Tinext Support (Tinext | 1 Jul 2010 17:20

Rules 2.0.5 to 2.0.7 don't block

 

Hello,

We just updated the rules from 2.0.5 to 2.0.7, but now it doesn’t block the attack.

For example

http://xxxxxxx/test.jsp?file=/etc/passwd

Is not blocked.

But with the 2.0.5 it blocks. What is wrong?

 

Thank you,


Regards

 

J

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
JASPREET BINDRA | 5 Jul 2010 14:58

Reverse proxying configuration for using mod-security

Dear ALL 

I am a newbie at Mod-Security and my web servers are Windows-based (IIS in
particular). I will be using mod-security with Apache in reverse-proxy mode.
Now I have a particular requirement with respect to Apache working in
reverse-proxy mode.

Well, I have a very peculiar question about reverse proxying.

In my network there are different internal web servers hosting different web
applications, e.g.

I have three web servers (IIS) and they have different web applications served.

Let's say the websites are: http://internal1.example.com hosted on the internal1
machine,

http://internal2.example.com hosted on the internal2 machine and
http://internal3.example.com hosted on the internal3 machine.

So my query is that my reverse proxy should work in such a way that any
external request from the Internet

a) for internal1.example.com should map to internal1.example.com and

b) for internal2.example.com should map to internal2.example.com and

c) for internal3.example.com should point to internal3.example.com

So in all there are three web servers hosting three websites. My
question is: what will be the reverse proxying configuration and
architecture for this scenario?

thanks

Jaspreet

Mark Watts | 5 Jul 2010 16:08

Re: Reverse proxying configuration for using mod-security

On Mon, 2010-07-05 at 18:28 +0530, JASPREET BINDRA wrote:
> Dear ALL 
> 
>  
> 
> I am a newbie at Mod-Security and my web servers are Windows Based
> (IIS in particular). I will be using mod-security with Apache in
> Reverse-proxy Mode. Now I have a particular requirement with respect
> to apache working in  reverse-proxy mode 
> 
>  
> 
>  Well i have a very peculiar question for reverse proxy 
> 
>  
> 
> In my network there are different internal web servers hosting
> different web applications, e.g.
> 
> I have three web servers (IIS) and they have different web applications
> served
> 
>  
> 
> let say the websites are :http://internal1.example.com hosted on
> internal1 machine 
> 
> http://internal2.example.com hosted on internal2 machine and
> http://internal3.example.com hosted on internal3 machine
> 
>  
> 
> so my query is that my reverse proxy should work in such a way that
> any external  request from Internet World 
> 
> a)for internal1.example.com should map to internal1.example.com and 
> 
> b)internal2.example.com should map to internal2.example.com and 
> 
> c) internal3.example.com should point to internal3.example.com
> 
>  
> 
> so in all there are three web servers hosting 3 web websites. so my
> questions is what will be the reverse proxying configuration and
> architecture for this scenario ?

Reverse proxying has little to do with mod_security - you would be
better asking on the Apache users mailing list.

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
Jamuse | 5 Jul 2010 15:32

Re: Reverse proxying configuration for using mod-security

On Mon, Jul 5, 2010 at 3:58 PM, JASPREET BINDRA <jaspreet.bindra <at> eil.co.in> wrote:

so my query is that my reverse proxy should work in such a way that any external  request from Internet World

a)for internal1.example.com should map to internal1.example.com and

b)internal2.example.com should map to internal2.example.com and

c) internal3.example.com should point to internal3.example.com

 


Hi JASPREET,

You can create three virtual hosts files, which include something like:

<VirtualHost 1.2.3.4:80>
  ServerName internal1.example.com
  ProxyPass / http://internal1.example.com/
  ProxyPassReverse / http://internal1.example.com/
 
  # Other configuration settings here ...
  # ...

</VirtualHost>

Then set the IP address of internal1.example.com in the hosts file, e.g.:
2.3.4.5  internal1.example.com
 
--
 - Josh
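
The virtual-host approach above, extended to all three sites, as an added example that is not part of the original post. It assumes Apache 2.2 with mod_proxy, mod_proxy_http and mod_security2 loaded; 1.2.3.4 is the placeholder proxy address from the post, and the hosts-file addresses for internal2 and internal3 are constructed.

```apache
# Added example (not from the original thread); assumes Apache 2.2 syntax.

# Serve only the ProxyPass mappings below; never act as an open forward proxy.
ProxyRequests Off

# Name-based virtual hosting: the Host header selects the back end.
NameVirtualHost 1.2.3.4:80

# The first vhost is the default for unknown Host headers. Refuse those
# instead of silently proxying them to internal1.
<VirtualHost 1.2.3.4:80>
  ServerName default.invalid
  <Location />
    Order deny,allow
    Deny from all
  </Location>
</VirtualHost>

<VirtualHost 1.2.3.4:80>
  ServerName internal1.example.com
  SecRuleEngine On
  ProxyPass        / http://internal1.example.com/
  ProxyPassReverse / http://internal1.example.com/
</VirtualHost>

<VirtualHost 1.2.3.4:80>
  ServerName internal2.example.com
  SecRuleEngine On
  ProxyPass        / http://internal2.example.com/
  ProxyPassReverse / http://internal2.example.com/
</VirtualHost>

<VirtualHost 1.2.3.4:80>
  ServerName internal3.example.com
  SecRuleEngine On
  ProxyPass        / http://internal3.example.com/
  ProxyPassReverse / http://internal3.example.com/
</VirtualHost>

# Hosts file on the proxy, so each name resolves to its back end
# (addresses other than 2.3.4.5 are constructed for this example):
#   2.3.4.5  internal1.example.com
#   2.3.4.6  internal2.example.com
#   2.3.4.7  internal3.example.com
```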
Robert Stackhouse | 5 Jul 2010 19:52

Installing ModSecurity on Windows

Is there a windows binary for this somewhere?

Thanks,

Robert
Ivan Ristic | 5 Jul 2010 20:09

Re: Installing ModSecurity on Windows

Yes, there is, at:

http://www.apachelounge.com/download/

On Mon, Jul 5, 2010 at 6:52 PM, Robert Stackhouse
<robertstackhouse <at> gmail.com> wrote:
> Is there a windows binary for this somewhere?
>
> Thanks,
> Robert
>
>

--

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]


Robert Stackhouse | 5 Jul 2010 22:14

I would like to log only specific requests and no others

I am trying to only log requests whose REQUEST_URI is of the form "/statusnet/api/statuses/update.xml"


Here is how I tried to do this:


SecRuleEngine On
SecAuditEngine On
SecAuditLogType Concurrent
SecAuditLogStorageDir C:/xampp/audit_log/data/
SecAuditLog C:/xampp/audit_log/index

#Log everything
SecAuditLogParts ABCDEFGHZ

#Don't want to log all requests to the audit log
SecDefaultAction "nolog,noauditlog,pass,phase:2"

#Only want to match /statusnet/api/statuses/update.xml
SecRule REQUEST_URI "^/statusnet/api/statuses/update\.xml$" "auditlog,pass,phase:2"



Obviously, my approach is not working. I have been over the documentation several times, but cannot find what I am looking for. Any help would be greatly appreciated.

Thanks,

Robert
Ryan Barnett | 6 Jul 2010 02:42

Re: I would like to log only specific requests and no others

Try switching the SecAuditEngine to RelevantOnly. When it is set to On, it will log all transactions regardless of whether or not a rule matches.


--
Ryan Barnett
Senior Security Researcher
SpiderLabs Research Team
Trustwave
www.trustwave.com

From: Robert Stackhouse
To: mod-security-users <at> lists.sourceforge.net
Sent: Mon Jul 05 16:14:07 2010
Subject: [mod-security-users] I would like to log only specific requests and no others
I am trying to only log requests whose REQUEST_URI is of the form "/statusnet/api/statuses/update.xml"

Here is how I tried to do this:


SecRuleEngine On
SecAuditEngine On
SecAuditLogType Concurrent
SecAuditLogStorageDir C:/xampp/audit_log/data/
SecAuditLog C:/xampp/audit_log/index

#Log everything
SecAuditLogParts ABCDEFGHZ

#Don't want to log all requests to the audit log
SecDefaultAction "nolog,noauditlog,pass,phase:2"

#Only want to match /statusnet/api/statuses/update.xml
SecRule REQUEST_URI "^/statusnet/api/statuses/update\.xml$" "auditlog,pass,phase:2"



Obviously, my approach is not working. I have been over the documentation several times, but cannot find what I am looking for. Any help would be greatly appreciated.

Thanks,

Robert
Robert Stackhouse | 6 Jul 2010 15:10

Re: I would like to log only specific requests and no others

Ryan,


Thanks, switching SecAuditEngine to RelevantOnly did the trick.

-Robert

On Mon, Jul 5, 2010 at 7:42 PM, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:

Try switching the SecAuditEngine to RelevantOnly. When it is set to On, it will log all transactions regardless of whether or not a rule matches.


--
Ryan Barnett
Senior Security Researcher
SpiderLabs Research Team
Trustwave
www.trustwave.com

From: Robert Stackhouse
To: mod-security-users <at> lists.sourceforge.net
Sent: Mon Jul 05 16:14:07 2010
Subject: [mod-security-users] I would like to log only specific requests and no others

I am trying to only log requests whose REQUEST_URI is of the form "/statusnet/api/statuses/update.xml"

Here is how I tried to do this:


SecRuleEngine On
SecAuditEngine On
SecAuditLogType Concurrent
SecAuditLogStorageDir C:/xampp/audit_log/data/
SecAuditLog C:/xampp/audit_log/index

#Log everything
SecAuditLogParts ABCDEFGHZ

#Don't want to log all requests to the audit log
SecDefaultAction "nolog,noauditlog,pass,phase:2"

#Only want to match /statusnet/api/statuses/update.xml
SecRule REQUEST_URI "^/statusnet/api/statuses/update\.xml$" "auditlog,pass,phase:2"



Obviously, my approach is not working. I have been over the documentation several times, but cannot find what I am looking for. Any help would be greatly appreciated.

Thanks,

Robert



--
Robert Stackhouse

http://robertstackhouse.com/flavorsof
http://agilebcs.org
http://bcsbloggers.org
http://uweb.tamu.edu
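
The configuration from this thread with the fix applied, as an added example that is not part of the original messages. Two things go beyond what was posted and are assumptions of this example: the rule matches REQUEST_FILENAME rather than REQUEST_URI, and the rule id 900001 is an arbitrary value.

```apache
# Added example (not from the original thread): audit-log one URI only.
SecRuleEngine On

# Before: "SecAuditEngine On" writes an audit entry for every transaction,
# whether or not any rule matched.
# After: RelevantOnly writes an entry only when a rule carrying the
# auditlog action matched, or when the response status matches
# SecAuditLogRelevantStatus (left unset here so status alone never logs).
SecAuditEngine RelevantOnly

SecAuditLogType Concurrent
SecAuditLogStorageDir C:/xampp/audit_log/data/
SecAuditLog C:/xampp/audit_log/index

# Record all parts for the transactions that do get logged.
SecAuditLogParts ABCDEFGHZ

# Rules inherit these defaults: no error-log entry, no audit entry.
SecDefaultAction "nolog,noauditlog,pass,phase:2"

# REQUEST_URI includes the query string, so a pattern anchored with "$"
# would miss /statusnet/api/statuses/update.xml?x=1. REQUEST_FILENAME is
# the path without the query string. "nolog,auditlog" keeps the match out
# of the error log while still marking the transaction for the audit log.
SecRule REQUEST_FILENAME "^/statusnet/api/statuses/update\.xml$" \
    "phase:2,pass,nolog,auditlog,id:900001"
```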
