Juls | 3 Nov 12:23

ModSecurity script Chroot

Hi,

I'm currently trying ModSecurity 2 on httpd 2.2.10 with modsec-clamscan.pl and I've got a little question. When I use SecRule FILES_TMPNAMES "@inspectFile /full/path/to/clamscan.pl" log,deny,status:507,phase:2 without chroot, it works fine, but when I put in the SecChrootDir option, I get this message: ModSecurity: Exec: Execution failed while reading output: clamscan.pl (End of file found).
So, my question is: can an external script work with SecChrootDir?

Thanks for your responses

Best regards

Julien HASCOET

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
rp-modsec-list | 3 Nov 16:57

IE6 browser with ask.com search engine with core ruleset/1.6.1

I submitted this to ask.com:

<submitted to ask.com>
When using the ask.com search engine with the IE6 browser, ask.com will generate
a Referer header with %0D and %0A.

This causes an issue with a popular web server firewall called 
mod_security.

Example referrer:
Referer: http://www.ask.com/web?q=SANITIZED&search=%3CDIV+id%3Dsb6%3E%0D%0A%3CDIV+id%3Ds6%3E%3C%2FDIV%3E%3C%2FDI

So, people using IE6 with ask.com and clicking on the search results,
will likely be denied access to sites using mod_security web application 
firewall.
</submitted to ask.com>

Relevant headers:
-----------------
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.ask.com/web?q=SANITIZED+SANITIZED&search=%3CDIV+id%3Dsb6%3E%0D%0A%3CDIV+id%3Ds6%3E%3C%2FDIV%3E%3C%2FDIV%3E&qsrc=0&o=0&l=dir
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Host: www.SANITIZED.com
Connection: Keep-Alive

From section H of the audit log:
--------------------------------
Message: Warning. Pattern match "%0[ad]" at REQUEST_HEADERS:Referer. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "211"] [id "950910"] [msg "HTTP Response Splitting Attack"] [data "%0d"] [severity "ALERT"]
Stopwatch: 1224182551337135 235424 (463 3343 113179)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/); core ruleset/1.6.1.
Server: Apache

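As an added example (not part of the original post or of the Core Rule Set), the Python below reproduces a 950910-style "%0[ad]" match over the headers quoted above and adds the triage check a defender would run on such an alert: whether the Referer actually carries CR/LF bytes or only a percent-encoded sequence inside the referring URL's query string. The header values are constructed from the post; the function names are illustrative, and case-insensitive matching is an inference from the log reporting "%0d" for an uppercase "%0D" in the header.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request, built from the headers quoted in the post
# (the Referer is the reported value; the host keeps the poster's SANITIZED placeholder).
SAMPLE_HEADERS = {
    "Host": "www.SANITIZED.com",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Referer": ("http://www.ask.com/web?q=SANITIZED+SANITIZED&search=%3CDIV+id%3Dsb6%3E"
                "%0D%0A%3CDIV+id%3Ds6%3E%3C%2FDIV%3E%3C%2FDIV%3E&qsrc=0&o=0&l=dir"),
    "Accept-Language": "en-us",
}

# Pattern reported in the audit log for CRS rule 950910. The log shows matched
# data "%0d" although the header has "%0D", so the rule evidently lowercases
# first; matching case-insensitively here reproduces that behaviour.
SPLITTING_PATTERN = re.compile(r"%0[ad]", re.IGNORECASE)


def match_headers(headers):
    """Return (header_name, matched_text) pairs, mimicking inspection of REQUEST_HEADERS."""
    hits = []
    for name, value in headers.items():
        m = SPLITTING_PATTERN.search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits


def triage_referer(referer):
    """Classify a Referer hit: a literal CR/LF in the header value, or only a
    percent-encoded one inside the referring URL's query parameters?"""
    literal_crlf = "\r" in referer or "\n" in referer
    parts = urlsplit(referer)
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes values, so an encoded %0D%0A shows up as "\r\n" here.
    encoded_in = sorted(
        key for key, values in params.items()
        if any("\r" in v or "\n" in v for v in values)
    )
    return {
        "literal_crlf_in_header": literal_crlf,
        "encoded_crlf_in_query_params": encoded_in,
        "referer_host": parts.hostname,
    }


if __name__ == "__main__":
    for name, data in match_headers(SAMPLE_HEADERS):
        print(f'Pattern match "{SPLITTING_PATTERN.pattern}" at REQUEST_HEADERS:{name} [data "{data}"]')
    print(triage_referer(SAMPLE_HEADERS["Referer"]))
```

For the quoted request the header contains no raw CR/LF; the encoded pair sits in the referring site's "search" parameter, which is what makes this an alert to review against the referring host rather than evidence of an injection attempt by the client.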
David Fletcher | 3 Nov 22:11

Re: ModSecurity script Chroot

Hi Julien,

I use the chroot facility of mod security. I think the issue is that your
perl installation lies outside the chroot. Even if the clamscan.pl
script is accessible to apache, it won't be able to run - hence the
execution failure error.

Mod security chroot does well at starting some piped logging scripts
which lie outside the chroot just prior to the chroot operation. These
scripts can run even though they are outside the chroot jail. However,
it's not possible to start additional processes outside the jail after
the chroot operation. Hence, for example, these piped logging processes
can't be restarted if they fail. Similarly, you won't be able to start
a perl process unless all the perl installation is copied into the
chroot jail - almost certainly a major undertaking.

Importantly, you don't really want any executables inside the jail
anyway - that way, if someone breaks in, they can't actually do
anything.

I don't know Clam AV, but could you call it using a network socket
approach rather than a script? Since sockets are network based, they
remain accessible to processes in the chroot.

David.


-----------------------------
Email: David <at> megapico.co.uk
Online galleries & photos: http://www.megapico.co.uk/gallery/
-----------------------------

Jason Haar | 4 Nov 09:31

Re: ModSecurity script Chroot

chroot jails are always a pain when it comes to such things. Perhaps a
nice feature request would be if modsecurity supported unix sockets as 
well as/instead of execv? i.e. pipe the filename to be scanned to a
socket and the daemon (outside the jail) associated with that socket
could scan the filename and return the 0/1 status that way? Sort of like
clamdscan vs clamscan for those ClamAV users out there ;-) That way you
wouldn't have to put perl/etc within the jail.

In fact, I'd like to remind those chroot users out there that most of
the enhanced security you gain by running something in a jail comes from
the removal of /bin/sh and other system utilities - like perl. Putting
them within the jail effectively disables the security improvement you
should have got. Just Say No ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Najmeh Rezatash | 4 Nov 13:03

Help me on installing modsecurity-apache_2.5.7

Hi,
I'm installing modsecurity-apache_2.5.7 on Fedora Core v.9; the Apache version is 2.2.8. Actually, I'm not very familiar with Linux stuff, it's my first experience...
I'm installing it according to the manual associated with the module, which reads like this:
-----------------------------------------------------------------------------------------------------------------------------------
ModSecurity installation consists of the following steps:
    1.  ModSecurity 2.x works with Apache 2.0.x or better.
    2.  Make sure you have mod_unique_id installed.
    3.  (Optional) Install the latest version of libxml2, if it isn't already installed on the server.
    4.  Unpack the ModSecurity archive
    5.  Edit Makefile to configure the path to the Apache ServerRoot directory. You can check this by
        identifying the ServerRoot directive setting in your httpd.conf file. This is the path that was
        specified with the "--install-path=" configuration flag during compilation (for example, in
        Fedora Core4: top_dir = /etc/httpd).
    6.  (Optional) Edit Makefile to enable ModSecurity to use libxml2 (uncomment line DEFS = -DWITH_LIBXML2
        and configure the include path (for example: INCLUDES=-I/usr/include/libxml2)
    7.  Compile with make
    8.  Stop Apache
    9.  Install with make install
    10. (Optional) Add one line to your configuration to load libxml2: LoadFile /usr/lib/libxml2.so
    11. Add one line to your configuration to load ModSecurity: LoadModule security2_module modules/mod_security2.so
    12. Configure ModSecurity
    13. Start Apache
    14. You now have ModSecurity 2.x up and running.
--------------------------------------------------------------------------------------------------------------------------------------------------
In the CHANGES_2.5.7.txt file associated with this version of modsec, they mention the following change to installing modsec:
"Build is now 'configure' based: ./configure && make && make install"

When I go to the "/modsecurity-apache_2.5.7/apache2" directory and type the command ./configure, it says "pcre library is not installed".
I know it's already installed on my system, but I reinstalled it again using "yum install pcre".
My questions are:
1- What should I do about this error?
2- Where will the "pcre library" be installed?
3- How can I get a detailed installation guide to install ModSec successfully?

Please help me a.s.a.p.,
thanks a million......


Brian Rectanus | 4 Nov 16:15

Re: Help me on installing modsecurity-apache_2.5.7

You have the library installed, but you also need to install the development package in order to build a binary against it.

So I think:

yum install pcre-devel

And also the dev packages for libxml2 and apr and apr-util.

-B

Ivan Ristic | 4 Nov 16:25

Re: Question about ModSecurity2

The name is different for every file; a temporary file is used. The
inspection script will receive the filename as its first parameter.

On Tue, Nov 4, 2008 at 2:07 PM, Juls <julien.hascoet <at> gmail.com> wrote:
> Ok, thank you for this information. So, if we are in a chrooted context,
> what is the name given to the file to scan?
>
> Best regards
>
> On Mon, Nov 3, 2008 at 2:28 PM, Ivan Ristic <ivan.ristic <at> gmail.com> wrote:
>>
>> It can, but you will have to have the entire Perl infrastructure in
>> the jail. That's going to require a bit of work. There is also a
>> question of how will the ClamAV daemon find the file it needs to scan
>> (e.g. if the client part of ClamAV references files using their
>> filenames, the paths will not be identical inside and outside the
>> jail).
>>
>> On Mon, Nov 3, 2008 at 11:09 AM, Juls <julien.hascoet <at> gmail.com> wrote:
>> > Hi,
>> >
>> > I'm currently trying Modsecurity2 on httpd 2.2.10 with
>> > modsec-clamscan.pl
>> > and i've got a little question. When i use  SecRule FILES_TMPNAMES
>> > "@inspectFile /full/path/to/clamscan.pl" log,deny,status:507,phase:2
>> > without
>> > chroot, it work fine but when i put the SecChrootDir option, i've got
>> > this
>> > messages :ModSecurity: Exec: Execution failed while reading output:
>> > clamscan.pl (End of file found).
>> > So, my question is: An external script can work with SecChrootDir ?
>> >
>> > Thanks for your response
>> >
>> > Best regards
>> >
>> > Julien HASCOET
>> >
>> >
>>
>>
>>
>> --
>> Ivan Ristic
>
>

-- 
Ivan Ristic

Tedi Heriyanto | 4 Nov 16:43

Re: Help me on installing modsecurity-apache_2.5.7

Hi Najmeh,

I've just installed and configured ModSecurity on a Red Hat-based distro.

On Tue, Nov 4, 2008 at 7:03 PM, Najmeh Rezatash <nrezatash <at> gmail.com> wrote:
> i know it's already installed on my system, but i reinstalled it again using
> "yum install pcre" .
> my question is:
> 1-what should i do for this error?
> 2- where will "pcre library" be installed?
As Brian said, please do:

yum install pcre-devel

> 3- how can i get a detailed installation guide to install ModSec
> successfully?
The documentation at:

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/html-multipage/installation.html

was very helpful for me when installing ModSecurity.

-- 
cheers,

tedi
Blog      : http://theriyanto.wordpress.com
Website : http://tedi.heriyanto.net
You Need More Than Awareness : Stay Alert!

Ivan Ristic | 4 Nov 17:35

Re: Question about ModSecurity2

After, and your script must be in the jail too. Assuming your script
is in "/chroot/jail/script", the path you give to @inspectFile is just
"/script".

On Tue, Nov 4, 2008 at 4:02 PM, Juls <julien.hascoet <at> gmail.com> wrote:
> Ok, it's clear in my mind now. So just one last question:
>
> my Apache default directory is /opt/apache
> my SecChrootDir is /chroot/jail
>
> At @inspectFile, do I have to put the path before the chroot process or after?
>
> Thanks a lot for the time you gave to my problem.
>
> Best regards
>
> Julien
>
>

-- 
Ivan Ristic

Lestat Lincourt | 5 Nov 18:26

Books contents mod_security rules creation tutorial

Hello folks!

It's my first post here. I'm a beginner in mod_security.
I was reading about some books on Apache security and I found two books that look interesting.

Apache Security - Ivan Ristic
Preventing Web Attacks with Apache - Ryan C. Barnett

I want to know your opinion about these books and how much of mod_security I can find inside them.
Will one of these books help in learning to customize rules in mod_security?

Thanks,

Lestat
