Thread: httpd-guardian errors not in error_log?

2007-03-30 16:52:06
Hey folks, I'm playing with using mod_security and httpd-guardian to protect against scripting and automation.
httpd-guardian is configured like:
SecGuardianLog "|/usr/local/bin/httpd-guardian"
I think I'm off to a great start, the alerts are being triggered and so forth, but I get no httpd-guardian messages in the apache error_log.
Added the line:
open STDERR, ">>/tmp/hg_log";
at the top of the httpd-guardian script, and the messages all show up just fine in hg_log. I was hoping to have them show alongside the rest of the Apache error_log, and that seems to be what the documentation suggests will happen. Any advice?
I'm using:
ModSecurity for Apache 2.1.0
Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2
mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.8
Rev 1.6 of httpd-guardian from the sourceforge CVS site
Thanks, and let me know if I can provide any other info that might help.
-Miles
|
Re: httpd-guardian errors not in error_log?
United States
2007-03-31 07:44:57
Miles,
Just change the location of your open command to point to your Apache error_log like this –
open STDERR, ">>/path/to/apache/logs/error_log";
Now, once httpd-guardian takes action, you will see entries like this in your error_log file –
httpd-guardian: IP address HASH(0x92e08d0) reached the 1 min threshold (speed = 2.76712328767123 req/sec, threshold = 0.01 req/sec)
httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from 127.0.0.1
The 2nd line above is from my own "test" configuration where I am just using logger to create a Syslog alert and not actually blackholing the client on the firewall.
# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
my $PROTECT_EXEC;
# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
$PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";
The point is that a message will be generated when httpd-guardian identifies a client that has gone over your defined threshold of requests/time interval and when it executes a responsive action.
Hope this helps.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
|
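Added example, not part of the original posts and not httpd-guardian's own code: a standalone Perl script showing hardened forms of the two pieces discussed in the reply above, the STDERR redirect and the $PROTECT_EXEC command. The helper names, the HG_ERROR_LOG environment variable, and the assumption that the template is a plain command line expanded with sprintf are assumptions made for illustration; the second sample value is the non-address string seen in the quoted log line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;

# Assumed path and variable name; use the file named by your ErrorLog directive.
my $ERROR_LOG = $ENV{HG_ERROR_LOG} || "/path/to/apache/logs/error_log";
# Command template as in the thread: %s is replaced by the client address.
my $PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";

# Append STDERR to $path. On failure, restore the old STDERR and report there,
# so messages are never dropped silently.
sub redirect_stderr {
    my ($path) = @_;
    open(my $saved, ">&", \*STDERR) or return 0;
    unless (open(STDERR, ">>", $path)) {
        my $err = $!;
        open(STDERR, ">&", $saved) or return 0;
        warn "httpd-guardian: cannot append to $path: $err\n";
        return 0;
    }
    STDERR->autoflush(1);    # flush each message immediately
    return 1;
}

# Accept only a dotted-quad IPv4 address.
sub valid_ipv4 {
    my ($ip) = @_;
    return 0 unless defined($ip)
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return (grep { $_ > 255 } $1, $2, $3, $4) ? 0 : 1;
}

# Fill in the template and run it as an argument list, bypassing the shell.
sub run_protect_exec {
    my ($template, $ip) = @_;
    unless (valid_ipv4($ip)) {
        warn "httpd-guardian: not executing, address failed validation\n";
        return 0;
    }
    my @argv = split ' ', sprintf($template, $ip);
    warn "httpd-guardian: Executing: @argv\n";
    my $rc = system { $argv[0] } @argv;
    return $rc == 0 ? 1 : 0;
}

redirect_stderr($ERROR_LOG);
run_protect_exec($PROTECT_EXEC, "127.0.0.1");        # constructed sample
run_protect_exec($PROTECT_EXEC, "HASH(0x92e08d0)");  # non-address value: refused
```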
Re: httpd-guardian errors not in error_log?
2007-03-31 23:31:34
Thanks, I guess I knew I could append the output to any file I liked in this fashion. I suppose my question was more of a "why?" than a "how?" ;)
Perhaps a note should be made here? Or within the comments of httpd-guardian itself, which seem to indicate this isn't a necessary step.
Either way, it's not a big deal. Thanks for mod_security, it's been working great for us!
-Miles
|