I have upgraded mod_security to 2.5.10

  • I have upgraded mod_security to 2.5.10

    I can no longer post on my forum after updating mod_security to 2.5.10.

    I have followed http://www.vbulletin.com/go/modsecurity which fixed the admincp.

    Errorlog:

    [Tue Nov 10 02:13:11 2009] [error] [client 10.10.1.2] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 15): ASP/JSP source code leakage"] [hostname "www.xxxxxxxxxx.com"] [uri "/new/forumdisplay.php"]

    [Tue Nov 10 02:15:07 2009] [error] [client 10.10.1.2] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 60): Detects JavaScript location/document property access and window access obfuscation"] [hostname "www.xxxxxxxx.com"] [uri "/new/newthread.php"]

    I don't want to have to disable mod_security for the whole site.
    Can anyone advise on configuring mod_security, please?
    Last edited by Satviewers; Tue 10 Nov '09, 8:48am.
    www.ezhost365.com

  • #2
    You need to configure your mod_security rules better to allow vBulletin to operate. It even tells you which rules it's matching.



    • #3
      Originally posted by Zachery
      You need to configure your mod_security rules better to allow vBulletin to operate. It even tells you which rules it's matching.
      Hi,

      Can you advise on how to configure the mod_security rules for the logs I posted?

      I should be able to go from there then, with any other problems with it, thanks.
      www.ezhost365.com



      • #4
        No, you need to do this yourself. I don't know your rules; review the rules that are breaking the site and adjust/remove them as necessary.



        • #5
          It's a standard install. I have made no changes to it.


          modsecurity_crs_60_correlation.conf
          Code:
          SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
              "chain,phase:5,t:none,log,pass,severity:'0',msg:'Correlated Successful Attack Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Data Leakage (%{tx.msg}) - (Transactional Anomaly Score: %{TX.ANOMALY_SCORE})'"
                  SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
          
          # Correlated Attack Attempt 
          #
          SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
              "chain,phase:5,t:none,log,pass,severity:'1',msg:'Correlated Attack Attempt Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Application Error (%{tx.msg}) - (Transactional Anomaly Score %{TX.ANOMALY_SCORE})'"
              SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
          
          # Alert on High Anomaly Scores
          #
          #SecRule TX:ANOMALY_SCORE "@ge 40" \
          #    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
          
          # Alert on any anomalies
          #
          SecRule TX:ANOMALY_SCORE "@ge 5" \
              "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
          
          SecMarker END_CORRELATION
          www.ezhost365.com



          • #6
            You should contact the makers of mod_security or a forum about it for more help.

            Why are you running mod_security?



            • #7
              I'm another one who has mod_security 2 on his server. I think that people use mod_sec for security purposes. Since it's clear that VB4 has problems with mod_sec (I've had VB 3.8.4 and never had any problem with mod_sec; now I've updated and I have many problems. Other script I've installed doesn't have any problem with it), shouldn't it be simpler for you to post instructions on how to disable it for the forum or how to configure it correctly to work with VB4?

              I think that service is not telling a customer to ask the maker of mod_sec, since the problem is not mod_sec but VB4 that interferes in any way with it. Service is helping the customer.



              • #8
                mod_security period has caused a considerable amount of trouble to vBulletin over the years. If you're going to install and configure a security program you should likely be more familiar with it. What is mod_security actually doing for you aside from not letting your vbulletin 4 installation not operate correctly?

                There is no "default" ruleset, they provide you a list of preconfigured rules which you can choose to use/not use. You need to look over your logs, and adjust your rules.

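The log review suggested in post #8, as an added example that is not part of the original thread: a Python sketch that extracts the `[key "value"]` fields from the two error-log entries in post #1 and groups the anomaly scores by URI. The function names are hypothetical; the sample lines are copied from the page.

```python
import os
import re
from collections import defaultdict

# The two error-log entries from post #1 (hostnames were already masked on the page).
SAMPLE_LOG = r'''
[Tue Nov 10 02:13:11 2009] [error] [client 10.10.1.2] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 15): ASP/JSP source code leakage"] [hostname "www.xxxxxxxxxx.com"] [uri "/new/forumdisplay.php"]
[Tue Nov 10 02:15:07 2009] [error] [client 10.10.1.2] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 60): Detects JavaScript location/document property access and window access obfuscation"] [hostname "www.xxxxxxxx.com"] [uri "/new/newthread.php"]
'''

# Matches [key "value"]; unquoted brackets such as [error] or [client ...] are skipped.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Matches the msg template of the "@ge 5" rule shown in post #5.
SCORE_RE = re.compile(r'Transactional Anomaly Score \(score (\d+)\): (.*)')


def parse_entry(line):
    """Return the quoted fields of one ModSecurity error-log line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    match = SCORE_RE.match(fields.get("msg", ""))
    if match:
        fields["score"] = int(match.group(1))
        fields["reason"] = match.group(2)
    return fields


def summarize(log_text):
    """Group scored entries by URI as (score, reason, rule file), highest first."""
    by_uri = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and "score" in entry:
            rule_file = os.path.basename(entry.get("file", ""))
            by_uri[entry.get("uri", "?")].append(
                (entry["score"], entry["reason"], rule_file))
    return {uri: sorted(hits, reverse=True) for uri, hits in by_uri.items()}


if __name__ == "__main__":
    for uri, hits in summarize(SAMPLE_LOG).items():
        for score, reason, rule_file in hits:
            print(f"{uri}: score {score} ({rule_file}): {reason}")
```

In both entries the `[file]` and `[line]` fields point at the `@ge 5` scoring rule quoted in post #5, and the text after the score is that rule's `%{tx.msg}` expansion.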
