OSSEC junkie | 1 Jul 22:27
Picon

501 Message Not Implemented Question

I am trying to configure a user-friendly error page to replace the 501 Method Not Implemented page, as suggested by the modsecurity_crs_10_config.conf file.  I cannot for the life of me determine where this is located.  I am looking at my Apache conf file for the correct path to the 501 error page; I modify the page, then stop and restart Apache.  I clear my cache and run the test, and I still get the default Method Not Implemented page instead of my custom page.  I even went as far as deleting all the error pages from the machine, stopping/starting Apache and clearing the cache, and I still received the error page.  Is this something inside of ModSecurity itself I'm missing?  I looked at the Reference Manual but nothing stood out as to what to do and where to go.

If you could point me in the right direction, that would be super.

------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
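Added here as an illustration, not as part of the post above: the page Apache shows for a ModSecurity deny is whichever ErrorDocument is set for the status code the deny action uses, in the context that serves the request, and those are the two places this kind of mismatch usually hides. Paths, the rule-pack default action line and the virtual host below are assumptions.

```apache
# Added illustration, not from the post. The stock "Method Not Implemented"
# page is Apache's built-in 501 response; a custom page replaces it only when
# (a) an ErrorDocument exists for the status code the deny action actually
# uses, and (b) that ErrorDocument is in effect for the context that serves
# the request. Paths and the virtual host below are assumptions.

# (a) The status code comes from the rules' deny action. The default action is
# shown here only to make the pairing visible; the rule pack's own line may
# set a different code, and ErrorDocument must match that code, not 403/500.
SecDefaultAction "phase:2,deny,log,status:501"
ErrorDocument 501 /errors/blocked.html

# (b) Scope. A server-level ErrorDocument is inherited by each <VirtualHost>
# unless the vhost (or a <Directory> / .htaccess under it) sets its own, in
# which case editing the server-level line has no visible effect. Find the
# vhost that answers the test request with "apachectl -S" and check it:
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    ErrorDocument 501 /errors/blocked.html
</VirtualHost>
```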
Dimitri Yioulos | 2 Jul 16:33
Favicon

New installation woes

Hello, all.

I've had version 1.9.4 running on a CentOS 4 box 
with httpd-2.0.2 for quite a while now.  
Yesterday, I decided to install the latest 
version.  I followed the installation guide, and  
apache started fine.  But, my tests with nikto 
and MetoScan don't seem to be caught.

I think I configured the logger correctly, but no 
data are written to /var/log/mlogc/data.  And, 
mlogc-error.log reports the following:

ModSecurity Audit Log collector 2.5.9 started
Queue file not found. New one will be created.

Is that normal?

What information should I provide so that someone 
might help me?  I'm pulling my hair out!

Many thanks.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Walt Williams | 2 Jul 16:44

Re: New installation woes

What modifications did you make to httpd.conf?


-- 
Walt Williams, CISSP, SSCP
Ergo inimicus vobis factus sum, verum dicens vobis?


Dimitri Yioulos | 2 Jul 17:02

Re: New installation woes

LoadModule security2_module modules/mod_security2.so
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua.so.5.0

The LoadModule directive is all on one line.

Dimitri

P.S. - is top-posting OK?




Mike Duncan | 2 Jul 17:38

Re: New installation woes


Ensure that the Apache process user (as defined in the httpd.conf file
by the directive User) has write permission to the data directory. There
are a couple of directories which that UID needs to write to as well,
but do not chown the entire mlogc installation base. The data and logs
directories are the only ones I know of that need write permissions. You
may also need to ensure that the bin/mlogc binary is executable, but I
think that part is working for you (from your writings above).

HTH.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

Dimitri Yioulos | 2 Jul 17:38

Re: New installation woes

On Thursday 02 July 2009 11:14:39 am you wrote:
>
> Do you have an include statement, as in
> "include conf/modsecurity/*.conf" ?
>
> --
> Walt Williams, CISSP, SSCP
> Ergo inimicus vobis factus sum, verum dicens
> vobis?

Ah, some light!

Just before your reply arrived, I saw a post that 
referred to  "include conf/modsecurity/*.conf".  
My httpd.conf still had the old "Include 
conf.d/*.conf" (conf.d is where the 
old "modsecurity.conf" lived.  I incorrectly 
thought that copying "modsecurity_example.conf" 
to "conf.d/modsecurity.conf", with appropriate 
changes, would work).  When I changed the 
httpd.conf directive to "Include 
conf.d/modsecurity/*.conf", I got the following 
in /var/log/httpd/error_log:

[Thu Jul 02 11:17:59 2009] [error] [client 
192.168.101.55] ModSecurity: Access denied with 
code 404 (phase 2). Pattern match "(?:
\\b(?:m(?:ozilla\\/4\\.0 \\(compatible\\)|etis)|
webtrends security analyzer|pmafind)\\b|
n(?:-stealth|sauditor|essus|ikto)|
b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|
webinspect|\\.nasl)" at 
REQUEST_HEADERS:User-Agent. 
[file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf"] 
[line "19"] [id "990002"] [msg "Request Indicates 
a Security Scanner Scanned the Site"] 
[severity "CRITICAL"] 
[tag "AUTOMATION/SECURITY_SCANNER"] 
[hostname "www.firstbhph.com"] 
[uri "/robots.txt"] 
[unique_id "i5OTBMCoAQMAAFn8lyMAAAAC"]

Excellent!  Thank you for pointing that out, 
nonetheless.

It gets better.  As well, I changed ownership 
on /var/log/mlogc to apache, and now all logging 
is working, as is modsecurity console.

I do have another question that I hope you'll be 
kind enough to help me with.  I'd like to 
whitelist my own network, as I'm getting the 
following:

[Thu Jul 02 11:30:13 2009] [error] [client 
192.168.100.74] ModSecurity: Access denied with 
code 400 (phase 2). Pattern match "^[\\d\\.]+$" 
at REQUEST_HEADERS:Host. 
[file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] 
[line "60"] [id "960017"] [msg "Host header is a 
numeric IP address"] [severity "CRITICAL"] 
[tag "PROTOCOL_VIOLATION/IP_HOST"] 
[hostname "192.168.1.3"] 
[uri "/rci/rci_command_7288.txt"] 
[unique_id "t0keNMCoAQMAAFn7leIAAAAB"]
[Thu Jul 02 11:30:13 2009] [error] [client 
192.168.100.74] ModSecurity: Access denied with 
code 400 (phase 2). Pattern match "^[\\d\\.]+$" 
at REQUEST_HEADERS:Host. 
[file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] 
[line "60"] [id "960017"] [msg "Host header is a 
numeric IP address"] [severity "CRITICAL"] 
[tag "PROTOCOL_VIOLATION/IP_HOST"] 
[hostname "192.168.1.3"] 
[uri "/rci/rci_command_7288.txt"] 
[unique_id "t0keNMCoAQMAAFn7leIAAAAB"]

It's obviously important that our own requests not 
be blocked.

Dimitri



Dimitri Yioulos | 2 Jul 17:57

Re: New installation woes

On Thursday 02 July 2009 11:48:15 am you wrote:
> http://www.modsecurity.org/documentation/faq.html#d0e400 should help you with the white list.
>
>
> --
> Walt Williams, CISSP, SSCP
> Ergo inimicus vobis factus sum, verum dicens
> vobis?

Walt,

I'm looking at the FAQ, but am not sure where to 
put the directive.  And, if I want to whitelist 
the entire network, would I use the 
construct "SecRule 
REMOTE_ADDR "^192\.168\.100\.0$" etcetc"?

Thanks.

Dimitri



Dimitri Yioulos | 2 Jul 18:59

Re: New installation woes

Thanks, Ryan.

And the whitelist rule(s) go 
into "modsecurity_crs_10_config.conf"?

Dimitri

On Thursday 02 July 2009 12:53:04 pm you wrote:
> When you are using regex and you want to
> specify a network block range, use the
> beginning of line anchor and then specify the
> first 3 octets and then don't use the end of
> line anchor like this -
>
> SecRule REMOTE_ADDR "^192\.168\.100\."
>
> Ryan C. Barnett
> Director of Application Security Research
> Breach Security, Inc.
> Ryan.Barnett <at> Breach.com
> <blocked::mailto:Ryan.Barnett <at> Breach.com>
> www.Breach.com <http://www.breach.com/>



Ryan Barnett | 2 Jul 18:53

Re: New installation woes

When you are using regex and you want to specify a network block range, use the beginning of line anchor and
then specify the first 3 octets and then don't use the end of line anchor like this -

SecRule REMOTE_ADDR "^192\.168\.100\."

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett <at> Breach.com
www.Breach.com

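The whitelist that Ryan's regex builds, written out as an added example (not Dimitri's or Ryan's configuration) in the form of the FAQ entry linked earlier in the thread; it can go into modsecurity_crs_10_config.conf or into any file the Include picks up before the rule files, since Apache reads wildcard includes in alphabetical order. The file name and rule id below are assumptions.

```apache
# Added example, not from the thread: whitelist a whole /24 before the CRS runs.
# Assumed layout: httpd.conf has "Include conf.d/modsecurity/*.conf"; Apache
# processes wildcard includes in alphabetical order, so this file is named to
# sort after modsecurity_crs_10_config.conf and before the rule files.
# File: conf.d/modsecurity/modsecurity_crs_15_local_whitelist.conf (assumed name)

# WRONG: the "$" right after "0" anchors the end of the value, so this matches
# only the single address 192.168.100.0 and nothing else on the network.
# SecRule REMOTE_ADDR "^192\.168\.100\.0$" "phase:1,nolog,allow,ctl:ruleEngine=Off"

# RIGHT: anchor the start, match the first three octets and the trailing dot,
# and leave the last octet free (Ryan's construct). The \d{1,3}$ tail keeps the
# match to a complete dotted quad; it is tighter than an open end, not required.
# Phase 1 runs before the CRS's phase-2 rules, "allow" ends rule processing for
# this transaction and ctl:ruleEngine=Off switches the engine off for it as well.
SecRule REMOTE_ADDR "^192\.168\.100\.\d{1,3}$" \
    "phase:1,id:900100,nolog,allow,ctl:ruleEngine=Off"
```

A whitelist this broad trusts every host on the subnet, so the audit log no longer records what those hosts send; narrow the regex to the specific scanner or monitoring addresses if that record matters.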
Yi Li | 7 Jul 00:32

is it possible to have different settings for different rules

Will appreciate any help here.

I need to configure 2 sets of rules.
rule set 1. blocking by remote IP address
rule set 2. the mod_security recommended rule pack (downloaded from web site)

For rule set 1, I need them to actually be on, as I know for sure I need them.
For rule set 2, I would like to run in logging-only mode, meaning the rule only triggers a log entry, instead of blocking the incoming request.

Is this possible and if so, how could I do this?
Thanks again.

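One way to get the two behaviours Yi Li asks for in ModSecurity 2.5, as an added example that is not part of this thread: the blocking rules carry an explicit deny in phase 1, and a following ctl action drops the engine to DetectionOnly for the rest of the transaction before the rule pack is included. The block-list addresses, rule ids and the pack's file glob are assumptions.

```apache
# Added example, not from the thread: one engine, two outcomes. Rule set 1
# (block by remote address) runs first in phase 1 with an explicit "deny";
# rule set 2 (the downloaded pack) is then switched to DetectionOnly for the
# remainder of the transaction, so its matches are logged but never block.
# Addresses and rule ids are constructed; the pack's file names are assumed
# to follow the modsecurity_crs_*.conf naming used elsewhere in this thread.

SecRuleEngine On

# Rule set 1: blocking by remote IP. The regex is anchored, so 10.0.0.3 does
# not also match 10.0.0.30, and "deny" is on the rule itself, so it blocks
# regardless of what SecDefaultAction says.
SecRule REMOTE_ADDR "^(?:203\.0\.113\.45|198\.51\.100\.7)$" \
    "phase:1,id:900200,deny,log,status:403,msg:'Remote address on block list'"

# Boundary: every request that survived rule set 1 is downgraded to
# DetectionOnly for its remaining phases (ctl:ruleEngine takes the same values
# as SecRuleEngine). Rules in one phase run in configuration order, so this
# line must come after the blocking rules and before the pack is included.
SecAction "phase:1,id:900201,nolog,pass,ctl:ruleEngine=DetectionOnly"

# Rule set 2: the downloaded pack, now log-only for this transaction. Whatever
# disruptive action its rules carry is reported as a warning in error_log and
# in the audit log instead of being enforced.
Include conf.d/modsecurity/modsecurity_crs_*.conf
```

Because the downgrade is per transaction, a request from a blocked address never reaches it; every other request gets the pack's full logging with no blocking, which is the split asked for.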
