pipedevil
Joined: 01 Aug 2011 Posts: 9
|
Posted: Mon 01 Aug '11 8:34 Post subject: Troubleshooting mod_security windows |
|
|
Hi everybody!
I have installed mod_security2 on xampp/windows and set it up following the README instructions.
It seems that the module starts properly:
Code: | [Mon Aug 01 09:09:19 2011] [notice] Server built: Oct 18 2010 01:58:12
[Mon Aug 01 09:09:19 2011] [notice] Parent: Created child process 2140
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.2"
[Mon Aug 01 09:09:21 2011] [warn] ModSecurity: Loaded APR do not match with compiled!
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="7.9 2009-04-11"
[Mon Aug 01 09:09:21 2011] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: LIBXML compiled version="2.7.7" |
But neither the Readme nor the SQLinjectme ff plugin tests show me results.
I have been searching for an answer for more than a week, please help with the solution
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 01 Aug '11 10:41 Post subject: |
|
|
That means that mod_sec is compiled with a newer version of APR than your apache is.
And mod_sec is compiled with PCRE 8.12 but your apache with 7.9.
Is mod_sec now available for xampp or did you download it here? |
|
pipedevil
Joined: 01 Aug 2011 Posts: 9
|
Posted: Mon 01 Aug '11 11:39 Post subject: Troubleshooting mod_security windows |
|
|
I've downloaded it from apachelounge. |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Mon 01 Aug '11 12:08 Post subject: |
|
|
Did you follow the instructions in the readme, create a folder in modules and copy the two DLLs?
And did you test it with the example in the readme?
With only the rules mentioned there.
APR is built against 2.2.19 and you are running an older version.
The warnings should not be a problem, it should work.
Steffen |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 01 Aug '11 12:19 Post subject: |
|
|
It would be easy to download the apache zip from this place and override the bin, include, lib and modules folders.
Ya, I know the include folder and the lib folder are not really necessary, but since xampp has a lot of scripts / tools to compile stuff against the includes and libs it is safer that way. |
|
pipedevil
Joined: 01 Aug 2011 Posts: 9
|
Posted: Mon 01 Aug '11 12:48 Post subject: |
|
|
I have the same suggestion about warnings.
I strictly followed the instructions from the Readme file: created the "mod_security2" directory, copied the DLLs and the .so file there, along with the "modsecurity_crs_10_config.conf" file and the rules directories (including "base_rules").
Then I edited "modsecurity_crs_10_config.conf" and added the following string at the end of the file:
Code: | SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin |
Then I performed the tests listed in the Readme, and have no messages in the log.
Here is the httpd.conf mod_sec section:
Code: | LoadFile bin/libxml2.dll
<IfModule security2_module>
Include "modules/mod_security2/*.conf"
Include "modules/mod_security2/base_rules/*.conf"
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecRuleEngine On
SecDebugLog "logs/modsec_debug"
SecRequestBodyAccess On
SecResponseBodyAccess On
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimit 10485760
SecResponseBodyMimeTypesClear
SecResponseBodyMimeType (null) text/plain text/html text/css text/xml
</IfModule>
|
|
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Mon 01 Aug '11 13:10 Post subject: |
|
|
You did not follow the readme, e.g. LoadFile bin/libxml2.dll; when you do this, it is not picking up the one in the created folder in modules. Do you also have a LoadFile PCRE directive?
I asked you to test only with the rules mentioned in the readme, not merged with other rules.
And test only with the simple config mentioned in the readme and not what you show above:
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
Steffen |
|
pipedevil
Joined: 01 Aug 2011 Posts: 9
|
Posted: Tue 02 Aug '11 9:40 Post subject: |
|
|
Steffen wrote: | Do you also have a LoadFile PCRE directive?
Steffen |
I don't have a PCRE directive.
I've corrected it; now my new httpd.conf mod_sec section looks like:
Code: | <IfModule security2_module>
# A very quick start:
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
</IfModule> |
Tried Code: | http://<my_site>/?abc=../../ |
the same thing: no 403 error, no log messages |
|
pipedevil
Joined: 01 Aug 2011 Posts: 9
|
Posted: Tue 02 Aug '11 10:02 Post subject: |
|
|
I found the tail, mod sec works fine when I enter the following address:
Code: | http://<ServerName>/?abc=../../ |
but it doesn't when: Code: | http://<ServerAlias>/?abc=../../ | is entered in the address bar.
where "ServerName" and "ServerAlias" are directives from the <VirtualHost *:80> container, which looks like:
Code: | <VirtualHost *:80>
DocumentRoot "<path>"
ServerName <ServerName>
ServerAlias <www.ServerName>
ServerAlias <www1.ServerName>
ErrorLog "logs/site-error.log"
CustomLog "logs/site-access.log" combined
</VirtualHost> |
How can I make mod sec work with ServerAlias too?? |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Tue 02 Aug '11 11:48 Post subject: |
|
|
Works here.
The only thing you can try is to set SecRuleInheritance On in your vHost.
If it does not help, it is best to post your question to the mod_security list.
Steffen |
|
pipedevil
Joined: 01 Aug 2011 Posts: 9
|
Posted: Tue 02 Aug '11 13:31 Post subject: |
|
|
Steffen wrote: | Works here.
The only thing you can try is to set SecRuleInheritance On in your vHost.
If it does not help, it is best to post your question to the mod_security list.
Steffen |
Solved (without SecRuleInheritance). There was no IP address entry for ServerAlias in the Code: | %system root%\system32\drivers\etc\hosts | file, though I was able to open all alias pages.
Thanks, everybody, for your consideration!
Sincerely,
pipedevil |
|
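A way to catch the cause reported in the last post, a ServerAlias with no entry in the hosts file, before testing any rules. This is an added example, not code from the thread or from ModSecurity; the host names, the hosts-file content and the 127.0.0.1 address are constructed sample values standing in for the placeholders in the posted VirtualHost.

```python
import re

# Constructed sample: the thread's vhost with made-up names filled in.
VHOST = """
<VirtualHost *:80>
    ServerName example.test
    ServerAlias www.example.test
    ServerAlias www1.example.test
</VirtualHost>
"""

# Constructed hosts file: one alias has no entry, as in the thread.
HOSTS = """
# local test names
127.0.0.1   localhost
127.0.0.1   example.test www.example.test   # main site
"""

def vhost_names(conf):
    """Return every ServerName/ServerAlias value, lower-cased, in order."""
    names = []
    for line in conf.splitlines():
        # Comment lines start with '#', so they never match here.
        m = re.match(r"(?i)Server(?:Name|Alias)\s+(.+)", line.strip())
        if m:
            names += [n.lower() for n in m.group(1).split()]
    return names

def hosts_map(text):
    """Parse hosts-file text into {hostname: ip}; the first entry wins."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def names_not_pinned(conf, hosts_text, server_ip):
    """Names that the hosts file does not map to server_ip."""
    mapping = hosts_map(hosts_text)
    return [n for n in vhost_names(conf) if mapping.get(n) != server_ip]

if __name__ == "__main__":
    for name in names_not_pinned(VHOST, HOSTS, "127.0.0.1"):
        print("no hosts entry pointing at this server:", name)
```

Any name this reports is resolved some other way than the hosts file, so a test request to it may not reach the Apache instance whose rules are being checked.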