From mike at gotroot.com Sat Aug 4 20:53:37 2007
From: mike at gotroot.com (Michael Shinn)
Date: Sat, 04 Aug 2007 20:53:37 -0400
Subject: [Modsecurity] Sorry for the delays - update still coming
Message-ID: <46B51F91.7020002@gotroot.com>

We are working out some neat new features, due to a whole new attack vector we ran into the other day and want to make sure it's good to go for the rules.

Is anyone using 2.5 yet? We have been working on a massive rewrite built around 2.5, but I'd like to get a sense of what everyone is using so we can allocate resources to each version.

Now that we have a solution to the load issue with 2.5, it won't be a problem to start putting out daily releases again. But it's really important to us to know who is running boxes that can not run 2.5 (apache 1.x) and those that can not update for now. Just need some sense of what everyone's needs are so I can plan my time accordingly.

Also, we will be releasing the rules under the GPL. Not sure yet if it will be v2 or v3. If anyone has thoughts on other licenses, chime in now.

--
Michael Shinn

From cooldude7273 at gmail.com Sun Aug 5 11:13:09 2007
From: cooldude7273 at gmail.com (Daniel McAlonan)
Date: Sun, 5 Aug 2007 11:13:09 -0400
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <46B51F91.7020002@gotroot.com>
References: <46B51F91.7020002@gotroot.com>
Message-ID:

I'm personally stuck on mod_security 1.9.1 with apache 1.3.37...

On 8/4/07, Michael Shinn wrote:
>
> We are working out some neat new features, due to a whole new attack
> vector we ran into the other day and want to make sure it's good to go
> for the rules.
>
> Is anyone using 2.5 yet? We have been working on a massive rewrite
> built around 2.5, but I'd like to get a sense of what everyone is using
> so we can allocate resources to each version.
>
> Now that we have a solution to the load issue with 2.5, it won't be a
> problem to start putting out daily releases again.
> But it's really
> important to us to know who is running boxes that can not run 2.5
> (apache 1.x) and those that can not update for now. Just need some
> sense of what everyone's needs are so I can plan my time accordingly.
>
> Also, we will be releasing the rules under the GPL. Not sure yet if it
> will be v2 or v3. If anyone has thoughts on other licenses, chime in now.
>
> --
> Michael Shinn
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>

--
Daniel McAlonan
Proud Webmaster of MsBetas.org and ProxySauce.com

From davea at ingraftedsoftware.com Sun Aug 5 11:56:57 2007
From: davea at ingraftedsoftware.com (Dave Augustus)
Date: Sun, 05 Aug 2007 10:56:57 -0500
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <46B51F91.7020002@gotroot.com>
References: <46B51F91.7020002@gotroot.com>
Message-ID: <1186329417.6355.0.camel@springer>

Running apache 2 on all my clients as well as my own- about 25 servers total.

Dave

On Sat, 2007-08-04 at 20:53 -0400, Michael Shinn wrote:
> We are working out some neat new features, due to a whole new attack
> vector we ran into the other day and want to make sure it's good to go
> for the rules.
>
> Is anyone using 2.5 yet? We have been working on a massive rewrite
> built around 2.5, but I'd like to get a sense of what everyone is using
> so we can allocate resources to each version.
>
> Now that we have a solution to the load issue with 2.5, it won't be a
> problem to start putting out daily releases again. But it's really
> important to us to know who is running boxes that can not run 2.5
> (apache 1.x) and those that can not update for now. Just need some
> sense of what everyone's needs are so I can plan my time accordingly.
>
> Also, we will be releasing the rules under the GPL. Not sure yet if it
> will be v2 or v3. If anyone has thoughts on other licenses, chime in now.
>
> --
> Michael Shinn

From ronald at mp2.nl Sun Aug 5 12:01:18 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 5 Aug 2007 18:01:18 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 1
Message-ID: <20070805160118.18550.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From modsecurity at lists.grepular.com Sun Aug 5 15:50:23 2007
From: modsecurity at lists.grepular.com (Mike Cardwell)
Date: Sun, 05 Aug 2007 20:50:23 +0100
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <46B51F91.7020002@gotroot.com>
References: <46B51F91.7020002@gotroot.com>
Message-ID: <46B629FF.5040005@lists.grepular.com>

Michael Shinn wrote:
> We are working out some neat new features, due to a whole new attack
> vector we ran into the other day and want to make sure it's good to go
> for the rules.
>
> Is anyone using 2.5 yet? We have been working on a massive rewrite
> built around 2.5, but I'd like to get a sense of what everyone is using
> so we can allocate resources to each version.

At a guess, most people are like me and use the latest version that they can find a package for their OS for, rather than compiling from scratch.
I'm running Apache2 on Debian Etch, and stuck this in my apt/sources.list:

deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./

This presently gives me version 2.1.1. I'll be willing to upgrade to 2.5 manually if/when a compelling reason rears its head.

Just took a look at: http://www.modsecurity.org/download/index.html and found that it lists a debian package repository of http://ftp.debian-unofficial.org/debian/pool/main/liba/libapache-mod-security/ which only contains mod_security v1 packages...

> Now that we have a solution to the load issue with 2.5, it won't be a
> problem to start putting out daily releases again. But it's really
> important to us to know who is running boxes that can not run 2.5
> (apache 1.x) and those that can not update for now. Just need some
> sense of what everyone's needs are so I can plan my time accordingly.

Apache 2 was released over 5 years ago now. I don't see how anyone could expect you to continue further development for the 1.3 branch if they themselves won't take the time to upgrade. There will come a point when support for 1.3 needs to stop. If this were my project, that point would have been reached by now ;)

Mike

From cooldude7273 at gmail.com Sun Aug 5 16:14:20 2007
From: cooldude7273 at gmail.com (Daniel McAlonan)
Date: Sun, 5 Aug 2007 16:14:20 -0400
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <46B629FF.5040005@lists.grepular.com>
References: <46B51F91.7020002@gotroot.com> <46B629FF.5040005@lists.grepular.com>
Message-ID:

Thing is, a ton of people are indeed still using 1.3. cPanel, a major and widely used web host control panel only supports apache 1.3 at the moment, and as a result, mod_security 1.9. This is the only reason I'm still stuck in 1.3 land - it's because it's the only land there is in cPanel at the moment.
(Note: Apache 2 support is slated for release this month in cPanel)

On 8/5/07, Mike Cardwell wrote:
>
> Michael Shinn wrote:
> > We are working out some neat new features, due to a whole new attack
> > vector we ran into the other day and want to make sure it's good to go
> > for the rules.
> >
> > Is anyone using 2.5 yet? We have been working on a massive rewrite
> > built around 2.5, but I'd like to get a sense of what everyone is using
> > so we can allocate resources to each version.
>
> At a guess, most people are like me and use the latest version that they
> can find a package for their OS for, rather than compiling from scratch.
> I'm running Apache2 on Debian Etch, and stuck this in my apt/sources.list:
>
> deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./
>
> This presently gives me version 2.1.1. I'll be willing to upgrade to 2.5
> manually if/when a compelling reason rears its head.
>
> Just took a look at: http://www.modsecurity.org/download/index.html and
> found that it lists a debian package repository of
>
> http://ftp.debian-unofficial.org/debian/pool/main/liba/libapache-mod-security/
> which only contains mod_security v1 packages...
>
> > Now that we have a solution to the load issue with 2.5, it won't be a
> > problem to start putting out daily releases again. But it's really
> > important to us to know who is running boxes that can not run 2.5
> > (apache 1.x) and those that can not update for now. Just need some
> > sense of what everyone's needs are so I can plan my time accordingly.
>
> Apache 2 was released over 5 years ago now. I don't see how anyone could
> expect you to continue further development for the 1.3 branch if they
> themselves won't take the time to upgrade. There will come a point when
> support for 1.3 needs to stop.
> If this were my project, that point would
> have been reached by now ;)
>
> Mike

--
Daniel McAlonan
Proud Webmaster of MsBetas.org and ProxySauce.com

From ronald at mp2.nl Mon Aug 6 12:01:29 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 6 Aug 2007 18:01:29 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 2
Message-ID: <20070806160129.5247.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From faris at cymru1.net Mon Aug 6 15:03:25 2007
From: faris at cymru1.net (Faris Raouf)
Date: Mon, 6 Aug 2007 20:03:25 +0100
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <46B51F91.7020002@gotroot.com>
References: <46B51F91.7020002@gotroot.com>
Message-ID: <000601c7d85c$7777cfc0$66676f40$@net>

I'm on 2.1.0 on Apache 2/Centos 4R5 at the moment but the moment a 2.5 release of the rules comes out I'll upgrade to 2.5. I really can't wait.

The politics/differences between GPL3 and 2 really don't bother me.

Faris.

From thomas.ammermann at digicol.de Tue Aug 7 03:42:05 2007
From: thomas.ammermann at digicol.de (Thomas Ammermann)
Date: Tue, 7 Aug 2007 09:42:05 +0200
Subject: AW: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <46B51F91.7020002@gotroot.com>
References: <46B51F91.7020002@gotroot.com>
Message-ID: <001201c7d8c6$73316650$599432f0$@ammermann@digicol.de>

Hi,

I'm working with mod_security 2.0.4 and Apache 2.2.4.
Thomas

-----Original Message-----
From: modsecurity-bounces at gotroot.com [mailto:modsecurity-bounces at gotroot.com] On Behalf Of Michael Shinn
Sent: Sunday, 5 August 2007 02:54
To: modsecurity at gotroot.com
Subject: [Modsecurity] Sorry for the delays - update still coming

We are working out some neat new features, due to a whole new attack vector we ran into the other day and want to make sure it's good to go for the rules.

Is anyone using 2.5 yet? We have been working on a massive rewrite built around 2.5, but I'd like to get a sense of what everyone is using so we can allocate resources to each version.

Now that we have a solution to the load issue with 2.5, it won't be a problem to start putting out daily releases again. But it's really important to us to know who is running boxes that can not run 2.5 (apache 1.x) and those that can not update for now. Just need some sense of what everyone's needs are so I can plan my time accordingly.

Also, we will be releasing the rules under the GPL. Not sure yet if it will be v2 or v3. If anyone has thoughts on other licenses, chime in now.

--
Michael Shinn

From admin at efastservers.com Tue Aug 7 04:11:13 2007
From: admin at efastservers.com (admin at efastservers.com)
Date: Tue, 7 Aug 2007 04:11:13 -0400
Subject: [Modsecurity] Us
Message-ID:

We are running Apache 1.3.x + Mod Sec 1.9.x

From ronald at mp2.nl Tue Aug 7 12:01:38 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 7 Aug 2007 18:01:38 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 3
Message-ID: <20070807160138.26003.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From mtholforty at surfalot.com Tue Aug 7 20:23:28 2007
From: mtholforty at surfalot.com (Todd Holforty)
Date: Tue, 7 Aug 2007 19:23:28 -0500
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To:
Message-ID: <000501c7d952$57a5ae50$7400a8c0@bitmuncher>

ditto. standard cPanel stuff. Looking forward to the apache 2 support from them, but doesn't sound like that will be enough.

-----Original Message-----
From: modsecurity-bounces at gotroot.com [mailto:modsecurity-bounces at gotroot.com] On Behalf Of Daniel McAlonan
Sent: Sunday, August 05, 2007 10:13 AM
To: modsecurity at gotroot.com
Subject: Re: [Modsecurity] Sorry for the delays - update still coming

I'm personally stuck on mod_security 1.9.1 with apache 1.3.37...

On 8/4/07, Michael Shinn wrote:

We are working out some neat new features, due to a whole new attack vector we ran into the other day and want to make sure it's good to go for the rules.

Is anyone using 2.5 yet? We have been working on a massive rewrite built around 2.5, but I'd like to get a sense of what everyone is using so we can allocate resources to each version.

Now that we have a solution to the load issue with 2.5, it won't be a problem to start putting out daily releases again. But it's really important to us to know who is running boxes that can not run 2.5 (apache 1.x) and those that can not update for now. Just need some sense of what everyone's needs are so I can plan my time accordingly.

Also, we will be releasing the rules under the GPL. Not sure yet if it will be v2 or v3. If anyone has thoughts on other licenses, chime in now.
--
Michael Shinn

--
Daniel McAlonan
Proud Webmaster of MsBetas.org and ProxySauce.com

From modsecurity at lists.grepular.com Wed Aug 8 05:07:53 2007
From: modsecurity at lists.grepular.com (Mike Cardwell)
Date: Wed, 8 Aug 2007 10:07:53 +0100
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 3
In-Reply-To: <20070807160138.26003.qmail@atlas.mp2.nl>
References: <20070807160138.26003.qmail@atlas.mp2.nl>
Message-ID: <20070808090752.GA954@127.0.0.1>

* on the Tue, Aug 07, 2007 at 06:01:38PM +0200, ronald at mp2.nl wrote:
> Dear sender,
>
> I am currently unavailable.
> In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.
>
>
> Kind regards,
>
> --
> Ronald Dolfsma
> MP2 Automatisering

Any chance this guy could be unsubscribed, or at least prevented from posting? He's clearly having difficulty in setting up a polite autoresponder.

Mike

From ronald at mp2.nl Wed Aug 8 12:01:57 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 8 Aug 2007 18:01:57 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 4
Message-ID: <20070808160157.13673.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.
Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From admin at efastservers.com Thu Aug 9 02:13:49 2007
From: admin at efastservers.com (admin at efastservers.com)
Date: Thu, 9 Aug 2007 02:13:49 -0400
Subject: [Modsecurity] Getthing hit be sql injection attacks
Message-ID:

One of my sites is getting hit hard by thousands of attempted sql injection attacks.

72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] "GET
/images/Web-Directory_12.gif HTTP/1.1" 200 562
"http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/S
ELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,0x223E3C212
D2D,12,13/**/from/**/links/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

Although they only succeeded once, I'm desperate for a rule to kick a 403 back.

Anyone know what they are trying to do?

From zeki at zeki.ch Thu Aug 9 08:13:25 2007
From: zeki at zeki.ch (Zekeria Oezdemir)
Date: Thu, 9 Aug 2007 14:13:25 +0200
Subject: AW: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <000601c7d85c$7777cfc0$66676f40$@net>
References: <46B51F91.7020002@gotroot.com> <000601c7d85c$7777cfc0$66676f40$@net>
Message-ID: <002901c7da7e$b19ed760$14dc8620$@ch>

hello

I'm on centos 4.5 with apache 2.0.52 modsec 2.5

greets
zek

--
Zekeria Oezdemir

> -----Original Message-----
> From: modsecurity-bounces at gotroot.com [mailto:modsecurity-
> bounces at gotroot.com] On Behalf Of Faris Raouf
> Sent: Monday, 6 August 2007 21:03
> To: 'Michael Shinn'; modsecurity at gotroot.com
> Subject: RE: [Modsecurity] Sorry for the delays - update still coming
>
> I'm on 2.1.0 on Apache 2/Centos 4R5 at the moment but the moment a 2.5
> release of the rules comes out I'll upgrade to 2.5. I really can't
> wait.
>
> The politics/differences between GPL3 and 2 really don't bother me.
>
> Faris.

From modsecurity at lists.grepular.com Thu Aug 9 09:10:24 2007
From: modsecurity at lists.grepular.com (Mike Cardwell)
Date: Thu, 9 Aug 2007 14:10:24 +0100
Subject: [Modsecurity] Getthing hit be sql injection attacks
Message-ID: <20070809131024.GA9750@127.0.0.1>

* on the Thu, Aug 09, 2007 at 02:13:49AM -0400, admin at efastservers.com wrote:
> One of my sites is getting hit hard by thousands of attempted sql injection
> attacks.
>
> 72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] "GET
> /images/Web-Directory_12.gif HTTP/1.1" 200 562
> "http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/S
> ELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,0x223E3C212
> D2D,12,13/**/from/**/links/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
> en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
>
> Although they only succeeded once, I'm desperate for a rule to kick a 403
> back.
>
> Anyone know what they are trying to do?

From a look at the SQL, it appears they're trying to read a list of email:password entries from table "links" in a database.

Is directory.php home grown, or part of some other package you've installed? If you go to the url you quoted above but with your real domain name, does it show the list of login details?
Mike

From modsecurity at lists.grepular.com Thu Aug 9 09:59:17 2007
From: modsecurity at lists.grepular.com (Mike Cardwell)
Date: Thu, 9 Aug 2007 14:59:17 +0100
Subject: [Modsecurity] Getthing hit be sql injection attacks
In-Reply-To: <46BB1341.2000203@rogers.com>
References: <20070809131024.GA9750@127.0.0.1> <46BB1341.2000203@rogers.com>
Message-ID: <20070809135916.GA11527@127.0.0.1>

* on the Thu, Aug 09, 2007 at 10:14:41AM -0300, Crazy Canucks wrote:
>>> One of my sites is getting hit hard by thousands of attempted sql injection
>>> attacks.
>>>
>>> 72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] "GET
>>> /images/Web-Directory_12.gif HTTP/1.1" 200 562
>>> "http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/S
>>> ELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,0x223E3C212
>>> D2D,12,13/**/from/**/links/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
>>> en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
>>>
>>> Although they only succeeded once, I'm desperate for a rule to kick a 403
>>> back.
>>>
>>> Anyone know what they are trying to do?
>> From a look at the SQL, it appears they're trying to read a list of
>> email:password entries from table "links" in a database.
>>
>> Is directory.php home grown, or part of some other package you've
>> installed? If you go to the url you quoted above but with your real
>> domain name, does it show the list of login details?
> There is a new PNphpBB2 (and I'm guessing phpBB2 as well)
> vulnerability on viewforum.php. It allows passwords to be stolen.
> Not sure if it is related to this or not.

Hi. You accidentally replied to me directly rather than to the list. I don't think that vulnerability is related.
The log entry you show is attempting to exploit "directory.php" not "viewforum.php"

Mike

From ronald at mp2.nl Thu Aug 9 12:01:59 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 9 Aug 2007 18:01:59 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 5
Message-ID: <20070809160159.1758.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From ronald at mp2.nl Fri Aug 10 12:01:58 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 10 Aug 2007 18:01:58 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 6
Message-ID: <20070810160158.26694.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From ronald at mp2.nl Sat Aug 11 12:01:57 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 11 Aug 2007 18:01:57 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 7
Message-ID: <20070811160157.18943.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From etharp at earthlink.net Sat Aug 11 15:31:04 2007
From: etharp at earthlink.net (ed)
Date: Sat, 11 Aug 2007 15:31:04 -0400
Subject: [Modsecurity] newbie ?where is?
Message-ID: <46BE0E78.205@earthlink.net>

I am sure there is someplace for me to learn this, and I hope you all are the folks that know where.
I would like to be able to bypass (write an exception?, turn off mod_sec for 5 or 10 minutes?) mod_security 1.9 on apache 2.2
just a link would be a huge help..
thanks in advance

From ronald at mp2.nl Sun Aug 12 12:02:04 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 12 Aug 2007 18:02:04 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 8
Message-ID: <20070812160204.7252.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From lerra82 at gmail.com Sun Aug 12 14:38:37 2007
From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Sun, 12 Aug 2007 20:38:37 +0200
Subject: [Modsecurity] newbie ?where is?
In-Reply-To: <46BE0E78.205@earthlink.net>
References: <46BE0E78.205@earthlink.net>
Message-ID: <46BF53AD.90502@gmail.com>

Why not just turn off the module for mod security? Check your apache configuration for a "LoadModule mod_security.so" (or something like that) line and comment it out and restart apache.

Kind regards
Lezgin Bakircioglu

ed wrote:
> I am sure there is someplace for me to learn this, and I hope you all
> are the folks that know where.
> I would like to be able to bypass (write an exception?, turn off
> mod_sec for 5 or 10 minutes?) mod_security 1.9 on apache 2.2
> just a link would be a huge help..
> thanks in advance

From lerra82 at gmail.com Sun Aug 12 14:43:07 2007
From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Sun, 12 Aug 2007 20:43:07 +0200
Subject: [Modsecurity] Sorry for the delays - update still coming
In-Reply-To: <000601c7d85c$7777cfc0$66676f40$@net>
References: <46B51F91.7020002@gotroot.com> <000601c7d85c$7777cfc0$66676f40$@net>
Message-ID: <46BF54BB.3090600@gmail.com>

I am using both 2.1.1 and 1.9.5 on two different Apache 2.2.3 machines.
2.1.1 is recently installed and will go in to production in a week or so, 1.9.5 has been in production for 2 years and the plan is to move to 2.1.1 if it works smoothly.

Kind regards
Lezgin Bakircioglu

From ronald at mp2.nl Mon Aug 13 12:02:23 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 13 Aug 2007 18:02:23 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 9
Message-ID: <20070813160223.32033.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From lerra82 at gmail.com Tue Aug 14 10:01:12 2007
From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Tue, 14 Aug 2007 16:01:12 +0200
Subject: [Modsecurity] SecRequestBodyInMemoryLimit does not respond on changes and diff to find a rule based on regexp
Message-ID: <46C1B5A8.5070503@gmail.com>

I have difficulties to locate the rule that generates this false-positive (no "id" and did not get any hits by searching rule file for the pattern match) for my php application:
[13/Aug/2007:20:45:58 +0200] [www.xxx.xxx/sid#691d20][rid#8f25f8][/xxxxxx.php][2] Warning. Pattern match "\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:xxxx.

Another weird problem I have is this false-positive that I get when I upload one specific file.
[Fri Aug 10 21:56:32 2007] [error] [client 127.0.0.1] ModSecurity: Request body is larger than the configured limit (134217728). [hostname "www.xxxx.xxx"] [uri "/xxxxxx.php"] [unique_id "xY87X1hQBsUAACf7hcwAAAAA"]

I have located the problem to the variable "SecRequestBodyInMemoryLimit" that was set to 131072 (134217728/1024) but when I raise the value nothing happens (restarted apache2), even the same error with the same number within (). Anybody that has had the same problem?

I am using Mod security 2.1.1, apache 2 on Debian etch and core rules from mod security. Any help to get?
I tried to solve this for 2 days now and I can't do anything more than ask for help because I'm out of ideas (or I may be blind)..

--
Kind regards
Lezgin Bakircioglu

From mike at gotroot.com Tue Aug 14 11:53:18 2007
From: mike at gotroot.com (Michael Shinn)
Date: Tue, 14 Aug 2007 11:53:18 -0400
Subject: [Modsecurity] SecRequestBodyInMemoryLimit does not respond on changes and diff to find a rule based on regexp
In-Reply-To: <46C1B5A8.5070503@gmail.com>
References: <46C1B5A8.5070503@gmail.com>
Message-ID: <1187106798.22782.58.camel@shrike.gotroot.com>

Are you using the gotroot rules, or the breach core rules?

On Tue, 2007-08-14 at 16:01 +0200, Lezgin Bakircioglu wrote:
> I have difficulties to locate the rule that generates this
> false-positive (no "id" and did not get any hits by searching rule file
> for the pattern match) for my php application:
> [13/Aug/2007:20:45:58 +0200]
> [www.xxx.xxx/sid#691d20][rid#8f25f8][/xxxxxx.php][2] Warning. Pattern
> match "\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:xxxx.
>
>
> Another weird problem I have is this false-positive that I get when I
> upload one specific file.
> [Fri Aug 10 21:56:32 2007] [error] [client 127.0.0.1] ModSecurity:
> Request body is larger than the configured limit (134217728). [hostname
> "www.xxxx.xxx"] [uri "/xxxxxx.php"] [unique_id "xY87X1hQBsUAACf7hcwAAAAA"]
>
> I have located the problem to the variable "SecRequestBodyInMemoryLimit"
> that was set to 131072 (134217728/1024) but when I raise the value
> nothing happens (restarted apache2), even the same error with the same
> number within (). Anybody that has had the same problem?
>
> I am using Mod security 2.1.1, apache 2 on Debian etch and core rules
> from mod security. Any help to get? I tried to solve this for 2 days now
> and I can't do anything more than ask for help because I'm out of ideas
> (or I may be blind)..
>

--
Michael T.
Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From ronald at mp2.nl Tue Aug 14 12:03:17 2007
From: ronald at mp2.nl (ronald at mp2.nl)
Date: 14 Aug 2007 18:03:17 +0200
Subject: [Modsecurity] Re: Modsecurity Digest, Vol 28, Issue 10
Message-ID: <20070814160317.24038.qmail@atlas.mp2.nl>

Dear sender,

I am currently unavailable.
In urgent cases, please contact info at mp2.nl; your mail will then be answered as soon as possible by one of my colleagues.

Kind regards,

--
Ronald Dolfsma
MP2 Automatisering

From Segun at Combotek.com Tue Aug 14 12:46:58 2007
From: Segun at Combotek.com (segun)
Date: Tue, 14 Aug 2007 09:46:58 -0700
Subject: [Modsecurity] Breach core rules blocks plesk API and others
In-Reply-To: <20070814160227.46BAE755EF@mail2.combotek.com>
References: <20070814160227.46BAE755EF@mail2.combotek.com>
Message-ID: <8AD21D7129621E4CA1177978145B475162BDAF962E@mainserver.Combotek.local>

I just set up modsecurity 2.1.2 on a FC6 running plesk 8.2 replacing my 1.9 version. I am currently getting 2 false positives when I use the blocking rules. The core rule mod-security_cvs_21_protocol_anomalies blocks Plesk API from communicating with other applications i.e. SiteBuilder module. Another rule mod-security_cvs_30_http_policy prevents our clients from using a web gallery admin tool, a flash application used to upload pictures to a dynamic flash gallery.

I don't know how to go about defining the exclusions for the Breach rule, can I use my old 1.9 exclusion rule? And is it better to use the Breach core rules or gotroot rules?
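The access-log entry from the SQL injection thread of 9 Aug 2007 earlier in this archive, run through a small triage script; this is an added example and not part of any list message. The posted entry is reproduced with the mail client's line wraps removed, and the two other log lines, the addresses in them and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format:
# host ident user [time] "request line" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
UNION_SELECT = re.compile(r'\bunion\b(?:\s+all)?\s+select\b')
HEX_LITERAL = re.compile(r'\b0x((?:[0-9a-f]{2})+)\b')

# The entry from the post, with the e-mail line wraps removed.
POSTED_LINE = (
    '72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] '
    '"GET /images/Web-Directory_12.gif HTTP/1.1" 200 562 '
    '"http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/'
    'SELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,'
    '0x223E3C212D2D,12,13/**/from/**/links/*" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) '
    'Gecko/20070725 Firefox/2.0.0.6"'
)
# Constructed: same pattern, URL-encoded, in the request URI itself.
ENCODED_LINE = (
    '203.0.113.9 - - [09/Aug/2007:02:00:00 -0400] '
    '"GET /directory.php?ax=list&cat_id=-1%20UNION%20ALL%20SELECT%201,2 HTTP/1.1" '
    '200 1024 "-" "ExampleAgent/1.0"'
)
# Constructed: an ordinary request to the same script.
BENIGN_LINE = (
    '198.51.100.7 - - [09/Aug/2007:02:01:00 -0400] '
    '"GET /directory.php?ax=list&sub=1&cat_id=12 HTTP/1.1" '
    '200 2048 "http://www.mydomain.com/" "ExampleAgent/1.0"'
)


def normalize(value):
    """Undo URL encoding and SQL-comment padding before pattern matching."""
    text = unquote_plus(value)                          # %xx and '+' encoding
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)  # /**/ used in place of spaces
    text = re.sub(r'/\*.*$', ' ', text, flags=re.S)     # unterminated trailing /*
    return re.sub(r'\s+', ' ', text).strip().lower()


def decode_hex_literals(normalized):
    """Return the text behind each 0x... literal, in order of appearance."""
    return [bytes.fromhex(h).decode('latin-1')
            for h in HEX_LITERAL.findall(normalized)]


def triage(line):
    """Parse one combined-format line; report UNION SELECT in URI or Referer.

    Returns None for lines that do not parse. The status and byte count
    describe the logged request only, not the URL named in the Referer.
    """
    m = COMBINED.match(line)
    if m is None:
        return None
    findings = []
    for field in ('uri', 'referer'):
        norm = normalize(m.group(field))
        if UNION_SELECT.search(norm):
            findings.append({
                'field': field,
                'normalized': norm,
                'literals': decode_hex_literals(norm),
            })
    return {
        'host': m.group('host'),
        'time': m.group('time'),
        'uri': m.group('uri'),
        'status': int(m.group('status')),
        'findings': findings,
    }


if __name__ == '__main__':
    for sample in (POSTED_LINE, ENCODED_LINE, BENIGN_LINE):
        result = triage(sample)
        print(result['host'], result['uri'], result['status'])
        for f in result['findings']:
            print('  match in', f['field'], '| literals:', f['literals'])
```

In the posted entry the match is in the Referer of an image request, so the 200 is the status of the image fetch; the request that carried the query to directory.php is a separate log entry and is the one whose status and response size need checking.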
From lerra82 at gmail.com Tue Aug 14 14:51:21 2007
From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Tue, 14 Aug 2007 20:51:21 +0200
Subject: [Modsecurity] SecRequestBodyInMemoryLimit does not respond on changes and diff to find a rule based on regexp
In-Reply-To: <1187106798.22782.58.camel@shrike.gotroot.com>
References: <46C1B5A8.5070503@gmail.com> <1187106798.22782.58.camel@shrike.gotroot.com>
Message-ID: <46C1F9A9.60400@gmail.com>

Sorry, the breach core rules. I got a private mail in which I was told that gotroot and breach are not the same mailing list. I did not know that they were separated and thought that the gotroot mailing list was the only way to communicate with modsecurity developer.

Kind regards
Lezgin Bakircioglu

Michael Shinn wrote:
> Are you using the gotroot rules, or the breach core rules?
>
> On Tue, 2007-08-14 at 16:01 +0200, Lezgin Bakircioglu wrote:
>> I have difficulties to locate the rule that generates this
>> false-positive (no "id" and did not get any hits by searching rule file
>> for the pattern match) for my php application:
>> [13/Aug/2007:20:45:58 +0200]
>> [www.xxx.xxx/sid#691d20][rid#8f25f8][/xxxxxx.php][2] Warning. Pattern
>> match "\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:xxxx.
>>
>>
>> Another weird problem I have is this false-positive that I get when I
>> upload one specific file.
>> [Fri Aug 10 21:56:32 2007] [error] [client 127.0.0.1] ModSecurity:
>> Request body is larger than the configured limit (134217728). [hostname
>> "www.xxxx.xxx"] [uri "/xxxxxx.php"] [unique_id "xY87X1hQBsUAACf7hcwAAAAA"]
>>
>> I have located the problem to the variable "SecRequestBodyInMemoryLimit"
>> that was set to 131072 (134217728/1024) but when I raise the value
>> nothing happens (restarted apache2), even the same error with the same
>> number within (). Anybody that has had the same problem?
>>
>> I am using Mod security 2.1.1, apache 2 on Debian etch and core rules
>> from mod security. Any help to get?
>> I tried to solve this for 2 days now
>> and I can't do anything more than ask for help because I'm out of ideas
>> (or I may be blind)..
>>

From daniel.vega at yucatan.gob.mx Thu Aug 23 18:08:18 2007
From: daniel.vega at yucatan.gob.mx (Daniel Vega Villa)
Date: Thu, 23 Aug 2007 17:08:18 -0500
Subject: [Modsecurity] issue with modsecurity and tomcat
Message-ID: <74CA11B999068445BB4C145813AAAD9302E1C88F@srvmail02.gobierno1.yucatan.gob.mx>

The users need to upload files with a web app to maintain their own sites, but now I'm getting this on the logs, and so they can't upload files any more...

POST /adm/somefile.jsp HTTP/1.1
Host: www.hostxyz.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.8,es;q=0.5,es-mx;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www. hostxyz /adm/Lsomefile.jsp?id_fieldA=282
Cookie: JSESSIONID=94243EC01FD3D44C68136982361644ED
Content-Type: multipart/form-data; boundary=---------------------------21695713117057
Content-Length: 16091

--7b250000-F--
HTTP/1.1 500 Internal Server Error <-- That is what the users get.
Content-Length: 543
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7b250000-H--
Message: Error reading request body: Connection reset by peer <<<<<<<<<<<< here is it !!!!
Message: Error reading request body: Connection reset by peer
Apache-Handler: jakarta-servlet
Stopwatch: 1187904329788134 30139 (- - -)
Producer: ModSecurity v2.1.2 (Apache 2.x)
Server: Apache

Any idea? Thanks in advance.

Daniel.

From johan at sege.nu Mon Aug 27 09:08:57 2007
From: johan at sege.nu (Johan Segernäs)
Date: Mon, 27 Aug 2007 15:08:57 +0200
Subject: [Modsecurity] Updated rules? Spamming at the moment?
Message-ID: <1188220137.22911.1.camel@roadrunner.serienet.levonline.com>

Hello,

We are experiencing some spamming activity on our servers since 2-3 weeks or something. It is probably a new hole on applications our customers have.

Do we know about anything new? Anyone have any good new rule for some bug in phpbb/joomla or whatever?

Regards,
Johan

From rcbarnett at gmail.com Mon Aug 27 09:13:04 2007
From: rcbarnett at gmail.com (Ryan Barnett)
Date: Mon, 27 Aug 2007 09:13:04 -0400
Subject: [Modsecurity] Updated rules? Spamming at the moment?
In-Reply-To: <1188220137.22911.1.camel@roadrunner.serienet.levonline.com>
References: <1188220137.22911.1.camel@roadrunner.serienet.levonline.com>
Message-ID:

What rules are you currently using? GotRoot, Core Rules, both, neither?

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 8/27/07, Johan Segernäs wrote:
>
> Hello,
>
> We are experiencing some spamming activity on our servers since 2-3
> weeks or something. It is probably a new hole on applications our
> customers have.
>
> Do we know about anything new? Anyone have any good new rule for some bug
> in phpbb/joomla or whatever?
>
> Regards,
> Johan
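
Added example (not part of any list message, and not code from ModSecurity or from either rule set): the pattern quoted in Lezgin Bakircioglu's warning of 14 Aug, run against constructed argument values to show which inputs it flags, together with a fixed-string search of a constructed rules file for a rule that carries no id. It assumes the log writer doubles each backslash, as the doubled `\\W` in that warning suggests; the function names and all sample data are made up for the illustration.

```python
import re

# Pattern copied from the quoted warning, in its log form (backslashes doubled).
LOGGED = r'\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})'

def unescape_logged(pattern):
    """Assumption: the log writer doubled every backslash; undo that."""
    return pattern.replace('\\\\', '\\')

def find_rule_lines(rules_text, logged_pattern=LOGGED):
    """1-based numbers of the lines that contain the pattern as a fixed string."""
    needle = unescape_logged(logged_pattern)
    return [n for n, line in enumerate(rules_text.splitlines(), 1)
            if needle in line]

def flagged(value, logged_pattern=LOGGED):
    """True if the rule's regex matches somewhere in this argument value."""
    return re.search(unescape_logged(logged_pattern), value) is not None

# Constructed stand-in for a rules file; not the text of any real rule set.
SAMPLE_RULES = r'''# constructed sample
SecRule ARGS "\.\./" "deny,msg:'constructed traversal rule'"
SecRule ARGS "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
    "log,pass,msg:'constructed URL-encoding rule'"
'''

# Constructed argument values a form field might plausibly carry.
SAMPLE_VALUES = ["100%25", "50% off", "discount=50%", "%u0041",
                 "100%sure", "%2", "%zz"]

if __name__ == "__main__":
    # Searching for the log form verbatim finds nothing; the unescaped form does.
    print("log form present verbatim:", LOGGED in SAMPLE_RULES)
    print("rule found on line(s):", find_rule_lines(SAMPLE_RULES))
    for v in SAMPLE_VALUES:
        print(f"{v!r:16} {'MATCH' if flagged(v) else 'ok'}")
```

A percent sign is accepted when it ends the value, precedes a non-word character, or starts a %XX or %uXXXX sequence; free text such as "100%sure" is what trips the rule.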