[Modsecurity] Some initial Problems

Ryan Barnett rcbarnett at gmail.com
Thu Nov 8 10:41:07 EST 2007


So, all you did was to upgrade Apache and ModSecurity and this issue went
away?  That does not seem right.  Can you please send me your configs so I
can see how you are calling up your rules and also the contents of that
specific rules file that was initially blocking the requests?

As to the lowercase transformation function, it was introduced in Mod 2.0.

Did you sign up for the ModSecurity mail-list (the link I sent previously)?

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On Nov 8, 2007 2:09 AM, Thomas Ammermann <thomas.ammermann at digicol.de> wrote:

> Thank you Ryan for explaining this. I ran into the exact same problem and
> was very happy to find this solution.
>
> But all I did was upgrade Apache from 2.2.4 to 2.2.6 and mod_security from
> 2.0.4 to 2.1.3.
> I did not change anything in my configuration (httpd.conf,
> mod_security.conf, ...). The Gotroot rules were just copied over from my
> old installation.
>
> Has this "t:lowercase" feature been integrated into mod_security somewhere
> between 2.0.4 and 2.1.3 ?
>
> Thanks in advance,
> Thomas
>
>
> -----Original Message-----
> From: modsecurity-bounces at gotroot.com
> [mailto:modsecurity-bounces at gotroot.com] On Behalf Of Ryan Barnett
> Sent: Monday, November 5, 2007 18:11
> To: AK-Palme
> Cc: modsecurity at gotroot.com
> Subject: Re: [Modsecurity] Some initial Problems
>
> AK-Palme,
> I have seen this issue before.  If you look at the first SecDefaultAction
> directive in the rules.conf file
> (http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf)
> you will see that it is using the "t:lowercase" transformation function -
>
> #Configure for your site
> SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
>
> This means that all of the rules that follow need to be written in lowercase
> and this is why the next rule is matching on all requests.  It should have
> been written like this -
>
> #Enforce proper HTTP requests
> SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
>
> Just an FYI - you should consider using the open source Core Rules found on
> the ModSecurity site - http://www.modsecurity.org/projects/rules/index.html.
> If you run into any issues with ModSecurity itself and/or with the Core
> Rules, you should also sign up for the official ModSecurity mail-list -
> https://lists.sourceforge.net/lists/listinfo/mod-security-users.  This
> current mail-list is mainly for the GotRoot rule sets.
>
> On 11/5/07, AK-Palme <ak-palme at ak-palme.de> wrote:
>
>        Hi,
>        I am new to mod-security. I am using apache2 with mod-security2 on
>        Debian. I downloaded the rulesets from
>
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf
>        http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf
>
>        and first all websites stopped working until I disabled
>        SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
>
>        To use the MediaWiki I had to disable several rules, too.
>
>        I wonder if I am the only one with these errors or if the project is
>        not maintained anymore. Because the rules-files on the Server are
>        almost 1 year old, too.
>
>        Greetings,
>        AK-Palme
>        _______________________________________________
>        Modsecurity mailing list
>        Modsecurity at gotroot.com
>        http://lists.gotroot.com/mailman/listinfo/modsecurity
>
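
Added example (not part of the original thread, and not ModSecurity or GotRoot code): a Python model of the behaviour described above, where t:lowercase inherited from SecDefaultAction is applied before the regex runs, plus a lint that flags rules whose pattern still contains uppercase literals. The function names, the id 340001 and the use of Python's re module in place of ModSecurity's regex engine are assumptions made for this example.

```python
import re

# Constructed config: the thread's directive and both rule variants; id 340001 is made up.
SAMPLE_CONF = r'''
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340001,severity:1,msg:'Bad HTTP Protocol'"
'''
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted directive arguments

def transforms(actions, inherited=()):
    """Collect t:* actions; a rule adds to the inherited list, t:none clears it."""
    chain = list(inherited)
    for act in (a.strip() for a in actions.split(",")):  # naive split: no commas in msg
        if act.startswith("t:"):
            chain = [] if act == "t:none" else chain + [act[2:].lower()]
    return chain

def parse(conf):
    """Yield (rule_id, operator, effective_transforms) for each SecRule."""
    default = []
    for line in conf.splitlines():
        args = QUOTED.findall(line)
        if line.startswith("SecDefaultAction") and args:
            default = transforms(args[0])
        elif line.startswith("SecRule") and len(args) == 2:
            rule_id = re.search(r"\bid:(\d+)", args[1]).group(1)
            yield rule_id, args[0], transforms(args[1], default)

def rule_fires(operator, chain, value):
    """Evaluate an implicit-@rx operator (optionally negated with '!') on value."""
    if "lowercase" in chain:
        value = value.lower()  # the regex sees the transformed value, not the raw one
    negated = operator.startswith("!")
    matched = re.search(operator[1:] if negated else operator, value) is not None
    return matched != negated

def lint(conf):
    """Ids of rules whose pattern has uppercase literals while t:lowercase applies."""
    flagged = []
    for rule_id, operator, chain in parse(conf):
        literals = re.sub(r"\\.", "", operator)  # drop escapes such as \S or \D
        if "lowercase" in chain and re.search(r"[A-Z]", literals):
            flagged.append(rule_id)
    return flagged

def blocked_ids(conf, protocol):
    """Ids of rules that would fire for a given REQUEST_PROTOCOL value."""
    return [rid for rid, op, chain in parse(conf) if rule_fires(op, chain, protocol)]
```

For a normal "HTTP/1.1" request, blocked_ids(SAMPLE_CONF, "HTTP/1.1") reports only the uppercase variant, which is the rule that took every site down. The lint is a heuristic: a pattern containing a character class such as [A-Z] would also be flagged.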