LinuxQuestions.org
10-31-2006, 10:49 AM   #1
mtruong

SecRule and mod_security2

Anybody know how to get SecRule to work with mod_security2.c? I kept on getting this error message when I start my apache-2.2.3 server:
...
[truong@gendev-lnx 2.2.3]$ ./restart
Syntax error on line 41 of /home/truong/apache/2.2.3/conf/hole/mod_security2.conf:
Internal Error: Failed to add rule to the ruleset.
httpd not running, trying to start
...

And here is line 41 of my mod_security.conf file:
...
39 # Turn on Rule Engine
40 SecRuleEngine On
41 SecRule REQUEST_URI dirty
...

Is there something I have to turn on (e.g. SecFilterEngine On)?

Thanks for your help.

- Monica
 
11-02-2006, 06:52 AM   #2
unSpawn

What's it say with SecDebugLog on and SecDebugLogLevel set to 9?
 
11-02-2006, 09:02 AM   #3
mtruong (Original Poster)

Yes, indeed. Here is my security_config file:

<IfModule mod_security2.c>
# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyAccess Off
SecResponseBodyLimit 524288

# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 9

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial

# The name of the audit log file
SecAuditLog logs/modsec_audit.log

# Default action set
SecDefaultAction "deny,log,auditlog,status:403"

# Turn on Rule Engine
SecRuleEngine On
SecRule REQUEST_URI dirty
</IfModule>

Thus, nothing ever got written to my audit logfile.

Thanks for your help.
- Monica
 
11-02-2006, 02:22 PM   #4
unSpawn

Yes, indeed.
No, I mean what does *modsec_debug.log* say?

Anyway. With httpd-2.0.46-61 (CentOS) and modsecurity-apache2-2.0.2 (RHEL), modsecurity.conf gets sourced from /etc/httpd/conf.d/ and the modsecurity2 rules are in /etc/httpd/conf.d/modsecurity2/. I added a line "SecRule REQUEST_URI|QUERY_STRING dirty" at the bottom of modsecurity.conf and tripped it with "http://localhost/dirty.rpm" all right. Notice my modsecurity.conf starts with "SecRuleEngine On" and not at the bottom:
Code:
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off

# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 1

# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072

# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

SecRule REQUEST_URI|QUERY_STRING dirty
 
11-03-2006, 09:22 AM   #5
mtruong (Original Poster)

Hello, thanks for your help. By moving the 'SecRuleEngine On' to the top of the configuration file, it works! Apache's error message is so misguided, I would not guess it.
Thanks so much for your help.

- Monica
 
11-03-2006, 03:00 PM   #6
mtruong (Original Poster)

Hello, since you are an expert in this topic, do you know what is the equivalent of this:

SecFilterSelective "POST_PAYLOAD" "(poker|gambling|casio)"

in mod_security2?

Thanks
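
The ModSecurity 2.x form of the rule asked about in post #6, as an added example that is not part of the original thread: `SecFilterSelective` became `SecRule`, and the `POST_PAYLOAD` variable became `REQUEST_BODY`. The rule id and the message text are constructed placeholders; the limit value is the one used in the configurations posted above.

```apache
<IfModule mod_security2.c>
    SecRuleEngine On

    # REQUEST_BODY is empty unless request bodies are buffered and inspected.
    SecRequestBodyAccess On
    SecRequestBodyLimit 131072

    # ModSecurity 1.x directive from the post:
    #   SecFilterSelective "POST_PAYLOAD" "(poker|gambling|casio)"
    #
    # ModSecurity 2.x syntax: SecRule VARIABLES OPERATOR [ACTIONS]
    #   @rx          regular-expression operator (the default, written out here)
    #   phase:2      evaluate after the request body has been read; a rule on
    #                REQUEST_BODY in phase 1 never sees the body
    #   t:lowercase  normalise the body first, because 2.x regex matching is
    #                case-sensitive
    #   id, msg      constructed placeholders; ModSecurity 2.7 and later
    #                refuse to load a rule without an id
    #
    # REQUEST_BODY holds the raw body of application/x-www-form-urlencoded
    # requests. Fields of multipart/form-data requests are parsed into ARGS,
    # so a rule on REQUEST_BODY alone does not inspect them.
    SecRule REQUEST_BODY "@rx (poker|gambling|casio)" \
        "phase:2,t:lowercase,deny,log,auditlog,status:403,id:100001,msg:'Blocked keyword in request body'"
</IfModule>
```

With `SecDebugLogLevel` raised as in the posts above, a urlencoded POST containing one of the keywords should show the rule matching in `modsec_debug.log` and a 403 returned to the client.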
 
  

