Brent | 2 Apr 2008 00:44

rules problem mod_security2

I installed apache 2.2.8 & mod_security2-2.1.6 using only the CORE rules that
came with the install..everything seemed to go well until I went to start
apache I got:

Syntax error on line 64 of
/usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_20_protocol_violations.conf:
Error creating rule: Unknown variable: XML

I removed the file & restarted apache & I got the same error for file
modsecurity_crs_40_generic_attacks.conf line 32 Error creating rule: Unknown
variable: XML

I removed that file then apache fired up using the remaining rules. Is there
someplace I can replace those files with ones that will work ? Or is there
some change to those files that is needed ? Help..thanks in advance.

modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_40_generic_attacks.conf

--
Brent

Brian Rectanus | 2 Apr 2008 01:49

Re: rules problem mod_security2

Try a quick search for that error in the archives:

http://sourceforge.net/search/?group_id=68846&words=Unknown+variable%3A+XML&type_of_search=mlists&pmode=0&limit=50

Basically, you did not compile with XML support.

-B

Brent wrote:
> I installed apache 2.2.8 & mod_security2-2.1.6 using only the CORE rules
> that came with the install..everything seemed to go well until I went to
> start apache I got:
> 
> Syntax error on line 64 of
> /usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_20_protocol_violations.conf:
> Error creating rule: Unknown variable: XML
> 
> I removed the file & restarted apache & I got the same error for file
> modsecurity_crs_40_generic_attacks.conf line 32 Error creating rule: Unknown
> variable: XML
> 
> I removed that file then apache fired up using the remaining rules. Is there
> someplace I can replace those files with ones that will work ? Or is there
> some change to those files that is needed ? Help..thanks in advance.
> 
> modsecurity_crs_20_protocol_violations.conf
> modsecurity_crs_40_generic_attacks.conf
> 
> 

Ryan Barnett | 2 Apr 2008 01:50

Re: rules problem mod_security2

The FAQ is your friend :)
http://www.modsecurity.org/documentation/faq.html#d0e78

For this issue, check out this past thread -
http://article.gmane.org/gmane.comp.apache.mod-security.user/3630

You have a few options:
1) Compile ModSecurity with XML support

2) If you already compiled it, it may be that you didn't add the
LoadFile directive -
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.6/modsecurity2-apache-reference.html#02-installation

3) If you don't want to, or can't, compile Mod with XML support, then
you can edit the Core Rules files themselves and remove the "XML:/*"
variable from the rules.

 
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net
> [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Brent
> Sent: Tuesday, April 01, 2008 6:44 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] rules problem mod_security2
> 
> I installed apache 2.2.8 & mod_security2-2.1.6 using only the CORE rules
> that came with the install..everything seemed to go well until I went to
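Option 3 above (removing the "XML:/*" variable from the rules) as an added example, not part of the original thread or of the Core Rules: a Python helper that strips XML targets from SecRule variable lists and flags rules where XML was the only target instead of rewriting them. The sample rules are constructed, and the helper assumes unquoted variable lists.

```python
import re

# Matches a SecRule directive and isolates its variable (target) list, which is
# the first argument. Assumes the list is unquoted, as in ARGS|XML:/*
RULE = re.compile(r"^(\s*SecRule\s+)(\S+)(.*)$")
# XML, XML:/* and negated forms such as !XML:/*
XML_TARGET = re.compile(r"^!?XML(:.*)?$")

def strip_xml_targets(conf_text):
    """Return (new_text, report) with XML targets removed from SecRule lines.

    report holds (line_number, status): "stripped" when other targets remain,
    "manual" when XML was the only target and the line was left untouched.
    """
    out, report = [], []
    for number, line in enumerate(conf_text.splitlines(), 1):
        match = RULE.match(line)
        if match:
            head, targets, rest = match.groups()
            parts = targets.split("|")
            kept = [t for t in parts if not XML_TARGET.match(t)]
            if kept and len(kept) < len(parts):
                line = head + "|".join(kept) + rest
                report.append((number, "stripped"))
            elif not kept:
                # Nothing would be left to inspect; a human decides whether to
                # drop the rule (it may be part of a chain).
                report.append((number, "manual"))
        out.append(line)
    return "\n".join(out) + "\n", report

# Constructed sample rules, not lines from the Core Rules files.
SAMPLE_RULES = (
    'SecRule REQUEST_FILENAME|ARGS|XML:/* "pattern1" "phase:2,deny"\n'
    'SecRule XML:/*|ARGS_NAMES "pattern2" \\\n'
    '    "phase:2,deny"\n'
    'SecRule XML:/* "pattern3" "phase:2,deny"\n'
    'SecRule ARGS "xxx" "phase:2,deny"\n'
)

if __name__ == "__main__":
    text, report = strip_xml_targets(SAMPLE_RULES)
    print(text, end="")
    for number, status in report:
        print(f"line {number}: {status}")
```

Run the edited files through `apachectl configtest` before restarting. Rules stripped this way no longer inspect parsed XML content.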

Nick Gearls | 2 Apr 2008 10:48

Debug log explanation

Hello,

A few questions about the debug log:
  1. How to see in which phase we are ?
  2. What's the link between the rule number (hexa) in this file and the 
real rule id number ?

Thanks,

Nick

Nick Gearls | 2 Apr 2008 11:42

ModSecurity & vhost

Hello,

When ModSecurity is defined at the main server level, what is the 
expected behaviour in virtual hosts ?
I would expect, by default, to have it active, but the documentation is 
not clear. Should I explicitly state "SecRuleInheritance On" ?

Furthermore, I cannot have my rules active at all.
Ex:
    SecRuleEngine  On
    SecRuleInheritance On
    ...
    <VirtualHost ...>
       SecRuleEngine  On
       SecRuleInheritance On
       ...
    </VirtualHost>
Inside the virtual host, rules are not triggered !?!

Am I missing something ?

Thanks,

Nick


Nick Gearls | 2 Apr 2008 12:07

Re: ModSecurity & vhost

It seems that I found most of the answer:
  1. "SecRuleInheritance On" is absolutely needed in vhosts
     (default is "Off" - is this secure by default ?)
  2. "SecDefaultAction" is not inherited in vhosts
     Isn't this a bug ?

Thanks,

Nick

Ivan Ristic | 2 Apr 2008 13:42

Re: ModSecurity & vhost

Hi Nick,

On Wed, Apr 2, 2008 at 11:07 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> It seems that I found most of the answer:
>   1. "SecRuleInheritance On" is absolutely needed in vhosts
>      (default is "Off" - is this secure by default ?)

This is not what I get in my installation. Rules from the main server
are inherited in virtual hosts. Here's my configuration:

Listen 8081
NameVirtualHost 192.168.0.111:8081

SecRuleEngine On
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 9

SecRule ARGS xxx id:1

<VirtualHost 192.168.0.111:8081>
    ServerName test2.example.com
    DocumentRoot /home/ivanr/apache22/htdocs/test2/
    SecRule ARGS test2 id:2
</VirtualHost>

<VirtualHost 192.168.0.111:8081>
    ServerName test1.example.com
    DocumentRoot /home/ivanr/apache22/htdocs/test1/
    SecRule ARGS test1 id:3
</VirtualHost>

Ivan Ristic | 2 Apr 2008 13:45

Re: Debug log explanation

On Wed, Apr 2, 2008 at 9:48 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> Hello,
>
>  A few questions about the debug log:
>   1. How to see in which phase we are ?

In your debug log you should see level 4 messages such as:

Starting phase REQUEST_HEADERS.

and

Starting phase REQUEST_BODY.

and so on.

>   2. What's the link between the rule number (hexa) in this file and the
>  real rule id number ?

There isn't one. The hexadecimal numbers are pointers to memory
locations used to store rules. They are only of use to the developers.

>  Thanks,
>
>  Nick
>
>
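The phase markers described above, used to label every debug log line with the phase it belongs to (an added example, not part of the original thread). The log line layout and the "Recipe: Invoking rule" wording are assumptions, the sample lines are constructed, and SecDebugLogLevel must be at least 4 for the "Starting phase" messages to appear.

```python
import re

# Assumed ModSecurity 2.x debug log layout:
# [time] [host/sid#ptr][rid#ptr][uri][level] message
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>\w+)\]"
    r"\[rid#(?P<rid>\w+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d+)\] (?P<msg>.*)$"
)
PHASE_START = re.compile(r"^Starting phase (\w+)\.")

def tag_phases(log_text):
    """Return (rid, phase, level, message) for every parsable log line.

    The phase is tracked per transaction (rid) because lines from concurrent
    requests interleave in one debug log file.
    """
    current = {}  # rid -> most recent "Starting phase" seen for it
    tagged = []
    for raw in log_text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue
        rid, msg = match["rid"], match["msg"]
        started = PHASE_START.match(msg)
        if started:
            current[rid] = started.group(1)
        tagged.append((rid, current.get(rid, "UNKNOWN"), int(match["level"]), msg))
    return tagged

def make_line(host, rid, uri, msg, level=4):
    # Builds one constructed log line in the assumed layout.
    return (f"[02/Apr/2008:13:45:01 +0100] [{host}/sid#9d5a2e8]"
            f"[rid#{rid}][{uri}][{level}] {msg}")

# Constructed sample: two interleaved transactions; rule message wording is assumed.
SAMPLE_LOG = "\n".join([
    make_line("test1.example.com", "a0c31f0", "/index.html", "Starting phase REQUEST_HEADERS."),
    make_line("test1.example.com", "a0c31f0", "/index.html", "Recipe: Invoking rule 9e1c2b8."),
    make_line("test2.example.com", "a0d4420", "/form", "Starting phase REQUEST_HEADERS."),
    make_line("test1.example.com", "a0c31f0", "/index.html", "Starting phase REQUEST_BODY."),
    make_line("test2.example.com", "a0d4420", "/form", "Recipe: Invoking rule 9e1c2b8."),
    make_line("test1.example.com", "a0c31f0", "/index.html", "Recipe: Invoking rule 9e1d004."),
])

if __name__ == "__main__":
    for rid, phase, level, msg in tag_phases(SAMPLE_LOG):
        print(f"{rid} {phase:<16} [{level}] {msg}")
```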

Ofer Shezaf | 3 Apr 2008 10:02

AppSec EU08 registrations are open!

OWASP conferences have always been the best place to get deep into web application security. You can’t get more professional than that and as a bonus meet all the who’s who of the web application security industry. But this time it has special interest for ModSecurity users:

+ Ivan Ristic will be there and talk about the web application firewalls evaluation criteria. A wonderful opportunity to meet the guy behind it all.

+ Ryan Barnett will also be there and give a ModSecurity two day boot-camp!

+ Christian Folini will speak about Remo – his positive security rules generation system for ModSecurity.

+ And on my part I invite you to the Breach Security cocktail party on the night of the 20th, RSVP to me.

So if you are interested, details are in Sebastien Deleersnyder’s e-mail below, and if you have unanswered questions, feel free to ask me.

~ Ofer

From: owasp-leaders-bounces <at> lists.owasp.org [mailto:owasp-leaders-bounces <at> lists.owasp.org] On Behalf Of Sebastien Deleersnyder
Sent: Tuesday, April 01, 2008 10:36 AM
To: OWASP Leaders
Subject: [Owasp-leaders] AppSec EU08 registrations are open!

Hi All,

I am very proud to announce that we are open for registration!

If you have not seen our agenda – check it out: https://www.owasp.org/index.php/AppSecEU08

We have lots of interesting talks and 5 tutorial tracks.

And if that’s not enough: http://en.wikipedia.org/wiki/Belgian_beer :-)

Hope to see you all May 19-22 in beautiful Ghent!

Don’t hesitate to forward this invitation to your contacts.

Thank you,

Kind regards

Seba

OWASP Foundation

seba <at> owasp.org

+32.478.504.117


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders <at> lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Clayton Dillard | 3 Apr 2008 12:17

IP/Host Exclusion

I would like to exclude a range of IP addresses from being blocked by
ModSecurity rules.  Can someone point me to some info on how to set this
up?

Thank you,
Clay
