maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Fri 16 Apr '10 9:31 Post subject: mod_security2.5.12 can't show logs and tests fail
I installed mod_security 2.5.12, downloaded from Apache Lounge,
and I installed it step by step:
- Create .../apache2/modules/mod_security2 and copy mod_security2.so, libxml2.dll and pcre.dll to this folder
- Install the Visual C++ 2008 Redistributable Package
But the Apache error.log shows only the following:
[notice] Child 1408: Exit event signaled. Child process is ending.
[notice] Apache/2.2 (Win32) PHP/5.2.1 configured -- resuming normal operations
[notice] Server built: Jan 18 2010 00:37:19
[notice] Parent: Created child process 2820
[notice] Child 1408: Released the start mutex
[notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
[notice] Child 1408: All worker threads have exited.
[notice] Child 1408: Child process is exiting
[notice] Child 2820: Child process is running
[notice] Child 2820: Acquired the start mutex.
[notice] Child 2820: Starting 64 worker threads.
[notice] Child 2820: Starting thread to listen on port 80.
When I type "http://www.xxxxcom/?abc=../../",
it doesn't show a 403 Forbidden message. It still shows the original page.
I don't know why.
My httpd.conf is below.
LoadModule php5_module C:/AppServ\php5\php5apache2_2.dll
LoadModule security2_module modules/mod_security2/mod_security2.so
LoadModule actions_module modules/mod_actions.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_security.c>
Include modsecurity.conf
</IfModule>
Last edited by maskego on Sun 18 Apr '10 7:46; edited 2 times in total
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 16 Apr '10 12:03 Post subject:
use:
<IfModule security2_module>
or
<IfModule mod_security2.c>
mod_security.c is version 1.x. Since the internal C file in version 2.x is mod_security2.c, your IfModule can never be TRUE.
The requirement to actually call the specific C file in the <IfModule> went away with Apache 2.0; you can use the module identifier (in this case security2_module) instead.
maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Fri 16 Apr '10 14:08 Post subject:
Thank you very much.
It works.
But another issue has come up.
How do I use the *.conf files included in the optional_rules folder to prevent web attacks perfectly?
Regards.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 16 Apr '10 15:13 Post subject:
make sure the .conf files actually exist in the locations configured
( .../apache2/conf/modsecurity/*/*.conf)
Include conf/modsecurity/*.conf [1]
Include conf/modsecurity/base_rules/*.conf
Include conf/modsecurity/optional_rules/*.conf
[1] this should include
conf/modsecurity/modsecurity_crs_10_config.conf
thereby removing the need for
Include conf/modsecurity/modsecurity_crs_10_config.conf
otherwise you'll be including it twice (not sure it matters if it's included twice)
maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Fri 16 Apr '10 15:32 Post subject:
In 'optional_rules/modsecurity_crs_49_header_tagging.conf',
httpd.conf shows syntax errors:
httpd.conf indicates that line 1, "RequestHeader", has a syntax error.
RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-1
RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
RequestHeader append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
SecMarker END_HEADER_TAGGING
How do I fix the syntax errors?
Regards.
Last edited by maskego on Fri 16 Apr '10 17:26; edited 1 time in total
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 16 Apr '10 16:55 Post subject:
Start Apache with the -S parameter and tell us which line the error is in.
e.g.
httpd -S
Otherwise hunting your bug is pure guessing.
volzbalz
Joined: 01 Jul 2010 Posts: 2
Posted: Thu 01 Jul '10 8:30 Post subject: *conf
gls,
I have added those three commands and verified all files exist. Unfortunately, Apache does not start.
This is my error log
[Thu Jul 01 01:48:26 2010] [notice] Child 1888: Child process is running
[Thu Jul 01 01:48:26 2010] [notice] Child 1888: Acquired the start mutex.
[Thu Jul 01 01:48:26 2010] [notice] Child 1888: Starting 64 worker threads.
[Thu Jul 01 01:48:26 2010] [notice] Child 1888: Starting thread to listen on port 80.
[Thu Jul 01 01:49:25 2010] [notice] Parent: Received shutdown signal -- Shutting down the server.
[Thu Jul 01 01:49:25 2010] [notice] Child 1888: Exit event signaled. Child process is ending.
[Thu Jul 01 01:49:26 2010] [notice] Child 1888: Released the start mutex
[Thu Jul 01 01:49:27 2010] [notice] Child 1888: All worker threads have exited.
[Thu Jul 01 01:49:27 2010] [notice] Child 1888: Child process is exiting
[Thu Jul 01 01:49:27 2010] [notice] Parent: Child process exited successfully.
These are the additions to httpd
Include conf/rules/*.conf
Include conf/rules/base_rules/*.conf
Include conf/rules/optional_rules/*.conf
All rules are in these folders, including the crs_10_config rule in the main folder.
If I set the files to a specific .conf file, everything works fine. However, I cannot use the * for multiple files. I am running the most current stable version of apache 2.2.
Any ideas?
Volz
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 01 Jul '10 10:29 Post subject:
Start Apache from the command line and see if you get something there.
Also, look in your Event Viewer and see if anything is there. When things go bad before the error file is opened, they typically end up in the Event Viewer.
volzbalz
Joined: 01 Jul 2010 Posts: 2
Posted: Thu 08 Jul '10 5:31 Post subject: Slowly working it out
After much trial and error, I figured out what optional rules are not allowing apache to start. All the base rules and all except 2 optional rules load and work. The two optional rules that will not allow apache to load and their errors are listed below. Any help on getting these two rules to work is greatly appreciated.
modsecurity_crs_55_application_defects.conf
Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration .
modsecurity_crs_49_header_tagging.conf
Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration .
Both errors are from the event log of the computer's operating system, not from Apache. It does not get that far.
Both of these rules are in the optional folder. I would like to get them working to close more holes in my personal server.
I am running Apache in virtual server mode since I have 2 domains on the same server.
Thanks,
Volz
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 08 Jul '10 6:11 Post subject:
Here's how to figure this out
Look up the directive in the "Run-time Configuration Directives" in the docs
For "Header"
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
Context tells us where the directive can be configured
Override tells us what AllowOverride needs to be present
Module tells us what module needs to be loaded, "Core" means it's part of the core and not related to any module.
So looking at that.
AllowOverride needs to include "FileInfo"
mod_headers needs to be loaded.
Same for RequestHeader I'd imagine
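
Added example, not part of the thread and not Apache or ModSecurity code: a small linter for the two failure modes discussed above, an <IfModule> guard that names a module that is not loaded (so the rules inside are skipped without any error) and a Header/RequestHeader directive used without mod_headers. The function names, the foo_module to mod_foo.c mapping, and the sample text are assumptions made for illustration; it reads one file, does not follow Include, and only sees modules loaded through LoadModule in that file.

```python
import re

# Directives named in this thread and the module that provides them.
DIRECTIVE_MODULE = {"header": "headers_module", "requestheader": "headers_module"}
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.I)
IFMODULE = re.compile(r"^\s*<IfModule\s+(!?)([^>\s]+)\s*>", re.I)

def source_name(identifier):
    """Assumed heuristic: foo_module is compiled from mod_foo.c."""
    if identifier.endswith("_module"):
        return "mod_" + identifier[:-len("_module")] + ".c"
    return identifier

def lint(conf_text):
    """Return (line_number, message) findings for a single config file."""
    lines = conf_text.splitlines()
    loaded = {m.group(1).lower() for m in map(LOADMODULE.match, lines) if m}
    names = loaded | {source_name(i) for i in loaded}
    findings = []
    for no, line in enumerate(lines, 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment (including commented-out LoadModule)
        guard = IFMODULE.match(line)
        if guard:
            # A non-negated guard on an unknown name silently disables its block.
            if not guard.group(1) and guard.group(2).lower() not in names:
                findings.append((no, f"<IfModule {guard.group(2)}> is never true; its contents are skipped silently"))
            continue
        needed = DIRECTIVE_MODULE.get(words[0].lower())
        if needed and needed not in loaded:
            findings.append((no, f"{words[0]} needs {needed}, which no LoadModule line loads"))
    return findings

# Constructed sample built from the httpd.conf lines quoted in the thread.
BROKEN = """\
LoadModule security2_module modules/mod_security2/mod_security2.so
#LoadModule headers_module modules/mod_headers.so
<IfModule mod_security.c>
Include modsecurity.conf
</IfModule>
RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
"""
# The same file with both fixes suggested in the replies applied.
FIXED = BROKEN.replace("#LoadModule", "LoadModule").replace("mod_security.c", "security2_module")

if __name__ == "__main__":
    for no, message in lint(BROKEN):
        print(f"line {no}: {message}")
```

The first finding is the one that matters most for a WAF: Apache starts cleanly and logs "ModSecurity ... configured", yet no rules are loaded, so a test request is the only runtime signal that protection is off.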