
</VirtualHost>

but in that way, I don't get ANY logging for /index.html, which is bad
because I need to see log entries regarding other rules on that location.

What is the way to configure SecRuleRemoveById+nolog on a specific URI?

Thanks,

Gonen

If you can't read my mail, try changing encoding to UTF-8.

Gonen.

Jeremy Melanson wrote:

> Ah. I see your problem.
>
> I have multiple virtual hosts in my proxies as well. The solution I did
> was to create individual Mod Security configs per VHost config:
>
> <VirtualHost [blahblahblahblah]>
>      <IfModule  mod_security2.c>
>              SecRuleEngine On
>              SecRequestBodyAccess XXX
>              SecResponseBodyAccess XXX
>              SecResponseBodyMimeType XXXXXXXXXXXXXXXXXXXXXXX
>              SecResponseBodyLimit XXXXXX
>              SecUploadDir XXXXXXXXXXXXXXXX
>              SecUploadKeepFiles XXX
>              SecAuditEngine XXXXXXXXXXXX
>              SecAuditLogRelevantStatus XXXXXXXXXX
>              SecAuditLogType Concurrent
>              SecAuditLog [log file specific to virtual host]
>              SecAuditLogStorageDir [storage dir specific to virtual host]
>              SecAuditLogParts XXXXXXXXXXXXX
>              SecArgumentSeparator XXXX
>              SecCookieFormat XXXX
>              SecRequestBodyInMemoryLimit XXXXXXXXXXXX
>              Include [config file containing rule exceptions specific to virtual host]
>      </IfModule>
> </VirtualHost>
>
> The really important one is the "Include" line. That is where I've
> configured my individual exceptions. Since they're within my VirtualHost
> definition, they're specific only to that VirtualHost.
>
> Keep in mind, that there is additional administration overhead when it's
> done this way, but at least you can be a lot more granular with your
> rule definitions and exceptions. And with my config, I can also tweak
> several Mod Security parameters per-VirtualHost as well.
>
> -----
> Jeremy
>
> On Thu, 2007-06-21 at 22:02 +0300, Gonen Radai wrote:
>
>> Hi Jeremy, thanks for your response.
>>
>> I have two problems with your suggestion:
>>
>> 1) Matching by URI means that if I want to remove a rule on a specific
>> URL, I can't, because I might have more than one VirtualHost that
>> includes the same URI (e.g. 'index.php').
>>
>> 2) You didn't tell me if this way you don't see log entries of the
>> matching rule (although it's removed and passed).
>>
>> I am able to remove a rule on a specific URL, but I keep getting entries
>> of that rule matching with that URL.
>>
>> My goal is to remove a rule on a URL and NOT log any matches between the
>> rule and the URL.
>>
>> Gonen
>>
>> Jeremy Melanson wrote:
>>
>>> Hi Gonen.
>>>
>>> Here's how I've been removing by specific URL, or more specifically URI:
>>>
>>> <LocationMatch "[URL]">
>>>    SecRuleRemoveById ####
>>> </LocationMatch>
>>>
>>> If you wanted /index.do, you'd enter:
>>> <LocationMatch "^/index\.do">
>>>    SecRuleRemoveById ####
>>> </LocationMatch>
>>>
>>> This will remove the rule when a match is made on any URI beginning with
>>> "/index.do".
>>>
>>> -----
>>> Jeremy
>>>
>>> On Thu, 2007-06-21 at 19:45 +0300, Gonen Radai wrote:
>>>
>>>> OK, but how do I remove entries from the log, on:
>>>>
>>>> 1) a specific URL
>>>>
>>>> 2) SecRuleRemoveById #### (on that specific URL)
>>>>
>>>> ?
>>>>
>>>> Gonen
>>>>
>>>> Ofer Shezaf wrote:
>>>>
>>>>> The duplicate ID is a bug in the Core Rule Set that was fixed in the
>>>>> current (stable) release
>>>>>
>>>>> ~ Ofer
>>>>>
>>>>> From: mod-security-users-bounces <at> lists.sourceforge.net
>>>>> [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf
>>>>> Of Gonen Radai
>>>>> Sent: Tuesday, June 19, 2007 3:40 PM
>>>>> To: mod-security-users <at> lists.sourceforge.net
>>>>> Subject: [mod-security-users] exclude rule and log
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm running modsecurity2
>>>>> The core rule 960015 is configured in the following conf files:
>>>>> modsecurity_crs_20_protocol_violations.conf
>>>>> modsecurity_crs_21_protocol_anomalies.conf
>>>>>
>>>>> I don't want to log requests that match the rule on a specific url,
>>>>> for example:
>>>>> http://domain.com/index.html
>>>>>
>>>>> so I added the following SecRuleRemoveById to my VirtualHost:
>>>>>
>>>>> <VirtualHost 123.123.123.123:80>
>>>>> Servername domain.com
>>>>> ...
>>>>>     <Files index.html>
>>>>>                 SecRuleRemoveById       960015
>>>>>     </Files>
>>>>> </VirtualHost>
>>>>>
>>>>> But I still get log entries regarding that rule on that specific
>>>>> http://domain.com/index.html
>>>>> Changing it to:
>>>>> SecRuleRemoveById       960015 "allow,phase:1,nolog"
>>>>>
>>>>> Also didn't stop the logging.
>>>>> What do I miss?
Erwin Geirnaert | 9 Jul 12:41
Favicon

ModSecurity plugin with client certificates

Hi list,

Before I start playing with this, I would rather ask the list of experts:

Can ModSecurity be configured as a plugin for Apache after successful SSL authentication using client certificates?

In this scenario it is difficult to use mod_proxy because information from the client certificate is required in the local PHP application, but would ModSecurity be able to inspect HTTP traffic after decryption? (I assume yes)

Any additional things or configuration issues that might be required?

Thank you,

Erwin

Ryan Barnett | 9 Jul 13:37

Re: ModSecurity plugin with client certificates

Yes, ModSecurity can be installed on an Apache server that is doing SSL + Client certificate auth.  You are asking about two different things however – encryption and authentication.  SSL encryption does not affect Mod when running embedded as the decryption happens at a lower level.  The data is already decrypted by the time Apache passes it off to Mod in phase:1 – post-read-request.  Now for SSL client cert authentication, that would happen at a later apache request phase hook (access control).  If you moved all of the Mod security rules to run in phase:2 or later, then you would have the SSL decryption and access control execute before Mod took any action.

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache
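Ryan's phase point, written out as an added configuration example (not from the thread or from the ModSecurity project): mod_ssl has already decrypted the request before any request hook runs, while per-location client-certificate verification is enforced in Apache's access-control hook, which comes after ModSecurity phase 1, so rules that should only see client-cert-authenticated requests are placed in phase 2. Host names, file paths and the rule id are assumptions.

```apache
# Added example, not from the thread. Host names, paths and rule id are assumed.
<VirtualHost 192.0.2.10:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app.example.com.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # TLS decryption happens below the request hooks, so ModSecurity sees
    # cleartext in every phase. Client-certificate verification, however, is
    # enforced in the access-control hook, which runs after ModSecurity
    # phase 1 (post-read-request) and before phase 2.
    <Location /app>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On

        # Make phase 2 the default for rules that do not set a phase
        # themselves. Rules that carry their own phase:1 action (as many
        # Core Rule Set protocol rules do) keep running before client-cert
        # auth, exactly as Ryan describes; only the phase:2 rules are
        # guaranteed to run after it.
        SecDefaultAction "phase:2,log,deny,status:403"

        # Example rule with no explicit phase: it inherits phase:2, so it is
        # only evaluated for requests that already passed SSLVerifyClient.
        SecRule REQUEST_METHOD "!^(?:GET|POST)$" "id:900001,msg:'Unexpected method under /app'"
    </IfModule>
</VirtualHost>
```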

 

 
