Hi Igor.

I found out the error was missing to include in the OWASP rules, but I couldn't 
compile the standalone mode in version 3 of ModSecurity, can you tell if it 
supports it? I'm writing a howto and sending it and already sending the link.

Regards.

On Friday, May 1, 2020 00:19:29 GMT-4, Igor Cicimov <ig...@encompasscorporation.com> wrote:
 
 Hi Ricardo,

On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa <spidersl...@yahoo.com.br> wrote:

 Of course, it would be a pleasure, but I still couldn't get it to work. 
Following Igor's script I even managed to build it, but it is generating the 
following log.

------------------- begin ---------------------
1588299971.657027 [07] 0 clients connected
1588299971.657000 [09] 0 clients connected
1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
1588299974.851698 [01] <1> read_frame_cb
1588299974.851765 [01] <1> New Frame of 129 bytes received
1588299974.851774 [01] <1> Decode HAProxy HELLO frame
1588299974.851777 [01] <1> Supported versions : 2.0
1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
1588299974.851789 [01] <1> HAProxy supports frame pipelining
1588299974.851797 [01] <1> HAProxy supports asynchronous frame
1588299974.851800 [01] <1> HAProxy engine id : a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
1588299974.851803 [01] <1> Encode Agent HELLO frame
1588299974.851810 [01] <1> Agent version : 2.0
1588299974.851813 [01] <1> Agent maximum frame size : 16380
1588299974.851816 [01] <1> Agent capabilities : 
1588299974.851830 [01] <1> write_frame_cb
1588299974.851856 [01] <1> Frame of 54 bytes send
1588299974.851905 [01] <1> read_frame_cb
1588299974.851916 [01] <1> New Frame of 617 bytes received
1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=617 - offset=7
1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1 - length=610 bytes
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
1588299974.852090 [01] Add action : set variable code=4294967195
1588299974.852098 [01] <1> write_frame_cb
1588299974.852125 [01] <1> Frame of 30 bytes send
1588299976.656052 [01] 1 clients connected
1588299976.657844 [04] 0 clients connected
1588299976.657858 [02] 0 clients connected

----------------------
1588300001.660228 [08] 0 clients connected
1588300001.660241 [09] 0 clients connected
1588300001.660250 [01] 1 clients connected
1588300004.852590 [01] <1> read_frame_cb
1588300004.852619 [01] <1> New Frame of 49 bytes received
1588300004.852632 [01] <1> Decode HAProxy DISCONNECT frame
1588300004.852640 [01] <1> Disconnect status code : 2
1588300004.852647 [01] <1> Disconnect message : a timeout occurred
1588300004.852653 [01] <1> Peer closed connection: a timeout occurred
1588300004.852660 [01] <1> Encode Agent DISCONNECT frame
1588300004.852666 [01] <1> Disconnect status code : 2
1588300004.852671 [01] <1> Disconnect message : a timeout occurred
1588300004.852685 [01] <1> write_frame_cb
1588300004.852694 [01] Failed to write frame length : Broken pipe
1588300004.852704 [01] <1> Release client
1588300006.655592 [08] 0 clients connected
1588300006.655676 [09] 0 clients connected
1588300006.655608 [03] 0 clients connected
1588300006.655685 [01] 0 clients connected
---------------------------

Any idea?

When I compile with the new version it shows me the following message:


config.status: executing depfiles commands
config.status: executing libtool commands
configure: WARNING: unrecognized options: --disable-apache2-module, --enable-standalone-module, --enable-pcre-study, --enable-pcre-jit, --with-apxs
 
 
my config:

---------- haproxy.cfg--------
global
 maxconn 50000
 user haproxy

defaults

 timeout connect 10s
 timeout client 30s
 timeout server 30s
 mode http
 maxconn 3000

frontend my-front
 bind 0.0.0.0:80
 mode http
 filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
 http-request deny if { var(txn.modsec.code) -m int gt 0 }
 default_backend webservers


backend spoe-modsecurity
 mode tcp
 server modsec-spoa1 192.168.10.120:12345

backend webservers
 mode http
 balance roundrobin
 server web1 192.168.10.81:80 check

--------------------------

------------- spoe-modsecurity.conf ------

[modsecurity]
spoe-agent modsecurity-agent
 messages check-request
 option var-prefix modsec
 timeout hello 100ms
 timeout idle 30s
 timeout processing 15ms
 use-backend spoe-modsecurity
spoe-message check-request
 args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
 event on-frontend-http-request

-----------------

--------modsecurity.conf----------
SecStatusEngine On
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
 "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
 "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
 "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /opt/modsecurity/var/audit/
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127

----------------------------

Any idea?

Regards. 

I personally do not see any errors in the log you posted, it looks all normal 
to me. Which part of the log is concerning to you? I think those timeout errors 
are a normal way of closing the connection to spoe but I might be wrong :-/

Igor  
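
An added example, not part of the original thread and not code from HAProxy or the SPOA project: a small Python parser for the agent debug log quoted above that lists each `set variable` action with its logged value and the same value reinterpreted as a signed 32-bit integer, plus the DISCONNECT reasons. The sample lines are copied from the log in the message; the function names and the signed reinterpretation are assumptions of this example.

```python
import re
import struct

# Lines copied from the agent log quoted above (e-mail line wraps removed).
SAMPLE_LOG = """\
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
1588299974.852090 [01] Add action : set variable code=4294967195
1588300004.852632 [01] <1> Decode HAProxy DISCONNECT frame
1588300004.852647 [01] <1> Disconnect message : a timeout occurred
1588300004.852671 [01] <1> Disconnect message : a timeout occurred
1588300004.852694 [01] Failed to write frame length : Broken pipe
"""

LINE = re.compile(r"^(\d+\.\d+) \[(\d+)\] (?:<\d+> )?(.*)$")
STREAM = re.compile(r"^STREAM-ID=(\d+) - FRAME-ID=(\d+)$")
SET_VAR = re.compile(r"^Add action : set variable (\w+)=(\d+)$")
DISCONNECT = re.compile(r"^Disconnect message : (.+)$")

def as_int32(value):
    """Reinterpret an unsigned 32-bit value as signed (an assumption about the encoding)."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]

def summarize(log_text):
    """Return (verdicts, disconnects) found in an SPOA debug log."""
    verdicts, disconnects, last_stream = [], [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separators, blank lines
        ts, worker, msg = float(m.group(1)), m.group(2), m.group(3)
        s, v, d = STREAM.match(msg), SET_VAR.match(msg), DISCONNECT.match(msg)
        if s:  # ACK header: remember which stream/frame this worker answers
            last_stream[worker] = (int(s.group(1)), int(s.group(2)))
        elif v:
            logged = int(v.group(2))
            verdicts.append({
                "ts": ts, "worker": worker, "stream": last_stream.get(worker),
                "var": v.group(1), "logged": logged, "signed": as_int32(logged),
                # the haproxy.cfg above denies when var(txn.modsec.code) is gt 0
                "gt_zero_as_logged": logged > 0,
            })
        elif d:
            disconnects.append((ts, worker, d.group(1)))
    return verdicts, disconnects

if __name__ == "__main__":
    for item in summarize(SAMPLE_LOG):
        print(item)
```

For the log above this reports `code=4294967195` on stream 12, which is -101 when read as a signed 32-bit integer; how HAProxy types that value when it evaluates `var(txn.modsec.code) -m int gt 0` is not shown in the thread.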
