eliot joslin | 1 Apr 03:14

compiling mod_security question

I am having an issue; perhaps someone can help. I have compiled Apache 2.2.11 on
Ubuntu 6.06.2 LTS (Dapper) with the following configure:
./configure --prefix=/etc/apache2 --with-mpm=worker --disable-actions
--disable-auth --disable-authn_file --disable-authn_default
--disable-authz_groupfile --disable-authz_user --disable-authz_default
--disable-auth_basic -disable-alias --disable-asis --disable-autoindex
--disable-cgi --disable-cgid --disable-charset-lite --disable-env
--disable-imagemap --disable-include --disable-negotiation --disable-setenvif
--disable-status --disable-userdir --disable-filter  --enable-proxy 
--disable-proxy_ajp --disable-proxy_ftp --enable-proxy-balancer
--enable-proxy-connect --enable-proxy-http --enable-rewrite --enable-ssl
--enable-unique-id --enable-module=shared

I have also compiled mod_security as follows: ./configure
--with-apxs=/etc/apache2/bin/apxs --with-apr=/etc/apache2/bin/apr-1-config

But when I attempt to start Apache I get the following error, which looks like a
version mismatch between the mod_security module and Apache. Any help would
be great...

./apachect start
httpd: Syntax error on line 413 of /etc/apache2/conf/httpd.conf: API module
structure 'security2_module' in file /etc/apache2/modules/mod_security2.so is
garbled - expected signature 41503232 but saw 41503230 - perhaps this is not an
Apache module DSO, or was compiled for a different Apache version?

------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net

jmathew | 1 Apr 17:29

Re: mod_security

Thank you for your guidance, Brian. Could you please let me know how to incorporate the X-Forwarded field in
the rule and use the "if" condition.

Thanks again...
Regards,
Jessy 

-----Original Message-----
From: Brian Rectanus [mailto:Brian.Rectanus <at> breach.com] 
Sent: Tuesday, March 31, 2009 6:50 PM
To: Mathew Jessy (HCC1MJM)
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] mod_security

Jessy Mathew wrote:
> Hello,
>
> Could you please let me know if there is a way in mod_security to
> throttle requests based on IP within a defined period of time,
> e.g. if the number of requests from a particular IP address exceeds 90
> requests in a 5 minute interval, flag the IP address and block it for
> 60 minutes. By default, the requests should be throttled based on
> X-Forwarded field IP addresses. If the X-Forwarded field is not present,
> throttle requests based on the real client IP.
>
> Thanks in advance,
> Jessy

The archives are a good place to look for things like this...


Mark Lavi | 1 Apr 20:28

Re: compiling mod_security question

Eliot:

You will need to do some troubleshooting; my guess is that you have
library conflicts.

Remove any OS distribution versions of Apache (if they exist and are not
necessary) and repeat compiling from scratch (make clean, etc.) since
you appear to be compiling from source.

Next, you should be explicit and add
--with-apu=${path.to}/bin/apu-1-config for modsecurity. In addition,
ensure your make test completed!

Finally, use ldd on bin/httpd and modules/mod_security2.so to see what
shared libraries they are using. You want to see that they are using the
same (expected) libraries you've compiled against and not other
libraries on your LD_LIBRARY_PATH.

I can't elaborate too much more, but your strategy should be to
eliminate any possible conflicts by removing anything and by being
explicit on your environment.

Good luck, I hope this helps.
..............................

Mark Lavi

Senior Web Producer

SGI

Re: mod_security

Hi Jessy,

let's see what we have here... Some comments on Ryan's rules from the  
post referred to by Brian:

     #
     # we initialize the IP collection, i.e. we create the IP collection and
     # associate it with the client's IP, i.e. we now have a collection
     # associated with the remote address.
     #
     SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
                   setvar:request_count=+1,expirevar:request_count=86400

     #
     # we make sure that the client can access the "limit_exceeded_page.html" by
     # any means, even if he is blocked
     #
     SecRule REQUEST_URI "/limit_exceeded_page\.html" "log,allow,ctl:ruleEngine=off"

     #
     # we check if the REQUEST_COUNT variable in the IP collection is above the
     # threshold of 2000 requests per IP address and take further actions, by
     # setting the "blocked" variable
     #
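Jessy's earlier question (count requests per client, prefer the X-Forwarded-For address, fall back to the real peer address, and block for an hour once 90 requests in 5 minutes are exceeded) written out as a complete ModSecurity 2.x rule set. This is an added example, not Ryan's rules or anything posted to the list; the SecDataDir path, the tx.client_ip variable name and the status code are my assumptions.

```apache
# Persistent collections (the IP collection below) need a data directory.
# The path is an assumption; use one writable by the Apache user.
SecDataDir /var/cache/modsecurity

# Step 1: pick the address to throttle on. If an X-Forwarded-For header is
# present, capture its first (leftmost) IPv4 address into tx.client_ip ...
SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*(\d{1,3}(?:\.\d{1,3}){3})" \
    "phase:1,t:none,nolog,pass,capture,setvar:tx.client_ip=%{TX.1}"

# ... otherwise (the "if": tx.client_ip is still unset) use the real peer.
SecRule &TX:client_ip "@eq 0" \
    "phase:1,t:none,nolog,pass,setvar:tx.client_ip=%{REMOTE_ADDR}"

# Step 2: one collection per client address; bump the counter and let it
# expire 300 s after the most recent hit. Note this is an idle-timeout
# window, not a fixed 5-minute bucket: steady traffic keeps it alive.
SecAction "phase:1,nolog,pass,initcol:ip=%{TX.client_ip},setvar:ip.request_count=+1,expirevar:ip.request_count=300"

# Step 3: more than 90 requests in the window -> flag the address for
# 3600 s and reset the counter so the flag, not the count, drives blocking.
SecRule IP:REQUEST_COUNT "@gt 90" \
    "phase:1,t:none,nolog,pass,setvar:ip.blocked=1,expirevar:ip.blocked=3600,setvar:ip.request_count=0"

# Step 4: refuse every request from a flagged address while the flag lives.
SecRule IP:BLOCKED "@eq 1" \
    "phase:1,t:none,log,deny,status:403,msg:'Rate limit exceeded, %{TX.client_ip} blocked for 60 minutes'"
```

X-Forwarded-For is set by whoever sends the request, so a client talking to Apache directly can put any value in it and be counted under that address; only honour the header when REMOTE_ADDR is one of your own proxies, and use REMOTE_ADDR alone everywhere else.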

Eric Langheinrich | 2 Apr 20:59

Problem with chained rules


I'm new to mod_security and am just starting to play around with rule sets.
I am running into a problem where I have a chained rule that is getting
applied even when one of the tests isn't satisfied.

The rule is:

SecRule RESPONSE_CONTENT_TYPE "^text/html" \
    "chain,phase:4,log,pass,append:'<hr><div style=\"background-color: #ff0000\"><b>Your Computer is Infected</div>'"
SecRule REMOTE_ADDR "@pmFromFile /usr/local/apache2/greylists/pt.mydomain.org"

What's happening is the div is getting added regardless of whether the
REMOTE_ADDR is in the file.

Any help would be greatly appreciated.


Brian Rectanus | 2 Apr 21:48

Re: Problem with chained rules

Eric Langheinrich wrote:
>
>
> I'm new to mod_security and am just starting to play around with rule sets.
> I am running into a problem where I have a chained rule, that is getting
> applied even when one of the tests isn't satisfied.
>
> The rule is:
>
> SecRule RESPONSE_CONTENT_TYPE "^text/html"
> "chain,phase:4,log,pass,append:'<hr><div style=\"background-color:
> #ff0000\"><b>Your Computer is Infected</div>'"
> SecRule REMOTE_ADDR "@pmFromFile
> /usr/local/apache2/greylists/pt.mydomain.org"
>
> What's happening is the div is getting added regardless of if the
> REMOTE_ADDR is in the file.
>
> Any help would be greatly appreciated.

Any non-disruptive action will get executed for each sub-rule in a
chain.  Put the non-disruptive actions in the last sub-rule in the
chain.  However, disruptive actions must still go in the chain starter.
A bit confusing.

SecRule RESPONSE_CONTENT_TYPE "^text/html" "chain,phase:4,log,pass"
SecRule REMOTE_ADDR "@pmFromFile /usr/local/apache2/greylists/pt.mydomain.org" \
    "append:'<hr><div style=\"background-color: #ff0000\"><b>Your Computer is Infected</div>'"


Eric Langheinrich | 2 Apr 22:09

Re: Problem with chained rules


> 
> Any non-disruptive action will get executed for each sub-rule 
> in a chain.  Put the non-disruptive actions in the last 
> sub-rule in the chain.  However, disruptive actions must 
> still go in the chain starter. 
>   A bit confusing.
> 
> SecRule RESPONSE_CONTENT_TYPE "^text/html" "chain,phase:4,log,pass"
> SecRule REMOTE_ADDR "@pmFromFile
> /usr/local/apache2/greylists/pt.mydomain.org" "append:'<hr><div
> style=\"background-color: #ff0000\"><b>Your Computer is 
> Infected</div>'"
> 
> -B
> 

I moved the append down as you show above and now the content isn't getting
inserted. I am a bit confused by the disruptive action section. The pass is
required to be on the first rule. If it behaves like the non-disruptive
actions, won't it occur regardless of whether all of the tests in the chain are
met?

For example, if I have the following default rule:

SecDefaultAction log,deny,phase:1,redirect:http://www.myotherdomain.com

Assuming the natural result of visiting www.mydomain.org is to return
text/html, the pass will always take effect. Is that right? From what I've
been playing around with, that seems to be the case.

Brian Rectanus | 3 Apr 01:27

Re: Problem with chained rules

Eric Langheinrich wrote:
>
>
>> Any non-disruptive action will get executed for each sub-rule
>> in a chain.  Put the non-disruptive actions in the last
>> sub-rule in the chain.  However, disruptive actions must
>> still go in the chain starter.
>>    A bit confusing.
>>
>> SecRule RESPONSE_CONTENT_TYPE "^text/html" "chain,phase:4,log,pass"
>> SecRule REMOTE_ADDR "@pmFromFile
>> /usr/local/apache2/greylists/pt.mydomain.org" "append:'<hr><div
>> style=\"background-color: #ff0000\"><b>Your Computer is
>> Infected</div>'"
>>
>> -B
>>
>
> I moved the append down as you show above and now the content isn't getting
> inserted. I am a bit confused by the disruptive action section. The pass is
> required to be on the first Rule. If it behaves like the non-disruptive
> actions won't it occur regardless of if all of the tests in the chain are
> met?
>
> For example, if I have the following default rule:
>
> SecDefaultAction log,deny,phase:1,redirect:http://www.myotherdomain.com
>
> Assuming the natural result of visiting www.mydomain.org is to return
> txt/html the pass will always take effect. Is that right? From what I've

OSSEC junkie | 7 Apr 01:48

Error on installation

When trying to install ModSecurity on Apache 2.11, I get this error message; any ideas?

checking for libapr config script... no

configure: *** apr library not found.

configure: error: apr library is required

Tedi Heriyanto | 7 Apr 05:34

Re: Error on installation

On Tue, Apr 7, 2009 at 6:48 AM, OSSEC junkie <ossec.junkie <at> gmail.com> wrote:
> when trying to install ModSecurity on Apache 2.11, I get this error message,
> any ideas?
>
> checking for libapr config script... no
>
> configure: *** apr library not found.
>
> configure: error: apr library is required
According to the error message, you need to install the apr library.

In my system (openSUSE-based), the package name is libapr1. You may
need to install libapr1-devel too.

-- 
cheers,

tedi
Blog      : http://theriyanto.wordpress.com
Website : http://tedi.heriyanto.net
You Need More Than Awareness : Stay Alert!
