I can confirm that setting the App Pool setting of "Enable 32-Bit Applications" 
to True does work. 
Thanks for your help guys. 
Bill 

From: greg.wroblew...@microsoft.com
To: bpi...@trustwave.com; consu...@hotmail.com; rbarn...@trustwave.com
CC: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS 
along with modsecurity 2.7.0-RC2
Date: Sat, 11 Aug 2012 00:25:30 +0000










Yep, the cleanup list in the pool is broken.
 
This is one of those non-deterministic bugs, you need a little bit of luck to 
hit it. The thing that worked for me was switching to 32-bit application pool.
 
Greg
 


From: Breno Silva Pinto [mailto:bpi...@trustwave.com]
Sent: Friday, August 10, 2012 11:09 AM
To: Greg Wroblewski (SPARROW); Bill Roemhild; Ryan Barnett
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2


 
Maybe for some reason "c" == NULL or pointing to a wrong addr?





On 8/10/12 12:38 PM, "Greg Wroblewski (SPARROW)" 
<greg.wroblew...@microsoft.com> wrote:
I see a problem. Even when permissions are correct, the code reads the file, 
but then it crashes.

 

Breno,

 

This is all happening in:

 

static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg)

 

with crash:

 

>  libapr-1.dll!apr_pool_cleanup_kill(apr_pool_t * p, const void * data, int (void *)* cleanup_fn)  Line 2270  C
   libapr-1.dll!apr_file_close(apr_file_t * file)  Line 501  C
   ModSecurityIIS.dll!msre_op_pmFromFile_param_init(msre_rule * rule, char * * error_msg)  Line 1384  C

 

Here:

 

    while (c) {
#if APR_POOL_DEBUG
        /* Some cheap loop detection to catch a corrupt list: */
        if (c == c->next
            || (c->next && c == c->next->next)
            || (c->next && c->next->next && c == c->next->next->next)) {
            abort();
        }
#endif

        if (c->data == data && c->plain_cleanup_fn == cleanup_fn) {   <-- CRASH

 

I cannot figure out what’s wrong, but I’ll keep looking.

 

Greg

 



From: Bill Roemhild [mailto:consu...@hotmail.com]
Sent: Friday, August 10, 2012 9:38 AM
To: Greg Wroblewski (SPARROW); Ryan Barnett
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2





Maybe I should be asking if anyone else has been able to get this to work.


 



From: consu...@hotmail.com
To: greg.wroblew...@microsoft.com; rbarn...@trustwave.com
Date: Fri, 10 Aug 2012 08:47:39 -0700
CC: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2



There is not an entry listed in the event log for a missing file.  

 

I gave "IIS AppPool\DefaultAppPool" full control over the data files as I'm 
using IIS 7.5. Same result.

 

I also tried adding "Network Service", even though I'm pretty sure that is 
wrong. Still no love.



Bill



 



From: greg.wroblew...@microsoft.com
To: rbarn...@trustwave.com; consu...@hotmail.com
CC: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
Date: Thu, 9 Aug 2012 23:21:55 +0000



This is really an APR bug (we should report it or create a workaround), but the 
problem is in the file permissions. Read access to everyone is not enough, 
proper ACLs must be set as well.

 

When the file does not exist this error gets logged in the event log:

 

Syntax error in config file c:\inetpub\wwwroot\test.conf, line 47: Error creating rule: Could not open phrase file "c:\inetpub\wwwroot\modsecurity_35_scanners.data": The system cannot find the file specified.

 

So you can see when it’s a permission issue or a path issue.



Greg





From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: Thursday, August 9, 2012 2:45 PM
To: Bill Roemhild
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org; Greg Wroblewski (SPARROW)
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2





You might want to try and specify a full path to the .data file.




--



Ryan Barnett



Researcher Lead



Trustwave - SpiderLabs









On Aug 9, 2012, at 5:39 PM, Bill Roemhild <consu...@hotmail.com> wrote:



I've been playing around with modsecurity 2.7.0-RC2 for IIS along with the 
OWASP rules.  When running any rule set that calls for a data file through 
@pmFromFile the application pool crashes.  I've given read access to 
'Everyone' on the data files being read without success. Anyone else run 
into this problem?


 

 

Rule:

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
        "phase:2,rev:'2.2.5',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"

 

Crash:

   w3wp.exe
   7.5.7601.17514
   4ce7afa2
   libapr-1.dll
   1.4.5.0
   500eaf34
   c0000005
   00000000000099f8
   1e08
   01cd7675752af369
   c:\windows\system32\inetsrv\w3wp.exe
   C:\Windows\system32\inetsrv\libapr-1.dll
   b4147ab9-e268-11e1-82b3-4437e66c2115

 

 

 



_______________________________________________

Owasp-modsecurity-core-rule-set mailing list

Owasp-modsecurity-core-rule-set@lists.owasp.org

https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set






This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified
 that any disclosure, copying, distribution, or use of the information 
contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If 
you received this transmission in error, please immediately contact the sender 
and destroy the material in its
 entirety, whether in electronic or hard copy format.
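
The list walk in Greg's excerpt, as an added example that is not part of the original thread and is not APR's code: a simplified model of a pool cleanup list, with hypothetical names (pool, cleanup_register, cleanup_kill, fake_close), that runs the same cheap loop check unconditionally and returns an error instead of calling abort(). The check only catches cycles of up to three nodes; a node pointer into freed or unmapped memory would still fault at the comparison.

```c
#include <stddef.h>

/* Simplified model of a pool cleanup list; all names are hypothetical. */
typedef int (*cleanup_fn_t)(void *);
typedef struct cleanup {
    struct cleanup *next;
    const void *data;
    cleanup_fn_t fn;
} cleanup;
typedef struct { cleanup *cleanups; } pool;
enum { KILL_OK, KILL_NOT_FOUND, KILL_CORRUPT };

/* Push a caller-owned node onto the head of the pool's cleanup list. */
void cleanup_register(pool *p, cleanup *c, const void *data, cleanup_fn_t fn)
{
    c->data = data;
    c->fn = fn;
    c->next = p->cleanups;
    p->cleanups = c;
}

/* The cheap check from the quoted excerpt: cycles of length 1, 2 or 3. */
static int looks_corrupt(const cleanup *c)
{
    return c == c->next
        || (c->next && c == c->next->next)
        || (c->next && c->next->next && c == c->next->next->next);
}

/* Unlink the entry matching (data, fn); report a cycle instead of abort(). */
int cleanup_kill(pool *p, const void *data, cleanup_fn_t fn)
{
    cleanup **lastp = &p->cleanups;
    for (cleanup *c = p->cleanups; c; lastp = &c->next, c = c->next) {
        if (looks_corrupt(c))
            return KILL_CORRUPT;
        if (c->data == data && c->fn == fn) {  /* comparison at the crash site */
            *lastp = c->next;
            return KILL_OK;
        }
    }
    return KILL_NOT_FOUND;
}

int fake_close(void *f) { (void)f; return 0; }  /* stand-in cleanup callback */
```

Without the check, a search for an entry that is not on a cyclic list would never terminate.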


