Clayton Dillard | 1 Dec 03:01

ModSecurity Console Start-up Script

Is there a startup script to enable the ModSecurity Console to start at boot?
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Brian Rectanus | 1 Dec 04:57

Re: segmentation faults

Kelly Martin wrote:
> Hi, I just setup a new FreeBSD 6.4 server and I installed ModSecurity
> through the ports tree. Please bear with me, as I'm still used to the
> old ModSecurity 1.9.x style of logging and troubleshooting.
> 
> On my new server with Apache 2.2.9 and the latest ModSecurity 2.5.5
> I'm getting the following sort of Segmentation Fault errors. I'm using
> the default configuration and the Core Rules.
> 
> 
> [Sun Nov 30 02:04:15 2008] [error] [client 61.135.168.39] ModSecurity:
> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
> [file "/usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "41"] [id "960015"] [msg "Request Missing an Accept Header"]
> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
> [hostname "www.mywebsite.com"] [uri "/"] [unique_id
> "STJXD0SQBYoAARtifZAAAAAO"]
> [Sun Nov 30 02:04:15 2008] [notice] child pid 72546 exit signal
> Segmentation fault (11)
> [Sun Nov 30 02:13:39 2008] [error] [client 81.83.9.15] ModSecurity:
> Warning. Pattern match "<b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon
> line\\b" at RESPONSE_BODY. [file
> "/usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_50_outbound.conf"]
> [line "42"] [id "970009"] [msg "PHP Information Leakage"] [severity
> "WARNING"] [tag "LEAKAGE/ERRORS"] [hostname "www.mywebsite.com"] [uri
> "/pictures/slideshow.php"] [unique_id "STJZQ0SQBYoAARuZ6GkAAAAD"]
> [Sun Nov 30 02:13:40 2008] [notice] child pid 72601 exit signal
> Segmentation fault (11)
> [Sun Nov 30 02:24:39 2008] [error] [client 123.110.21.171]
> ModSecurity: Output filter: Response body too large (over limit of
> 524288, total not specified). [hostname "www.mywebsite.com"] [uri
> "/pictures/slideshow.php"] [unique_id "STJb1USQBYoAARtefewAAAAJ"]
> [Sun Nov 30 02:24:39 2008] [notice] child pid 72542 exit signal
> Segmentation fault (11)
> 
> 
> Can someone help me understand what is happening?

Kelly,

ModSecurity 2.5.7 is the latest.  Version 2.5.6 fixed an issue that may
be causing your crash.  Please upgrade to 2.5.7 and see if this fixes
the problem you are seeing.

thanks,
-B

-- 
Brian Rectanus
Breach Security

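The error-log excerpt in Kelly's post interleaves ModSecurity alerts with "child pid ... exit signal Segmentation fault" notices, and Brian's diagnosis depends on knowing which rule fired just before each crash. The script below is an added example, not code from the thread or from the ModSecurity project: it parses the bracketed `[key "value"]` fields of ModSecurity error-log entries and pairs each segfault with the most recent alert logged within a short window, so the crashes can be reported (rule id, URI, unique_id) when asking the list or filing a bug. The sample input is the log excerpt from the post re-joined onto one line per entry; the five-second window is an assumption.

```python
"""Correlate ModSecurity alerts with Apache child segfaults in error_log.

Added example (not from the thread). SAMPLE_LOG is the error-log excerpt
from the post, re-joined onto one line per entry (the mail client wrapped it).
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = r"""[Sun Nov 30 02:04:15 2008] [error] [client 61.135.168.39] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.mywebsite.com"] [uri "/"] [unique_id "STJXD0SQBYoAARtifZAAAAAO"]
[Sun Nov 30 02:04:15 2008] [notice] child pid 72546 exit signal Segmentation fault (11)
[Sun Nov 30 02:13:39 2008] [error] [client 81.83.9.15] ModSecurity: Warning. Pattern match "<b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" at RESPONSE_BODY. [file "/usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_50_outbound.conf"] [line "42"] [id "970009"] [msg "PHP Information Leakage"] [severity "WARNING"] [tag "LEAKAGE/ERRORS"] [hostname "www.mywebsite.com"] [uri "/pictures/slideshow.php"] [unique_id "STJZQ0SQBYoAARuZ6GkAAAAD"]
[Sun Nov 30 02:13:40 2008] [notice] child pid 72601 exit signal Segmentation fault (11)
[Sun Nov 30 02:24:39 2008] [error] [client 123.110.21.171] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "www.mywebsite.com"] [uri "/pictures/slideshow.php"] [unique_id "STJb1USQBYoAARtefewAAAAJ"]
[Sun Nov 30 02:24:39 2008] [notice] child pid 72542 exit signal Segmentation fault (11)
"""

ENTRY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<rest>.*)$')
CLIENT_RE = re.compile(r'^\[client (?P<client>[^\]]+)\] ModSecurity: (?P<body>.*)$')
# One [key "value"] field; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
SEGV_RE = re.compile(r'child pid (?P<pid>\d+) exit signal Segmentation fault')
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # Apache 2.2 error_log timestamp


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not an Apache entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = {"ts": datetime.strptime(m["ts"], TS_FORMAT), "level": m["level"]}
    rest = m["rest"]
    segv = SEGV_RE.search(rest)
    if segv:
        entry.update(kind="segfault", pid=int(segv["pid"]))
        return entry
    c = CLIENT_RE.match(rest)
    if c:
        body = c["body"]
        cut = body.find(" [")          # free text ends where the fields begin
        entry.update(
            kind="modsec",
            client=c["client"],
            message=body if cut == -1 else body[:cut],
            fields=dict(FIELD_RE.findall(body)),
        )
        return entry
    entry["kind"] = "other"
    return entry


def correlate(lines, window_seconds=5):
    """Pair each segfault with the latest ModSecurity alert logged at most
    window_seconds before it.  Apache does not log which request a dying
    child was serving, so the pairing is a lead for investigation, not proof."""
    pairs = []
    last_alert = None
    for entry in filter(None, map(parse_line, lines)):
        if entry["kind"] == "modsec":
            last_alert = entry
        elif entry["kind"] == "segfault":
            suspect = None
            if last_alert is not None:
                gap = (entry["ts"] - last_alert["ts"]).total_seconds()
                if 0 <= gap <= window_seconds:
                    suspect = last_alert
            pairs.append((entry, suspect))
            last_alert = None              # one alert explains at most one crash
    return pairs


def crash_summary(pairs):
    """Count crashes per suspected rule id; 'no-rule-id' for alerts without an
    [id ...] field (e.g. the output-filter size warning), 'uncorrelated' when
    no alert was logged within the window."""
    counts = Counter()
    for _crash, suspect in pairs:
        if suspect is None:
            counts["uncorrelated"] += 1
        else:
            counts[suspect["fields"].get("id", "no-rule-id")] += 1
    return counts


def report(pairs):
    """Human-readable lines suitable for a bug report to the list."""
    out = []
    for crash, suspect in pairs:
        if suspect is None:
            out.append(f"{crash['ts']} pid {crash['pid']}: no ModSecurity alert within window")
            continue
        f = suspect["fields"]
        out.append(
            f"{crash['ts']} pid {crash['pid']}: suspect rule id={f.get('id', '-')} "
            f"uri={f.get('uri', '-')} unique_id={f.get('unique_id', '-')} :: {suspect['message']}"
        )
    return out


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_LOG.splitlines()))))
```

Run against the real `error_log`, the summary shows whether crashes cluster behind one rule (a rule-specific bug, as Brian suspects here) or spread across all of them (more likely a general engine fault, such as the transformation-caching issue he points to later in the thread).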
Brian Rectanus | 1 Dec 05:10

Re: How to stop dropped requests to be passed to Apache

R.A. Imhoff wrote:
> Hello,
> 
> I noticed that requests intercepted by the following rule still show
> up in the Apache access log:
> 
>  >SecRule REQUEST_URI "@pm http korff .dll db_config" "phase:
> 1,t:none,drop,status:400,exec:/sbin/blacklist_web,msg:'proxy url 1 -
> blacklisted',severity:'2',id:'111022',tag:'blacklisted'"
> 
> 
> I had thought with the "drop" action the request would not be passed
> on at all?
> 
> The way it is now, the offending IP does get blacklisted, but the
> initial request that triggered this rule got through to Apache in spite
> of the "drop".
> 
> Am I using the wrong phase, or how can I avoid Apache getting such
> requests at all?
> (Also, the "drop" causes the client's browser to re-attempt the same
> request, which gets to the server before the blacklist script
> finished, so there are actually two almost simultaneous identical
> requests in the ModSec log.)

The "drop" action closes the socket between client and server (sends a
TCP FIN/ACK) and does not use the "status:400" as you would get with a
"deny".  The "drop" really should not be retried by the browser (what
browser?), so I suspect that this is not working correctly (but it may
view the "drop" the same as a failed KeepAlive request and retry).  Some
items to check:

1) The "drop" action does not work correctly on a Windows webserver and
should become a "deny".  Check the debug and error logs.

2) The "drop" action will not work when SecRuleEngine is set to
"DetectionOnly".

3) Check the Apache error log to see if there is a message stating it
was dropped.

4) In the access log, are the requests getting through successfully?

Please provide the relevant access, error and ModSec debug log entries
(sanitize them).

thanks,
-B

-- 
Brian Rectanus
Breach Security

Walt Williams | 1 Dec 20:02

compile error on redhat enterprise linux 4.5 on intel x64

I've had to run ./configure with the --httpd-src option, as it was not
finding libapr.  When I do so, I get an error that I can't figure out:

/usr/bin/ld: /prefix/httpd-2.2.10/srclib/pcre/.libs/libpcre.a(maketables.o):
relocation R_X86_64_32 against `a local symbol' can not be used when
making a shared object; recompile with -fPIC
/prefix/httpd-2.2.10/srclib/pcre/.libs/libpcre.a(maketables.o): could
not read symbols: Bad value
collect2: ld returned 1 exit status
apxs:Error: Command failed with rc=65536

Anyone successfully build this on Redhat Enterprise Linux 4.5 on x64?
Any pointers?
-- 
Walt Williams, CISSP, SSCP
Ergo inimicus vobis factus sum, verum dicens vobis?

Brian Rectanus | 1 Dec 20:51

Re: compile error on redhat enterprise linux 4.5 on intel x64

Walt,

The --httpd-src option does not work well as libpcre is not installed by
Apache and you have to link with it manually.  Install the development
libraries (RPMs): apr-devel, apr-util-devel, libxml2-devel, pcre-devel,
curl-devel.

thanks,
-B

Walt Williams wrote:
> I've had to run ./configure with the --httpd-src option, as it was not
> finding libapr.  When I do so, I get an error that I can't figure out:
> 
> /usr/bin/ld: /prefix/httpd-2.2.10/srclib/pcre/.libs/libpcre.a(maketables.o):
> relocation R_X86_64_32 against `a local symbol' can not be used when
> making a shared object; recompile with -fPIC
> /prefix/httpd-2.2.10/srclib/pcre/.libs/libpcre.a(maketables.o): could
> not read symbols: Bad value
> collect2: ld returned 1 exit status
> apxs:Error: Command failed with rc=65536
> 
> Anyone successfully build this on Redhat Enterprise Linux 4.5 on x64?
> Any pointers?
> --
> Walt Williams, CISSP, SSCP
> Ergo inimicus vobis factus sum, verum dicens vobis?
> 

-- 
Brian Rectanus
Breach Security

Walt Williams | 1 Dec 20:53

Re: compile error on redhat enterprise linux 4.5 on intel x64

Brian,

I'll give that a try.  Thanks!

Walt

On Mon, Dec 1, 2008 at 2:51 PM, Brian Rectanus
<Brian.Rectanus <at> breach.com> wrote:
> Walt,
>
> The --httpd-src option does not work well as libpcre is not installed by
> Apache and you have to link with it manually.  Install the development
> libraries (RPMs): apr-devel, apr-util-devel, libxml2-devel, pcre-devel,
> curl-devel.
>
> thanks,
> -B
>
> Walt Williams wrote:
>> I've had to run ./configure with the --httpd-src option, as it was not
>> finding libapr.  When I do so, I get an error that I can't figure out:
>>
>> /usr/bin/ld: /prefix/httpd-2.2.10/srclib/pcre/.libs/libpcre.a(maketables.o):
>> relocation R_X86_64_32 against `a local symbol' can not be used when
>> making a shared object; recompile with -fPIC
>> /prefix/httpd-2.2.10/srclib/pcre/.libs/libpcre.a(maketables.o): could
>> not read symbols: Bad value
>> collect2: ld returned 1 exit status
>> apxs:Error: Command failed with rc=65536
>>
>> Anyone successfully build this on Redhat Enterprise Linux 4.5 on x64?
>> Any pointers?
>> --
>> Walt Williams, CISSP, SSCP
>> Ergo inimicus vobis factus sum, verum dicens vobis?
>>
>
> --
> Brian Rectanus
> Breach Security
>

-- 
Walt Williams, CISSP, SSCP
Ergo inimicus vobis factus sum, verum dicens vobis?

Sion Pennant | 2 Dec 12:54

Injecting Parameters into a Redirect action URL

Hi,

I'm trying to use ModSecurity to 'cleanse' the value of some parameters sent 
to an application.

Basically the L parameter should be either 1 or 0. If not I want to send a 
redirect, but keeping the value of the 'id' parameter sent by the browser.

Here's the rule I came up with:

SecRule ARGS:L "!@rx ^(0|1)$" "phase:2,t:none,log,msg:'L param 
poisoning',chain,setvar:tx.PAGEID=%{ARGS:id},redirect:'%{REQUEST_FILENAME}?id=%{TX:PAGEID}&L=0',status:302"
SecRule REQUEST_FILENAME "^/index.php"

The detection is fine, however the parameters in the redirect URL are not 
converted to their values. E.g.:

http://intranetdev.powys.gov.uk/index.php?id=3&L=rubbish

... is redirected to:

http://intranetdev.powys.gov.uk/%{REQUEST_FILENAME}?id=%25{TX:PAGEID}&L=0

Am I right in assuming that variables cannot be used in the redirect URL, or 
is it my syntax that's wrong?

Regards,
-- 
Sion Pennant
Web Development Team Leader
Cyngor Sir Powys County Council
-----------------------------------------
Cyngor Sir Powys County Council
www.powys.gov.uk

This e mail and any attachments are confidential and intended for
the named recipient only. The content may contain privileged
information. If it has reached you by mistake, you should not copy,
distribute or show the content to anyone but should contact Powys
County Council at once.

Any content that is not pertinent to Powys County Council business
is personal to the author, and is not necessarily the view of the
Council.

Ryan Barnett | 2 Dec 16:41

Re: Injecting Parameters into a Redirect action URL

-----Original Message-----
From: Sion Pennant [mailto:sion.pennant <at> powys.gov.uk]
Sent: Tuesday, December 02, 2008 6:55 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Injecting Parameters into a Redirect action URL

Hi,

I'm trying to use ModSecurity to 'cleanse' the value of some parameters sent
to an application.

Basically the L parameter should be either 1 or 0. If not I want to send a
redirect, but keeping the value of the 'id' parameter sent by the browser.

Here's the rule I came up with:

SecRule ARGS:L "!@rx ^(0|1)$" "phase:2,t:none,log,msg:'L param
poisoning',chain,setvar:tx.PAGEID=%{ARGS:id},redirect:'%{REQUEST_FILENAME}?id=%{TX:PAGEID}&L=0',status:302"
SecRule REQUEST_FILENAME "^/index.php"

The detection is fine, however the parameters in the redirect URL are not
converted to their values. E.g.:

http://intranetdev.powys.gov.uk/index.php?id=3&L=rubbish

... is redirected to:

http://intranetdev.powys.gov.uk/%{REQUEST_FILENAME}?id=%25{TX:PAGEID}&L=0

Am I right in assuming that variables cannot be used in the redirect URL, or
is it my syntax that's wrong?
[Ryan Barnett] A few comments -

1) The redirect action does not currently have macro expansion capabilities, so you will not be able to
dynamically add custom variable data to it.

2) General note - when using setvar, you need to use a "." instead of a ":" as the separator like this - setvar:tx.PAGEID=%{ARGS.id}

3) As for the redirection, you could try using both ModSecurity and Mod_Rewrite together to achieve the
functionality that you want.  What you can do is to use ModSecurity the way that you are doing it except instead
of issuing the redirect there, you instead set an environmental token that Mod_Rewrite can use and then it
can do the redirect.  Something like this might work -

SecRule ARGS:L "!@rx ^(0|1)$" "phase:1,t:none,log,msg:'L param poisoning',chain,pass"
SecRule REQUEST_FILENAME "^/index.php" "setenv:redirect=true"

RewriteEngine On
RewriteCond %{ENV:redirect} ^true$
RewriteRule /index.php?id=(.*)& http://intranetdev.powys.gov.uk/index.php?id=$1&L=0 [R]

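Ryan's suggestion hands the redirect to mod_rewrite, and the detail that trips people up there is that a RewriteRule pattern is matched against the URL path only, never the query string; the `id` value has to be captured from `%{QUERY_STRING}` in a RewriteCond and referenced as `%1`. The configuration below is an added example written for this thread, not Ryan's or Sion's own rules: it keeps the setenv hand-off from Ryan's reply, restricts `id` to digits (an assumption based on the `id=3` in Sion's example) so that both parameters are cleansed, and uses the thread's hostname in the redirect target. In phase 1 `ARGS` sees only query-string arguments, which is all this GET case needs.

```apache
# Added example, not from the thread.  Assumes ModSecurity 2.5.x and
# mod_rewrite loaded in the same server/virtual-host context.

# Flag requests whose L parameter is anything other than 0 or 1.  The
# chained rule narrows the match to /index.php and sets an Apache
# environment variable instead of redirecting (redirect: cannot expand
# macros, as noted above).
SecRule ARGS:L "!@rx ^(0|1)$" \
    "phase:1,t:none,log,pass,msg:'L param poisoning',chain"
SecRule REQUEST_FILENAME "^/index\.php$" "setenv:redirect=true"

RewriteEngine On
# Only act on requests ModSecurity flagged.
RewriteCond %{ENV:redirect} ^true$
# RewriteRule never sees the query string, so capture id here.  Digits
# only (assumption): anything else falls through to the plain redirect
# below with no id at all.
RewriteCond %{QUERY_STRING} (?:^|&)id=([0-9]+)(?:&|$)
RewriteRule ^/index\.php$ http://intranetdev.powys.gov.uk/index.php?id=%1&L=0 [R=302,L]

# Flagged request with a missing or non-numeric id: drop both parameters.
RewriteCond %{ENV:redirect} ^true$
RewriteRule ^/index\.php$ http://intranetdev.powys.gov.uk/index.php?L=0 [R=302,L]
```

Because the substitution carries its own `?...`, mod_rewrite replaces the original query string rather than appending to it, so the poisoned `L` value never reaches the application. Check the ModSecurity debug log for the `setenv` and the rewrite log (`RewriteLogLevel` on Apache 2.2) for the `%{ENV:redirect}` test when verifying the hand-off.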
Kelly Martin | 4 Dec 17:29

Re: segmentation faults

On Sun, Nov 30, 2008 at 8:57 PM, Brian Rectanus
<Brian.Rectanus <at> breach.com> wrote:
>
> ModSecurity 2.5.7 is the latest.  Version 2.5.6 fixed an issue that may
> be causing your crash.  Please upgrade to 2.5.7 and see if this fixes
> the problem you are seeing.

Thanks Brian, right now the FreeBSD port is still at version 2.5.5_2.
I e-mailed the maintainer and he'll be updating the port this weekend.
So I'll try it again with the new version; for now I've had to disable
ModSecurity. I don't mind compiling it myself, but it's easier to keep
up-to-date and monitor application vulnerabilities using ports and
port tools, so I'd rather wait for it to show up there.

thanks,
kelly

Brian Rectanus | 4 Dec 18:32

Re: segmentation faults

Kelly Martin wrote:
> On Sun, Nov 30, 2008 at 8:57 PM, Brian Rectanus
> <Brian.Rectanus <at> breach.com> wrote:
>> ModSecurity 2.5.7 is the latest.  Version 2.5.6 fixed an issue that may
>> be causing your crash.  Please upgrade to 2.5.7 and see if this fixes
>> the problem you are seeing.
> 
> Thanks Brian, right now the FreeBSD port is still at version 2.5.5_2.
> I e-mailed the maintainer and he'll be updating the port this weekend.
> So I'll try it again with the new version, for now I've had to disable
> ModSecurity. I don't mind compiling it myself but it's easier to keep
> up-to-date and monitor application vulnerabilities using ports and
> port tools, so I'd rather wait for it to show up there.

Sorry, I should have mentioned this as well.  You can try to disable
transformation caching:

http://blog.modsecurity.org/2008/08/transformation.html

If that does not fix it, then it may not be the same issue I am thinking.

-B

-- 
Brian Rectanus
Breach Security

