any one can help for this issue :
configure: looking for Apache module support via DSO through APXS

Hi. I want to install Mod-Security on Apache ( I use Ubuntu ).
When I configure with this code
./configure

The result will be:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
configure: looking for Apache module support via DSO through APXS
configure: found APXS at /usr/bin/apxs2
configure: looking for libmodsecurity
configure: error: couldn't find libmodsecurity

I'm not even sure that the package is already installed (truly) or no...
Help Me Pls...

In the past during the transition from ModSecurity 1 to ModSecurity 2, it was chosen to rename the module as mod_security2.so. Naturally the version 3 will be called mod_security3 and so on.

After a recent discussion on the mailing list, some users bought to our attention that the name of the module should be only mod_security. That will make easy further upgrades, as it may not need to change anything configuration wise, only upgrade their systems with newer version.

The benefit of that should be well study, as the consequences. Depending on the results we should move forward to rename it or not.

When I send a request_uri is "/index.php?act=seller_center&op=statistics&rand=24954191" and my rule is "SecRule REQUEST_URI "@beginswith /index.php?act=store"
"id:1004,phase:1,pass,nolog,
ctl:ruleRemoveById=949110" but rule id 1004 that his uri is not match the "/index.php?act=seller_center&op=statistics&rand=24954191"，and I found the request I send has match the rule that his id is 1004 why？ The operator beginwith is not a exact match？

I feel logging events is a nice thing to have but for the more severe attacks we need a more aggressive firewall solution... for example right now in my apache logs I get automated scanners which most of us probley do as well

54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 1930 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 1917 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 1917 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 403 1910 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /mysql/scripts/setup.php HTTP/1.1" 403 1912 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /admin/scripts/setup.php HTTP/1.1" 403 1912 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /dbadmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /PMA/scripts/setup.php HTTP/1.1" 403 1910 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /sqladmin/scripts/setup.php HTTP/1.1" 403 1915 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /db/scripts/setup.php HTTP/1.1" 403 1909 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /cpadmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /sqladm/scripts/setup.php HTTP/1.1" 403 1913 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /phpMyAdmin2/scripts/setup.php HTTP/1.1" 403 1918 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:16 -0800] "GET /my/scripts/setup.php HTTP/1.1" 403 1909 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:16 -0800] "GET /cpadmindb/scripts/setup.php HTTP/1.1" 403 1916 "-" "ZmEu"

Looks like modesecurity does its job and gives back a 403 here which is great but now we have a stupid IP address up to no good and scanning our webserver which could probley escalate to more severe attacks later on.

I feel that bad guys should not only have the request blocked but the attacking IP as well so that it gets DROP in the iptables firewall after the first detection

54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 1930 "-" "ZmEu"

followed by...

iptables -I INPUT -s 54.39.182.83 -j DROP
iptables -I FORWARD -s 54.39.182.83 -j DROP
iptables -I OUTPUT -d 54.39.182.83 -j DROP

if you get tons of false positives with this solution the end user will probley let you know in some fashion that they can no longer access your webserver

Performance is a key element, specially in large deployments. We don't want the user to disappointed by the bad performance results after an upgrade.

Notice however that the expectancy of performance change a little bit, later throughout was prioritized over latency. In version 3 latency is treated as the most important factor.

This is in reference to the issue which I created recently here .

The GET requests containing attack signatures are not detected. However the same signatures sent over POST are detected.

Im using
latest modsecurity version with owasp CRS 3.0 and my environment is setup correct.
I'm facing this issue since I pulled this commit

Use the Log Parser utility to make sure that results aren't different from version 2 to version 3.

Use the OWASP version 3.

The log parser utility is available here:
https://github.com/SpiderLabs/ModSecurity-log-utilities

One of the main goals of having the test solution is to speed up the development process and improve the QA. We already have different sets of tests listed below:

• Tests for ModSecurity/nginx
  https://github.com/SpiderLabs/ModSecurity-nginx/tree/master/tests
• Tests for ModSecurity version 2
  https://github.com/SpiderLabs/ModSecurity/tree/master/tests/regression
• Tests for libModSecurity
  https://github.com/SpiderLabs/ModSecurity/tree/v3/master/test/test-cases/regression
• Tests for the OWASP CRS
  https://github.com/SpiderLabs/OWASP-CRS-regressions

We have to have a manner to run those tests against Apache/ModSecurity3, so that we can make sure that the Apache binding is acting in the same fashion of the other bindings. Also, we may want to have Apache specific tests.

