AW: [Modsecurity] Some initial Problems




2007-11-09 02:19:41
AW: Some initial Problems
Hi,

Sorry, I may not have described this correctly.
I did not have this problem with Apache 2.2.4 and ModSecurity 2.0.4. Then I
upgraded to Apache 2.2.6 and ModSecurity 2.1.3 without changing any of my
configuration files. Suddenly this problem appeared.

That's why I was wondering ...

Greetings,
Thomas

P.S.: I signed up for both mailing lists (gotroot and mod-security-users).


-----Original Message-----
From: Ryan Barnett [mailto:rcbarnettgmail.com]
Sent: Thursday, November 8, 2007 16:41
To: Thomas Ammermann
Cc: modsecuritygotroot.com
Subject: Re: [Modsecurity] Some initial Problems

So, all you did was to upgrade Apache and ModSecurity and this issue went
away?  That does not seem right.  Can you please send me your configs so I
can see how you are calling up your rules and also the contents of that
specific rules file that was initially blocking the requests?

As to the lowercase transformation function, it was introduced in Mod 2.0.

Did you sign up for the ModSecurity mail-list (the link I sent previously)?

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache 


On Nov 8, 2007 2:09 AM, Thomas Ammermann <thomas.ammermanndigicol.de> wrote:


	Thank you Ryan for explaining this. I ran into the exact same problem and
	was very happy to find this solution.

	But all I did was upgrade Apache from 2.2.4 to 2.2.6 and mod_security from
	2.0.4 to 2.1.3.
	I did not change anything in my configuration (httpd.conf,
	mod_security.conf, ...). The Gotroot rules were just copied over from my old
	installation.

	Has this "t:lowercase" feature been integrated into mod_security somewhere
	between 2.0.4 and 2.1.3?

	Thanks in advance,
	Thomas
	
	
	-----Original Message-----
	From: modsecurity-bouncesgotroot.com
	[mailto:modsecurity-bouncesgotroot.com] On behalf of Ryan Barnett
	Sent: Monday, November 5, 2007 18:11
	To: AK-Palme
	Cc: modsecuritygotroot.com
	Subject: Re: [Modsecurity] Some initial Problems
	

	AK-Palme,
	I have seen this issue before.  If you look at the first SecDefaultAction
	directive in the rules.conf file
	(http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf)
	you will see that it is using the "t:lowercase" transformation function -

	#Configure for your site
	SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

	This means that all of the rules that follow need to be written in lowercase
	and this is why the next rule is matching on all requests.  It should have
	been written like this -

	#Enforce proper HTTP requests
	SecRule REQUEST_PROTOCOL "!^http/(0.9|1.0|1.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"

	Just an FYI - you should consider using the open source Core Rules found on
	the ModSecurity site -
	http://www.modsecurity.org/projects/rules/index.html .
	If you run into any issues with ModSecurity itself and/or with the Core
	Rules, you should also sign up for the official ModSecurity mail-list -
	https://lists.sourceforge.net/lists/listinfo/mod-security-users .
	This current mail-list is mainly for the GotRoot rule sets.
	
	--
	Ryan C. Barnett
	ModSecurity Community Manager
	Breach Security: Director of Application Security Training
	Web Application Security Consortium (WASC) Member 
	CIS Apache Benchmark Project Lead
	SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
	Author: Preventing Web Attacks with Apache
	
	
	On 11/5/07, AK-Palme <ak-palmeak-palme.de> wrote:

	       Hi,
	       I am new to mod-security. I am using apache2 with mod-security2 on
	       Debian. I downloaded the rulesets from

	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf
	       http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf

	       and first all websites stopped working until I disabled
	       SecRule REQUEST_PROTOCOL "!^HTTP/(0.9|1.0|1.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"

	       To use the MediaWiki I had to disable several rules, too.

	       I wonder if I am the only one with these errors or if the project is
	       not maintained anymore. Because the rules-files on the Server are
	       almost 1 year old, too..
	
	       Greetings,
	       AK-Palme
	       _______________________________________________
	       Modsecurity mailing list
	       Modsecuritygotroot.com 
	       http://lists.gotroot.com/mailman/listinfo/modsecurity
	
	
	
	
	
	
	





_______________________________________________
Modsecurity mailing list
Modsecuritygotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity
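
The effect Ryan describes in the thread, as an added example that is not part of the original messages or of the GotRoot rules: a small Python lint that flags regex rules containing uppercase literals while `t:lowercase` is in effect, plus a check showing why the uppercase pattern fires on every request. The sample rules text is constructed from the excerpt quoted above, rule id 340001 is made up for the corrected variant, and Python's `re` stands in for ModSecurity's regex engine.

```python
import re
import shlex

# Constructed sample shaped like the rules.conf excerpt quoted in the thread;
# rule id 340001 is a made-up id for the corrected (lowercase) variant.
SAMPLE = r'''
#Configure for your site
SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_PROTOCOL "!^HTTP/(0.9|1.0|1.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
SecRule REQUEST_PROTOCOL "!^http/(0.9|1.0|1.1)$" "id:340001,severity:1,msg:'Bad HTTP Protocol'"
'''

def fires(operator, value, lowered):
    """Evaluate a (possibly negated) regex operator against a variable value."""
    negated = operator.startswith("!")
    pattern = operator.lstrip("!")
    if lowered:                      # what t:lowercase does to the value
        value = value.lower()
    return (re.search(pattern, value) is not None) != negated

def lint(text):
    """Return ids of regex rules whose pattern has uppercase literals while
    t:lowercase is in effect (from SecDefaultAction or the rule itself)."""
    default_lower, flagged = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "SecDefaultAction" and len(parts) > 1:
            default_lower = "t:lowercase" in parts[1].split(",")
        elif parts[0] == "SecRule" and len(parts) > 2:
            actions = parts[3].split(",") if len(parts) > 3 else []
            if "t:none" in actions:  # t:none discards inherited transformations
                last = len(actions) - 1 - actions[::-1].index("t:none")
                lowered = "t:lowercase" in actions[last:]
            else:
                lowered = default_lower or "t:lowercase" in actions
            operator = parts[2].lstrip("!")
            if operator.startswith("@") and not operator.startswith("@rx "):
                continue             # only regex operators are checked here
            literals = re.sub(r"\\.", "", operator.removeprefix("@rx "))
            if lowered and re.search(r"[A-Z]", literals):
                rule_id = next((a[3:] for a in actions if a.startswith("id:")), "?")
                flagged.append(rule_id)
    return flagged

if __name__ == "__main__":
    print(lint(SAMPLE), fires("!^HTTP/(0.9|1.0|1.1)$", "HTTP/1.1", True))
```

Running the lint over a rule set before and after a ModSecurity upgrade shows which rules depend on the inherited transformation chain rather than on their own `t:` actions.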
