AW: [Modsecurity] Some initial Problems
Thomas Ammermann
thomas.ammermann at digicol.de
Fri Nov 9 03:19:41 EST 2007
Hi,
sorry, I may not have described this correctly.
I did not have this problem with Apache 2.2.4 and ModSecurity 2.0.4. Then I
upgraded to Apache 2.2.6 and ModSecurity 2.1.3 without changing any of my
configuration files. Suddenly this problem appeared.
That's why I was wondering ...
Greetings,
Thomas
P.S.: I signed up for both mailing lists (gotroot and mod-security-users).
-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett at gmail.com]
Sent: Thursday, November 8, 2007 16:41
To: Thomas Ammermann
Cc: modsecurity at gotroot.com
Subject: Re: [Modsecurity] Some initial Problems
So, all you did was to upgrade Apache and ModSecurity and this issue went
away? That does not seem right. Can you please send me your configs so I
can see how you are calling up your rules and also the contents of that
specific rules file that was initially blocking the requests?
As to the lowercase transformation function, it was introduced in Mod 2.0.
Did you sign up for the ModSecurity mail-list (the link I sent previously)?
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On Nov 8, 2007 2:09 AM, Thomas Ammermann <thomas.ammermann at digicol.de> wrote:
Thank you Ryan for explaining this. I ran into the exact same problem and
was very happy to find this solution.
But all I did was upgrade Apache from 2.2.4 to 2.2.6 and mod_security from
2.0.4 to 2.1.3.
I did not change anything in my configuration (httpd.conf,
mod_security.conf, ...). The Gotroot rules were just copied over from my
old installation.
Has this "t:lowercase" feature been integrated into mod_security somewhere
between 2.0.4 and 2.1.3?
Thanks in advance,
Thomas
-----Original Message-----
From: modsecurity-bounces at gotroot.com
[mailto:modsecurity-bounces at gotroot.com] On Behalf Of Ryan Barnett
Sent: Monday, November 5, 2007 18:11
To: AK-Palme
Cc: modsecurity at gotroot.com
Subject: Re: [Modsecurity] Some initial Problems
AK-Palme,
I have seen this issue before. If you look at the first SecDefaultAction
directive in the rules.conf file
(http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf)
you will see that it is using the "t:lowercase" transformation function -
#Configure for your site
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
This means that all of the rules that follow need to be written in
lowercase and this is why the next rule is matching on all requests. It
should have been written like this -
#Enforce proper HTTP requests
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
Just an FYI - you should consider using the open source Core Rules found on
the ModSecurity site - http://www.modsecurity.org/projects/rules/index.html .
If you run into any issues with ModSecurity itself and/or with the Core
Rules, you should also sign up for the official ModSecurity mail-list -
https://lists.sourceforge.net/lists/listinfo/mod-security-users . This
current mail-list is mainly for the GotRoot rule sets.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 11/5/07, AK-Palme <ak-palme at ak-palme.de> wrote:
Hi,
I am new to mod-security. I am using apache2 with mod-security2 on
Debian. I downloaded the rulesets from
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf
and first all websites stopped working until I disabled
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
To use the MediaWiki I had to disable several rules, too.
I wonder if I am the only one with these errors or if the project is not
maintained anymore. Because the rules-files on the Server are almost 1
year old, too.
Greetings,
AK-Palme
_______________________________________________
Modsecurity mailing list
Modsecurity at gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity
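Added example, not part of the original thread and not ModSecurity or GotRoot code: a simplified Python model of the behaviour discussed above, where a negated regex rule with an uppercase pattern fires on every request once "t:lowercase" is inherited from SecDefaultAction, together with a small lint that flags such patterns in a rules file. The function names, the single-line directive parsing and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: the directives quoted in the thread (line 3 is the rule as
# posted in the original question, line 4 the lowercase form given in the reply).
SAMPLE_RULES = r'''
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
'''
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted directive arguments

def transforms(actions):
    """Return the names of the t:... actions in an action string, in order."""
    return [a.strip()[2:].lower() for a in actions.split(",") if a.strip().startswith("t:")]

def rule_fires(pattern, value, lowercase):
    """Model a regex rule with optional '!' negation; t:lowercase runs on the input first."""
    if lowercase:
        value = value.lower()
    negated = pattern.startswith("!")
    matched = re.search(pattern[1:] if negated else pattern, value) is not None
    return matched != negated

def lint(rules_text):
    """Return (line, pattern) for SecRule patterns with uppercase literals under t:lowercase."""
    defaults, findings = [], []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        args = QUOTED.findall(line)
        directive = line.split(None, 1)[0] if line.strip() else ""
        if directive == "SecDefaultAction" and args:
            defaults = transforms(args[0])
        elif directive == "SecRule" and args:
            own = transforms(args[1]) if len(args) > 1 else []
            # t:none in the rule discards the inherited transformations
            effective = own[own.index("none") + 1:] if "none" in own else defaults + own
            literal = re.sub(r"^!?@\w+\s*", "", args[0])  # ignore operator name, e.g. @beginsWith
            literal = re.sub(r"\\.", "", literal)          # ignore escapes such as \. or \S
            if "lowercase" in effective and re.search(r"[A-Z]", literal):
                findings.append((lineno, args[0]))
    return findings

if __name__ == "__main__":
    for lineno, pattern in lint(SAMPLE_RULES):
        print(f"line {lineno}: uppercase in pattern under t:lowercase: {pattern}")
    for proto in ("HTTP/1.1", "HTTP/9.9"):
        print(proto, "posted rule denies:", rule_fires(r"!^HTTP/(0\.9|1\.0|1\.1)$", proto, True),
              "| lowercase rule denies:", rule_fires(r"!^http/(0\.9|1\.0|1\.1)$", proto, True))
```

Running the lint over a copied-over rule set before reloading Apache shows which rules would deny all traffic under the inherited default transformations.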