Notice that the version 2 test solution may not be the optimal here, as it is very slow. It is important to have those tests running as fast as possible.

hi guys
i compiled libmodsecurity and it's installed in /usr/local/modsecurity/lib.
when i tried to compile apache connector it says : Libmodsecurity not found.
I put /usr/local/modsecurity/lib in /etc/ld.so.conf + ldconfig but didn't work. then i copied * in /usr/local/modsecurity/lib to /usr/lib.

whereis libmodsecurity --> libmodsecurity: /usr/lib/libmodsecurity.so /usr/lib/libmodsecurity.la /usr/lib/libmodsecurity.a /usr/local/lib/libmodsecurity.so /usr/local/lib/libmodsecurity.la /usr/local/lib/libmodsecurity.a

apache-connector --> ./configure and it says : ModSecurity headers not found

I checked find_libmodsec.m4 and it seems that everything is ok. I have this dir:/usr/local/modsecurity/
and modsecurity is in : /usr/local/modsecurity/include/modsecurity. but i don't know what is wrong ?
im tired of testing if anyone could help me i would appreciate it.

Using the latest libmodsecurity and ModSecurity-apache connector, section F of the audit log shows lots of duplicates.

---rs603yed---F-- HTTP/1.1 200 Connection: close Connection: close Connection: close Connection: close Connection: close Connection: close Connection: close Connection: close Connection: close Connection: close Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8 Content-Type: text/html;charset=UTF-8

Using ModSecurity-apache connector (latest), post body injections are not inspected. When compared with the exact same post body with a different server running ModSecurity 2.9.1, it it properly blocked (403 forbidden). Something is wrong that its not inspecting the post body.

Using the same servers, if I use a <script> tag in the referer header, both systems block it. So it appears request headers are inspected, but post body is not.

Hi All:

I trying use modsecurity3 with Apache 2.4 on FreeBSD 12.0 amd64.
I pulled latest commit for modsecurity-apache connector and build successful.
(Output: /usr/local/libexec/apache24/mod_security3.so)
And add below line into httpd.conf (Exist modsecurity2 removed).
LoadModule security3_module libexec/apache24/mod_security3.so

Start Apache but got error as below.
.# service apache24 restart
Performing sanity check on apache24 configuration:
Segmentation fault (core dumped)

FreeBSD default compiler: Clang/LLVM 6.0.1.
Build by "gcc8" got same issue.

Please let me know what is going wrong/debug hint.
Thanks a lot.

• State that the project is currently under development
• State the milestones and the development phase
• State the compilation instructions

In general we should mimic what we have here:
https://github.com/SpiderLabs/ModSecurity-nginx

Hello,

This is what I did :

I first compiled libmodsecurity in /usr/local/httpd-2.4.33 and edited the configure to find libmodsecurity

Here is my script

export LIBRARY_PATH=/usr/local/httpd-2.4.33/lib/
cd /somepath/ModSecurity-apache-master
./autogen.sh
./configure --with-apxs=/usr/local/httpd-2.4.33/bin/apxs --with-libmodsecurity=/usr/local/httpd-2.4.33
make -j4
make install

So now I can't find the module and I don't know how to install it with apache

Can you help please?

Hi,

I have raised an issue here describing chain rules syntax. I'm posting it here as suggested by @victorhora .

Kindly let me know what is wrong.

The build process should be clear and informative to the user. If something fails, the error message should be clear enough to allow the user to figure the problem by himself. Otherwise we will have more requests in the community that we can answer. It worth to spent that time now.

We are refactoring the modsecurity-docker repository, and we saw that the ModSecurity-apache binary is built in the Dockerfile from source.

