somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Wed 20 Apr '11 21:57 Post subject: mod_security v2.6 RC1 is out |
|
|
Can someone compile this in VC9 or VC10 please? |
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 21 Apr '11 21:51 Post subject: |
|
|
VC9 x86 or x64
This is an RC though so absolutely no guarantees other than it loads for me in 2.2.17.
Edit: use newer version available here.
Last edited by glsmith on Fri 13 Jan '12 22:30; edited 1 time in total |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Fri 22 Apr '11 22:32 Post subject: |
|
|
ooh.. thank you smith.. you are awesome... |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Tue 26 Apr '11 3:58 Post subject: |
|
|
I just wanna let you know this module is not working. It crashes Apache upon startup. I am using Apache 2.2.17 VC9 x86 |
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Tue 26 Apr '11 5:08 Post subject: |
|
|
is possible .. being a RC
but that is what 2.5.13 was doing yes?
I am thinking something in the rules is trying to use something not implemented in windows ... would explain some things |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Tue 26 Apr '11 10:28 Post subject: |
|
|
I guess I am still stuck with version 2.5.12 of mod_security2.so for now. |
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Tue 26 Apr '11 22:32 Post subject: |
|
|
Well,
Via this thread here;
http://www.apachelounge.com/viewtopic.php?t=3781
Dmitry has identified the rules that cause the collapse of the module as
# PCRE Tuning
SecPcreMatchLimit 3000
SecPcreMatchLimitRecursion 3000
There is something to be said here. I am not sure which version of PCRE Steffen uses to build his mod_security, I used the latest (8.12) to build that.
Knowing Steffen builds Apache w/o any modification to the source, there quite frankly could be a conflict as the PCRE included in the Apache source package is 5.0 and dated 13-Sep-2004. Unfortunately, mod_security will no longer build with that version and is why there is a DLL included in downloads these days.
What I have found in my Apache 2.2.17 logs is;
[Tue Apr 26 13:09:10 2011] [notice] ModSecurity for Apache/2.6.0-rc1 (http://www.modsecurity.org/) configured.
[Tue Apr 26 13:09:10 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.10 2010-06-25"
[Tue Apr 26 13:09:10 2011] [warn] ModSecurity: Loaded PCRE do not match with compiled!
So oops, I did not replace the DLL on my system. You should not see this however cause that pcre dll is 8.12.
It still seems that there could be some kind of funny goings on when it comes to the pcre linked to Apache and the one linked in the module. If there is some collision, (same function name in both but entirely different in the newer) there is room for problems since this module is loaded into Apache.
or
Maybe it is calling a function in APR that is not implemented in Windows (say setting unix file permissions), this could cause the module to crash which would bring down Apache.
Quite frankly, there are new people working on the module beginning between 2.5.12 & 2.5.13 as well as in the middle of 2.6.0. This could have something to do with it as well.
What shows in the event log after Apache crashes? Google up the 0x0000### id code and see what it says. The module may be trying to modify, lock, clear memory space it does not own. That's typically a blue screen of death event, just Windows doesn't BSOD much these days.
Once you have the error, take it to mod_security's bug reporting tracker.
I've been using 2.5.13 since the day it came out on both 2.2.17 and 2.3.11/2.3.12-dev at various levels of revisions and have had NO problem. The caveat is, on 2.2.17 I use a couple year old core rules set, on 2.3 I use the Got Root rules.
You can try commenting out these lines in your rules set;
SecPcreMatchLimit 3000
SecPcreMatchLimitRecursion 3000
If it doesn't crash then, read up on those rules and tweak them. Maybe the defaults are the problem. Maybe they are too high for what may be set in the PCRE the module is linked to. However, on a quick inspection I see;
#define MATCH_LIMIT 10000000
#define MATCH_LIMIT_RECURSION MATCH_LIMIT
so it's probably not those defaults. There's simply a lot of possibilities to the cause of the problem. |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Wed 27 Apr '11 2:19 Post subject: |
|
|
Thank you very much Smith for your in depth analysis on the problem. But I felt I had left something out.
I am using apache_2.2.17-x86-openssl-1.0.0d.msi compiled by Anindya via Visual C++ 2008 (VC9) compiler from what I read. Task Manager reports that it is running two httpd.exe 32* processes.
My PCRE Tuning is set like so as its default:
Code: | # PCRE Tuning
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000 |
I have commented out both of the presets but it still crashes Apache. When I say "crash" I mean I get "The requested operation has failed!" without any errors being logged. ALL logs remain at 0-byte file size. Upon further investigation with the "httpd.exe -e debug", I get this response.
Code: | Syntax error on line 20 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/modsecurity/mod_security.conf:
ModSecurity: Failed to open debug log file: C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/modsec_debug.log |
And this is what is causing it:
Code: | 001
002 # Basic configuration options
003 SecRuleEngine On
004 SecRequestBodyAccess On
005 SecResponseBodyAccess Off
006
007 # PCRE Tuning
008 SecPcreMatchLimit 1000
009 SecPcreMatchLimitRecursion 1000
010
011 # Handling of file uploads
012 # TODO Choose a folder private to Apache.
013 # SecUploadDir /opt/apache-frontend/tmp/
014 SecUploadKeepFiles Off
015 SecUploadFileLimit 10
016
017 # Debug log
018 #SecFilterDebugLog logs/modsec_debug_log
019 #SecFilterDebugLevel 4
020 SecDebugLog logs/modsec_debug.log
021 SecDebugLogLevel 0
022
023 # Serial audit log
024 SecAuditEngine RelevantOnly
025 SecAuditLogRelevantStatus ^5
026 SecAuditLogParts ABIFHZ
027 SecAuditLogType Serial
028 SecAuditLog logs/modsec_audit.log |
If I were to comment out line 20, I will get an error on line 28. That is what crashes Apache. Yeah I do not get a BSoD but Apache refuses to start with the failed error I mentioned above.
And one more clarification. httpd.exe will not be on Task Manager when it can't start. I mention the httpd.exe *32 process because it shows two processes only if I use mod_security2.so version 2.5.12. When I try other versions of ModSecurity, httpd.exe will not show on Task Manager because it crashes.
I could not find:
#define MATCH_LIMIT 10000000
#define MATCH_LIMIT_RECURSION MATCH_LIMIT
anywhere on mod_security.conf. I am exhausting my effort on the latest ModSecurity and its latest Core Rule Set because of one thing, DDoS protection. I don't believe DDoS protection Rules will work on mod_security v2.5.12.
If you can shed some light on this last paragraph above, I will put this to rest if it can't be resolved. At this time, I am attempting to venture into an uncharted territory for me; and that is trying to compile the latest version of ModSecurity to work with the VC9 Apache.
Thank you very much Smith for hints and helping resolve this headache of mine. |
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 3:42 Post subject: |
|
|
Certainly, this;
#define MATCH_LIMIT 10000000
#define MATCH_LIMIT_RECURSION MATCH_LIMIT
is in config.h in the PCRE source code. You will not see that in any rules or mod_security itself.
However, seeing what I am seeing, I have a huge clue as to what that one problem is.
Windows Vista, 2008 & Win7 are a new beast, they have strong permissions in them to stop the constant daily threat of malware eating up the system that has become rampant on Windows XP and prior. Another pain is they have a very strong hold on the "Program Files" folder/s as well as Docs & Settings folders. This is where permissions really play a part. If you start Apache from a Command Prompt run as Administrator, you should not see that. Except on 2008 Server, I can not start Apache from the command prompt regardless of Admin or not regardless of where Apache is installed.
If you are running as a service I cannot see where there should be any problem, but I have never since 1998 installed Apache in that location (Apart from the very first time). I found it was so much easier to just put in C:\ApacheXX where XX is either 2, 22, 23 or nothing at all which was the case in Apache 1.3 way back when.
My suggestion is to get Apache out of Program Files and into the C root. But that will only fix the part about not being able to open the log file.
But then if commenting out these two directives/rules (your line 8 & 9);
SecPcreMatchLimit 3000
SecPcreMatchLimitRecursion 3000
still doesn't allow Apache to run "as a service", then there is something deeper going on. But if I put those in my rules, even on XP, Apache will crash. I should look back at that thread myself and see if there's an event log error id on it.
When I look it only hurt me on Windows XP w/ Apache 2.2.17 VC6 build. |
|
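The "Failed to open debug log file" error above comes from ModSecurity resolving `logs/modsec_debug.log` under the Apache install directory and failing to create the file there. As an added example (not code from any poster in this thread or from the ModSecurity project), this Python pre-flight check resolves each path-taking directive against a server root and attempts a real file create; the function names, `SAMPLE_CONF` and the `C:\Apache22` location are assumptions made for illustration.

```python
import os
import tempfile

# Directives from the configuration above whose argument is a path ModSecurity writes to.
PATH_DIRECTIVES = {"SecDebugLog": "file", "SecAuditLog": "file", "SecUploadDir": "dir"}

# Constructed sample: the log-related lines of the mod_security.conf posted above.
SAMPLE_CONF = """\
# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
"""

def probe(folder):
    """Create and discard a scratch file in folder; return None or the reason it failed."""
    if not os.path.isdir(folder):
        return "directory does not exist"
    try:
        # A real create is used because os.access() on Windows does not evaluate ACLs.
        with tempfile.TemporaryFile(dir=folder):
            return None
    except OSError as exc:
        return "cannot create files: %s" % exc.strerror

def check_log_paths(conf_text, server_root):
    """Return (line_no, directive, resolved_path, problem) for each path directive."""
    results = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0] not in PATH_DIRECTIVES:
            continue  # blank line, comment, or a directive that takes no path
        name, arg = parts[0], parts[1].strip().strip('"')
        if arg.startswith("|"):
            continue  # piped logger, nothing to open on disk
        # Assumption: relative paths resolve against ServerRoot, as the error text above shows.
        path = arg if os.path.isabs(arg) else os.path.join(server_root, arg)
        folder = path if PATH_DIRECTIVES[name] == "dir" else os.path.dirname(path)
        results.append((line_no, name, path, probe(folder)))
    return results

if __name__ == "__main__":
    # Hypothetical install location; run as the account the Apache service uses.
    for row in check_log_paths(SAMPLE_CONF, r"C:\Apache22"):
        print(row)
```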
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 3:51 Post subject: |
|
|
Other possibility;
VC9 redistributable, seems both the original and the SP1 versions are needed since no one knows what is built with which. I build with SP1, if that Apache is built with the original, or you have only installed the original, there is a possibility for problems there as well. Why SP1 doesn't seem to be backwards compatible I've never bothered to figure out, but it gets me in PHP 5.3 on one machine only. |
|
maskego
Joined: 16 Apr 2010 Posts: 238
|
Posted: Wed 27 Apr '11 5:13 Post subject: |
|
|
I tried to install on Win32 with the package mod_security-2.6.0-rc1-2.2.17-x86.zip downloaded from this site.
The Apache 2.x logs are shown below:
There seems to be no error when Apache restarts.
And, how do I know mod_security is installed correctly? There is no access denied when I type http://xxx.xxx.xxx.xxx/xxx/?abc=../../
Code: |
[Wed Apr 27 11:13:28 2011] [notice] Server built: Jan 18 2008 00:37:19
[Wed Apr 27 11:13:28 2011] [notice] Parent: Created child process 3888
[Wed Apr 27 11:13:28 2011] [notice] Child 1328: Released the start mutex
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity for Apache/2.6.0-rc1 (http://www.modsecurity.org/) configured.
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: APR compiled version="1.4.3-r1091861"; loaded version="1.2.12"
[Wed Apr 27 11:13:29 2011] [warn] ModSecurity: Loaded APR do not match with compiled!
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: LIBXML compiled version="2.7.7"
[Wed Apr 27 11:13:29 2011] [notice] Child 1328: All worker threads have exited.
[Wed Apr 27 11:13:29 2011] [notice] Child 1328: Child process is exiting
[Wed Apr 27 11:13:30 2011] [notice] Child 3888: Child process is running
[Wed Apr 27 11:13:30 2011] [notice] Child 3888: Acquired the start mutex.
[Wed Apr 27 11:13:30 2011] [notice] Child 3888: Starting 64 worker threads.
[Wed Apr 27 11:13:30 2011] [notice] Child 3888: Starting thread to listen on port 80.
|
|
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 5:42 Post subject: |
|
|
This tells you it is working, at least it is loading.
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity for Apache/2.6.0-rc1 (http://www.modsecurity.org/) configured.
Wait a minute! APR compiled into that Apache is 1.2.12, that is way old. What version of Apache are you using? APR 1.3.0 came with Apache 2.2.9, so 2.2.8? Seriously, get with the times. There have been a slew of security related fixes since then, one being in mod_isapi which is win specific.
the ?abc=../../ won't forbid without this and it should
Code: | # Test mod_security
# below rule should flag http://www.xxxx.com/?abc=../../
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'" |
Last edited by glsmith on Wed 27 Apr '11 5:52; edited 1 time in total |
|
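The startup notices quoted in this thread report, for each library, the version ModSecurity was compiled against and the version actually loaded into Apache. As an added example (not from the posters or the ModSecurity project), this Python parser reads those notices and classifies each pair; the function names and status labels are assumptions, and the sample lines are copied from the two logs posted above.

```python
import re

# Startup notice format, as it appears in the Apache error logs quoted above.
VERSION_LINE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]+)"'
    r'(?:; loaded version="(?P<loaded>[^"]+)")?'
)

# Log lines copied from the two posts above.
GLSMITH_LOG = [
    '[Tue Apr 26 13:09:10 2011] [notice] ModSecurity: PCRE compiled '
    'version="8.12"; loaded version="8.10 2010-06-25"',
]
MASKEGO_LOG = [
    '[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: APR compiled '
    'version="1.4.3-r1091861"; loaded version="1.2.12"',
    '[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: PCRE compiled '
    'version="8.12"; loaded version="8.12 2011-01-15"',
    '[Wed Apr 27 11:13:29 2011] [notice] ModSecurity: LUA compiled version="Lua 5.1"',
]

def numeric_version(text):
    """Leading dotted number as a tuple: '8.10 2010-06-25' -> (8, 10)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(part) for part in m.group(0).split(".")) if m else ()

def audit_startup(log_lines):
    """Return (library, compiled, loaded, status) for each version notice."""
    findings = []
    for line in log_lines:
        m = VERSION_LINE.search(line)
        if not m:
            continue
        lib, compiled, loaded = m.group("lib", "compiled", "loaded")
        if loaded is None:
            status = "no-runtime-version"  # line reports only the build-time version
        else:
            built, running = numeric_version(compiled), numeric_version(loaded)
            if running == built:
                status = "match"
            elif running < built:
                status = "loaded-older"  # module was built against a newer library
            else:
                status = "loaded-newer"
        findings.append((lib, compiled, loaded, status))
    return findings

if __name__ == "__main__":
    print(*audit_startup(GLSMITH_LOG + MASKEGO_LOG), sep="\n")
```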
maskego
Joined: 16 Apr 2010 Posts: 238
|
Posted: Wed 27 Apr '11 5:52 Post subject: |
|
|
glsmith,
I installed Apache 2.2.8 only. And the package mod_security-2.6.0-rc1-2.2.17-x86.zip seems to work fine.
It's good news for mod_security-2.6.0-rc1-2.2.17-x86.zip.
Under the same environment on my system, mod_security 2.5.13 made Apache 2.2.8 crash.
By the way, the access denied message shows when I add the code you provided.
glsmith wrote: | This tells you it is working, at least it is loading.
[Wed Apr 27 11:13:29 2011] [notice] ModSecurity for Apache/2.6.0-rc1 (http://www.modsecurity.org/) configured.
Wait a minute! APR compiled into that Apache is 1.2.12, that is way old. What version of Apache are you using?
the ?abc=../../ won't forbid with what you have shown above, but add this and it should
Code: | # Test mod_security
# below rule should flag http://www.xxxx.com/?abc=../../
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'" |
|
Last edited by maskego on Wed 27 Apr '11 5:59; edited 3 times in total |
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 5:55 Post subject: |
|
|
I guess if it works, it works!
There could become issues somewhere cause of the 3 year old APR however. |
|
maskego
Joined: 16 Apr 2010 Posts: 238
|
Posted: Wed 27 Apr '11 5:57 Post subject: |
|
|
I checked the logs again and found the warning message shown below.
And how do I make this warning disappear?
Code: |
[warn] ModSecurity: Loaded APR do not match with compiled!
|
glsmith wrote: | I guess if it works, it works!
There could become issues somewhere cause of the 3 year old APR however. |
|
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 6:08 Post subject: |
|
|
You can't.
I made the mistake of using a newer APR than what was released with 2.2.17, but that is APR 1.4.2. I'll rebuild Apache 2.2.17 and the module but even then you will still get that warning unless you upgrade to 2.2.17. |
|
maskego
Joined: 16 Apr 2010 Posts: 238
|
Posted: Wed 27 Apr '11 6:09 Post subject: |
|
|
How to upgrade APR only?
glsmith wrote: | I guess if it works, it works!
There could become issues somewhere cause of the 3 year old APR however. |
|
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 6:26 Post subject: |
|
|
Doesn't work that way really, I guess it may be able to be done but then you have an Apache linked to a different version of APR than you have installed. Really you should upgrade the entire Apache for security reasons. What is stopping you? |
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 27 Apr '11 7:04 Post subject: |
|
|
an r2 x86 module is there for 2.2.17 |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Wed 27 Apr '11 12:46 Post subject: |
|
|
I have an update on what works and what does not work. I have recently done tests which you can call "trial-and-error" if it comes to that.
From what I can tell, these different versions of modules crash due to different Core Rule Sets. So I set out to test which rules cause the crash. I used "mod_security-2.5.12-win32.zip" as supplied by this site. After I learned that it was the rule set that causes the crash, I went on and tested other versions of mod_security as compiled by glsmith. Here's the list of mod_security that works.
mod_security-2.5.12-win32
mod_security-2.6.0-rc1-x86
mod_security-2.6.0-rc1-2.3.11-x86
mod_security-2.6.0-rc1-2.2.17-x86-r2
Those mod_sec work if I do not use these Rule Sets:
Code: | experimental_rules/modsecurity_crs_40_profiler.conf
experimental_rules/modsecurity_crs_41_advanced_filters.conf
experimental_rules/modsecurity_crs_55_response_profiling.conf
-
optional_rules/modsecurity_crs_49_header_tagging.conf
optional_rules/modsecurity_crs_55_application_defects.conf |
There were a couple more Rule Sets that do not work, but at the time of the trial-and-error process I chose to delete those files instead of loading them one at a time just to find out which Rule Set was causing it. But it was definite that these 5 were the main cause of crashing.
You'd ask then why "mod_security-2.5.13-win32" was not in the list? Well, I tested that too but it just would not want to load. Maybe it works if I disable more Rule Sets but it would be too hectic to go through all of them. So in this process, I have ruled out that 13 was the unlucky number indeed. lol
Thank you Smith for all of your help. I appreciate it a lot. |
|