[Modsecurity] Some initial Problems
Ryan Barnett
rcbarnett at gmail.com
Mon Nov 5 12:11:14 EST 2007
AK-Palme,
I have seen this issue before. If you look at the first SecDefaultAction
directive in the rules.conf file (
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf)
you will see that it is using the "t:lowercase" transformation function -
#Configure for your site
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
This means that all of the rules that follow need to be written in lowercase
and this is why the next rule is matching on all requests. It should have
been written like this -
#Enforce proper HTTP requests
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
Just an FYI - you should consider using the open source Core Rules found on
the ModSecurity site - http://www.modsecurity.org/projects/rules/index.html.
If you run into any issues with ModSecurity itself and/or with the Core
Rules, you should also sign up for the official ModSecurity mail-list -
https://lists.sourceforge.net/lists/listinfo/mod-security-users. This
current mail-list is mainly for the GotRoot rule sets.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 11/5/07, AK-Palme <ak-palme at ak-palme.de> wrote:
>
> Hi,
> I am new to mod-security. I am using apache2 with mod-security2 on
> Debian. I downloaded the rulesets from
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf.
> ..
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf...
>
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf.
> ..
>
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf.
> ..
>
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf.
> ..
>
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf.
> ..
>
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf.
> ..
>
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf.
> ..
> http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf.
> ..
>
> and first all websites stopped working until I disabled
> SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
>
> To use the MediaWiki I had to disable several rules, too.
>
> I wonder if I am the only one with these errors or if the project is not
> maintained anymore. Because the rules-files on the server are almost 1
> year old, too.
>
> Greetings,
> AK-Palme
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>
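Added example, not part of the original thread and not GotRoot or ModSecurity project code: a small Python check for the problem described in the reply above, where a regex containing uppercase letters is evaluated against input that t:lowercase has already lowercased. It assumes ModSecurity 2.x inheritance (a SecRule picks up the SecDefaultAction transformations unless it sets t:none) and inspects only the regex operator; the function names and the BEFORE/AFTER samples are constructed here.

```python
import re
import shlex

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def transforms(actions, inherited=()):
    """Apply t:xxx actions in order; t:none clears everything before it."""
    active = list(inherited)
    for name in re.findall(r"\bt:(\w+)", actions):
        active = [] if name.lower() == "none" else active + [name.lower()]
    return active

def lint(conf):
    """Return (rule id, operator argument, effect) for regexes t:lowercase defeats."""
    default, findings = [], []
    for line in logical_lines(conf):
        parts = shlex.split(line)
        if parts[0] == "SecDefaultAction" and len(parts) > 1:
            default = transforms(parts[1])
        elif parts[0] == "SecRule" and len(parts) > 2:
            actions = parts[3] if len(parts) > 3 else ""
            op = parts[2].lstrip("!")
            if "lowercase" not in transforms(actions, default):
                continue
            if op.startswith("@") and not op.startswith("@rx "):
                continue  # assumption: only the regex operator is checked
            # Drop escapes such as \S or \W so only literal letters are tested.
            literal = re.sub(r"\\.", "", op[4:] if op.startswith("@rx ") else op)
            if re.search(r"[A-Z]", literal) and "(?i" not in literal:
                rule_id = re.search(r"\bid:(\d+)", actions)
                effect = "always matches" if parts[2].startswith("!") else "never matches"
                findings.append((rule_id and rule_id.group(1), parts[2], effect))
    return findings

# Constructed sample: the two directives quoted in the thread, before the fix.
BEFORE = r'''
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" \
    "id:340000,severity:1,msg:'Bad HTTP Protocol'"
'''
AFTER = BEFORE.replace("^HTTP/", "^http/")  # the corrected rule from the reply
```

lint(BEFORE) reports rule 340000 as "always matches" because the pattern is negated; lint(AFTER) reports nothing.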