And while the installation process is simple, we would prefer to simply install a binary or a package for a target platform, for several reasons:

• Building, testing and attaching a version number should be part of the release process of the software, not the build process of a Docker image.
• ModSecurity binaries we ship with an image should be available also separately, outside of the Docker image.
• If there are any dependencies they should be covered by the software's build process to make installation easy on and independent from installation processes of ModSecurity's target platforms.

Are you planning on releasing ModSecurity-apache packages here on GitHub? Is there anything that we can help you with getting that realized?

It is very important that this module behave in the same manner for different Apache versions:

• Version 2.0
• Version 2.2
• Version 2.4
• Trunk (aka 2.5)

If not possible to behave in the exactly same manner, a pretty print error message should be presented to the user.

Change the code to have it using the same coding style that we have on others v3 connectors.

Currently implementation is not looking into all phases that we current support on libModSecurity. It it mandatory to have it working on all the phases.

As part of the first milestone, we have to have:

• Configuration directive to: enable, disable or place ModSecurity in detection only mode.
• Configuration to load the rules, from: file, remote location, local injection.

Those should be very similar to what we have at the ModSecurity-nginx connector.

Later, as a second milestone we can improve that to actually support ModSecurity directives among the Apache ones.

Notice: Configuration merge should be applied and respected in all scenarios.

The connector name later will appear in the logs, so we want to have it pretty print. Also, we want to make sure that are no memory leaks, so cleanup the ModSecurity initialization will be also need.

https://github.com/SpiderLabs/ModSecurity-apache/blob/master/apache_http_modsecurity.c#L129-L132

The Apache configuration directives are available in v2 here:
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/apache2_config.c#L3180-L3923

This functionality have to be mimic-ed into something related on version 3. In case of an error, the error message could differ a little bit but to logic should prevail. Run time errors should be treated in run time. Startup error should be handled into startup phase.

A feature that is not supported in v3 any longer, should generate a warning but it should not block the web server startup.

A special note on memory consumption. Memory consumption to load the configurations was proved to be a critical point in may use case. Therefore it should be treated with special attention.

@Goron1606 commented on Fri Aug 31 2018

Hello,

Am using,

ModSecurity v3.0.2 (Linux)
ModSecurity-Apache v0.1.1-beta connector
OWASP_CRS/3.0.2

In 2.x version I use to see unique_id in logs.

Example:-

[Fri Aug 31 02:03:53.739234 2018] 
[:error] 
[pid 29998] 
[client 192.168.4.13] 
ModSecurity: Warning. Pattern match "^[\\\\d.+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "792"] 
[id "920350"] 
[msg "Host header is a numeric IP address"] 
[data "192.168.4.251"] 
[severity "WARNING"] 
[ver "OWASP_CRS/3.1.0"] 
[tag "application-multi"] 
[tag "language-multi"]
 [tag "platform-multi"] 
[tag "attack-protocol"] 
[tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] 
[tag "WASCTC/WASC-21"] 
[tag "OWASP_TOP_10/A7"] 
[tag "PCI/6.5.10"] 
[hostname "192.168.4.251"]
 [uri "/login.php"] 
[unique_id "W4kEeX8AAQEAAHUu-mgAAAAA"]

However, In 3.0.2 version i don't see unique_id in the audit logs. There is only id and server_id parameters.

{
  "transaction": {
    "client_ip": "192.168.4.18",
    "time_stamp": "Fri Aug 31 16:52:59 2018",
    "server_id": "0f06644c20899021750765326d9572e94fb287b9",
    "client_port": 50486,
    "host_ip": "example.com",
    "host_port": 0,
    "id": "15357145790.848493",
    "request": {
      "method": "GET",
      "http_version": 1.1,
      "uri": "/admin.htm",
      "headers": {
        "Host": "example.com",
        "Connection": "keep-alive",
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/68.0.3440.106 Chrome/68.0.3440.106 Safari/537.36",
        "DNT": "1",
        "Cookie": "autho=456dfgdfg",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9"
      }
    },
    "response": {
      "http_code": 403,
      "headers": {}
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.2 (Linux)",
      "connector": "ModSecurity-Apache v0.1.1-beta",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/3.0.2\""
      ]
    },
    "messages": []
  }
}

How can I relate the server's UNIQUE_ID given by mod_unique_id with the mod-security audit logs.

