
Modsec2 behaviour

Discussion in 'Security' started by santrix, Mar 25, 2010.

  1. santrix

    I have CMC installed to control Modsec... nice tool. Anyway, we put the 2.0.6 OWASP core rule set on last week... what a pain!!!

    So many un-labelled entries in error_log (i.e. no rule ID given) it's been a swine trying to nail down some of the problems.

    Anyway... now things are settling... I am trying to stop all of the 200 status messages in the modsec2 audit log. I have added the following directives in the conf file

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^[345]

    I'm hoping to only log 3?? 4?? and 5?? messages - I'm really not bothered wading through all of the 200's...

    However, this seems to have no impact at all on the logging... the audit log is still filling up with all of the 200 requests. Any help?

    Steve
     
  2. Spiral

    I was going to reply but nevermind. :)

    You know where to find me .... ;)

    (fyi: got your messages earlier)
     
  3. santrix

    I do indeed, Mr Spiral, but I worked out that I was missing some quotation marks around the regex... it's all behaving nicely now, and my modsec_audit.log is growing at a more acceptable rate :D

    However, I'm still foxed by rule 960038, which was basically preventing users from clicking on links to PDF files... right-clicking and downloading the file seemed to work, but trying to view the PDF in the browser caused a "HTTP header is restricted by policy" error in error_log and the audit log, although there was no mention that it was actually 960038 causing it - obviously this deny was generated from the file modsecurity_crs_30_http_policy.conf...

    However, it wasn't until after further investigation that I found the ACTUAL reason was the policy settings in modsecurity_crs.conf that were passed to the modsecurity_crs_3* rules by macro expansion. Specifically:

    setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'

    It was the Proxy-Connection header that had to be removed in order to allow in-browser downloading and viewing of PDFs. This affected Safari (Mac), FF (Mac) and IE (PC) as far as I tested.

    I am of the opinion that the OWASP ruleset is far, far, FAR away from any kind of instant usability in a shared hosting environment without some considerable tuning. It would be a great help if, whenever a deny took place, the rules being triggered were ALWAYS logged, as they clearly are not.

    Steve
     
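The two fixes described in this thread, the quoted SecAuditLogRelevantStatus regex from the first and third posts and the trimmed tx.restricted_headers list from the third post, pulled together into one ModSecurity 2.x configuration fragment. This is an added example, not a file from the thread, CMC, or the OWASP CRS; the rule id on the SecAction, the file name, and the load order relative to the CRS files are assumptions and must be adapted to the local layout.

```apache
# Added example: ModSecurity 2.x tuning for the two problems in this thread.
# Place this in a file that Apache includes AFTER the CRS config file that sets
# tx.restricted_headers and BEFORE modsecurity_crs_30_http_policy.conf, which
# reads the variable via macro expansion (%{tx.restricted_headers}). Phase 1
# rules run in file-load order, so an override loaded after the policy rule
# is too late. (Load order is an assumption; check the local Include lines.)

# --- Audit log -------------------------------------------------------------
# RelevantOnly: write an audit entry only when a rule with the auditlog action
# matched, or when the response status matches SecAuditLogRelevantStatus.
SecAuditEngine RelevantOnly

# The regex must be quoted, as the third post found. This version logs every
# 3xx, 4xx and 5xx response, which is what the first post asked for, but note
# that 301/302/304 are routine, so every redirect and conditional GET will
# still land in the audit log.
SecAuditLogRelevantStatus "^[345]"

# Tighter alternative from the ModSecurity reference manual: all 5xx, and all
# 4xx except 404 (404s from scanners and dead links are mostly noise).
# SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# --- Restricted request headers -------------------------------------------
# Same list the CRS sets, minus Proxy-Connection, so in-browser PDF viewing
# is no longer denied with "HTTP header is restricted by policy" (id 960038).
# nolog,pass: this SecAction only sets the variable and never blocks.
# id:9000001 is a placeholder in the local-rule range; ModSecurity 2.7+ refuses
# rules without an id, older 2.5/2.6 builds accept the directive without it.
SecAction "phase:1,id:9000001,t:none,nolog,pass,setvar:'tx.restricted_headers=Lock-Token Content-Range Translate via if'"

# Blunter option if the whole header check is unwanted: disable rule 960038.
# SecRuleRemoveById must come AFTER the CRS file that defines the rule.
# SecRuleRemoveById 960038
```

After reloading Apache, verify the override took effect by requesting a PDF through the browser plugin (or any client that sends a Proxy-Connection header) and confirming that no "HTTP header is restricted by policy" line appears in error_log; then confirm the audit log is only growing for non-2xx responses with a quick `grep -c "HTTP/1.1 200" modsec_audit.log` before and after a few normal page loads.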