Re: Installing mod_security 2.7.2

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Allow cd/

Hi,

I need a little help here:
we are using core ruleset/2.2.5 and we have to allow cd/ in GET Request and in Cookies. 

--f6931400-A--
[22/Mar/2013:14:10:44 +0100] UUxYVLwoPJYAABUXH9cAAABD x.x.x.x 55107 x.x.x.x 80
--f6931400-B--
GET /produktsuche/cd/ HTTP/1.1
Host: www.xxxxxxxx.de
Origin: http://www.xxxxxxxx.de
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko)
Version/5.1.7 Safari/534.57.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.xxxxxxxx.de/
Dnt: 1
Cookie: session_id=df79fc36af3d36c19c60b5c4cce59302;
__utmz=182827576.1363957841.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmc=182827576; __utmb=182827576.1.10.1363957841; __utma=182827576.907144049.1363957841.1363957841.1363957841.1
Connection: keep-alive

--f6931400-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 186
Keep-Alive: timeout=5, max=73
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--f6931400-E--

--f6931400-H--
Message: Access denied with code 403 (phase 2). Pattern match
"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\
..." at REQUEST_FILENAME. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "197"] [id
"950006"] [rev "2.2.5"] [msg "System Command Injection"] [data "cd/"] [severity "CRITICAL"] [tag
"WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1363957844764331 2715 (- - -)
Stopwatch2: 1363957844764331 2715; combined=1175, p1=201, p2=936, p3=0, p4=0, p5=38, sr=48, sw=0,
l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); core ruleset/2.2.5.
Server: Apache/2.2.22

Greets,
Chris
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Capturing username with the rules

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Installing mod_security 2.7.2

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

SpiderLabs rules slow to load

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

standalone hostname in error logs

Hello,

   I got modsecurity (https://github.com/SpiderLabs/ModSecurity) 
installed and configured behind NGINX with php5-fpm, and it blocks 
malicious requests just fine.  The problem is that in the error logs, it 
outputs [hostname "standalone"] instead of the actual hostname of the 
site being hit.  Is this intentional, or a bug?

Example output:

2013/03/20 15:16:57 [error] 8161#0: [client 189.14.0.122] ModSecurity: 
Access denied with code 403 (phase 2). Pattern match

"(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" 
at REQUEST_COOKIES:slimstat_tracking_code. [file 
"/etc/nginx/conf/modsecurity.conf"] [line "1122"] [id "981231"] [rev 
"2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: 
--rgdwMr7GCwS3RrtaF5P6- found within 
REQUEST_COOKIES:slimstat_tracking_code: 
--rgdwMr7GCwS3RrtaF5P6-FGQUAsUMqX9QsDmlx1nuXBB4RND8oibj2cAnC1yRhqj-k-W8WxGt4BS20WjqJpA.."] 
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy 
"8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] 
[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] 
[hostname "standalone"] [uri "/press-feed/"] [unique_id "12345"]

# /etc/nginx/sbin/nginx -V
nginx version: nginx/1.3.14
built by gcc 4.4.5 (Debian 4.4.5-8)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_realip_module 
--add-module=../ModSecurity/nginx/modsecurity 
--with-http_gzip_static_module --without-http_ssi_module 
--without-http_userid_module --without-http_auth_basic_module 
--without-http_geo_module --without-http_map_module 
--without-http_split_clients_module --without-http_uwsgi_module 
--without-http_scgi_module --without-http_memcached_module 
--without-http_empty_gif_module --without-http_browser_module 
--with-cc-opt='-fstack-protector-all -fomit-frame-pointer -Os -pipe 
-falign-functions=64 -falign-loops=32 -fforce-addr -ffast-math' 
--prefix=/etc/nginx --with-poll_module --with-select_module 
--with-file-aio --without-mail_pop3_module --without-mail_imap_module 
--without-mail_smtp_module --with-pcre

~/ModSecurity$ ./configure --enable-standalone-module

Is there something I am missing, or do I need to pass another option to 
./configure ?

Thanks!
Zach

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

not running rules in phase 1 and phase 2

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Using X-Forwarded-For as the source address?

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: modsecurity causing IIS Applicaiton pool to crash

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

mod_security behind network load-balancer

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

modsecurity causing IIS Applicaiton pool to crash

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)

#On, Off, DetectionOnly
#could only use DetectionOnly for testing use
SecRuleEngine On

# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType "(null) text/html text/plain text/xml"
SecRequestBodyLimit 524288
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Reject requests with status 500
# phase:1 - in request header phase
SecDefaultAction "log,deny,phase:1,status:500"

SecUploadKeepFiles off

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Microsoft-IIS/7.5"

SecDataDir C:\inetpub\logs\modsecurity\run

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog C:\inetpub\logs\modsecurity\audit_log.txt
SecAuditLogParts ABCFHZ
SecAuditLogRelevantStatus "^[45]"
#SecAuditLogRelevantStatus "^5"

# You normally won't need debug logging
SecDebugLogLevel 0
SecDebugLog C:\inetpub\logs\modsecurity\modsec_debug_log.txt

# Now only include sql injection rule
#Include modsecurity_crs_10_setup.conf
#Include activated_rules\*.conf

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/