Print

[xerox]

Sorry i am new her, i have too many problems with the mod_securtiy2

After problems to load the extension i have a problem to "enable" the module. My configfile like this:

Code: [Select]

LoadModule security2_module modules/mod_security2.so

<IfModule mod_security2.c>

    # Turn the filtering engine On or Off
    SecFilterEngine On

   
</IfModule>
If i try to restart the Apache (x64) i became the error that the apache cant start (The request operation failed...).
If i remove al lines between the IfModule the server starts.
I use Windows Server 2008R2 Datacenter (x64) and Apache 2.4.9 (VC9), mod_security2 (2.7.6)

what make i wrong ?

can any one help me pleas ?

[Gregg]

sorry for the late response,

What does the  error.log say about this? If there is nothing there, then what does the windows Event Log say about this?

[xerox]

I try the example filter of the file readme.1st.txt:

Code: [Select]

# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off

# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0

# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072

# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,id:'000001',t:none,log,deny,msg:'Failed to parse request body.',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,id:'000002',t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}'"

# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,id:'000003',t:none,log,deny,msg:'Multipart parser detected a possible unmatched  boundary.'"

# Test mod_security
# below rule should flag http://www.xxxx.com/?abc=../../
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'"
# WEB-CGI websendmail access
# below rule should flag http://localhost/websendmail
SecRule REQUEST_URI "/websendmail" "id:'000004'"
I become this error in the logfile:

[Fri Apr 04 21:30:31.418175 2014] [mpm_winnt:notice] [pid 160252:tid 520] AH00424: Parent: Received restart signal -- Restarting the server.
AH00526: Syntax error on line 48 of C:/server/websites/modsecurity.conf:
Error parsing actions: Invalid quoted pair at position 160: phase:2,id:'000002',t:none,log,deny,msg:'Multipart request body \t\tfailed strict validation: \t\tPE %{REQBODY_PROCESSOR_ERROR}, \t\tBQ %{MULTIPART_BOUNDARY_QUOTED}, \\
[Fri Apr 04 21:30:33.426175 2014] [mpm_winnt:notice] [pid 147708:tid 460] AH00364: Child: All worker threads have exited.

My target is the URL http://www.xxxx.com/?abc=../../ views as to prevent, so as to increase the security

[perindu]

try this in httpd.conf

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

[Gregg]

Odd, I do not see an invalid quoted pair here
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
      "phase:2,id:'000001',t:none,log,deny,msg:'Failed to parse request body.',severity:2"

but just to be sure, add a blank space after the \ in the first line and see.