headers
Ryan Barnett | 1 Aug 2008 01:56

Re: Simple Rule Question

Are those your exact rule examples or did you omit some action data?  The reason I ask is the the default
SecDefualtActions setting in 2.5 is to log,pass and not to deny.  So, unless you specify deny on your
example chained rule starter line, it will only log.

Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod-security-users-bounces <at> lists.sourceforge.net <mod-security-users-bounces <at> lists.sourceforge.net>
To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
Sent: Thu Jul 31 15:30:35 2008
Subject: [mod-security-users] Simple Rule Question

Hello,

I have a seemingly simple question but I can't make it work.

Virtual server www.example.com has several images in a folder called
/images.  The images are used in auctions and so the Referer should
always contain ebay or [otherauctionsite.tld] and if it doesn't,
then the request should be denied with a 40x-level code.

With mod_sec version 1.x I was able to do this but I've since upgraded
to 2.5 and I can't get the rules to work right.

SecRule SERVER_NAME " <at> rx example.com" "chain"
SecRule REQUEST_URI "images" "chain"
SecRule REQUEST_HEADERS:Referer "! <at> contains ebay"
# Now do something to deny it
(Continue reading)

Permalink | Reply | 1 comment |
headers
modsec8 | 1 Aug 2008 02:11

Re: Simple Rule Question

Hello,

Thanks for the reply.  The SecDefaultAction is, well, left at its 
default, so that would be "log,pass".  I've tried variations of 

"chain,log,auditlog,deny" on the first SecRule but the processing seems 
to fail or not match when it hits SecRule REQUEST_HEADERS:Referer 
"! <at> contains ebay".  I'm basing that off of debug logging which states 
that 'Rule returned 0' when it attempts the match:

[31/Jul/2008:13:22:04 --0500] 
[example.com/sid#9d3a628][rid#a04ef90]
[/images/db.jpg][4] Executing operator "!contains" with param 
"ebay" against REQUEST_HEADERS:Referer.

[31/Jul/2008:13:22:04 --0500] 
[example.com/sid#9d3a628][rid#a04ef90][/
images/db.jpg][4] Operator completed in 8 usec.

[31/Jul/2008:13:22:04 --0500] 
[example.com/sid#9d3a628][rid#a04ef90][/
images/db.jpg][4] Rule returned 0.

The previous two rules, SERVER_NAME and REQUEST_URI both have "Rule 
returned 1" which seems to indicate a match.  It's just this last line 
that fails.

I'm wondering if it's because REQUEST_HEADERS:Referer doesn't exist for 
my testing?  In other words, I'm hitting that image directly in my 
browser trying to test things so I don't think I'm sending a referer
(Continue reading)

Permalink | Reply | 0 comments |
headers
Ryan Barnett | 1 Aug 2008 02:31

Re: Simple Rule Question

Ah, now we know what the issue is as you didn't have a referer header in your test requests so the final rule in
your chain didn't have any data to match.  Please refer to this blog post on the topic of rules to identify
missing vs. empty headers - http://blog.modsecurity.org/2007/03/211x-rule-diffe.html.

For the rule below where you tried to evaluate the existence of the referer header, you needed to precede the
variable with the & character in order to count it.  If the & is missing the rule assumes the header exists but
it tries to evaluate the data such as -

Referer: 0

Hope this helps.

Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod-security-users-bounces <at> lists.sourceforge.net <mod-security-users-bounces <at> lists.sourceforge.net>
To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
Sent: Thu Jul 31 20:11:53 2008
Subject: Re: [mod-security-users] Simple Rule Question

Hello,

Thanks for the reply.  The SecDefaultAction is, well, left at its 
default, so that would be "log,pass".  I've tried variations of 

"chain,log,auditlog,deny" on the first SecRule but the processing seems 
to fail or not match when it hits SecRule REQUEST_HEADERS:Referer 
"! <at> contains ebay".  I'm basing that off of debug logging which states 
that 'Rule returned 0' when it attempts the match:
(Continue reading)

Permalink | Reply | 501 comments |
headers
modsec8 | 1 Aug 2008 03:36

Re: Simple Rule Question


This did it, along with a bit of tweaking.  Thanks for the help.

On Thu, Jul 31, 2008 at 08:31:34PM -0400, Ryan Barnett wrote:
> Ah, now we know what the issue is as you didn't have a referer header in your test requests so the final rule in
your chain didn't have any data to match.  Please refer to this blog post on the topic of rules to identify
missing vs. empty headers - http://blog.modsecurity.org/2007/03/211x-rule-diffe.html.
> 
> For the rule below where you tried to evaluate the existence of the referer header, you needed to precede
the variable with the & character in order to count it.  If the & is missing the rule assumes the header exists
but it tries to evaluate the data such as -
> 
> Referer: 0
> 
> Hope this helps.
> 
> 
> Thanks,
> Ryan C. Barnett 
> 
> ----- Original Message -----
> From: mod-security-users-bounces <at> lists.sourceforge.net <mod-security-users-bounces <at> lists.sourceforge.net>
> To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
> Sent: Thu Jul 31 20:11:53 2008
> Subject: Re: [mod-security-users] Simple Rule Question
> 
> Hello,
> 
> Thanks for the reply.  The SecDefaultAction is, well, left at its 
> default, so that would be "log,pass".  I've tried variations of
(Continue reading)

