admin Site Admin
Joined: 15 Oct 2005 Posts: 702
Posted: Wed 01 Dec '10 23:54 Post subject: ModSecurity and mlogc 2.5.13 released
ModSecurity and mlogc 2.5.13 are now available at the download page.
This release fixes several small issues and includes the new Slow DoS protection SecReadStateLimit directive. In addition, this release fixes quite a few small but notable bugs and includes the latest Core Ruleset (v2.0.10).
It was some hassle to build on Windows; with help from Breno Silva (maintainer/author) the build went fine after a source change.
The current documentation is part of Ivan's book (https://www.feistyduck.com/books/modsecurity-handbook/). So the documentation is not all up to date, and I advise visiting the blog http://www.modsecurity.org/ for the new features and other interesting articles.
Enjoy,
Steffen
Change log 2.5.13
* Cleaned up some mlogc code and debugging output.
* Remove the ability to use a relative path to a piped audit logger (i.e. mlogc) as Apache does not support it in their piped loggers and it was breaking Windows and probably other platforms that use spaces in filesystem paths. Discovered by Tom Donovan.
* Fix memory leak freeing regex. Discovered by Tom Donovan.
* Fix some portability issues on Windows.
* Fixed Geo lookup concurrent connections bug.
* Fixed Skip/SkipAfter chain bug.
* Added new setvar Lua API to be used in Lua scripts.
* Added PCRE messages indicating each rule that exceeds match limits.
* Added new Base64 transformation function called base64DecodeEx, which can decode base64 data skipping special characters.
* Add SecReadStateLimit to limit the number of concurrent threads in BUSY connections per IP address.
* Fixed redirect action not expanding macros in chained rules.
Tjerk
Joined: 15 Dec 2010 Posts: 1
Posted: Wed 15 Dec '10 1:19 Post subject: Doesn't work with httpd-2.2.17-win32-x86-openssl-0.9.8o.msi
This version doesn't work on XP SP3 with httpd-2.2.17-win32-x86-openssl-0.9.8o.msi from httpd.apache.org with the PHP/5.3.4 mod.
It crashes when starting the httpd service.
My solution is to install the old mod_security-2.5.12-win32.zip (from a backup); this one will not crash with the same setup.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7404 Location: EU, Germany, Next to Hamburg
Posted: Wed 15 Dec '10 15:58 Post subject:
Is your backup also from apachelounge? I wonder how you can mix vc6 and vc9 builds.

maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Fri 24 Dec '10 3:59 Post subject:
I downloaded mod_security 2.5.12 from the apachelounge site. It was installed successfully.
I posted another message there: http://www.apachelounge.com/viewtopic.php?t=3793
I downloaded mod_security 2.5.13 from the apachelounge site too. But it can't be installed successfully. The Apache web application crashes when mod_security 2.5.13 is installed.
DmitryV
Joined: 10 Jan 2011 Posts: 29 Location: Russian Federation, Saint-Petersburg
Posted: Mon 10 Jan '11 11:32 Post subject:
This version, ModSecurity 2.5.13, doesn't work on Server 2008 R2
with httpd-2.2.17 from apachelounge.com with PHP 5.2.17 VC9 from php.net.
It crashes when starting the httpd service.
mod_security-2.5.12-win32.zip from apachelounge.com works!
PS: 2.5.13 - it worked! Now working out in the config files which of the old rules caused the module crash ...
For those who can't get it running: run with the default rules, and also check the rule files in the new rule package, then add your own rules; the syntax may have changed, but the documentation is not yet available on the official site.
I have installed core ruleset/2.1.1
Found what caused the module crash - in version 2.5.13 the crash is caused by the instructions:
# PCRE Tuning
SecPcreMatchLimit 3000
SecPcreMatchLimitRecursion 3000
Docs:
SecPcreMatchLimit
Description: Sets the match limit in the PCRE library. See the pcre_extra field in the pcreapi man page.
Syntax: SecPcreMatchLimit value
Example Usage: SecPcreMatchLimit 1500
Processing Phase: N/A
Scope: Global
Version: 2.5.12
Dependencies/Notes: Default is set at compile (1500 by default)
The --enable-pcre-match-limit=val configure option will set a custom default and the --disable-pcre-match-limit option will resort to the compiled PCRE library default
SecPcreMatchLimitRecursion
Description: Sets the match limit recursion in the PCRE library. See the pcre_extra field in the pcreapi man page.
Syntax: SecPcreMatchLimitRecursion value
Example Usage: SecPcreMatchLimitRecursion 1500
Processing Phase: N/A
Scope: Global
Version: 2.5.12
Dependencies/Notes: Default is set at compile (1500 by default)
The --enable-pcre-match-limit-recursion=val configure option will set a custom default and the --disable-pcre-match-limit-recursion option will resort to the compiled PCRE library default.
brenosilva
Joined: 03 Dec 2010 Posts: 1
Posted: Thu 13 Jan '11 14:47 Post subject: ModSec 2.5.13 working under Win ?
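The SecPcreMatchLimit and SecPcreMatchLimitRecursion directives quoted above cap how much work PCRE may spend on one match, so a rule whose regex backtracks exponentially on hostile input fails closed instead of pinning a worker thread. The block below is an added illustration, not code from ModSecurity, PCRE or anyone in this thread: a toy backtracking matcher that counts calls to its internal match routine (the analogue of PCRE's match_limit) and tracks nesting depth (the analogue of match_limit_recursion), and evaluate_rule mirrors the three outcomes ModSecurity reports for a rule (match, no match, limits exceeded). The class and function names, the step-counting granularity and the sample inputs are assumptions made for the demonstration; the supported syntax is literals, '.', groups, '|', '*', '+', '?', '^' and '$'.

```python
# Toy backtracking matcher with PCRE-style match and recursion limits.
# Added illustration only; names and step granularity are assumptions.


class MatchLimitExceeded(Exception):
    """Raised when the step or depth budget (match_limit analogues) runs out."""


def parse(pattern):
    """Parse the tiny regex dialect into a nested tuple AST."""
    pos = 0

    def parse_alt():
        nonlocal pos
        branches = [parse_seq()]
        while pos < len(pattern) and pattern[pos] == "|":
            pos += 1
            branches.append(parse_seq())
        return ("alt", branches)

    def parse_seq():
        nonlocal pos
        items = []
        while pos < len(pattern) and pattern[pos] not in "|)":
            c = pattern[pos]
            pos += 1
            if c == "(":
                atom = parse_alt()
                if pos >= len(pattern) or pattern[pos] != ")":
                    raise ValueError("unbalanced '(' in pattern")
                pos += 1
            elif c in ".^$":
                atom = ({".": "any", "^": "start", "$": "end"}[c],)
            else:
                atom = ("char", c)
            quant = None
            if pos < len(pattern) and pattern[pos] in "*+?":
                quant = pattern[pos]
                pos += 1
            items.append((atom, quant))
        return ("seq", items)

    ast = parse_alt()
    if pos != len(pattern):
        raise ValueError("unbalanced ')' in pattern")
    return ast


class Matcher:
    def __init__(self, pattern, match_limit=1500, recursion_limit=1500):
        self.ast = parse(pattern)
        self.match_limit = match_limit          # role of SecPcreMatchLimit
        self.recursion_limit = recursion_limit  # role of SecPcreMatchLimitRecursion
        self.steps = 0
        self.depth = 0

    def _m(self, node, text, i, k):
        """Match `node` at offset i, then call continuation k; every call is one step."""
        self.steps += 1
        if self.steps > self.match_limit:
            raise MatchLimitExceeded(f"match limit {self.match_limit} exceeded")
        self.depth += 1
        if self.depth > self.recursion_limit:
            raise MatchLimitExceeded(f"recursion limit {self.recursion_limit} exceeded")
        try:
            kind = node[0]
            if kind == "alt":
                return any(self._m(br, text, i, k) for br in node[1])
            if kind == "seq":
                return self._seq(node[1], 0, text, i, k)
            if kind == "any":
                return i < len(text) and k(i + 1)
            if kind == "char":
                return i < len(text) and text[i] == node[1] and k(i + 1)
            if kind == "start":
                return i == 0 and k(i)
            return i == len(text) and k(i)  # "end"
        finally:
            self.depth -= 1

    def _seq(self, items, idx, text, i, k):
        if idx == len(items):
            return k(i)
        atom, quant = items[idx]
        rest = lambda j: self._seq(items, idx + 1, text, j, k)
        if quant is None:
            return self._m(atom, text, i, rest)
        if quant == "?":
            return self._m(atom, text, i, rest) or rest(i)

        def star(j):
            # Greedy: try one more repetition first, then give it back.
            # The j2 > j guard stops empty repetitions from looping forever.
            return self._m(atom, text, j, lambda j2: j2 > j and star(j2)) or rest(j)

        if quant == "+":
            return self._m(atom, text, i, lambda j: j > i and star(j))
        return star(i)  # "*"

    def search(self, text):
        """Unanchored search like pcre_exec; the step budget spans all start offsets."""
        self.steps = 0
        for start in range(len(text) + 1):
            if self._m(self.ast, text, start, lambda j: True):
                return True
        return False


def evaluate_rule(pattern, text, match_limit=1500, recursion_limit=1500):
    """Mirror the three outcomes ModSecurity reports for an @rx rule."""
    try:
        matched = Matcher(pattern, match_limit, recursion_limit).search(text)
    except MatchLimitExceeded:
        return "limit exceeded"
    return "matched" if matched else "no match"


if __name__ == "__main__":
    # Constructed inputs: a benign hit, then a catastrophic-backtracking case.
    print(evaluate_rule("(a+)+$", "aaaa"))          # matched
    print(evaluate_rule("(a+)+$", "a" * 25 + "b"))  # limit exceeded
```

The second call never finishes under an unbounded engine in any useful time, which is exactly the situation the directives exist for; a rule that trips the limit is reported as a limits error rather than silently skipped, matching the "PCRE messages" entry in the 2.5.13 change log.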
Hi DmitryV,
Is ModSec 2.5.13 working under the Win platform? What did you do to run it well after finding the pcre problem?
Thanks
Breno
DmitryV
Joined: 10 Jan 2011 Posts: 29 Location: Russian Federation, Saint-Petersburg
Posted: Thu 13 Jan '11 14:56 Post subject:
Everything works, but if you write the rules:
SecPcreMatchLimit 1500
SecPcreMatchLimitRecursion 1500
Apache 2.2.17 VC9 from apachelounge.com on OS Server 2008 R2 crashes the module.
Last edited by DmitryV on Thu 13 Jan '11 16:42; edited 1 time in total
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 13 Jan '11 15:41 Post subject:
Wham bam thank you ma'am, down she goes.
BUT, it's not that easy.
Apache 2.2.17 VC6 XP Pro will not start, so this is confirmed.
Apache 2.2.17 VC9 on Vista has no problem at all with these two rules.
Apache 2.3.11-dev VC9 XP also has no problem.
So there is something else that is interacting with these and it might be the core rules. The VC6 build is using core rules, the 2.3-dev is using GotRoot rules and the Vista is just using the basic example rules since it's just for testing post build.
@maskego & Tjerk, you were right.

DmitryV
Joined: 10 Jan 2011 Posts: 29 Location: Russian Federation, Saint-Petersburg
Posted: Fri 14 Jan '11 16:30 Post subject:
I tested: installed on a clean 2008 R2 Server; at first it does not start, I had to install Microsoft Visual C++ Redistributable Package vcredist_x86.exe ver. 9.0.30729.17, after which it starts, but there is still an error - the directives SecPcreMatchLimit and SecPcreMatchLimitRecursion cause httpd to crash at startup.
crash:
Apache 2.2.7 x32 from apachelounge.com
mod-security 2.2.13 x32 apachelounge.com
Apache 2.2.7 -32 Apache Haus
mod-security 2.2.13 -32 Apache Haus
works:
Apache 2.2.7 from apachelounge.com
mod-security 2.2.12 apachelounge.com
DmitryV
Joined: 10 Jan 2011 Posts: 29 Location: Russian Federation, Saint-Petersburg
Posted: Fri 28 Jan '11 17:30 Post subject:
PS: The crash in version 2.2.13 occurs if these statements are included:
SecPcreMatchLimit 1500
SecPcreMatchLimitRecursion 1500
Without these instructions version 2.2.13 runs.
On version 2.2.12 with these instructions everything is normal.
DmitryV
Joined: 10 Jan 2011 Posts: 29 Location: Russian Federation, Saint-Petersburg
Posted: Sat 05 Mar '11 0:32 Post subject:
Can someone rebuild 2.5.13 with native support for the instructions:
SecPcreMatchLimit 1500
SecPcreMatchLimitRecursion 1500
5.2.13 does not support these lines; with them it crashes, without them the module works.
somnang
Joined: 08 Apr 2011 Posts: 61
Posted: Sun 10 Apr '11 6:39 Post subject:
Thank you DmitryV for the tips.
After I got ModSecurity v2.5.12, I happened to see your post, and if you are right, I might go back to testing v2.5.13 again.
I also want everyone to know that this
#
# Mitigate Slowloris-type slow HTTP attacks
#
SecReadStateLimit 100
causes ModSec v2.5.12 to give an error.
Here's the actual error echoed out.
[Sun Apr 10 00:28:01 2011] [debug] mod_so.c(246): loaded module userdir_module
Syntax error on line 10 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/modsecurity/experimental_rules/modsecurity_crs_11_slow_dos_protection.conf:
Invalid command 'SecReadStateLimit', perhaps misspelled or defined by a module not included in the server configuration
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 10 Apr '11 7:44 Post subject:
Correct, if you read the change log for 2.5.13 you will see that directive/rule was added in 2.5.13, so it will not be in 2.5.12:
* Add SecReadStateLimit to limit the number of concurrent threads in BUSY connections per ip address