AW: [Modsecurity] Some initial Problems

Thomas Ammermann thomas.ammermann at digicol.de
Thu Nov 8 02:09:04 EST 2007


Thank you Ryan for explaining this. I ran into the exact same problem and
was very happy to find this solution.

But all I did was upgrade Apache from 2.2.4 to 2.2.6 and mod_security from
2.0.4 to 2.1.3.
I did not change anything in my configuration (httpd.conf,
mod_security.conf, ...). The Gotroot rules were just copied over from my old
installation.

Has this "t:lowercase" feature been integrated into mod_security somewhere
between 2.0.4 and 2.1.3?

Thanks in advance,
Thomas


-----Original Message-----
From: modsecurity-bounces at gotroot.com
[mailto:modsecurity-bounces at gotroot.com] On Behalf Of Ryan Barnett
Sent: Monday, 5 November 2007 18:11
To: AK-Palme
Cc: modsecurity at gotroot.com
Subject: Re: [Modsecurity] Some initial Problems

AK-Palme,
I have seen this issue before.  If you look at the first SecDefaultAction
directive in the rules.conf file
(http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf )
you will see that it is using the "t:lowercase" transformation function -
 
#Configure for your site
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
 
This means that all of the rules that follow need to be written in lowercase
and this is why the next rule is matching on all requests.  It should have
been written like this -

#Enforce proper HTTP requests
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
 
Just an FYI - you should consider using the open source Core Rules found on
the ModSecurity site - http://www.modsecurity.org/projects/rules/index.html.
If you run into any issues with ModSecurity itself and/or with the Core
Rules, you should also sign up for the official ModSecurity mail-list -
https://lists.sourceforge.net/lists/listinfo/mod-security-users.  This
current mail-list is mainly for the GotRoot rule sets.
 
-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC 
Author: Preventing Web Attacks with Apache

 
On 11/5/07, AK-Palme <ak-palme at ak-palme.de> wrote: 

	Hi,
	I am new to mod-security. I am using apache2 with mod-security2 on
	Debian. I downloaded the rulesets from
	
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf...
	http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf...
	
	and first all websites stopped working until I disabled
	SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
	
	To use the MediaWiki I had to disable several rules, too. 
	
	I wonder if I am the only one with these errors or if the project is
	not maintained anymore. Because the rules-files on the Server are
	almost 1 year old, too..
	
	Greetings,
	AK-Palme
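
The mismatch described in the thread can be checked mechanically. The following is an added example, not part of any message above and not GotRoot or ModSecurity code: a small Python lint that flags regex rules containing uppercase literals while t:lowercase is in effect, plus a helper showing why the negated rule then fires on every request. The names SAMPLE, transforms, fires and lint are hypothetical; it assumes one directive per line and that t:none clears inherited transformations.

```python
import re

# Constructed sample: the SecDefaultAction and both spellings of the
# REQUEST_PROTOCOL rule quoted in the thread, one directive per line.
SAMPLE = r'''
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
'''.strip()

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted directive arguments

def transforms(actions, inherited=()):
    """Collect t: actions in order; t:none clears what was inherited."""
    active = list(inherited)
    for act in (a.strip().lower() for a in actions.split(",")):
        if act == "t:none":
            active = []
        elif act.startswith("t:"):
            active.append(act[2:])
    return active

def fires(operator, value, active):
    """Evaluate a bare regex operator (optionally negated with '!') on value."""
    if "lowercase" in active:
        value = value.lower()            # the rule only ever sees this form
    hit = re.search(operator.lstrip("!"), value) is not None
    return hit != operator.startswith("!")

def lint(text):
    """Return (line_no, operator) for regex rules whose pattern contains
    uppercase literals while t:lowercase is in effect."""
    default, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        args = QUOTED.findall(line)
        word = line.split(None, 1)[0] if line.strip() else ""
        if word == "SecDefaultAction" and args:
            default = transforms(args[0])
        elif word == "SecRule" and args:
            active = transforms(args[1] if len(args) > 1 else "", default)
            pattern = args[0].lstrip("!")
            if pattern.startswith("@") and not pattern.startswith("@rx "):
                continue                 # non-regex operators are not checked
            literals = re.sub(r"\\.", "", pattern)   # drop \d, \S, \. escapes
            if "lowercase" in active and re.search(r"[A-Z]", literals):
                findings.append((no, args[0]))
    return findings

if __name__ == "__main__":
    for no, op in lint(SAMPLE):
        print(f"line {no}: {op} cannot match after t:lowercase")
```

Run against the sample, only the uppercase spelling of the rule is reported; the lowercase spelling passes and still rejects protocols outside 0.9, 1.0 and 1.1.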