From ak-palme at ak-palme.de  Mon Nov  5 12:02:37 2007
From: ak-palme at ak-palme.de (AK-Palme)
Date: Mon, 05 Nov 2007 18:02:37 +0100
Subject: [Modsecurity] Some initial Problems
Message-ID: <472F4CAD.1010101@ak-palme.de>

Hi,
I am new to mod-security. I am using apache2 with mod-security2 on
Debian. I downloaded the rulesets from
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf...
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf...

and first all websites stopped working until I disabled

SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"

To use the MediaWiki I had to disable several rules, too.

I wonder if I am the only one with these errors or if the project is not
maintained anymore, because the rules files on the server are almost 1
year old, too.

Greetings,
AK-Palme

From rcbarnett at gmail.com  Mon Nov  5 12:11:14 2007
From: rcbarnett at gmail.com (Ryan Barnett)
Date: Mon, 5 Nov 2007 13:11:14 -0400
Subject: [Modsecurity] Some initial Problems
In-Reply-To: <472F4CAD.1010101@ak-palme.de>
References: <472F4CAD.1010101@ak-palme.de>
Message-ID:

AK-Palme,
I have seen this issue before.
If you look at the first SecDefaultAction directive in the rules.conf
file (http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf)
you will see that it is using the "t:lowercase" transformation function -

#Configure for your site
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

This means that all of the rules that follow need to be written in
lowercase and this is why the next rule is matching on all requests. It
should have been written like this -

#Enforce proper HTTP requests
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"

Just an FYI - you should consider using the open source Core Rules found
on the ModSecurity site - http://www.modsecurity.org/projects/rules/index.html.
If you run into any issues with ModSecurity itself and/or with the Core
Rules, you should also sign up for the official ModSecurity mail-list -
https://lists.sourceforge.net/lists/listinfo/mod-security-users. This
current mail-list is mainly for the GotRoot rule sets.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

From thomas.ammermann at digicol.de  Thu Nov  8 02:09:04 2007
From: thomas.ammermann at digicol.de (Thomas Ammermann)
Date: Thu, 8 Nov 2007 08:09:04 +0100
Subject: AW: [Modsecurity] Some initial Problems
In-Reply-To:
References: <472F4CAD.1010101@ak-palme.de>
Message-ID: <001301c821d6$3f668360$be338a20$@ammermann@digicol.de>

Thank you Ryan for explaining this. I ran into the exact same problem and
was very happy to find this solution.

But all I did was upgrade Apache from 2.2.4 to 2.2.6 and mod_security from
2.0.4 to 2.1.3. I did not change anything in my configuration (httpd.conf,
mod_security.conf, ...). The Gotroot rules were just copied over from my
old installation.

Has this "t:lowercase" feature been integrated into mod_security somewhere
between 2.0.4 and 2.1.3?
Thanks in advance,
Thomas

From rcbarnett at gmail.com  Thu Nov  8 10:41:07 2007
From: rcbarnett at gmail.com (Ryan Barnett)
Date: Thu, 8 Nov 2007 10:41:07 -0500
Subject: [Modsecurity] Some initial Problems
In-Reply-To: <-2706782886503079322@unknownmsgid>
References: <472F4CAD.1010101@ak-palme.de> <-2706782886503079322@unknownmsgid>
Message-ID:

So, all you did was to upgrade Apache and ModSecurity and this issue went
away? That does not seem right. Can you please send me your configs so I
can see how you are calling up your rules and also the contents of that
specific rules file that was initially blocking the requests?

As to the lowercase transformation function, it was introduced in Mod 2.0.

Did you sign up for the ModSecurity mail-list (the link I sent previously)?

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

From thomas.ammermann at digicol.de  Fri Nov  9 03:19:41 2007
From: thomas.ammermann at digicol.de (Thomas Ammermann)
Date: Fri, 9 Nov 2007 09:19:41 +0100
Subject: AW: [Modsecurity] Some initial Problems
In-Reply-To:
References: <472F4CAD.1010101@ak-palme.de> <-2706782886503079322@unknownmsgid>
Message-ID: <005601c822a9$46b69f50$d423ddf0$@ammermann@digicol.de>

Hi,

sorry, I may not have described this correctly. I did not have this
problem with Apache 2.2.4 and ModSecurity 2.0.4. Then I upgraded to
Apache 2.2.6 and ModSecurity 2.1.3 without changing any of my
configuration files. Suddenly this problem appeared. That's why I was
wondering ...

Greetings,
Thomas

P.S.: I signed up for both mailing lists (gotroot and mod-security-users).

From erecio at polywog.org  Wed Nov 14 12:47:02 2007
From: erecio at polywog.org (E. M. Recio)
Date: Wed, 14 Nov 2007 12:47:02 -0500
Subject: [Modsecurity] ErrorDocument problem with 2.1.3
Message-ID: <473B3496.1030800@polywog.org>

I noticed that if I put this:

SecRule REQUEST_URI attack

in the second line of my main configuration file
(modsecurity_crs_10_config.conf) - right after "SecRuleEngine on" - the
modified error page comes up as expected.

However, if I put the same line /after/ all the lines in that file, I
get two "Internal Server Error" messages, plus an embedded internal
server error message "Additionally, a 500 Internal Server Error error
was encountered while trying to use an ErrorDocument to handle the request."
It seems like the culprit is:

SecDefaultAction "phase:2,log,deny,status:500"

If I put that sample rule BEFORE the above line, ErrorDocument is OK. If
I put it AFTER that line, ErrorDocument breaks.

What would be the correct setting to make sure that the custom error
messages appear correctly? And more importantly, why would the above
default action break it?

I am just trying to wrap my head around these rules, and tweaking is
driving me nuts, so sorry if I am asking a dumb question.

--
Thanks,
E. Recio

MAC user's dynamic debugging list evaluator? Never heard of that.

From brectanu at gmail.com  Thu Nov 15 01:08:49 2007
From: brectanu at gmail.com (Brian Rectanus)
Date: Wed, 14 Nov 2007 22:08:49 -0800
Subject: [Modsecurity] ErrorDocument problem with 2.1.3
In-Reply-To: <473B3496.1030800@polywog.org>
References: <473B3496.1030800@polywog.org>
Message-ID:

Hi,

This list is for the ruleset for gotroot.com and you are using the Core
Ruleset. Please use the mod-security-users at lists.sourceforge.net list
for CoreRuleset and other general ModSecurity questions. I will take
this over there and reply on that list.

thanks,
-B

From thillson at iastate.edu  Wed Nov 28 11:40:41 2007
From: thillson at iastate.edu (Thomas Hillson)
Date: Wed, 28 Nov 2007 10:40:41 -0600
Subject: [Modsecurity] Problem with Drupal and PHP sites on RHEL server
In-Reply-To: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net>
Message-ID: <9F712319-D110-45E1-A24D-EF1E3FD5EA15@iastate.edu>

I am running mod_security currently on a RHEL 4.6 with php 5.1.2 and
MySQL 5.0.18, and Drupal 5.3.

It is possible that this is due to an update from RHEL as we just went
from 4.5 to 4.6 with a lot of updates in the last couple of weeks.
When I first started using mod_security I had no problems, now all of my
Drupal and several of my php sites are getting blocked. Here are two
sections of my httpd error log showing what I am getting from mod_security.

[Tue Nov 27 13:48:54 2007] [error] [client 129.186.243.2] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "Xu79-YG68i0AACOC7AoAAABB"]
[Tue Nov 27 13:48:59 2007] [error] [client 129.186.242.10] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "X0L2GYG68i0AAEJWOKgAAACi"]
[Tue Nov 27 13:49:05 2007] [error] [client 129.186.242.10] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "X5QZCYG68i0AAHTcX50AAABs"]
[Tue Nov 27 13:49:10 2007] [error] [client 129.186.243.2] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "X@LRMIG68i0AAFkXgpoAAAAY"]

[Wed Nov 28 10:15:42 2007] [error] [client 129.186.242.3] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "glX7AIG68i0AAFd682EAAACi"]
[Wed Nov 28 10:15:43 2007] [error] [client 129.186.242.3] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "glzRH4G68i0AAFxnKyIAAAAI"]
[Wed Nov 28 10:15:43 2007] [error] [client 129.186.242.3] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "gmD2EIG68i0AAF1PXi0AAAA8"]
[Wed Nov 28 10:15:43 2007] [error] [client 129.186.242.3] ModSecurity: Access denied with code 501 (phase 4). Pattern match "^503$" at RESPONSE_STATUS. [id "70901"] [msg "The application is not available"] [severity "ALERT"] [hostname "www.ag.iastate.edu"] [uri "/scholarships/"] [unique_id "gmQfNYG68i0AAFx8O3UAAABA"]

Right now I have to kill mod_security until I either learn how to fix
this or get some answer as to why it is doing it so I can make it work.

I appreciate any help anyone can offer.

Tom

/--------------------------------------------------------------------------
| Tom Hillson                    Agriculture Computer Services Manager
|(515) 294-1543                  College of Agriculture
|                                Iowa State University
---------------------------------------------------------------------------
|"The only thing I have too much of is too little time"

From mike at gotroot.com  Thu Nov 29 12:02:59 2007
From: mike at gotroot.com (Michael Shinn)
Date: Thu, 29 Nov 2007 12:02:59 -0500
Subject: [Modsecurity] Problem with Drupal and PHP sites on RHEL server
In-Reply-To: <9F712319-D110-45E1-A24D-EF1E3FD5EA15@iastate.edu>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <9F712319-D110-45E1-A24D-EF1E3FD5EA15@iastate.edu>
Message-ID: <1196355779.9418.70.camel@shrike.gotroot.com>

What happens if you turn modsec off?
These look like RESPONSE codes of 503, which would be some kind of error
with your application normally.

--
Michael T. Shinn                        KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

_______________________________________________
Modsecurity mailing list
Modsecurity at gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity
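The following Python model is an added example, not code from the thread, GotRoot or ModSecurity. It reproduces the two behaviours discussed above: rule 340000 denying every request once the SecDefaultAction's t:lowercase is inherited (Ryan Barnett's reply to AK-Palme), and a phase 4 rule answering 501 whenever the application itself returns 503 (rule 70901 in Tom Hillson's error log, which Michael Shinn points at). Only the SecDefaultAction, the two forms of rule 340000 and the log fields come from the page; the phase 4 rule text, the t:none variant and the sample transaction are assumptions.

```python
# Toy model of ModSecurity 2.x rule evaluation, written for this thread; it is
# not ModSecurity's code and covers only what the thread discusses.
import html
import re
import urllib.parse

# Transformations named in the GotRoot SecDefaultAction (urlDecodeUni is
# approximated with a plain URL decode; %uXXXX is not handled).
TRANSFORMS = {
    "urlDecodeUni": urllib.parse.unquote,
    "htmlEntityDecode": html.unescape,
    "lowercase": str.lower,
}

def parse_actions(spec):
    """Split "log,deny,status:500,t:lowercase" into ({action: value}, [t names])."""
    actions, transforms = {}, []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        key, _, value = item.partition(":")
        if key == "t":
            transforms.append(value)
        else:
            actions[key] = value
    return actions, transforms

def resolve_transforms(names):
    """t:none discards everything inherited or listed before it, as in ModSecurity."""
    chain = []
    for name in names:
        chain = [] if name == "none" else chain + [name]
    return chain

class RuleEngine:
    def __init__(self):
        self.default_actions, self.default_transforms = {}, []
        self.rules = []  # (variable, pattern, merged actions, transform chain)

    def sec_default_action(self, spec):
        self.default_actions, self.default_transforms = parse_actions(spec)

    def sec_rule(self, variable, pattern, spec=""):
        actions, transforms = parse_actions(spec)
        merged = {**self.default_actions, **actions}  # the rule's own actions win
        chain = resolve_transforms(self.default_transforms + transforms)
        self.rules.append((variable, pattern, merged, chain))

    def evaluate(self, tx):
        """Run phase 2 (request) rules, then phase 4 (response) rules, over the
        transaction dict; return (id, status, phase) of the first deny, else None."""
        for phase in ("2", "4"):
            for variable, pattern, actions, chain in self.rules:
                if actions.get("phase", "2") != phase:
                    continue
                value = tx.get(variable, "")
                for name in chain:  # transformations run on a copy, before matching
                    value = TRANSFORMS[name](value)
                negate = pattern.startswith("!")  # "!pattern" means "does not match"
                matched = re.search(pattern[1:] if negate else pattern, value) is not None
                if matched != negate and "deny" in actions:
                    return actions.get("id"), actions.get("status"), phase
        return None

# SecDefaultAction and rule 340000 exactly as quoted from GotRoot rules.conf
# in Ryan Barnett's reply, in the shipped and the corrected form.
GOTROOT_DEFAULT = ("log,deny,phase:2,status:500,"
                   "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase")
AS_SHIPPED = r"!^HTTP/(0\.9|1\.0|1\.1)$"
CORRECTED = r"!^http/(0\.9|1\.0|1\.1)$"

def build_engine(protocol_pattern, extra_rule_actions=""):
    eng = RuleEngine()
    eng.sec_default_action(GOTROOT_DEFAULT)
    eng.sec_rule("REQUEST_PROTOCOL", protocol_pattern,
                 "id:340000,severity:1,msg:'Bad HTTP Protocol'" + extra_rule_actions)
    # Assumed rule, reconstructed from the fields in Tom Hillson's error log
    # (id 70901, phase 4, "^503$" at RESPONSE_STATUS, deny code 501); the real
    # GotRoot rule text is not on the page.
    eng.sec_rule("RESPONSE_STATUS", "^503$",
                 "id:70901,phase:4,status:501,msg:'The application is not available'")
    return eng

def transaction(protocol="HTTP/1.1", status="200"):
    """Constructed sample transaction: a normal browser hit on Tom's site."""
    return {"REQUEST_PROTOCOL": protocol, "REQUEST_URI": "/scholarships/",
            "RESPONSE_STATUS": status}

def outcomes():
    """Map each scenario to the denying (id, status, phase), or None if allowed."""
    return {
        # t:lowercase turns "HTTP/1.1" into "http/1.1"; the uppercase pattern no
        # longer matches, so the negated rule denies every well-formed request.
        "as_shipped": build_engine(AS_SHIPPED).evaluate(transaction()),
        "corrected": build_engine(CORRECTED).evaluate(transaction()),
        # Alternative fix (assumption, not from the thread): t:none on the rule
        # drops the inherited chain, so the original uppercase pattern works.
        "t_none": build_engine(AS_SHIPPED, ",t:none").evaluate(transaction()),
        # The corrected rule still rejects a malformed protocol string.
        "bad_protocol": build_engine(CORRECTED).evaluate(transaction("HTTP/9.9")),
        # The application answers 503: phase 4 rule 70901 turns it into a 501
        # deny, which is exactly what Tom's log shows.
        "app_down": build_engine(CORRECTED).evaluate(transaction(status="503")),
    }
```

Running `outcomes()` shows the shipped rule denying a plain HTTP/1.1 request with status 500, the corrected rule letting it through, and the 503 case denied by 70901 in phase 4.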