mod_security filtering Output Content

[jfreak53]

These are my version's:

[email protected] [~]# grep -i release /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c

#define MODULE_RELEASE "1.9.5"
#define MODULE_NAME_FULL (MODULE_NAME " v" MODULE_RELEASE " (Apache 2.x)")
ap_log_error(APLOG_MARK, APLOG_NOTICE | APLOG_NOERRNO, 0, s, "mod_security/%s configured - %s", MODULE_RELEASE, real_server_signature);
ap_log_error(APLOG_MARK, APLOG_NOTICE | APLOG_NOERRNO, 0, s, "mod_security/%s configured", MODULE_RELEASE);

Httpd:

Server version: Apache/2.2.21 (Unix)
Server built: Oct 28 2011 11:34:38
Cpanel::Easy::Apache v3.6.2 rev9999

I am trying to get mod_security to filter output content in an HTML page. I have tried putting this:

SecFilterScanOutput On

SecFilterSelective OUTPUT "content to filter"

In many different files with no success:

/usr/local/apache/conf/includes/pre_main_2.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/modsec2.conf
/usr/local/apache/conf/mod_security.conf

None of those files seem to allow this to work. Once I insert the code above in one of those files I restart httpd then I run an html page on one of my domains with that content, and all works fine.

So it's not filtering. Am I missing something? Or is it in the wrong place? Thanks.

 

[minosjl]

hi,

Did you tried these rules in .htaccess of your particular domain ?

 

[jfreak53]

No, I want it to work server wide not just one domain. Thanks.

 

[jfreak53]

Any thoughts?

 

[mtindor]

I thought modsecurity 1.9.5 was for earlier releases of Apache. Are you sure you aren't using modsecurity 2.6.3 on your Apache 2.2.21? I think EasyApache by default compiles modsecurity 2.6.3 if you choose to install modsecurity via EasyApache. What you're referencing is modsecurity 1.9.5.

Also, if you want it to work serverwide, shouldn't you be putting those options in the modsec2.user.conf file?

Typically with Apache 2.2.x you'd be using Modsecurity 2.x. And you'd have /usr/local/apache/conf/modsec2.conf. And modsec2.conf (which may be modified during EasyApache builds) then calls modsec2.user.conf [where you would put your own specific custom settings for serverwide options in modsecurity].

mike

Mike

 

[jfreak53]

Yes, it's 1.9.5, and I have recompiled apache and that is always what it compiles to. The version's above are the ones that it spits out when I check version information.

When I put the commands above in the user.conf file and restart httpd this is what I get:

 

[mikegotroot]

Modsecurity 1.9.5 can't filter output. That capability wasn't add until the 2.x tree, so you'll need modsecurity 2.x to do that with modsecurity (2.6.5 is the latest stable version). If you want to filter output, and you must use modsecurity 1.9.x you will need to use a different tool like mod_sed. Heres an example of how to do that with mod_sed:

http://www.gotroot.com/downloads/ftp/iframe/00_ASL_iframe_protection.conf
http://www.gotroot.com/downloads/ftp/iframe/remove-bad-iframes.txt

More advanced mod_sed rules combined with mod_security rules are available here:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

The 99_asl_redactor.conf contains the most up to date mod_sed rules.