c# - ModSecurity default installation running on IIS 10.0 with CRS rule set generating a lot of errors


I have installed ModSecurity on IIS 10.0 running on Windows 10. The "clean" install generates a lot of errors when visiting the default IIS site.

Looking at eventvwr, a single request to localhost produces a total of 14 new errors.

Every event has the following description:

The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

EventData:

    [client ] modsecurity: ipmatch: bad ipv4 specification "". [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule processing failed. [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 15448555590 [id "981172"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 154485cd4a0 [id "981243"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: ipmatch: bad ipv4 specification "". [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule processing failed. [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 15448555590 [id "981172"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 154485cd4a0 [id "981243"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 15448555590 [id "981172"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 154485cd4a0 [id "981243"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
    [client ] modsecurity: collections_remove_stale: failed access dbm file "c:/inetpub/temp/ip": access denied. [hostname "hostname"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
    [client ] modsecurity: collections_remove_stale: failed access dbm file "c:/inetpub/temp/global": access denied. [hostname "hostname"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
    [client ] modsecurity: rule 15448555590 [id "981172"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
    [client ] modsecurity: rule 154485cd4a0 [id "981243"][file "c:\/program files/modsecurity iis/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - execution error - pcre limits exceeded (-8): (null). [hostname "hostname"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]

What I have done:

Installed ModSecurity v2.9.1 for IIS (MSI installer, 64 bits) and the Visual Studio 2013 runtime (vcredist).

Downloaded the OWASP ModSecurity Core Rule Set (CRS) from https://github.com/spiderlabs/owasp-modsecurity-crs and put the folder in c:\program files\modsecurity iis. Changed the name of crs-setup.conf.example to crs-setup.conf.

Under \rules, renamed request-900-exclusion-rules-before-crs.conf.example and response-999-exclusion-rules-after-crs.conf.example so that they no longer contain .example.

Modified modsecurity_iis.conf to the following:

    Include modsecurity.conf
    Include modsecurity_crs_10_setup.conf
    Include owasp_crs\base_rules\*.conf

    #owasp-rules
    Include owasp-modsecurity-crs/crs-setup.conf
    Include owasp-modsecurity-crs/rules/request-900-exclusion-rules-before-crs.conf
    Include owasp-modsecurity-crs/rules/request-901-initialization.conf
    Include owasp-modsecurity-crs/rules/request-905-common-exceptions.conf
    Include owasp-modsecurity-crs/rules/request-910-ip-reputation.conf
    Include owasp-modsecurity-crs/rules/request-911-method-enforcement.conf
    Include owasp-modsecurity-crs/rules/request-912-dos-protection.conf
    Include owasp-modsecurity-crs/rules/request-913-scanner-detection.conf
    Include owasp-modsecurity-crs/rules/request-920-protocol-enforcement.conf
    Include owasp-modsecurity-crs/rules/request-921-protocol-attack.conf
    Include owasp-modsecurity-crs/rules/request-930-application-attack-lfi.conf
    Include owasp-modsecurity-crs/rules/request-931-application-attack-rfi.conf
    Include owasp-modsecurity-crs/rules/request-932-application-attack-rce.conf
    Include owasp-modsecurity-crs/rules/request-933-application-attack-php.conf
    Include owasp-modsecurity-crs/rules/request-941-application-attack-xss.conf
    Include owasp-modsecurity-crs/rules/request-942-application-attack-sqli.conf
    Include owasp-modsecurity-crs/rules/request-943-application-attack-session-fixation.conf
    Include owasp-modsecurity-crs/rules/request-949-blocking-evaluation.conf
    Include owasp-modsecurity-crs/rules/response-950-data-leakages.conf
    Include owasp-modsecurity-crs/rules/response-951-data-leakages-sql.conf
    Include owasp-modsecurity-crs/rules/response-952-data-leakages-java.conf
    Include owasp-modsecurity-crs/rules/response-953-data-leakages-php.conf
    Include owasp-modsecurity-crs/rules/response-954-data-leakages-iis.conf
    Include owasp-modsecurity-crs/rules/response-959-blocking-evaluation.conf
    Include owasp-modsecurity-crs/rules/response-980-correlation.conf
    Include owasp-modsecurity-crs/rules/response-999-exclusion-rules-after-crs.conf

Restarted IIS and checked Event Viewer. Have I missed something, or is this normal behavior?

Regarding the description, I found this:

This is a warning. ModSecurity is letting you know about a given request. The "Windows description" of the event can be ignored. Look at the content...

https://github.com/spiderlabs/modsecurity/issues/877#issuecomment-267712103

1. Execution error - PCRE limits exceeded (-8): (null)

Modified the values in modsecurity.conf to the following:

    SecPcreMatchLimit 500000
    SecPcreMatchLimitRecursion 500000

Instead of reading data from the event log, I started using the audit log. It can be enabled via modsecurity.conf. Set the format to JSON instead of Native to read the log file programmatically. Remember to give the user IIS_IUSRS access to the logs folder and files.

    # -- Audit log configuration -------------------------------------------------

    # Log the transactions that are marked by a rule, as well as those that
    # trigger a server error (determined by a 5xx or 4xx, excluding 404,
    # level response status codes).
    #
    SecAuditLogFormat JSON

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

    # Log everything we know about a transaction.
    SecAuditLogParts ABIJDEFHZ

    # Use a single file for logging. This is much easier to look at, but
    # assumes that you will use the audit log only occasionally.
    #
    SecAuditLogType Serial
    SecAuditLog c:\inetpub\logs\modsec_audit.log

    # Specify the path for concurrent audit logging.
    SecAuditLogStorageDir c:\inetpub\logs\
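The 14 events quoted in the question reduce to a few root causes once they are grouped by message type and rule id. The triage script below is an added example, not part of the original post; the function names and category labels are assumptions, and the sample is constructed from the messages shown above.

```python
import re
from collections import Counter

# Constructed sample, assembled from the messages quoted in the question.
TAIL = ' [hostname "hostname"] [uri "/"] [unique_id "18158513704000290822"]'
SQLI = ("c:\\/program files/modsecurity iis/owasp_crs/base_rules/"
        "modsecurity_crs_41_sql_injection_attacks.conf")
PCRE = " - execution error - pcre limits exceeded (-8): (null)."
SAMPLE = [
    '[client ] modsecurity: ipmatch: bad ipv4 specification "".' + TAIL,
    "[client ] modsecurity: rule processing failed." + TAIL,
    f'[client ] modsecurity: rule 15448555590 [id "981172"][file "{SQLI}"][line "157"]{PCRE}{TAIL}',
    f'[client ] modsecurity: rule 154485cd4a0 [id "981243"][file "{SQLI}"][line "245"]{PCRE}{TAIL}',
    '[client ] modsecurity: collections_remove_stale: failed access dbm file '
    '"c:/inetpub/temp/ip": access denied.' + TAIL,
]

ENTRY = re.compile(r'modsecurity:\s*(?P<body>.*?)\s*\[hostname "[^"]*"\]\s*\[uri "(?P<uri>[^"]*)"\]', re.I)
RULE = re.compile(r'\[id "(?P<id>\d+)"\]\[file "(?P<file>[^"]+)"\]\[line "(?P<line>\d+)"\]')
DBM = re.compile(r'dbm file "(?P<path>[^"]+)"', re.I)
# Hypothetical category labels, checked in order against the lower-cased message body.
KINDS = [("pcre limits exceeded", "pcre_limit"), ("ipmatch", "ipmatch_bad_spec"),
         ("dbm file", "collection_access_denied"), ("rule processing failed", "rule_processing_failed")]

def split_events(blob):
    """Split run-together event data at each '[client ' marker."""
    return [part.strip() for part in re.split(r"(?=\[client )", blob) if part.strip()]

def parse(message):
    """Return kind, uri and rule/file/DBM details for one message, or None if it does not match."""
    m = ENTRY.search(message)
    if not m:
        return None
    body = m.group("body")
    kind = next((name for needle, name in KINDS if needle in body.lower()), "other")
    rule, dbm = RULE.search(body), DBM.search(body)
    return {"kind": kind, "uri": m.group("uri"),
            "rule_id": rule.group("id") if rule else None,
            "file": rule.group("file") if rule else None,
            "dbm": dbm.group("path") if dbm else None}

def summarize(messages):
    """Count messages per (kind, rule id or DBM path) so repeats collapse into root causes."""
    counts = Counter()
    for rec in filter(None, map(parse, messages)):
        counts[(rec["kind"], rec["rule_id"] or rec["dbm"])] += 1
    return counts

if __name__ == "__main__":
    for (kind, detail), n in summarize(split_events(" ".join(SAMPLE * 2))).items():
        print(f"{n:3d}  {kind:26s} {detail or ''}")
```

On the question's data, every PCRE error points at one file under owasp_crs/base_rules, which is loaded by the owasp_crs\base_rules\*.conf include line rather than by the owasp-modsecurity-crs/rules includes.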
