LinuxQuestions.org

mtruong 10-31-2006 10:49 AM

SecRule and mod_security2
 
Anybody know how to get SecRule to work with mod_security2.c? I keep getting this error message when I start my apache-2.2.3 server:
...
[truong@gendev-lnx 2.2.3]$ ./restart
Syntax error on line 41 of /home/truong/apache/2.2.3/conf/hole/mod_security2.conf:
Internal Error: Failed to add rule to the ruleset.
httpd not running, trying to start
...

And here is line 41 of my mod_security.conf file:
...
39 # Turn on Rule Engine
40 SecRuleEngine On
41 SecRule REQUEST_URI dirty
...

Is there something I have to turn on (e.g. SecFilterEngine On)?

Thanks for your help.

- Monica

unSpawn 11-02-2006 06:52 AM

What's it say with SecDebugLog on and SecDebugLogLevel set to 9?

mtruong 11-02-2006 09:02 AM

Yes, indeed. Here is my security_config file:

<IfModule mod_security2.c>
# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyAccess Off
SecResponseBodyLimit 524288

# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 9

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial

# The name of the audit log file
SecAuditLog logs/modsec_audit.log

# Default action set
SecDefaultAction "deny,log,auditlog,status:403"

# Turn on Rule Engine
SecRuleEngine On
SecRule REQUEST_URI dirty
</IfModule>

Thus, nothing ever got written to my audit logfile.

thanks for your help.
- Monica

unSpawn 11-02-2006 02:22 PM

Yes, indeed.
No, I mean what does *modsec_debug.log* say?

Anyway. With httpd-2.0.46-61 (CentOS) and modsecurity-apache2-2.0.2 (RHEL), modsecurity.conf gets sourced from
/etc/httpd/conf.d/ and the modsecurity2 rules are in /etc/httpd/conf.d/modsecurity2/. I added a line "SecRule REQUEST_URI|QUERY_STRING dirty" at the bottom of modsecurity.conf and tripped it with "http://localhost/dirty.rpm" all right. Notice my modsecurity.conf starts with "SecRuleEngine On" rather than having it at the bottom:
Code:

# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off

# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 1

# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072

# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

SecRule REQUEST_URI|QUERY_STRING dirty


mtruong 11-03-2006 09:22 AM

Hello, thanks for your help. By moving the 'SecRuleEngine On' to the top of the configuration file, it works! Apache's error message is so misguided that I would never have guessed it.
Thanks so much for your help.

- Monica

mtruong 11-03-2006 03:00 PM

Hello, since you are an expert in this topic, do you know what is the equivalent of this:

SecFilterSelective "POST_PAYLOAD" "(poker|gambling|casio)"

in mod_security2?

Thanks
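The mod_security2 form of that rule, as an added example that is not from the thread: it assumes ModSecurity 2.0.x as used above, keeps the directive ordering that worked for unSpawn (engine and body settings before any SecRule), and inspects POST data through the ARGS_POST and REQUEST_BODY variables.

```apache
# Added example: mod_security2 equivalent of the 1.x rule
#   SecFilterSelective "POST_PAYLOAD" "(poker|gambling|casio)"
# Assumes ModSecurity 2.0.x. Directive order matters, so the engine
# and request-body settings come before any SecRule.
<IfModule mod_security2.c>
    SecRuleEngine On

    # Without this the request body is never read, so POST data
    # cannot be matched at all.
    SecRequestBodyAccess On
    SecRequestBodyLimit 131072
    SecRequestBodyInMemoryLimit 131072

    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 9

    # phase:2 runs after the body has been read. ARGS_POST holds the
    # parsed POST fields; REQUEST_BODY holds the raw body for
    # application/x-www-form-urlencoded requests. The regex operator
    # is the default, so the 1.x pattern carries over unchanged.
    SecRule ARGS_POST|REQUEST_BODY "(poker|gambling|casio)" \
        "phase:2,deny,log,status:403,msg:'Blocked POST payload keyword'"
</IfModule>
```

A request-phase rule that reads a body variable in phase:1 would silently never match, which is the usual reason a migrated POST_PAYLOAD rule appears not to fire.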

