From fdf6dd2bf3f2c87fcd5146abb60a1f9cb31951b68968ae03e3af3426e1a2ac0e Mon Sep 17 00:00:00 2001 
From: Roman Drahtmueller Date: Wed, 6 Nov 2013 23:16:14 +0000 Subject: [PATCH] Accepting request 206042 from home:draht:branches:Apache:Modules - complete overhaul of this package, with update to 2.7.5. - ruleset update to 2.2.8-0-g0f07cbb. - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf , as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf - !!! Please note that mod_unique_id is needed for mod_security2 to run! - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object. - fixes contained for the following bugs: * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling * [bnc#768293] multi-part bypass, minor threat * CVE-2013-1915 [bnc#813190] XML external entity vulnerability * CVE-2012-4528 [bnc#789393] rule bypass * CVE-2013-2765 [bnc#822664] null pointer dereference crash - new from 2.5.9 to 2.7.5, only major changes: * GPLv2 replaced by Apache License v2 * rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package. * documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. * renamed the term "Encryption" in directives that actually refer to hashes. See CHANGES file for more details. * new directive SecXmlExternalEntity, default off * byte conversion issues on s390x when logging fixed. 
* many small issues fixed that were discovered by a Coverity scanner * updated reference manual OBS-URL: https://build.opensuse.org/request/show/206042 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=42 --- .gitattributes | 2 + ...ty-Frequently-Asked-Questions-FAQ.html.bz2 | 3 + README-SUSE-mod_security2.txt | 13 + Reference-Manual.html.bz2 | 3 + ...sp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz | 3 + apache2-mod_security2.changes | 45 +++ apache2-mod_security2.spec | 98 +++-- mod_security2.conf | 335 +++++++++++++++--- modsecurity-apache_2.6.7.tar.gz | 3 - modsecurity-apache_2.7.5-build_fix_pcre.diff | 199 +++++++++++ modsecurity-apache_2.7.5.tar.gz | 3 + modsecurity_diagram_apache_request_cycle.jpg | 3 + rules.tar.bz2 | 3 - 13 files changed, 627 insertions(+), 86 deletions(-) create mode 100644 ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 create mode 100644 README-SUSE-mod_security2.txt create mode 100644 Reference-Manual.html.bz2 create mode 100644 SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz delete mode 100644 modsecurity-apache_2.6.7.tar.gz create mode 100644 modsecurity-apache_2.7.5-build_fix_pcre.diff create mode 100644 modsecurity-apache_2.7.5.tar.gz create mode 100644 modsecurity_diagram_apache_request_cycle.jpg delete mode 100644 rules.tar.bz2 diff --git a/.gitattributes b/.gitattributes index 9b03811..73d0e79 100644 --- a/.gitattributes +++ b/.gitattributes @@ -21,3 +21,5 @@ *.xz filter=lfs diff=lfs merge=lfs -text *.zip filter=lfs diff=lfs merge=lfs -text *.zst filter=lfs diff=lfs merge=lfs -text +## Specific LFS patterns +modsecurity_diagram_apache_request_cycle.jpg filter=lfs diff=lfs merge=lfs -text diff --git a/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 new file mode 100644 index 0000000..6deb6f5 --- /dev/null +++ b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bab5e208e8c2aa4beeb799a4d05bceb3eb44846e75565b32b483fb5fb32023a7
+size 11838
diff --git a/README-SUSE-mod_security2.txt b/README-SUSE-mod_security2.txt
new file mode 100644
index 0000000..ed8e241
--- /dev/null
+++ b/README-SUSE-mod_security2.txt
@@ -0,0 +1,13 @@
+
+#
+# Dear Administrator,
+#
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Your starting point for the configuration of mod_security2 is
+# /etc/apache2/conf.d/mod_security2.conf .
+# Please see that file for comments on how to activate the module
+# and on how to assign rules.
+#
+
diff --git a/Reference-Manual.html.bz2 b/Reference-Manual.html.bz2
new file mode 100644
index 0000000..b86cb92
--- /dev/null
+++ b/Reference-Manual.html.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160af986e97bafad2cdbd58469115102068eff3b2f2f246f559adf7256d0dcf8
+size 60381
diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
new file mode 100644
index 0000000..d1af24d
--- /dev/null
+++ b/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:74053b91ff528ef1052da65ea56881c6849ef809074a84e01dbd8a70ec369e87
+size 279879
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index ea55bbd..b14f2e0 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,48 @@ +------------------------------------------------------------------- +Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de + +- complete overhaul of this package, with update to 2.7.5. +- ruleset update to 2.2.8-0-g0f07cbb. +- new configuration framework private to mod_security2: + /etc/apache2/conf.d/mod_security2.conf loads + /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, + then /etc/apache2/mod_security2.d/*.conf , as set up based on + advice in /etc/apache2/conf.d/mod_security2.conf + Your configuration starting point is + /etc/apache2/conf.d/mod_security2.conf +- !!! Please note that mod_unique_id is needed for mod_security2 to run! +- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous + linker parameter, preventing rpath in shared object. +- fixes contained for the following bugs: + * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling + * [bnc#768293] multi-part bypass, minor threat + * CVE-2013-1915 [bnc#813190] XML external entity vulnerability + * CVE-2012-4528 [bnc#789393] rule bypass + * CVE-2013-2765 [bnc#822664] null pointer dereference crash +- new from 2.5.9 to 2.7.5, only major changes: + * GPLv2 replaced by Apache License v2 + * rules are not part of the source tarball any longer, but + maintaned upstream externally, and included in this package. + * documentation was externalized to a wiki. Package contains + the FAQ and the reference manual in html form. + * renamed the term "Encryption" in directives that actually refer + to hashes. See CHANGES file for more details. + * new directive SecXmlExternalEntity, default off + * byte conversion issues on s390x when logging fixed. + * many small issues fixed that were discovered by a Coverity scanner + * updated reference manual + * wrong time calculation when logging for some timezones fixed. + * replaced time-measuring mechanism with finer granularity for + measured request/answer phases. (Stopwatch remains for compat.) 
+ * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. + * SDBM deadlock fix + * @rsub memory leak fix + * cookie separator code improvements + * build failure fixes + * compile time option --enable-htaccess-config (set) + ------------------------------------------------------------------- Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index bc21cf5..e03d75e 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_security2 # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,9 +17,9 @@ Name: apache2-mod_security2 -Version: 2.6.7 +Version: 2.7.5 Release: 0 -%define aversion 2.6.7 +%define aversion 2.7.5 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -32,7 +32,9 @@ BuildRequires: pcre-devel %define apache apache2 %define modname mod_security2 %define tarballname modsecurity-apache_%{aversion} -# +%define refman Reference-Manual.html +%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html +%define usrsharedir %{_prefix}/share/%{name} %{!?apxs: %global apxs /usr/sbin/apxs2} %{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)} 
@@ -47,11 +49,16 @@ Requires: apache2 # Url: http://www.modsecurity.org/ Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz -Source1: mod_security2.conf -Source2: rules.tar.bz2 +Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz +Source2: mod_security2.conf +Source3: %{refman}.bz2 +Source4: %{faq}.bz2 +Source5: modsecurity_diagram_apache_request_cycle.jpg +Source6: README-SUSE-mod_security2.txt # +Patch0: modsecurity-apache_2.7.5-build_fix_pcre.diff Summary: ModSecurity Open Source Web Application Firewall -License: Apache-2.0 and GPL-2.0 +License: Apache-2.0 Group: Productivity/Networking/Web/Servers %description 
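Review bot: The new Source1 line points at the `tarball/master//...` endpoint, which serves whatever the branch head is when it is fetched, so the file name that records the commit (`2.2.8-0-g0f07cbb`) can neither be reproduced nor checked against the URL later. Pin the URL to that commit rather than to `master` so a rebuild fetches the same bytes as the checked-in LFS object, and keep the checksum in the .gitattributes/LFS pointer as the value a rebuild is compared against. The doubled slash in `master//` also looks accidental and is worth removing while the line is touched.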
@@ -61,44 +68,73 @@ as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. +The modsecurity team also offer a commercial version of their excellent +ruleset. Please have a look at http://www.modsecurity.org/ for more details. %prep %setup -n %{tarballname} -tar -xvjpf %{S:2} +#tar -xvjpf %{S:2} +%setup -D -T -a 1 -n %{tarballname} +mv -v SpiderLabs* rules +bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman} +bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq} +%patch0 +#%patch1 +#%patch2 %build -#pushd %{apache} - ./configure - make %{?_smp_mflags} -# make -C mlogc-src/ -#popd +%configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config +make %{?_smp_mflags} %install pushd %{apache} - install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install -d -m 0755 %{buildroot}%{apache_libexecdir} + install -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so popd - install -D -m 0755 mlogc/mlogc %{buildroot}%{_sbindir}/mlogc - install -D -m 0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl - install -D -m 0640 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf - cp mlogc/INSTALL mlogc/INSTALL.mlogc -install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf -mkdir examples -cp -a tools examples -rm -f examples/tools/M* -chmod 644 examples/tools/* +install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf +install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d +install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d +cp -a %{SOURCE6} doc +install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc +install -m 0644 %{SOURCE5} doc +install -d -m 0755 
%{buildroot}/%{usrsharedir} +install -d -m 0755 %{buildroot}/%{usrsharedir}/tools +install -d -m 0755 %{buildroot}/%{usrsharedir} +rm -f rules/.gitignore rules/LICENSE +cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt +cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools +find rules -type f -print0 | \ + xargs -0 chmod 644 +cp -a rules %{buildroot}/%{usrsharedir} +rm -rf %{buildroot}/%{usrsharedir}/rules/util +rm -rf %{buildroot}/%{usrsharedir}/rules/lua +rm -f %{buildroot}/%{usrsharedir}/rules/READM* +rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG +mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \ + %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf + +%clean +%{__rm} -rf %{buildroot}; +%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} %files %defattr(-, root, root, 0755) %{apache_libexecdir}/%{modname}.so %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf -%doc doc/Reference_Manual.html -%doc README.TXT CHANGES LICENSE modsecurity.conf-recommended -%doc mlogc/INSTALL.mlogc mlogc/mlogc-default.conf -%doc examples/ -%doc rules/ -%{_sbindir}/mlogc -%{_sbindir}/mlogc-batch-load.pl -%config(noreplace) %{_sysconfdir}/mlogc.conf +%dir %{apache_sysconfdir}/mod_security2.d +%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt +%dir %{usrsharedir} +#%dir %{usrsharedir}/tools +#%dir %{usrsharedir}/rules +%doc README.TXT CHANGES LICENSE NOTICE authors.txt +%{usrsharedir} +#%{usrsharedir}/rules/activated_rules +#%{usrsharedir}/rules/base_rules +#%{usrsharedir}/rules/experimental_rules +#%{usrsharedir}/rules/optional_rules +#%{usrsharedir}/rules/slr_rules +%doc doc/* +#rules/util/regression_tests %changelog diff --git a/mod_security2.conf b/mod_security2.conf index fee845f..7ac6126 100644 --- a/mod_security2.conf +++ b/mod_security2.conf 
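Review bot: The two `bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman}` and `bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq}` lines in %prep write into the source directory instead of the build tree, which is why %clean has to delete them again and why two builds sharing a source directory can step on each other; decompressing straight into the unpacked tree, e.g. `bzip2 -dc %{SOURCE3} > doc/%{refman}` and `bzip2 -dc %{SOURCE4} > doc/%{faq}`, lets the later `install -m 0644 ... doc` line and the %clean removal go away. In %install, `install -d -m 0755 %{buildroot}/%{usrsharedir}` is issued twice, once before and once after the `tools` directory is created. In %files, `%dir %{usrsharedir}` and the bare `%{usrsharedir}` entry overlap, so rpmbuild will report the directory as listed twice; one of them is enough. The README placed under `%{apache_sysconfdir}/mod_security2.d` lives in /etc but is not marked `%config` or `%doc`; since the `*.conf` Include in mod_security2.conf does not pick up a `.txt` file this is harmless, but tagging it makes the intent explicit.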
@@ -1,60 +1,297 @@ + +# Dear administrator/webmaster, +# +# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for +# the configuration of mod_security2. +# Please read this text down to line 63 for information about activation +# and configuration of the mod_security2 apache module. +# +# To activate mod_security2, its apache module must be configured to be +# loaded when apache starts. The mod_security2 apache module depends on +# the module mod_unique_id to be able to run. This means that both apache +# modules must be activated/loaded when apache starts. + +# Change the configuration to load these two modules by adding the two +# module names "security2" and "unique_id" to the variable APACHE_MODULES +# in /etc/sysconfig/apache2 . You can do that manually, or use the tools +# a2enmod (enable apache module) and a2dismod (disable apache module). +# These two tools expect the name of the module without the leading +# "mod_" as an argument! +# +# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache +# start script /etc/init.d/apache2 . Changes in APACHE_MODULES are then +# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start +# script. +# +# example for the use of a2enmod/a2dismod: +# +# a2enmod security2 # enable module security2 +# a2enmod unique_id # enable module unique_id +# +# a2dismod security2 # disable +# a2dismod unique_id # % + +# +# This file /etc/apache2/conf.d/mod_security2.conf makes some basic +# configuration settings, then loads +# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf +# which is the baseline for the rules that can be loaded later. +# +# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read. +# For the rules you wish to apply, place a symlink to the rules file there. 
+# +# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.7 +# is contained in this package, a splendid set of rules made to provide for a +# decent basic and even advanced protection. The rules files are contained +# in the directory /usr/share/apache2-mod_security2/rules/. +# +# Example (use all of the basic rules that come with the package): +# +# cd /etc/apache2/mod_security2.d +# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do +# ln -s $i . +# done +# +# At last, simply restart apache: +# rcapache2 restart +# +# In doubt, please consult the valuable online documentation on the project's +# website, which is the authoritative source for documentation. +# For offline reading, the webpages for the Reference Guide and the FAQ are +# located in the package's documentation directory, in the state of 2013/01: +# /usr/share/doc/packages/apache2-mod_security2 +# +# Roman Drahtmueller , SUSE, 20130118. +# + + + - # Basic configuration options - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess Off - # Handling of file uploads - # TODO Choose a folder private to Apache. - # SecUploadDir /opt/apache-frontend/tmp/ - SecUploadKeepFiles Off +# -- Rule engine initialization ---------------------------------------------- - # Debug log - SecDebugLog /var/log/apache2/modsec_debug.log - SecDebugLogLevel 0 +# Enable ModSecurity, attaching it to every transaction. Use detection +# only to start with, because that minimises the chances of post-installation +# disruption. 
+# +SecRuleEngine DetectionOnly - # Serial audit log - SecAuditEngine RelevantOnly - SecAuditLogRelevantStatus ^5 - SecAuditLogParts ABIFHZ - SecAuditLogType Serial - SecAuditLog /var/log/apache2/modsec_audit.log - # Maximum request body size we will - # accept for buffering - SecRequestBodyLimit 131072 +# -- Request body handling --------------------------------------------------- - # Store up to 128 KB in memory - SecRequestBodyInMemoryLimit 131072 +# Allow ModSecurity to access request bodies. If you don't, ModSecurity +# won't be able to see any POST parameters, which opens a large security +# hole for attackers to exploit. +# +SecRequestBodyAccess On - # Buffer response bodies of up to - # 512 KB in length - SecResponseBodyLimit 524288 - # Verify that we've correctly processed the request body. - # As a rule of thumb, when failing to process a request body - # you should reject the request (when deployed in blocking mode) - # or log a high-severity alert (when deployed in detection-only mode). - SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2" +# Enable XML request body parser. +# Initiate XML Processor in case of xml content-type +# +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" - # By default be strict with what we accept in the multipart/form-data - # request body. If the rule below proves to be too strict for your - # environment consider changing it to detection-only. You are encouraged - # _not_ to remove it altogether. 
- SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart request body \ - failed strict validation: \ - PE %{REQBODY_PROCESSOR_ERROR}, \ - BQ %{MULTIPART_BOUNDARY_QUOTED}, \ - BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ - DB %{MULTIPART_DATA_BEFORE}, \ - DA %{MULTIPART_DATA_AFTER}, \ - HF %{MULTIPART_HEADER_FOLDING}, \ - LF %{MULTIPART_LF_LINE}, \ - SM %{MULTIPART_SEMICOLON_MISSING}'" - # Did we see anything that might be a boundary? - SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" +# -- XML external entity loading by libxml2. +# Defaults to off. +SecXmlExternalEntity Off + +# Maximum request body size we will accept for buffering. If you support +# file uploads then the value given on the first line has to be as large +# as the largest file you are willing to accept. The second value refers +# to the size of data, with files excluded. You want to keep that value as +# low as practical. +# +SecRequestBodyLimit 13107200 +SecRequestBodyNoFilesLimit 131072 + +# Store up to 128 KB of request body data in memory. When the multipart +# parser reachers this limit, it will start using your hard disk for +# storage. That is slow, but unavoidable. +# +SecRequestBodyInMemoryLimit 131072 + +# What do do if the request body size is above our configured limit. +# Keep in mind that this setting will automatically be set to ProcessPartial +# when SecRuleEngine is set to DetectionOnly mode in order to minimize +# disruptions when initially deploying ModSecurity. +# +SecRequestBodyLimitAction Reject + +# Verify that we've correctly processed the request body. +# As a rule of thumb, when failing to process a request body +# you should reject the request (when deployed in blocking mode) +# or log a high-severity alert (when deployed in detection-only mode). 
+# +SecRule REQBODY_ERROR "!@eq 0" \ +"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + +# By default be strict with what we accept in the multipart/form-data +# request body. If the rule below proves to be too strict for your +# environment consider changing it to detection-only. You are encouraged +# _not_ to remove it altogether. +# +SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ +"id:'200002',phase:2,t:none,log,deny,status:44, \ +msg:'Multipart request body failed strict validation: \ +PE %{REQBODY_PROCESSOR_ERROR}, \ +BQ %{MULTIPART_BOUNDARY_QUOTED}, \ +BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ +DB %{MULTIPART_DATA_BEFORE}, \ +DA %{MULTIPART_DATA_AFTER}, \ +HF %{MULTIPART_HEADER_FOLDING}, \ +LF %{MULTIPART_LF_LINE}, \ +SM %{MULTIPART_MISSING_SEMICOLON}, \ +IQ %{MULTIPART_INVALID_QUOTING}, \ +IP %{MULTIPART_INVALID_PART}, \ +IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ +FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + +# Did we see anything that might be a boundary? +# +SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ +"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + +# PCRE Tuning +# We want to avoid a potential RegEx DoS condition +# +SecPcreMatchLimit 1000 +SecPcreMatchLimitRecursion 1000 + +# Some internal errors will set flags in TX and we will need to look for these. +# All of these are prefixed with "MSC_". The following flags currently exist: +# +# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. +# +SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + +# -- Response body handling -------------------------------------------------- + +# Allow ModSecurity to access response bodies. +# You should have this directive enabled in order to identify errors +# and data leakage issues. 
+# +# Do keep in mind that enabling this directive does increases both +# memory consumption and response latency. +# +SecResponseBodyAccess On + +# Which response MIME types do you want to inspect? You should adjust the +# configuration below to catch documents but avoid static files +# (e.g., images and archives). +# +SecResponseBodyMimeType text/plain text/html text/xml + +# Buffer response bodies of up to 512 KB in length. +SecResponseBodyLimit 524288 + +# What happens when we encounter a response body larger than the configured +# limit? By default, we process what we have and let the rest through. +# That's somewhat less secure, but does not break any legitimate pages. +# +SecResponseBodyLimitAction ProcessPartial + + +# -- Filesystem configuration ------------------------------------------------ + +# The location where ModSecurity stores temporary files (for example, when +# it needs to handle a file upload that is larger than the configured limit). +# +# This default setting is chosen due to all systems have /tmp available however, +# this is less than ideal. It is recommended that you specify a location that's private. +# +SecTmpDir /tmp/ + +# The location where ModSecurity will keep its persistent data. This default setting +# is chosen due to all systems have /tmp available however, it +# too should be updated to a place that other users can't access. +# +SecDataDir /tmp/ + + +# -- File uploads handling configuration ------------------------------------- + +# The location where ModSecurity stores intercepted uploaded files. This +# location must be private to ModSecurity. You don't want other users on +# the server to access the files, do you? +# +#SecUploadDir /opt/modsecurity/var/upload/ + +# By default, only keep the files that were determined to be unusual +# in some way (by an external inspection script). For this to work you +# will also need at least one file inspection rule. 
+# +#SecUploadKeepFiles RelevantOnly + +# Uploaded files are by default created with permissions that do not allow +# any other user to access them. You may need to relax that if you want to +# interface ModSecurity to an external program (e.g., an anti-virus). +# +#SecUploadFileMode 0600 + + +# -- Debug log configuration ------------------------------------------------- + +# The default debug log configuration is to duplicate the error, warning +# and notice messages from the error log. +# +#SecDebugLog /var/log/apache2/modsec_debug.log +#SecDebugLogLevel 3 + +# -- Audit log configuration ------------------------------------------------- + +# Log the transactions that are marked by a rule, as well as those that +# trigger a server error (determined by a 5xx or 4xx, excluding 404, +# level response status codes). +# +SecAuditEngine RelevantOnly +SecAuditLogRelevantStatus "^(?:5|4(?!04))" + +# Log everything we know about a transaction. +SecAuditLogParts ABIJDEFHZ + +# Use a single file for logging. This is much easier to look at, but +# assumes that you will use the audit log only ocassionally. +# +SecAuditLogType Serial +SecAuditLog /var/log/apache2/modsec_audit.log + +# Specify the path for concurrent audit logging. +#SecAuditLogStorageDir /opt/modsecurity/var/audit/ + + +# -- Miscellaneous ----------------------------------------------------------- + +# Use the most commonly used application/x-www-form-urlencoded parameter +# separator. There's probably only one application somewhere that uses +# something else so don't expect to change this value. +# +SecArgumentSeparator & + +# Settle on version 0 (zero) cookies, as that is what most applications +# use. Using an incorrect cookie version may open your installation to +# evasion attacks (against the rules that examine named cookies). +# +SecCookieFormat 0 + +# Specify your Unicode Code Point. +# This mapping is used by the t:urlDecodeUni transformation function +# to properly map encoded data to your language. 
Properly setting +# these directives helps to reduce false positives and negatives. +# +#SecUnicodeCodePage 20127 +#SecUnicodeMapFile unicode.mapping + + + + + + +Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf +# as set up with symlinks for files that are placed here: +Include /etc/apache2/mod_security2.d/*.conf + diff --git a/modsecurity-apache_2.6.7.tar.gz b/modsecurity-apache_2.6.7.tar.gz deleted file mode 100644 index cd8df78..0000000 --- a/modsecurity-apache_2.6.7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3fa05e2be9e8a6e99747defe0df35ace99ba44683afef5205819db9706c03f29 -size 785852 diff --git a/modsecurity-apache_2.7.5-build_fix_pcre.diff b/modsecurity-apache_2.7.5-build_fix_pcre.diff new file mode 100644 index 0000000..5df5ef1 --- /dev/null +++ b/modsecurity-apache_2.7.5-build_fix_pcre.diff 
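Review bot: Rules 200002 and 200003 deny with `status:44`, which is not an HTTP status code, while rule 200001 in the same hunk uses `status:400`; the two multipart rules should use the same `status:400` so a blocked request gets a well-formed response instead of whatever the server substitutes for an unknown code. `SecTmpDir /tmp/` and `SecDataDir /tmp/` keep ModSecurity's temporary files and its persistent collections (the data behind IP/session tracking) in a directory every local user can reach; the comments in this very file say the location should be private, and a packaged default can create a directory owned by the apache user (`<private-data-dir>`, placeholder) and point both directives at it rather than shipping the upstream placeholder. The header comment still says the Core Rule Set "version 2.2.7" is contained in this package although the changelog ships 2.2.8-0-g0f07cbb, the reference "down to line 63" will drift as the file is edited, and `# a2dismod unique_id # %` is a truncated comment that should read the same as the `a2dismod security2` line above it.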
@@ -0,0 +1,199 @@
+diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.am ./apache2/Makefile.am
+--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.am 2013-07-28 05:58:49.000000000 +0200
++++ ./apache2/Makefile.am 2013-08-01 15:08:21.000000000 +0200
+@@ -17,61 +17,61 @@
+ mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
+ @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
+ mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@
+ mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@
+ 
+ if AIX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if HPUX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if MACOSX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if SOLARIS
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if LINUX
+-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if FREEBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if OPENBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if NETBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if LINUX
+ install-exec-hook: $(pkglib_LTLIBRARIES)
+ @echo "Removing unused static libraries..."; \
+ for m in $(pkglib_LTLIBRARIES); do \
+ base=`echo $$m | sed 's/\..*//'`; \
+ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
+ install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \
+ done
+diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.in ./apache2/Makefile.in
+--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.in 2013-07-28 05:59:01.000000000 +0200
++++ ./apache2/Makefile.in 2013-08-01 15:08:56.000000000 +0200
+@@ -303,61 +303,61 @@
+ #include_HEADERS = re.h modsecurity.h msc_logging.h msc_multipart.h \
+ # msc_parsers.h msc_pcre.h msc_util.h msc_xml.h \
+ # persist_dbm.h apache2.h msc_geo.h acmp.h utf8tables.h \
+ # msc_lua.h msc_release.h
+ mod_security2_la_SOURCES = mod_security2.c \
+ apache2_config.c apache2_io.c apache2_util.c \
+ re.c re_operators.c re_actions.c re_tfns.c \
+ re_variables.c msc_logging.c msc_xml.c \
+ msc_multipart.c modsecurity.c msc_parsers.c \
+ msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \
+ msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c \
+ libinjection/libinjection_sqli.c
+ 
+ mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
+ @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
+ 
+ mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@
+ mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@
+ @AIX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @AIX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @AIX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @FREEBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @FREEBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @FREEBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @HPUX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @HPUX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @HPUX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+-@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
++@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @LINUX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @LINUX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @MACOSX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @MACOSX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @MACOSX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @NETBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @NETBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @NETBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @OPENBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @OPENBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @OPENBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @SOLARIS_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @SOLARIS_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @SOLARIS_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ all: modsecurity_config_auto.h
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+ 
+ .SUFFIXES:
+ .SUFFIXES: .c .lo .o .obj
+ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+diff -rNU 30 ../modsecurity-apache_2.7.5-o/configure ./configure
+--- ../modsecurity-apache_2.7.5-o/configure 2013-07-28 05:59:03.000000000 +0200
++++ ./configure 2013-08-01 15:02:59.000000000 +0200
+@@ -13103,61 +13103,62 @@
+ if test -e "${x}/bin/${PCRE_CONFIG}"; then
+ pcre_path="${x}/bin"
+ break
+ elif test -e "${x}/${PCRE_CONFIG}"; then
+ pcre_path="${x}"
+ break
+ else
+ pcre_path=""
+ fi
+ done
+ if test -n "$pcre_path"; then
+ break
+ fi
+ done
+ 
+ if test -n "${pcre_path}"; then
+ if test "${pcre_path}" != "no"; then
+ PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}"
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${PCRE_CONFIG}" >&5
+ $as_echo "${PCRE_CONFIG}" >&6; }
+ PCRE_VERSION="`${PCRE_CONFIG} --version`"
+ if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre VERSION: $PCRE_VERSION" >&5
+ $as_echo "$as_me: pcre VERSION: $PCRE_VERSION" >&6;}; fi
+ PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`"
+ if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre CFLAGS: $PCRE_CFLAGS" >&5
+ $as_echo "$as_me: pcre CFLAGS: $PCRE_CFLAGS" >&6;}; fi
+ PCRE_LDADD="`${PCRE_CONFIG} --libs`"
+ if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5
+ $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi
+- PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
++# PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
++ PCRE_LD_PATH=""
+ if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5
+ $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ fi
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ if test -z "${PCRE_VERSION}"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: *** pcre library not found." >&5
+ $as_echo "$as_me: *** pcre library not found." >&6;}
+ as_fn_error "pcre library is required" "$LINENO" 5
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: using pcre v${PCRE_VERSION}" >&5
+ $as_echo "$as_me: using pcre v${PCRE_VERSION}" >&6;}
+ 
+ fi
+ 
+ if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then
+ 
+ 
+ # Check whether --with-apr was given.
+ if test "${with_apr+set}" = set; then :
diff --git a/modsecurity-apache_2.7.5.tar.gz b/modsecurity-apache_2.7.5.tar.gz
new file mode 100644
index 0000000..6f8078c
--- /dev/null
+++ b/modsecurity-apache_2.7.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e907536278d8da80d3dbb29aeffe9c4ec37ce9b641035b2da64e993135647a2
+size 1045387
diff --git a/modsecurity_diagram_apache_request_cycle.jpg b/modsecurity_diagram_apache_request_cycle.jpg
new file mode 100644
index 0000000..b31317a
--- /dev/null
+++ b/modsecurity_diagram_apache_request_cycle.jpg
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4366e727c511bccbf56ec646dd0961c65c8054fdc235ab26e06e3faf08052f6d
+size 46799
diff --git a/rules.tar.bz2 b/rules.tar.bz2
deleted file mode 100644
index dcd63ce..0000000
--- a/rules.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5b025dd7e2fc74aebf4bbf671ef238325737cc8a5da9e1eda6c9f739d5d2226b
-size 33001
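Review bot: The configure change (`++ PCRE_LD_PATH=""`) keeps the variable substituted but empty while `-R @PCRE_LD_PATH@` is dropped only from the Linux link line in apache2/Makefile.am and apache2/Makefile.in; if any other Makefile.am in the tree still references `@PCRE_LD_PATH@`, it would now expand to a bare `-R` with no argument, so a grep for that token across the source before relying on the empty value would confirm the patch is complete. Dropping the rpath is the right direction for a package build: the removed line derived a directory from `pcre-config --libs` on the build host and baked it into mod_security2.so, which the commit message describes as the erroneous linker parameter it prevents. Patching Makefile.in alongside Makefile.am is visible here and means an automake regeneration will not reintroduce the flag. The patch carries no description above its first `+diff -rNU 30` line; add a one-line header such as `Drop the build-time -R rpath derived from pcre-config from the Linux LDFLAGS; the packaged module uses the system libpcre.` so the intent survives the next version bump. The inner hunks' 30-line contexts cut through the install-exec-hook recipe and the Makefile.in regeneration rule, but those lines are unchanged context.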