yersinia | 2 Mar 09:06

Re: Disable php_flag version?

On Fri, Feb 27, 2009 at 3:05 PM, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:


From: pinto.elia <at> gmail.com [mailto:pinto.elia <at> gmail.com] On Behalf Of yersinia
Sent: Friday, February 27, 2009 8:54 AM
To: Ryan Barnett
Cc: Mike Yrabedra; modsec-users
Subject: Re: [mod-security-users] Disable php_flag version?


On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:

-----Original Message-----
From: Mike Yrabedra [mailto:lists <at> 323inc.com]
Sent: Friday, February 27, 2009 6:13 AM
To: modsec-users
Subject: [mod-security-users] Disable php_flag version?



Is there any way I can change ( or disable ) what PHP version is returned
when someone does a scan of my server?

[Ryan Barnett] The problem is that there are so many ways that application version information data may leak out.  Check out some of the comments here - http://www.php.net/manual/en/security.hiding.php.  You might want something like "expose_php=Off" in your php.ini file.  ModSecurity can help to hide the php module info in the Server response header if you set the SecServerSignature directive.



But not in reverse proxy mode with mod_proxy. You have to use mod_header.

[Ryan Barnett] True, you would have to use something like this –


Header always set Server "Whatever-Name-You-Want"


I prefer not to put a random server name, either with mod_header or mod_security, but rather a server name that exists in nmap's content db. In this way you can fool nmap's application fingerprinting.

Regards
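As an added check that is not from the thread, a small Python audit of a captured response header block: it reports the version-bearing headers that the options discussed above (expose_php=Off, SecServerSignature, Header always set Server) are meant to remove. Both response blocks are constructed, not captured from any real server.

```python
import re

# Constructed response header blocks; neither was captured from a real server.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 27 Feb 2009 14:05:00 GMT\r\n"
    "Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8\r\n"
    "X-Powered-By: PHP/5.2.8\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 27 Feb 2009 14:05:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# A product token that carries a version, e.g. "PHP/5.2.8" or "Apache/2.2.11".
VERSION_TOKEN = re.compile(r"[A-Za-z_][\w.-]*/\d[\w.]*")

# Header -> the control from the thread that removes the leak.
REMEDY = {
    "x-powered-by": "expose_php=Off in php.ini",
    "server": "SecServerSignature (ModSecurity in the same httpd) or "
              "Header always set Server \"...\" (mod_headers, e.g. reverse proxy)",
}


def parse_headers(raw):
    """Split an HTTP response into (name, value) pairs with lower-cased names.
    Only the header block before the first blank line is examined."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # malformed or folded continuation line; ignore here
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_version_leaks(raw):
    """One finding per header that discloses a product version.
    X-Powered-By counts as a leak whenever it is present at all, because PHP
    adds it only while expose_php is On."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "x-powered-by":
            findings.append({"header": name, "value": value,
                             "tokens": VERSION_TOKEN.findall(value),
                             "fix": REMEDY[name]})
        elif name == "server":
            tokens = VERSION_TOKEN.findall(value)
            if tokens:
                findings.append({"header": name, "value": value,
                                 "tokens": tokens, "fix": REMEDY[name]})
    return findings


if __name__ == "__main__":
    for f in find_version_leaks(LEAKY_RESPONSE):
        print("%s: %s  ->  %s" % (f["header"], f["value"], f["fix"]))
    print("hardened:", find_version_leaks(HARDENED_RESPONSE))
```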

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
Eduard Cercos | 5 Mar 14:45

[Fwd: Modsecurity console don't show activity]

Hi!

 Can somebody help me to find out what is wrong? These two lines show the error:

[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Request returned with status "409 Parsing failed.": e4z3K9WwoyMAAGEgxu8AAAmP
[Fri Feb 27 13:19:38 2009] [2] [24848/b4070] Failed to submit entry with "409 Parsing failed.": e4z3K9WwoyMAAGEgxu8AAAmP

What do they mean? Attached is my first message with more information.

thanks again.

-------- Original message --------
Subject: Modsecurity console don't show activity
Date: Fri, 27 Feb 2009 14:14:08 +0100
From: Eduard Cercos <ecercos <at> xtec.net>
To: modsec-users <mod-security-users <at> lists.sourceforge.net>


Hi everybody, I've just started using Modsecurity console. I'm trying to collect the audit logs but I haven't yet. All seems to work fine but I receive an #409 error when trying to submit the alerts. I don't know where to look. Thanks!

More information: My sensor is in a Solaris 10 T2000, the console is in a Linux box with fedora 9. Here's an extract of my mlogc-error.log with level 5 debug:

[Fri Feb 27 13:19:38 2009] [5] [24848/0] Read 261 bytes from pipe: `server.xtec.net xx.xx.xx.xx - - [27/Feb/2009:13:19:38 +0100] \"GET /xxxxxxx/admin/cron.php HTTP/1.1\" 403 229 \"-\" \"-\" e4z3K9WwoyMAAGEgxu8AAAmP \"-\" /20090227/20090227-1319/20090227-131938-e4z3K9WwoyMAAGEgxu8AAAmP 0 872 md5:1b4107ddb93d3825104abb133fb63799 \n'
[Fri Feb 27 13:19:38 2009] [5] [24848/0] Received audit log entry (count 3 queue 0 workers 0): server.xtec.net xx.xx.xx.xx - - [27/Feb/2009:13:19:38 +0100] \"GET /xxxxxxx/admin/cron.php HTTP/1.1\" 403 229 \"-\" \"-\" e4z3K9WwoyMAAGEgxu8AAAmP \"-\" /20090227/20090227-1319/20090227-131938-e4z3K9WwoyMAAGEgxu8AAAmP 0 872 md5:1b4107ddb93d3825104abb133fb63799
[Fri Feb 27 13:19:38 2009] [4] [24848/0] Processed 1 entries from buffer.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Worker thread starting.
[Fri Feb 27 13:19:38 2009] [5] [24848/0] Shifted buffer back 261 and offset 0 bytes for next read: `'
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Locking mutex.
[Fri Feb 27 13:19:38 2009] [5] [24848/0] Internal state: [evnt "0"][curr "0"][next "0"][nbytes "65536"]
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Getting one entry from the queue.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Got one job.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Processing entry.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Regular expression matched.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] File found, activating cURL.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Connection #0 seems to be dead!
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Closing connection #0
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS alert, Client hello (1):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: About to connect() to 10.155.x.x port 8888 (#0)
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Trying 10.155.x.x...
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: connected
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Connected to 10.155.x.x (10.155.x.x) port 8888 (#0)
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSL re-using session ID
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake, Client hello (1):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake, Server hello (2):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS change cipher, Client hello (1):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake, Finished (20):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS change cipher, Client hello (1):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake, Finished (20):
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSL connection using EDH-RSA-DES-CBC3-SHA
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Server certificate:
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t subject: /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t start date: 2006-06-25 14:13:59 GMT
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t expire date: 2008-06-24 14:13:59 GMT
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t issuer: /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSL certificate verify result: self signed certificate (18), continuing anyway.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Server auth using Basic with user 'wiphe'
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Connection #0 to host 10.155.x.x left intact
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Request returned with status "409 Parsing failed.": e4z3K9WwoyMAAGEgxu8AAAmP
[Fri Feb 27 13:19:38 2009] [2] [24848/b4070] Failed to submit entry with "409 Parsing failed.": e4z3K9WwoyMAAGEgxu8AAAmP
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Sleeping for 50 msec.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Loop completed.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Locking mutex.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Removing previous entry from storage.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Getting one entry from the queue.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] No more work for this thread, exiting.
[Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Thread done.
[Fri Feb 27 13:19:40 2009] [5] [24848/361d0] Management thread: Processing
[Fri Feb 27 13:19:40 2009] [5] [24848/361d0] Management thread: Last checkpoint was 5 seconds ago.

Eduard
-- Regards, Eduard Cercós, Technology Architecture, Departament d'Educació
Brian Rectanus | 6 Mar 07:42

Re: Building mlogc for OpenBSD 4.4

I have added the ability to specify the exact config script for the next
release (will release it in the next few days).  So, this should work
for you in the future:

./configure \
  --with-apr=/usr/local/bin/apr-1-mt-config \
  --with-apu=/usr/local/bin/apu-1-mt-config

https://www.modsecurity.org/fisheye/changelog/modsecurity/?cs=1263

-B

Sylvain Lapendry wrote:
> Did you try to add "apr-1-mt-config" & "apu-1-mt-config" ? Do you think
> you'll add this in the next release ?
> 
> 2009/2/23 Sylvain Lapendry <sylvain.lapendry <at> gmail.com
> <mailto:sylvain.lapendry <at> gmail.com>>
> 
>     No, because the names of the scripts are different!
>     The "configure" script searches for apr-1-config, and not apr-1-mt-config.
> 
>     If you want to make mlogc compatible with OpenBSD, you should add,
>     in the configure script :
>     line 5437 : for ARP_CONFIG in apr-1-mt-config apr-1-config
>     apr-config; do
>     line 5503 : for ARU_CONFIG in apu-1-mt-config apu-1-config
>     apu-config; do
>     (actually, you should change the build/find_ap*.m4 files).
> 
>     I've tested that, and it works !
> 
>     2009/2/20 Brian Rectanus <brian.rectanus <at> breach.com
>     <mailto:brian.rectanus <at> breach.com>>
> 
>         The with-apr and with-apu configure opts can point to the config
>         scripts, I believe.
> 
>         -B
> 
> 
>         -- 
>         Brian Rectanus
>         Senior Engineer
>         (760) 444-6149
>         Support Hotline: (866) 205-7031 (toll-free)
> 
>         Breach Security, Inc. 
>         2141 Palomar Airport Road, Suite 200
>         Carlsbad, CA 92011
>         www.breach.com <http://www.breach.com>
> 
>         ------------------------------------------------------------------------
>         *From*: Sylvain Lapendry
>         *To*: Brian Rectanus
>         *Cc*: mod-security-users <at> lists.sourceforge.net
>         <mailto:mod-security-users <at> lists.sourceforge.net>
>         *Sent*: Fri Feb 20 09:51:56 2009
>         *Subject*: Re: [mod-security-users] Building mlogc for OpenBSD 4.4
>         Actually, mlogc can't be build if I use the packages of OpenBSD.
>         Indeed, the apr packages compiled with thread support are named
>         apr-mt and apr-util-mt, and there are differences between the
>         default apr and apr-mt : the apr lib with thread support is
>         /usr/local/lib/apr-1-mt.so (the config script is
>         /usr/local/bin/apr-1-mt-config), whereas the apr lib without
>         thread support is located in /usr/local/lib/apr-1.so (and the
>         config script is /usr/local/bin/apr-1-config).
> 
>         With the OpenBSD packages, mlogc can't be compiled, because this
>         is the /usr/local/bin/apr-1-config script which is executed,
>         instead of this one : /usr/local/bin/apr-1-mt-config. Maybe you
>         should do some test in the configure script, in order to know if
>         the OS is OpenBSD, and if it is, to change the bin/lib/include
>         to /usr/local/bin/apr-1-mt-config, /usr/local/lib/apr-1-mt.so,
>         /usr/local/include/apr-1-mt/ instead of
>         /usr/local/bin/apr-1-config, /usr/local/lib/apr-1.so,
>         /usr/local/include/apr-1/.
> 
>         2009/2/20 Sylvain Lapendry <sylvain.lapendry <at> gmail.com
>         <mailto:sylvain.lapendry <at> gmail.com>>
> 
>             The apr lib I used was the default one in OpenBSD :
>             http://www.openbsd.org/4.4_packages/i386/apr-1.2.11p2.tgz-long.html.
>             I tried with this one :
>             http://www.openbsd.org/4.4_packages/i386/apr-mt-1.2.11p2.tgz-long.html,
>             which has thread support, and it worked well !
> 
>             Problem solved ;)
>             Thanks a lot !
> 
>             PS : maybe you should write somewhere that APR needs thread
>             support ?
> 
>             2009/2/19 Brian Rectanus <Brian.Rectanus <at> breach.com
>             <mailto:Brian.Rectanus <at> breach.com>>
> 
> 
>                 The parens make that a sub-shell and it goes back to
>                 previous pwd.
> 
>                 The mlogc util requires threads.  It may be that you do
>                 not have an APR
>                 compiled with thread support?
> 
>                 Look in apr.h for:
> 
>                 #define APR_HAS_THREADS  1
> 
> 
>                 -B
> 
> 
> 
>                 Sylvain Lapendry wrote:
>                 > Furthermore, even with your change, I still have the
>                 same error when I
>                 > want to compile mlogc.
>                 >
>                 > 2009/2/19 Sylvain Lapendry <sylvain.lapendry <at> gmail.com>
>                 >
>                 >     I think your change can't work :
>                 >
>                 >     mlogc:
>                 >
>                 >     @(cd mlogc-src && $(MAKE) mlogc) \
>                 >       && cp -p mlogc-src/mlogc ../tools \
>                 >       && cp -p mlogc-src/mlogc-batch-load.pl ../tools \
>                 >       && echo \
>                 >
>                 >       && echo "Successfully built \"mlogc\" in
>                 ../tools." \
>                 >       && echo "See: mlogc-src/INSTALL" \
>                 >       && echo
>                 >
>                 >
>                 >     You do a (cd mlogc-src && make mlogc), and then (cp -p
>                 >     mlogc-src/mlogc ../tools).
>                 >     Shouldn't you do (cd mlogc-src && make mlogc && cd
>                 ..), or (cp -p
>                 >     mlogc ../../tools) ?
>                 >
>                 >
>                 >     2009/2/18 Brian Rectanus <Brian.Rectanus <at> breach.com>
>                 >
>                 >         Sylvain Lapendry wrote:
>                 >         > Hi everyone,
>                 >         >
>                 >         > I'm trying to build and install modsecurity
>                 & mlogc for
>                 >         Apache2 on OpenBSD.
>                 >         > The "./configure", "make" and "make install"
>                 steps are
>                 >         successful, but
>                 >         > I've got a problem with mlogc :
>                 >         >
>                 >         > - First of all, "make mlogc" in the
>                 ./modsecurity*/apache2/
>                 >         directory
>                 >         > doesn't work, because of that line :
>                 "@$(MAKE) -C mlogc-src
>                 >         mlogc". In
>                 >         > OpenBSD, the "-C" option doesn't exist
>                 >         >
>                 >         > (http://www.openbsd.org/cgi-bin/man.cgi?query=make&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html) ;
>                 >
>                 >         I just fixed this on trunk.  Replace this line:
>                 >
>                 >         @$(MAKE) -C mlogc-src mlogc \
>                 >
>                 >         With this one:
>                 >
>                 >         @(cd mlogc-src && $(MAKE) mlogc) \
>                 >
>                 >         >
>                 >         > - Then, if I go into the mlogc-src
>                 directory, and enter "make
>                 >         mlogc", it
>                 >         > doesn't work and I've got this error :
>                 >
>                 >
>                 >         Yes, it needs some variables from the main
>                 Makefile set.
>                 >
>                 >
>                 >         >
>                 >         > Building dynamically linked mlogc...
>                 >         > mlogc.c:154: error: syntax error before '*'
>                 token
>                 >         > mlogc.c:154: warning: data definition has no
>                 type or storage class
>                 >         > mlogc.c: In function `logc_init':
>                 >         > mlogc.c:1030: error:
>                 `APR_THREAD_MUTEX_UNNESTED' undeclared
>                 >         (first use
>                 >         > in this function)
>                 >         > mlogc.c:1030: error: (Each undeclared
>                 identifier is reported
>                 >         only once
>                 >         > mlogc.c:1030: error: for each function it
>                 appears in.)
>                 >         > *** Error code 1
>                 >         >
>                 >         > Stop in
>                 /tmp/tmp/modsecurity-apache_2.5.7/apache2/mlogc-src
>                 >         (line 42 of
>                 >         > Makefile).
>                 >         > *** Error code 1
>                 >         >
>                 >         > Stop in
>                 /tmp/tmp/modsecurity-apache_2.5.7/apache2 (line 108 of
>                 >         Makefile).
>                 >         >
>                 >         >
>                 >         > Can someone help me ?
>                 >         >
>                 >         > Thanks,
>                 >         > Sylvain
>                 >         >
>                 >
>                 >         --
>                 >         Brian Rectanus
>                 >         Breach Security
>                 >
>                 >
>                 >
> 
>                 --
>                 Brian Rectanus
>                 Breach Security
> 

-- 
Brian Rectanus
Breach Security
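An added pre-flight script, not part of ModSecurity's build, that does by hand what the thread works out: it prefers the OpenBSD apr-1-mt-config / apu-1-mt-config scripts, refuses to continue unless apr.h has APR_HAS_THREADS set to 1, and prints the ./configure line. It assumes --with-apr and --with-apu accept a config script path as in Brian's fix, and that the scripts answer --includedir (a standard apr-1-config option).

```python
import os
import re
import subprocess

# Candidate config script names, most specific first: the OpenBSD apr-mt and
# apr-util-mt packages install the *-mt-config names; the others are the names
# ModSecurity's configure script looks for on its own.
APR_CONFIG_CANDIDATES = ("apr-1-mt-config", "apr-1-config", "apr-config")
APU_CONFIG_CANDIDATES = ("apu-1-mt-config", "apu-1-config", "apu-config")

THREADS_DEFINE = re.compile(r"^\s*#\s*define\s+APR_HAS_THREADS\s+(\d+)", re.M)


def pick_config(candidates, bin_dirs):
    """First candidate that exists as an executable in bin_dirs, else None."""
    for name in candidates:
        for d in bin_dirs:
            path = os.path.join(d, name)
            if os.path.isfile(path) and os.access(path, os.X_OK):
                return path
    return None


def apr_has_threads(apr_h_text):
    """True only if apr.h says '#define APR_HAS_THREADS 1' (what mlogc needs)."""
    m = THREADS_DEFINE.search(apr_h_text)
    return m is not None and m.group(1) == "1"


def include_dir(config_script):
    """Ask the apr config script where its headers live."""
    out = subprocess.run([config_script, "--includedir"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def configure_command(bin_dirs=("/usr/local/bin", "/usr/bin")):
    """Build the ./configure invocation from the thread, refusing to continue
    when the chosen APR was built without thread support."""
    apr = pick_config(APR_CONFIG_CANDIDATES, bin_dirs)
    apu = pick_config(APU_CONFIG_CANDIDATES, bin_dirs)
    if apr is None or apu is None:
        raise RuntimeError("no apr/apu config script found in %s" % (bin_dirs,))
    with open(os.path.join(include_dir(apr), "apr.h")) as fh:
        if not apr_has_threads(fh.read()):
            raise RuntimeError("%s points at an APR built without threads; "
                               "mlogc needs APR_HAS_THREADS 1" % apr)
    return ["./configure", "--with-apr=%s" % apr, "--with-apu=%s" % apu]


if __name__ == "__main__":
    print(" ".join(configure_command()))
```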


Brian Rectanus | 6 Mar 08:25

Re: bind console to localhost

Sorry for the late reply.  While I agree "host" would have been an
intuitive name for the property, it is "listeningIpAddress".

Under the com.thinkingstone.console.ConsoleComponent section:

Property listeningIpAddress "127.0.0.1"

However, this is only the console component.  The RPC component still
binds to 0.0.0.0:8887.  But, it will only accept connections from the
"adminNetwork".

-B

John Doe wrote:
> hi,
> 
> is it possible to bind the modsecurity console to localhost:8888 only?
> per default, the console is listening on 0.0.0.0:8888 <http://0.0.0.0:8888>.
> 
> i already googled for a solution and only found the hint to add the
> host-property to console.conf:
> 
> <Source console com.thinkingstone.console.ConsoleComponent>
>     [..]
>    
>     Property host "127.0.0.1"
> 
>     [..]
> </Source>
> 
> anyway, that didn't change anything. the console is still listening on
> all interfaces.
> is there a solution for this problem?
> 
> regards, lowshoe
> 
> 

-- 
Brian Rectanus
Breach Security
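Added example, not from the console or from this list: a parser for the console.conf fragment shown above that reports which components still listen on all interfaces. The 0.0.0.0 default and the listeningIpAddress property name come from the thread; the two fragments are constructed, one with the ignored "host" key from the question and one with the corrected property.

```python
import re

# Constructed console.conf fragments: the one from the question (the "host"
# property, which the console does not recognise) and the corrected one.
BEFORE = '''<Source console com.thinkingstone.console.ConsoleComponent>
    Property host "127.0.0.1"
</Source>
'''
AFTER = '''<Source console com.thinkingstone.console.ConsoleComponent>
    Property listeningIpAddress "127.0.0.1"
</Source>
'''

SOURCE_RE = re.compile(r"<Source\s+(\S+)\s+(\S+)\s*>(.*?)</Source>", re.S)
PROPERTY_RE = re.compile(r'^\s*Property\s+(\S+)\s+"([^"]*)"', re.M)
DEFAULT_BIND = "0.0.0.0"  # what the console listens on when nothing is set


def parse_console_conf(text):
    """Return {source_name: {"class": ..., "properties": {name: value}}}."""
    sources = {}
    for name, cls, body in SOURCE_RE.findall(text):
        sources[name] = {"class": cls, "properties": dict(PROPERTY_RE.findall(body))}
    return sources


def bind_address(sources, name):
    """Address the named component will listen on, falling back to the default."""
    return sources[name]["properties"].get("listeningIpAddress", DEFAULT_BIND)


def is_loopback(addr):
    return addr == "localhost" or addr.startswith("127.")


def exposed_components(sources):
    """(name, reason) for every component not restricted to loopback; flags the
    misspelt 'host' key so the reader sees why the setting had no effect."""
    out = []
    for name, src in sources.items():
        addr = bind_address(sources, name)
        if not is_loopback(addr):
            reason = "binds to %s" % addr
            if "host" in src["properties"]:
                reason += " ('host' is not the property name; use listeningIpAddress)"
            out.append((name, reason))
    return out


if __name__ == "__main__":
    print("before:", exposed_components(parse_console_conf(BEFORE)))
    print("after: ", exposed_components(parse_console_conf(AFTER)))
```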


Ivan Ristic | 6 Mar 08:46

Re: bind console to localhost

On Fri, Mar 6, 2009 at 7:25 AM, Brian Rectanus
<Brian.Rectanus <at> breach.com> wrote:
> Sorry for the late reply.  While I agree "host" would have been an
> intuitive name for the property, it is "listeningIpAddress".
>
> Under the com.thinkingstone.console.ConsoleComponent section:
>
> Property listeningIpAddress "127.0.0.1"
>
> However, this is only the console component.  The RPC component still
> binds to 0.0.0.0:8887.  But, it will only accept connections from the
> "adminNetwork".

I may be wrong, but as far as I can remember the RPC component is not
used in the current version. It was initially designed for program
shutdown but I ended up using something else for that. Try removing it
from the configuration file altogether.

>
> -B
>
> John Doe wrote:
>> hi,
>>
>> is it possible to bind the modsecurity console to localhost:8888 only?
>> per default, the console is listening on 0.0.0.0:8888 <http://0.0.0.0:8888>.
>>
>> i already googled for a solution and only found the hint to add the
>> host-property to console.conf:
>>
>> <Source console com.thinkingstone.console.ConsoleComponent>
>>     [..]
>>
>>     Property host "127.0.0.1"
>>
>>     [..]
>> </Source>
>>
>> anyway, that didn't change anything. the console is still listening on
>> all interfaces.
>> is there a solution for this problem?
>>
>> regards, lowshoe
>>
>>
>
> --
> Brian Rectanus
> Breach Security
>

-- 
Ivan Ristic


Eduard Cercos | 6 Mar 12:56

mlogc: More information about error 409: X-Content-Hash

Hi!

I've reproduced the curl request via command line. My command:

$ ./curl -u user:password -T /path/to/data/20090306-094739-RHO-wNWwoyMAADEpJYEAAAkb https://IP_CONSOLE:8888/rpc/auditLogReceiver -k

And the response:

<html>
    <head>
        <title>409 Mandatory header 'X-Content-Hash' not found.</title>
    </head>

    <body>

        <h2>409 Mandatory header 'X-Content-Hash' not found.</h2>

        <!-- Padding:
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        #############################################
        -->

    </body>
</html>

What does it mean? How can I create the X-Content-Hash header?


Eduard
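Added example, not mlogc's code: it parses the audit log index line quoted in the first message of this thread (the one ending in md5:1b4107dd...), checks a stored entry's size and MD5 against the index line, and builds the extra headers for the PUT to /rpc/auditLogReceiver. The header names X-Content-Hash and X-ForensicLog-Summary are my recollection of what mlogc sends and should be treated as an assumption; the entry body is constructed.

```python
import hashlib
import re

# Index line exactly as it appears in the debug log excerpt quoted earlier in
# this thread (the debug log shows the quotes backslash-escaped; the index
# file itself has plain quotes).
EXCERPT_LINE = (
    r'server.xtec.net xx.xx.xx.xx - - [27/Feb/2009:13:19:38 +0100] '
    r'\"GET /xxxxxxx/admin/cron.php HTTP/1.1\" 403 229 \"-\" \"-\" '
    r'e4z3K9WwoyMAAGEgxu8AAAmP \"-\" '
    r'/20090227/20090227-1319/20090227-131938-e4z3K9WwoyMAAGEgxu8AAAmP 0 872 '
    r'md5:1b4107ddb93d3825104abb133fb63799'
)

# Field layout of one index line: host, client, two dashes, timestamp,
# request, status, bytes, referer, user agent, unique id, session id,
# relative path of the stored entry, offset, size, md5 of the entry.
INDEX_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<unique_id>\S+) '
    r'"(?P<session>[^"]*)" (?P<path>\S+) (?P<offset>\d+) (?P<size>\d+) '
    r'md5:(?P<md5>[0-9a-f]{32})\s*$'
)


def parse_index_line(line):
    """Split an audit log index line into its fields (offset/size as ints)."""
    plain = line.strip().replace('\\"', '"')  # undo the debug-log escaping
    m = INDEX_RE.match(plain)
    if m is None:
        raise ValueError("not an audit log index line: %r" % line)
    entry = m.groupdict()
    entry["offset"] = int(entry["offset"])
    entry["size"] = int(entry["size"])
    entry["raw"] = plain
    return entry


def content_hash(data):
    """Hash in the form the index line carries: 'md5:' + hex MD5 of the entry."""
    return "md5:" + hashlib.md5(data).hexdigest()


def verify_entry(entry, body):
    """Checks a receiver can make before accepting an upload: the bytes sent
    must have the size and MD5 the index line announces. Returns problems."""
    problems = []
    if len(body) != entry["size"]:
        problems.append("size %d != %d" % (len(body), entry["size"]))
    if content_hash(body) != "md5:" + entry["md5"]:
        problems.append("md5 mismatch")
    return problems


def submission_headers(entry, body):
    """Extra headers for the PUT. Assumption: mlogc sends the hash as
    X-Content-Hash and the index line itself as X-ForensicLog-Summary."""
    problems = verify_entry(entry, body)
    if problems:
        raise ValueError("refusing to submit: " + "; ".join(problems))
    return {"X-Content-Hash": content_hash(body),
            "X-ForensicLog-Summary": entry["raw"]}


# Constructed entry body standing in for the stored audit log file; its index
# line is generated from the body so that size and hash agree.
SAMPLE_BODY = (
    b"--5a1b2c3d-A--\n"
    b"[27/Feb/2009:13:19:38 +0100] e4z3K9WwoyMAAGEgxu8AAAmP 10.0.0.5 54321 10.0.0.1 80\n"
    b"--5a1b2c3d-B--\n"
    b"GET /xxxxxxx/admin/cron.php HTTP/1.1\nHost: server.xtec.net\n\n"
    b"--5a1b2c3d-Z--\n"
)
SAMPLE_PATH = "/20090227/20090227-1319/20090227-131938-e4z3K9WwoyMAAGEgxu8AAAmP"


def sample_index_line(body=SAMPLE_BODY):
    """Constructed index line for body, in the layout of the log excerpt."""
    return ('server.xtec.net 10.0.0.5 - - [27/Feb/2009:13:19:38 +0100] '
            '"GET /xxxxxxx/admin/cron.php HTTP/1.1" 403 229 "-" "-" '
            'e4z3K9WwoyMAAGEgxu8AAAmP "-" %s 0 %d %s'
            % (SAMPLE_PATH, len(body), content_hash(body)))


if __name__ == "__main__":
    print("sensor recorded:", parse_index_line(EXCERPT_LINE)["md5"])
    entry = parse_index_line(sample_index_line())
    print(submission_headers(entry, SAMPLE_BODY))
    print("tampered upload:", verify_entry(entry, SAMPLE_BODY + b"extra"))
```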
Ivan Ristic | 6 Mar 15:08

Re: mlogc: More information about error 409: X-Content-Hash

There's a description here:

http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/doc/modsecurity2-data-formats.xml?revision=1258&view=markup

And you can always inspect the mlogc source code for clues.

On Fri, Mar 6, 2009 at 11:56 AM, Eduard Cercos <ecercos <at> xtec.net> wrote:
> Hi!
>
> I've reproduced the curl request via command line. My command:
>
> $ ./curl -u user:password -T
> /path/to/data/20090306-094739-RHO-wNWwoyMAADEpJYEAAAkb
> https://IP_CONSOLE:8888/rpc/auditLogReceiver -k
>
> And the response:
>
> <html>
>     <head>
>         <title>409 Mandatory header 'X-Content-Hash' not found.</title>
>     </head>
>
>     <body>
>
>         <h2>409 Mandatory header 'X-Content-Hash' not found.</h2>
>
>         <!-- Padding:
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         #############################################
>         -->
>
>     </body>
> </html>
>
> What does it mean? How can I create the X-Content-Hash header?
>
>
> Eduard
> --------------------------------------------------------------------------------------------------------
>
>
>
> -------- Original message --------
> Subject: Modsecurity console don't show activity
> Date: Fri, 27 Feb 2009 14:14:08 +0100
> From: Eduard Cercos <ecercos <at> xtec.net>
> To: modsec-users <mod-security-users <at> lists.sourceforge.net>
>
> Hi everybody,
>
> I've just started using Modsecurity console. I'm trying to collect the
> audit logs but I haven't yet. All seems to work fine but I receive a
> #409 error when trying to submit the alerts. I don't know where to look.
>
> Thanks!
>
> More information:
> My sensor is in a Solaris 10 T2000, the console is in a Linux box with
> fedora 9.
> Here's an extract of my mlogc-error.log with level 5 debug:
>
> [Fri Feb 27 13:19:38 2009] [5] [24848/0] Read 261 bytes from pipe:
> `server.xtec.net xx.xx.xx.xx - - [27/Feb/2009:13:19:38 +0100] \"GET
> /xxxxxxx/admin/cron.php HTTP/1.1\" 403 229 \"-\" \"-\"
> e4z3K9WwoyMAAGEgxu8AAAmP \"-\"
> /20090227/20090227-1319/20090227-131938-e4z3K9WwoyMAAGEgxu8AAAmP 0 872
> md5:1b4107ddb93d3825104abb133fb63799 \n'
> [Fri Feb 27 13:19:38 2009] [5] [24848/0] Received audit log entry (count
> 3 queue 0 workers 0): server.xtec.net xx.xx.xx.xx - -
> [27/Feb/2009:13:19:38 +0100] \"GET /xxxxxxx/admin/cron.php HTTP/1.1\"
> 403 229 \"-\" \"-\" e4z3K9WwoyMAAGEgxu8AAAmP \"-\"
> /20090227/20090227-1319/20090227-131938-e4z3K9WwoyMAAGEgxu8AAAmP 0 872
> md5:1b4107ddb93d3825104abb133fb63799
> [Fri Feb 27 13:19:38 2009] [4] [24848/0] Processed 1 entries from buffer.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Worker thread starting.
> [Fri Feb 27 13:19:38 2009] [5] [24848/0] Shifted buffer back 261 and
> offset 0 bytes for next read: `'
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Locking mutex.
> [Fri Feb 27 13:19:38 2009] [5] [24848/0] Internal state: [evnt "0"][curr
> "0"][next "0"][nbytes "65536"]
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Getting one entry from the
> queue.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Got one job.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Processing entry.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Regular expression matched.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] File found, activating cURL.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Connection #0 seems
> to be dead!
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Closing connection #0
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS alert,
> Client hello (1):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: About to connect() to
> 10.155.x.x port 8888 (#0)
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL:   Trying 10.155.x.x...
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: connected
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Connected to
> 10.155.x.x (10.155.x.x) port 8888 (#0)
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSL re-using session ID
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake,
> Client hello (1):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake,
> Server hello (2):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS change
> cipher, Client hello (1):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake,
> Finished (20):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS change
> cipher, Client hello (1):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSLv3, TLS handshake,
> Finished (20):
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSL connection using
> EDH-RSA-DES-CBC3-SHA
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Server certificate:
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t subject:
> /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t start date:
> 2006-06-25 14:13:59 GMT
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t expire date:
> 2008-06-24 14:13:59 GMT
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: \t issuer:
> /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: SSL certificate
> verify result: self signed certificate (18), continuing anyway.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Server auth using
> Basic with user 'wiphe'
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] CURL: Connection #0 to host
> 10.155.x.x left intact
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Request returned with
> status "409 Parsing failed.": e4z3K9WwoyMAAGEgxu8AAAmP
> [Fri Feb 27 13:19:38 2009] [2] [24848/b4070] Failed to submit entry with
> "409 Parsing failed.": e4z3K9WwoyMAAGEgxu8AAAmP
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Sleeping for 50 msec.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Loop completed.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Locking mutex.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Removing previous entry
> from storage.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Getting one entry from the
> queue.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] No more work for this
> thread, exiting.
> [Fri Feb 27 13:19:38 2009] [4] [24848/b4070] Thread done.
> [Fri Feb 27 13:19:40 2009] [5] [24848/361d0] Management thread: Processing
> [Fri Feb 27 13:19:40 2009] [5] [24848/361d0] Management thread: Last
> checkpoint was 5 seconds ago.
>
>
> Eduard
>
>
> --
> Regards,
>
> Eduard Cercós
> Arquitectura Tecnològica
> Departament d'Educació
>

-- 
Ivan Ristic


Folha Verde™ | 6 Mar 14:54

Spam Attack

Hi,
I use ModSec2.2 and frequently receive SPAM attacks via URL as below:
http://www.domain_hosted_in_my_server.com/index.php?variablephp=http://externaldomain.com/some_spam_script

And the "some_spam_script" is a PHP script that sends spam mail.

How do I create a rule to block this attack?


Thank you,

FVerde.
Brett Cooper | 6 Mar 20:07

Re: Spam Attack

As far as I am aware, this is an RFI attack. This rule (I think) is part 
of one of the optional rule sets for Mod Security.

#
# RFI Attack
#
SecRule ARGS "^(?:ht|f)tp:/" \
    "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"

It should block those with the 501 error.

--Brett

Folha Verde™ wrote:
> Hi,
> I use ModSec2.2 and frequently receive SPAM attacks via URL as below:
> http://www.domain_hosted_in_my_server.com/index.php?variablephp=http://externaldomain.com/some_spam_script
>
> And the "some_spam_script" is a PHP script that sends spam mail.
>
> How do I create a rule to block this attack?
>
>
> Thank you,
>
> FVerde.

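As an added example (not Brett's code and not part of the ModSecurity rule set), the Python below emulates what rule 950117 does to each query-string argument: apply htmlEntityDecode and lowercase, then test the anchored pattern. It runs over constructed sample requests modelled on the URL in the question, with placeholder hosts.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Operator and transformation chain of the rule quoted above (id 950117).
RFI_PATTERN = re.compile(r"^(?:ht|f)tp:/")

def transform(value):
    """Emulate t:none,t:htmlEntityDecode,t:lowercase on one argument value (simplified)."""
    return html.unescape(value).lower()

def args_from_url(url):
    """Split the query string into ARGS name/value pairs, URL-decoded as the engine does."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def matching_args(url):
    """Names of ARGS whose transformed value the RFI pattern matches (empty list = request passes)."""
    return [name for name, value in args_from_url(url) if RFI_PATTERN.search(transform(value))]

# Constructed sample requests (placeholder hosts, not the poster's real ones).
SAMPLES = {
    "spam script":    "http://www.example.test/index.php?variablephp=http://externaldomain.test/some_spam_script",
    "uppercase":      "http://www.example.test/index.php?variablephp=HTTP://externaldomain.test/x",
    "entity encoded": "http://www.example.test/index.php?variablephp=%26%23104%3Bttp://externaldomain.test/x",
    "benign":         "http://www.example.test/index.php?page=news&id=42",
    "url mid-value":  "http://www.example.test/index.php?q=see%20http://other.test/",  # not anchored at start
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        hit = matching_args(url)
        print(f"{label:15} -> {'BLOCK 501 on ' + ','.join(hit) if hit else 'pass'}")
```

A legitimate parameter whose value starts with a full URL (a redirect target, for instance) matches just as well, so expect to add exclusions for such arguments when deploying the rule.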

Art Age Software | 7 Mar 03:23

Having Trouble Fixing False Positive

Hi,

Hoping someone can help me figure out what I'm doing wrong. I'm seeing
a bunch of false positives when rule #959006 fires due to specific
strings that show up in a specific google analytics cookie. The cookie
name is "__utmz" so I created a replacement rule that excludes that
cookie by name as follows:

----
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^__utmz$/
\

SecRuleRemoveById 959006
-----

However, mod-security is now firing the same false positive against my
new rule. I can see it is matching against the new rule (#101) and
against the very cookie that I excluded (__utmz):

----
Message: Access denied with code 501 (phase 2). Pattern match
"/big-pattern-omitted/" at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "11"]
[id "101"] [msg "System Command Injection"]
----

Any idea what I'm doing wrong here? I followed the procedure outlined
in this article:
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

Thanks,

Sam

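As an added illustration (not from the post and not ModSecurity's own code), the Python below resolves the variable list of the rule above against a constructed request and lists the targets the rule would still inspect. It assumes the engine's per-collection exclusion semantics: a "!" item removes entries only from the collection it names, so dropping __utmz from REQUEST_COOKIES_NAMES leaves REQUEST_COOKIES:__utmz in place, which is the target named in the alert quoted above. XML:/* is left out because the constructed request has no body.

```python
import re

# Constructed request (not from the post): the __utmz cookie plus a session cookie.
COOKIES = {"__utmz": "1.2.3.4.utmcsr=(direct)|utmccn=(direct)", "sid": "abc123"}
REQUEST = {
    "REQUEST_HEADERS": {"Host": "www.example.test", "Referer": "http://www.example.test/",
                        "Cookie": "; ".join(f"{k}={v}" for k, v in COOKIES.items())},
    "REQUEST_COOKIES": COOKIES,                          # keyed by name, holds the values
    "REQUEST_COOKIES_NAMES": {k: k for k in COOKIES},    # keyed by name, holds the names
}

# Variable list from the post (XML:/* left out: the constructed request has no body).
POSTED_SPEC = ("REQUEST_HEADERS|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'"
               "|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^__utmz$/")

def split_spec(spec):
    """Split on '|' except inside a quoted or /regex/ selector, which may contain '|'."""
    items, buf, closer = [], "", None
    for ch in spec:
        if closer:                              # inside a selector: copy until it closes
            buf += ch
            closer = None if ch == closer else closer
        elif ch in "'/" and buf.endswith(":"):  # a selector starts right after the colon
            buf += ch
            closer = ch
        elif ch == "|":
            items.append(buf)
            buf = ""
        else:
            buf += ch
    items.append(buf)
    return items

def selector_matches(sel, name):
    """Selector is a literal name or a /regex/ tested against the name; None selects all."""
    if sel is None:
        return True
    if len(sel) >= 2 and sel[0] == sel[-1] == "/":
        return re.search(sel[1:-1], name) is not None
    return sel == name

def expand_targets(spec, request):
    """Resolve a variable list to the 'COLLECTION:name' targets the rule will inspect.
    Assumed engine semantics: a '!' item removes entries only from the collection it names."""
    targets = []
    for item in split_spec(spec):
        negated = item.startswith("!")
        coll, _, sel = item.lstrip("!").partition(":")
        sel = sel.strip("'") or None
        members = [f"{coll}:{n}" for n in request.get(coll, {}) if selector_matches(sel, n)]
        if negated:
            targets = [t for t in targets if t not in members]
        else:
            targets += [m for m in members if m not in targets]
    return targets
```

Running expand_targets(POSTED_SPEC, REQUEST) still lists REQUEST_COOKIES:__utmz; appending an exclusion on the REQUEST_COOKIES collection itself is what removes it in this model.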
