Should probably move this discussion to the mod-security-developers list and 
then report back a fix.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: "Greg Wroblewski (SPARROW)" <greg.wroblew...@microsoft.com>
Date: Fri, 10 Aug 2012 12:38:14 -0500
To: Bill Roemhild <consu...@hotmail.com>, Ryan Barnett <rbarn...@trustwave.com>, Breno Silva Pinto <bpi...@trustwave.com>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

I see a problem. Even when permissions are correct, the code reads the file, 
but then it crashes.

Breno,

This is all happening in:

static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg)

with crash:

>             libapr-1.dll!apr_pool_cleanup_kill(apr_pool_t * p, const void * data, int (void *)* cleanup_fn)  Line 2270             C
              libapr-1.dll!apr_file_close(apr_file_t * file)  Line 501             C
              ModSecurityIIS.dll!msre_op_pmFromFile_param_init(msre_rule * rule, char * * error_msg)  Line 1384             C

Here:

    while (c) {
#if APR_POOL_DEBUG
        /* Some cheap loop detection to catch a corrupt list: */
        if (c == c->next
            || (c->next && c == c->next->next)
            || (c->next && c->next->next && c == c->next->next->next)) {
            abort();
        }
#endif

        if (c->data == data && c->plain_cleanup_fn == cleanup_fn) {   <==  CRASH

I cannot figure out what’s wrong, but I’ll keep looking.

Greg

From: Bill Roemhild [mailto:consu...@hotmail.com]
Sent: Friday, August 10, 2012 9:38 AM
To: Greg Wroblewski (SPARROW); Ryan Barnett
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

Maybe I should be asking if anyone else has been able to get this to work.

________________________________
From: consu...@hotmail.com
To: greg.wroblew...@microsoft.com; rbarn...@trustwave.com
Date: Fri, 10 Aug 2012 08:47:39 -0700
CC: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

There is not an entry listed in the event log for a missing file.

I gave "IIS AppPool\DefaultAppPool" full control over the data files as I'm 
using IIS 7.5. Same result.

I also tried adding "Network Service", even though I'm pretty sure that is 
wrong. Still no love.

Bill


________________________________
From: greg.wroblew...@microsoft.com
To: rbarn...@trustwave.com; consu...@hotmail.com
CC: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
Date: Thu, 9 Aug 2012 23:21:55 +0000

This is really an APR bug (we should report it or create a workaround), but the 
problem is in the file permissions. Read access to everyone is not enough, 
proper ACLs must be set as well.

When the file does not exist this error gets logged in the event log:

Syntax error in config file c:\inetpub\wwwroot\test.conf, line 47: Error creating rule: Could not open phrase file "c:\inetpub\wwwroot\modsecurity_35_scanners.data": The system cannot find the file specified.

So you can see when it’s a permission issue or a path issue.

Greg

From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: Thursday, August 9, 2012 2:45 PM
To: Bill Roemhild
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org; Greg Wroblewski (SPARROW)
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

You might want to try and specify a full path to the .data file.
--
Ryan Barnett
Researcher Lead
Trustwave - SpiderLabs


On Aug 9, 2012, at 5:39 PM, Bill Roemhild <consu...@hotmail.com> wrote:
I've been playing around with modsecurity 2.7.0-RC2 for IIS along with the 
OWASP rules.  When running any rule set that calls for a data file through 
@pmFromFile the application pool crashes.  I've given read access to 'Everyone' 
on the data files being read without success. Anyone else run into this problem?


Rule:
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
        "phase:2,rev:'2.2.5',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"

Crash:
w3wp.exe
   7.5.7601.17514
   4ce7afa2
   libapr-1.dll
   1.4.5.0
   500eaf34
   c0000005
   00000000000099f8
   1e08
   01cd7675752af369
   c:\windows\system32\inetsrv\w3wp.exe
   C:\Windows\system32\inetsrv\libapr-1.dll
   b4147ab9-e268-11e1-82b3-4437e66c2115



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________
This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
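
A preflight check for the path-versus-permission question raised in the thread, as an added example that is not part of the original messages or of ModSecurity's code: it lists every phrase file a rules file names through @pmFromFile (or its alias @pmf) and reports whether each one is present and readable. It assumes a relative name is resolved against the directory of the config file containing the rule, and the readability result applies to the account the script runs as.

```python
import os
import re

# Operand of a @pmFromFile / @pmf operator inside a quoted SecRule argument,
# e.g. "@pmFromFile a.data b.data" (several file names may be given).
_PMF = re.compile(r'"!?@(?:pmFromFile|pmf)\s+([^"]+)"', re.IGNORECASE)


def join_continuations(text):
    """Merge lines ending in a backslash, as multi-line SecRule entries do."""
    return re.sub(r'\\\r?\n', ' ', text)


def phrase_files(conf_path):
    """Return [(resolved_path, status)] for every phrase file the config names.

    Assumption: a relative name is resolved against the directory of the
    config file that contains the rule.
    """
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        text = join_continuations(fh.read())
    base = os.path.dirname(os.path.abspath(conf_path))
    results = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rule
        for operand in _PMF.findall(line):
            for name in operand.split():
                path = name if os.path.isabs(name) else os.path.join(base, name)
                results.append((path, check(path)))
    return results


def check(path):
    """Classify a phrase file as 'ok', 'missing', 'unreadable' or 'empty'."""
    if not os.path.isfile(path):
        return "missing"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable"  # exists, but this account cannot open it
    return "ok" if data.strip() else "empty"


if __name__ == "__main__":
    import sys
    for path, status in phrase_files(sys.argv[1]):
        print(f"{status:10} {path}")
```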
