Jigar Raval | 3 Dec 04:26

modsecurity error

Hello,

We have configured modsecurity and we are getting the following error in our mail log.

Output filter: Error while forwarding response data (103): Software caused connection abort

What could be the reason? How to solve it?

Thank you 

Regards
Jigar

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

SAJAL BHATIA | 4 Dec 03:45

Regarding the core rule set

Hi, 

I have installed the Mod Security module into my Apache2 server using libapache-mod-security. Since I am
using the Ubuntu distribution, it was available through aptitude. Now I want to incorporate the core rule set
and test whether the installed Mod Security module is working. Can you suggest the appropriate way to perform
these two tasks?

Awaiting a prompt response.

Thanks and Regards 

----
Sajal Bhatia
Research Masters Student
QUT, Brisbane
AUSTRALIA


Junyong Jiang | 4 Dec 09:00

About the rules action

Dear all:
 
When I use modsecurity to protect my website, I came across the following problems:
1. When I use the deny action to prevent a client attack, the action is '1'.
2. When I use the pass action, the action id is '2'.
3. When I use the allow action, the action id is also '1'.
 
The action id is recorded in the debug log file.
At first I guessed that '1' equals 'forbidden' and '2' is not forbidden, however it is wrong.
 
Can anyone give me some explanations?
Thanks in advance.
------------------------------------------------------------------------------
Ryan Barnett | 4 Dec 14:40

Re: About the rules action

On Friday 04 December 2009 03:00:23 am Junyong Jiang wrote:
> Dear all:
> 
> When I use modsecurity to protect my website, I came across the following
>  problems: 1. When I use the deny action to prevent a client attack, the action
>  is '1'. 2. When I use the pass action, the action id is '2'.
> 3. When I use the allow action, the action id is also '1'.
> 
> The action id is recorded in the debug log file.
> At first I guessed that '1' equals 'forbidden' and '2' is not forbidden, however
>  it is wrong.
> 
> Can anyone give me some explanations?
> Thanks in advance.
> 

Brian or Ivan can answer this better, however I believe that what the 
debug_log action is showing is that in both the deny/allow actions, the normal 
request phase processing is changed and 1 means that it will skip directly to 
phase:5 logging.  Pass continues with normal processing.

-Ryan


Ivan Ristic | 4 Dec 15:12

Re: About the rules action

That's correct. The correct terminology here is "log levels". There
can be only one message with log level 1 (error) per transaction. Log
level 2 means warning and log level 3 means notice.

Neither of those will mean forbidden, actually. To figure out whether
a transaction was forbidden you need to look into the message. All the
possible variants are described in the Data Formats document, which is
included with ModSecurity.

On Fri, Dec 4, 2009 at 1:40 PM, Ryan Barnett <ryan.barnett <at> breach.com> wrote:
> On Friday 04 December 2009 03:00:23 am Junyong Jiang wrote:
>> Dear all:
>>
>> When I use modsecurity to protect my website, I came across the following
>>  problems: 1. When I use the deny action to prevent a client attack, the action
>>  is '1'. 2. When I use the pass action, the action id is '2'.
>> 3. When I use the allow action, the action id is also '1'.
>>
>> The action id is recorded in the debug log file.
>> At first I guessed that '1' equals 'forbidden' and '2' is not forbidden, however
>>  it is wrong.
>>
>> Can anyone give me some explanations?
>> Thanks in advance.
>>
>
> Brian or Ivan can answer this better, however I believe that what the
> debug_log action is showing is that in both the deny/allow actions, the normal
> request phase processing is changed and 1 means that it will skip directly to
> phase:5 logging.  Pass continues with normal processing.
>
> -Ryan

-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
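
Added example, not part of the original thread and not ModSecurity's own code: a short Python parser that reads the disposition of each debug-log line from its message text rather than from the log level, as the reply above advises. The line layout, the message prefixes and the sample lines are assumptions constructed for illustration; the Data Formats document is the reference for the real variants.

```python
import re

# Assumed ModSecurity 2.x debug-log layout (not shown in the thread):
#   [time] [host/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<host>[^\]]*)\]\[(?P<rid>[^\]]*)\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)

# Level names as stated in the reply above.
LEVEL_NAMES = {1: "error", 2: "warning", 3: "notice"}

# Message prefixes assumed for this example; the Data Formats document
# shipped with ModSecurity lists the actual variants.
PREFIXES = (("Access denied", "blocked"), ("Access allowed", "allowed"),
            ("Warning.", "not blocked"))

# Constructed sample lines, one per action from the original question.
SAMPLE_LINES = [
    '[04/Dec/2009:09:00:01 +0000] [www.example.com/sid#a1][rid#b1][/login.php][1] '
    'Access denied with code 403 (phase 2). Pattern match "attack" at ARGS:q.',
    '[04/Dec/2009:09:00:02 +0000] [www.example.com/sid#a1][rid#b2][/index.php][2] '
    'Warning. Pattern match "test" at ARGS:q.',
    '[04/Dec/2009:09:00:03 +0000] [www.example.com/sid#a1][rid#b3][/status][1] '
    'Access allowed (phase 1). String match "10.0.0.5" at REMOTE_ADDR.',
]

def classify(line):
    """Return level and disposition for one debug-log line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    level = int(m.group("level"))
    msg = m.group("msg")
    disposition = next((lab for pre, lab in PREFIXES if msg.startswith(pre)), "other")
    return {"uri": m.group("uri"), "level": level,
            "level_name": LEVEL_NAMES.get(level, "other"),
            "disposition": disposition}

def dispositions_by_level(lines):
    """Map each log level to the set of dispositions seen at that level."""
    seen = {}
    for rec in filter(None, map(classify, lines)):
        seen.setdefault(rec["level"], set()).add(rec["disposition"])
    return seen

if __name__ == "__main__":
    for level, found in sorted(dispositions_by_level(SAMPLE_LINES).items()):
        print(level, LEVEL_NAMES.get(level), sorted(found))
```

In the constructed sample, level 1 carries both a blocked and an allowed transaction, so the level alone does not say whether a request was forbidden.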


niko | 4 Dec 17:16

Hello all, new user, problem with rules with Joomla

I installed and configured (I hope correctly) the latest mod security.

I tried rules 2.0.3 and have some trouble with Joomla.

I searched on the internet and found bug reports of a false positive, and it was
fixed in 2.0.0.
I tried 2.0.0 and it works.

But the versions after it, including 2.0.4 (tried this afternoon), don't work...

I need some help.
Am I doing something wrong? Or has the false positive gone back into the
rules by mistake?

Sorry if my English is not the best, I'm a French user.

Thanks for helping !

niko


Nicola Bianchi | 7 Dec 09:47

multipart/related content-type


Hi Guys,
is modsecurity able to handle multipart/related content-type?

We have some web services which use this kind of content-type and we would like to know if modsecurity can do some checks on the content.
At the moment, for the content-type text/xml, we inspect the post with the XML parser engine over an XSD schema; very handy!

Thank you, regards.
Nick
------------------------------------------------------------------------------
Ivan Ristic | 7 Dec 10:30

Re: multipart/related content-type

On Mon, Dec 7, 2009 at 8:47 AM, Nicola Bianchi <bianchi.nicola <at> gmail.com> wrote:
>
> Hi Guys,
> is modsecurity able to handle multipart/related content-type?

No, not in a meaningful way. It's generally not used in web
applications so there's not really a demand to support it.

It would be useful if you could share more information about how
you're using it (if you can't do it here, with me or Brian
personally), so that we could have more information if we need it in
the future.

> We have some web services which use this kind of content-type and we would
> like to know if modsecurity can do some checks on the content.

You might be able to force ModSecurity to buffer an entire request
body and treat it as a stream of bytes, but that's about it.

> At the moment, for the content-type text/xml, we inspect the post with the
> XML parser engine over an XSD schema; very handy!

Great!

> Thank you, regards.
> Nick

-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]


Nicola Bianchi | 7 Dec 10:39

Re: multipart/related content-type

Hi Ivan,
thank you a lot for your answer. 

Kind Regards.
  Nick

On Mon, Dec 7, 2009 at 10:30 AM, Ivan Ristic <ivan.ristic <at> gmail.com> wrote:
On Mon, Dec 7, 2009 at 8:47 AM, Nicola Bianchi <bianchi.nicola <at> gmail.com> wrote:
>
> Hi Guys,
> is modsecurity able to handle multipart/related content-type?

No, not in a meaningful way. It's generally not used in web
applications so there's not really a demand to support it.

It would be useful if you could share more information about how
you're using it (if you can't do it here, with me or Brian
personally), so that we could have more information if we need it in
the future.


> We have some web services which use this kind of content-type and we would
> like to know if modsecurity can do some checks on the content.

You might be able to force ModSecurity to buffer an entire request
body and treat it as a stream of bytes, but that's about it.


> At the moment, for the content-type text/xml, we inspect the post with the
> XML parser engine over an XSD schema; very handy!

Great!


> Thank you, regards.
> Nick



--
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]

------------------------------------------------------------------------------
Michael Warchut | 8 Dec 18:00

Mod_security and Netscaler Appliances

Good Morning

My company uses Citrix Netscalers for load balancing its web farm.
Behind them we have our servers that run the mod_security WAF. We
recently launched it into DetectionOnly mode to see what would
transpire and we get a lot of these alerts.

[Sun Dec 06 04:30:45 2009] [error] [client 172.16.205.68] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "XXXXX.XXXX.XXXXX"] [uri "/index.cfm"] [unique_id "go@Co6wQzV0AAFhichcAAAAB"]

Does anyone know if these are some artifact of the Netscaler? Or
should I be looking elsewhere? So far today I have about 140k of
these in the error log.

Thanks

Michael
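
Added example, not part of the original message: one way to see where such alerts come from is to tally them per client address and URI for a given rule id. The parser below is a Python sketch; the first sample line uses the values from the alert quoted above (without its unique_id), and the other lines, including 192.0.2.10 and /search.cfm, are constructed.

```python
import re
from collections import Counter

# [client ...] and the bracketed key "value" fields of a ModSecurity alert.
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')

def sample_line(time, client, uri):
    """Build an alert shaped like the one quoted in the message above."""
    return (
        f'[Sun Dec 06 {time} 2009] [error] [client {client}] ModSecurity: Warning. '
        'Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. '
        '[file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] '
        '[line "41"] [id "960015"] [msg "Request Missing an Accept Header"] '
        '[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] '
        f'[hostname "XXXXX.XXXX.XXXXX"] [uri "{uri}"]'
    )

SAMPLE_LINES = [
    sample_line("04:30:45", "172.16.205.68", "/index.cfm"),  # values from the message
    sample_line("04:30:50", "172.16.205.68", "/index.cfm"),  # constructed
    sample_line("04:30:55", "172.16.205.68", "/index.cfm"),  # constructed
    sample_line("04:31:02", "192.0.2.10", "/search.cfm"),    # constructed
    # Constructed non-ModSecurity line, to show it is skipped.
    "[Sun Dec 06 04:31:05 2009] [error] [client 192.0.2.10] File does not exist: /x",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-ModSecurity lines."""
    if "ModSecurity:" not in line:
        return None
    fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(line)}
    client = CLIENT_RE.search(line)
    fields["client"] = client.group("client") if client else None
    return fields

def tally(lines, rule_id):
    """Count alerts for rule_id per (client, uri) pair."""
    counts = Counter()
    for alert in filter(None, map(parse_alert, lines)):
        if alert.get("id") == rule_id:
            counts[(alert["client"], alert.get("uri"))] += 1
    return counts

def top_source(lines, rule_id):
    """Return (client, uri, share of rule_id alerts) for the busiest pair."""
    counts = tally(lines, rule_id)
    if not counts:
        return None
    (client, uri), n = counts.most_common(1)[0]
    return client, uri, n / sum(counts.values())
```

If one internal address and one URI account for nearly all of the alerts, the requests from that address are the place to look first.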


