List: mod-security-users
Subject: Re: [mod-security-users] mod_security 2.5.5 not working after
From: Joe Keegan <jkeegan () aravo ! com>
Date: 2008-06-19 19:39:31
Message-ID: 7E6DBDE02B86E14B8BAED0F42AE7600635694E5B17 () VMBX102 ! ihostexchange ! net
I just double checked on our QA environment, which mod_security is installed on,
and we don't have mod_unique_id. It's on our production and I just assumed
it was in QA.
Sorry to waste everyone's time.
Thanks,
Joe
From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
Sent: Thursday, June 19, 2008 12:27 PM
To: Joe Keegan; mod-security-users@lists.sourceforge.net
Subject: RE: [mod-security-users] mod_security 2.5.5 not working after install
Joe,
What does the error_log say when you start up apache and then when you send
your requests?
This may or may not be related but another user recently was posting with
similar issues and he responded to me and said that his problem was that he
didn't have mod_unique_id installed. Once he added it back in everything
worked fine. Can you confirm if you have that installed?
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
________________________________
From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Joe Keegan
Sent: Thursday, June 19, 2008 3:19 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] mod_security 2.5.5 not working after install
I've followed the directions to install mod_security and the core rules, but
I must have missed something since it's not working. When trying to trigger
mod_security in testing I tried "curl http://site.com/cmd.exe" and
"curl -A 'paros' http://site.com" expecting something to get an entry in the
modsec_audit.log, but it's empty.
I've looked through the archives a bit, but couldn't find anything too useful,
but hopefully I've provided the information below that will be helpful in
troubleshooting this. I plan to up the SecDebugLogLevel to 9 to see if
anything shows up, but I can't take down the web server for testing till
later. Any other suggestions would be awesome.
Thanks in advance for anyone who can help me troubleshoot.
-- System and file info -
# httpd -v
Server version: Apache/2.0.52
Server built: Jan 5 2006 12:31:31
# uname -a
Linux saddleback.aravo.network 2.6.9-34.ELsmp #1 SMP Wed Mar 8 00:27:03 CST 2006 i686 i686 i386 GNU/Linux
# cat /etc/redhat-release
CentOS release 4.3 (Final)
# ls -l /usr/lib/libxml2*
-rw-r--r-- 1 root root 1203320 Jan 14 04:01 /usr/lib/libxml2.a
-rwxr-xr-x 1 root root 801 Jan 14 04:00 /usr/lib/libxml2.la
lrwxrwxrwx 1 root root 17 Jun 18 19:04 /usr/lib/libxml2.so -> libxml2.so.2.6.16
lrwxrwxrwx 1 root root 17 Jun 18 18:17 /usr/lib/libxml2.so.2 -> libxml2.so.2.6.16
-rwxr-xr-x 1 root root 965920 Jan 14 04:01 /usr/lib/libxml2.so.2.6.16
# ls -l /usr/lib/liblua*
-rwxr-xr-x 1 root root 196832 Feb 1 05:26 /usr/lib/liblua5.1.a
-rwxr-xr-x 1 root root 156261 Feb 1 05:26 /usr/lib/liblua5.1.so
-- Apache config info --
# grep -i security /etc/httpd/conf/httpd.conf | grep -v \#
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
# grep LoadFile /etc/httpd/conf/httpd.conf
LoadFile /usr/lib/libxml2.so.2
LoadFile /usr/lib/liblua5.1.so
-- ModSecurity Conf --
# grep SecRuleEngine /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf
SecRuleEngine On
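
As an added example (not part of the thread, and not ModSecurity project code), the script below checks Apache config files for the condition diagnosed above: security2_module loaded without unique_id_module. The function names and the sample config are constructed for illustration; it reads only LoadModule and SecRuleEngine lines, so a mod_unique_id compiled statically into httpd (listed by `httpd -l`) is not detected.

```shell
#!/bin/sh
# Added example (not from the thread): static config check for the
# ModSecurity 2.x prerequisite discussed here, mod_unique_id.

# Print active directives: leading whitespace trimmed, comments/blanks dropped.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$@"
}

# has_module <module_identifier> <file...>: true if a LoadModule line loads it.
has_module() {
    mod=$1; shift
    active_directives "$@" | awk -v m="$mod" \
        'tolower($1) == "loadmodule" && $2 == m { found = 1 } END { exit !found }'
}

# check_modsec_prereqs <file...> prints one status line and returns:
#   0 all good, 1 security2_module not loaded,
#   2 unique_id_module not loaded (the failure in this thread),
#   3 SecRuleEngine unset or Off (rules never run)
check_modsec_prereqs() {
    has_module security2_module "$@" ||
        { echo "FAIL: security2_module is not loaded"; return 1; }
    has_module unique_id_module "$@" ||
        { echo "FAIL: unique_id_module is not loaded"; return 2; }
    engine=$(active_directives "$@" |
        awk 'tolower($1) == "secruleengine" { v = tolower($2) } END { print v }')
    case "$engine" in
        ""|off) echo "FAIL: SecRuleEngine is ${engine:-unset}"; return 3 ;;
    esac
    echo "OK: security2_module, unique_id_module and SecRuleEngine are set"
}

# Constructed sample mirroring the QA config in the thread (no mod_unique_id).
write_sample_conf() {
    cat > "$1" <<'EOF'
# LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
LoadFile /usr/lib/libxml2.so.2
SecRuleEngine On
EOF
}
```

Pass every file the server actually reads (httpd.conf plus the included conf/modsecurity/*.conf files) in one call, since the LoadModule lines and SecRuleEngine usually live in different files.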