Permalink | Reply | 501 comments |
headers
marty | 1 Aug 2008 04:02

Re: Using Mod_Security to add IPs to, hosts.deny

> In looking at the error logs of our Debian LAMP server, a lot of the  
> intrusion attempts seem to start with a rapid scan of common locations  
> for a phpMyAdmin login.
> 
> Thankfully, Mod_Security easily blocks this (for my own amusement I  
> put a redirect to www.phpmyadmin.net on those attempts, but since they  
> come from some automated tool, the redirects are undoubtedly not  
> executed...)
> 
> But since such an attacker undoubtedly moves on to other strategy, I  
> would like to immediately block their access altogether by adding  
> their IP to hosts.deny in a similar manner as denyhosts.pl does for  
> ssh intrusion attemps, for example. That way all other ports such as  
> ftp etc would also be covered against this attacker.
> 
> I suppose one would have to use the EXEC command and call a script to  
> achieve this (and the script would have to retrieve the IP from the  
> environment variables, since EXEC doesn't allow any arguments).
> 
> I would be most grateful for any advice on whether this is even a good  
> idea, and what such a script would look like.
> 
I answer this from personal experience, which has been good.
This is very annoying stuff for concerned admins.

(1) Those types of automated attacks are just looking for
low hanging fruit. But they do steal bandwidth.
Most of this activity comes from a few nasty netblocks that
can (and should) be banned without issues. Manual permanent
blocks are the most effective way to deal with this garbage.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Ivan Ristic | 1 Aug 2008 11:10
Picon

Transformation Caching Unstable, Fixed, But Deprecated (ModSecurity 2.5.6 available)

FYI:

Transformation Caching Unstable, Fixed, But Deprecated
http://blog.modsecurity.org/2008/08/transformation.html

--

-- 
Ivan Ristic

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Permalink | Reply | 0 comments |
headers
Brian Rectanus | 1 Aug 2008 18:49

ModSecurity 2.5.6 Released

ModSecurity 2.5.6 was released earlier today.  This is a major bugfix 
release that  fixes issues associated with transformation caching which 
may result in an Apache crash or possibly evading ModSecurity under 
certain circumstances.  If you are using ModSecurity 2.5 you are advised 
to immediately apply a workaround and upgrade as soon as possible.

Packages can be downloaded from modsecurity.org as always.

To work around these issues until you can upgrade, use the following 
directive to disable transformation caching:

SecCacheTransformations Off

31 Jul 2008 - 2.5.6
-------------------

  * Transformation caching has been deprecated, and is now off by 
default. We now advise against using transformation caching in production.

  * Fixed two separate transformation caching issues that could cause 
incorrect content inspection in some circumstances.

  * Fixed an issue with the transformation cache using too much RAM, 
potentially crashing Apache with a large number of cache entries. Two 
new configuration options have been added to allow for a finer control 
of caching:

      maxitems: Max number of items to cache (default 1024)
      incremental: Whether to cache incrementally (default off)
(Continue reading)

Permalink | Reply | 3 comments |
headers
Grant Peel | 1 Aug 2008 22:36

bcc and cc

Hi all,

How does one turn on bcc and cc blocking in mod_security to block any 
requests that may come from form-to-email php and perl scripts?

-Grant 

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Permalink | Reply | 1 comment |
headers
Grant Peel | 3 Aug 2008 18:46

Re: ModSecurity 2.5.6 Released

Hi all,

After installing mod_security, I have a cleints Invision Power Board that is 
returning this error.

  IPS Driver Error
  There appears to be an error with the database.
  You can try to refresh the page by clicking here

  Odyly enough, I don't see anything in the logs....

  Any ideas?

  -Grant
----- Original Message ----- 
From: "Brian Rectanus" <Brian.Rectanus <at> breach.com>
To: "Mod Security" <mod-security-users <at> lists.sourceforge.net>; "Mod 
Packagers" <mod-security-packagers <at> lists.sourceforge.net>
Sent: Friday, August 01, 2008 12:49 PM
Subject: [mod-security-users] ModSecurity 2.5.6 Released

> ModSecurity 2.5.6 was released earlier today.  This is a major bugfix
> release that  fixes issues associated with transformation caching which
> may result in an Apache crash or possibly evading ModSecurity under
> certain circumstances.  If you are using ModSecurity 2.5 you are advised
> to immediately apply a workaround and upgrade as soon as possible.
>
> Packages can be downloaded from modsecurity.org as always.
>
> To work around these issues until you can upgrade, use the following
(Continue reading)

Permalink | Reply | 2 comments |
headers
Brian Rectanus | 4 Aug 2008 06:39

Re: ModSecurity 2.5.6 Released

It does not seem a likely error caused by ModSecurity as the request is 
not altered.  Does it go away without ModSecurity?  Was this an upgrade 
of ModSecurity or a new install?  Is this a proxy install or installed 
into the same Apache as IPS?

Upon a cursory google search, the error may be a load issue and/or a 
corrupted DB.  Contact the vendor and see what could cause the error.

-B

Grant Peel wrote:
> Hi all,
> 
> After installing mod_security, I have a cleints Invision Power Board that is
> returning this error.
> 
>   IPS Driver Error
>   There appears to be an error with the database.
>   You can try to refresh the page by clicking here
> 
> 
>   Odyly enough, I don't see anything in the logs....
> 
>   Any ideas?
> 
>   -Grant
> ----- Original Message -----
> From: "Brian Rectanus" <Brian.Rectanus <at> breach.com>
> To: "Mod Security" <mod-security-users <at> lists.sourceforge.net>; "Mod
> Packagers" <mod-security-packagers <at> lists.sourceforge.net>
(Continue reading)

Permalink | Reply | 1 comment |

Gmane