Apache2 - mod_security

Edward Krack ekrack at sigecom.net
Sat Feb 17 10:37:12 UTC 2007


On Sat, 2007-02-17 at 01:43 -0600, Edward Krack wrote:


> "GET / HTTP/1.0" 200 272 "-" "-"
> "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
>         \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ 414 330 "-" "-"
> "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 306 "-" "-"
> 
> I've been trying to figure out HOW-TO enable mod_security in
> /etc/apache2/mods-available/mod-security.load
> 
> to
> 
> Include /etc/apache2/mods-enabled/*.load
> Include /etc/apache2/mods-enabled/*.conf
> 
> And what rule would I use to BLOCK the repeating SEARCH and POST? 



cp /etc/apache2/mods-available/mod-security.load /etc/apache2/mods-enabled/mod-security.load

cd /etc/apache2/mods-enabled && ln -fs ../mods-available/mod-security.load
cd /etc/apache2/mods-enabled && ln -fs ../mods-available/cgi.load
echo 'Include /usr/share/doc/mod-security-common/examples/httpd2.conf.example-full'   > /etc/apache2/conf.d/mod-security.conf
/etc/init.d/apache2 reload
cd /usr/share/mod-security/tests
./run-test.pl localhost *.test
Test "01 Simple keyword filter": OK
Test "02 Self referencing directories": OK
Test "03 Evasion via path traversal": OK
Test "04 Evasion via a double slash in the path": OK
Test "05 Mixed case addresses": OK
Test "06 Evasion via URL encoding": OK
Test "07 Special characters in the path": OK
Test "08 Invalid URI encoding in parameters": OK
Test "09 Directory traversal in parameters": OK
Test "10 Keyword in POST": OK
Test "11 XSS attack": OK
Test "12 HTML forbidden": OK
Test "13 SQL injection": OK
Test "14 Redirect action (requires 302)": OK
Test "15 Not an attack (requires 200)": OK
Test "16 Request without Host header": OK
Test "17 Request without User-Agent header": OK
Test "18 Keyword in POST only": OK
Test "19 Keyword in POST only, negative (requires 200)": OK
Test "20 Keyword in QUERY_STRING only": OK
Test "21 Keyword in QUERY_STRING only, negative (requires 200)": OK
Test "22 Keyword in ARGS, method GET": OK
Test "23 Keyword in ARGS, method POST": OK
Test "24 Keyword in single variable": OK
Test "25 Keyword in single variable, negative (requires 200)": OK
Test "26 Keyword variable exclusion (requires 200)": OK
Test "27 Keyword variable exclusion, negative": OK
Test "28 Simple keyword inverted pattern": OK
Test "29 Filter variable names": OK
Test "30 Filter variable values": OK
Test "31 Test for the URL encoding plus bug": OK
Test "32 SQL injection 2: SELECT test": OK
Test "33 XSS attack 2": OK
Test "34 Invalid byte range in parameters": OK
Test "35 Invalid byte range in the URL": OK
Test "37 URL decoding bug 2": OK
Test "38 Unicode test 1": OK
Test "39 Unicode test 2": OK
Test "40 Unicode test 3": OK
Test "41 post variable parsing bug test #1 (requires 200)": OK
Test "42 post variable parsing bug test #2": OK
Test "43 post range check bug": OK
Test "44 normalisation bug": OK
Test "45 null byte attack": OK
Test "43 multipart/form-data test": OK
Test "47 test action "allow" (requires 200)": OK
Test "48 chained rules test #1": OK
Test "49 chained rules test #2 (requires 200)": OK
Test "50 chained rules test #3 (requires 200)": OK
Test "51 skipnext test 1, without a parameter (requires 200)": OK
Test "52 skipnext test2 , with a parameter (requires 200)": OK
Test "53 named cookie test": OK
Test "54 named cookie test, positive (requires 200)": OK
Test "55 cookie names test": OK
Test "56 cookie values test": OK
Test "57 regex hex escape test": Failed (status = 200)
Test "69 bug false url encoding valudation test (requires 200)": Failed (status = 500)
Test "70 bug bad ARGS filtering (requires 200)": Failed (status = 500)

Guess I'm getting closer. It'll take time.

Edward Krack
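
Added example (not part of the original message): a small Python triage script for access-log lines like the ones quoted above. It flags a method outside an assumed allowlist, a long run of \x-escaped bytes in the URI, or a /_vti_bin/ path, and reports whether Apache already refused the request (the 414 and 404 in the quoted lines). The sample log lines, client addresses and ALLOWED_METHODS are constructed for illustration.

```python
import re

# Request and status fields of an Apache access-log line. The " HTTP/x.y"
# suffix is optional because an over-long request line (414) may lack it.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/\d\.\d)?" (?P<status>\d{3}) ')
# Apache logs non-printable request bytes as \xhh; 8 or more in a row is not a URL.
HEX_RUN_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
# Assumption: the methods this site actually serves. Adjust as needed.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    reasons = []
    if m["method"] not in ALLOWED_METHODS:
        reasons.append("unexpected-method")
    if HEX_RUN_RE.search(m["target"]):
        reasons.append("binary-in-uri")
    if "/_vti_bin/" in m["target"].lower():
        reasons.append("frontpage-probe")
    if not reasons:
        return None
    status = int(m["status"])
    # 4xx/5xx means the server turned the request away on its own.
    outcome = "refused" if status >= 400 else "served"
    return {"method": m["method"], "status": status,
            "reasons": reasons, "outcome": outcome}

def triage(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines modelled on the quoted log excerpt (shortened).
SAMPLE_LOG = [
    r'192.0.2.10 - - [17/Feb/2007:01:40:01 -0600] "GET / HTTP/1.0" 200 272 "-" "-"',
    r'192.0.2.10 - - [17/Feb/2007:01:40:02 -0600] '
    r'"SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x90\x90" 414 330 "-" "-"',
    r'192.0.2.11 - - [17/Feb/2007:01:41:07 -0600] '
    r'"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 306 "-" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Any finding whose outcome is "served" is the one to look at first; "refused" entries were already rejected by the server before any filter rule was involved.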