Is there anything am missing?
How can I deduce a relationship from audit logs with UNIQUE_ID?

Please let me know.

@victorhora commented on Fri Aug 31 2018

I think this is not implemented for the Apache connector. In libModSecurity, unique transaction IDs are generated by modsecurity::utils::generate_transaction_unique_id() so as not to rely on an external module and become more independent.

I finally managed to get libmodsecurity and modsecurity-apache compiled and installed, both from upstream latest versions.

However, it seems none of the commands are recognized although the apache module is loaded:

NEXUSIV /etc/apache2/modules.d # /etc/init.d/apache2 start
 * apache2 has detected an error in your setup:
AH00526: Syntax error on line 7 of /etc/apache2/modules.d/79_mod_security.conf:
Invalid command 'SecDataDir', perhaps misspelled or defined by a module not included in the server configuration
 * ERROR: apache2 failed to start
NEXUSIV /etc/apache2/modules.d #

Now my questions are:

• Is libmodsecurity3 / apache useable at all?
• is there any documentation on difference / configuration between 2.x and 3.x?

Hi,

I am trying to get Apache2 to use modsecrity3 however itcomplains about a problem with the supplied crs-setup.conf. The error that is given is:

Rules error. File: /etc/apache2/modsec/owasp-modsecurity-crs/crs-setup.conf. Line: 771. Column: 31. SecDefaultActions can only be placed once per phase and configuration context. Phase 1 was informed already.

However, this is the same file that I successfully used for Nginx and only contains the following, uncommented, configuration:

SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
SecCollectionTimeout 600
SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=302"

Line 771 is the

t:none,\

line.

Any help would be much appreciated.

Thanks!

Debug messages are just welcomed when it is asked for. Uses Apache debugging schema instead of using hard-coded comments and code snippets.

I notice the README was last updated 2 years ago. I'm wondering if all the information contained there is still current, for example this statement:

NOTICE: libmodsecurity is not feature complete and it is not considerable stable, so use is undertaken at your own risk.

That's referring to the core project (not this connector)? If so, then it is at least stable now AFAIK if not feature complete.

Thanks.

We tested the ModSecurity-apache connector with libmodsecurity and with the recent fix I was provided, I can get requests going through, but there's a significant volume of segmentation faults that we're seeing.

I can send a request through Burpsuite and get a response and sometimes I would get a blank response (segfault). The error was logged in the apache error_log (/var/log/httpd). We tested this with Centos7 using Apache 2.4 yum install.

despite of everything compiled fine "make install" does not install mod_security3.so
into the apache modules folder. I have httpd version 2.4.33.
is it a normal v3 behavior?

Hello.

I managed to successfully install libModsecurity and make it work with apache2 :

• Ubuntu 18.04
• LibModsecurity v3.0.2
• Apache 2.4.29 (from apt lists)

I followed the steps described in this Dockerfile.

However I encountered some dysfunctions while configuring my virtual hosts, that I think should be reported. My virtualHost use the "modsecurity_rules_file" directive pointing to a security.conf, as following :

modsecurity_rules_file  /etc/apache2/sites-enabled/waf-lab-www.lab/security.conf

I figured out that if this line is followed by a empty line, this error is shown in the journalctl :

Failed to open the file: /etc/apache2/sites-enabled/waf-lab-www.lab/security.conf\n

Removing the empty line make the path correct, so my configuration was successfully imported. However , the file was still not parsed correctly, as show the following journalctl error message

waf-v3 apachectl[1144]: Rules error. File: /etc/apache2/sites-enabled/waf-lab-www.lab/security.conf. Line: 2. Column: 61. Invalid input:  SecAuditLog\t\t"/var/log/apache2/waf-lab-www.lab/security.log

I managed to make it work removing the tabulations in my file and replacing them by white spaces.

My VHost File :

<VirtualHost *:80>
        ServerName      waf-lab-www.lab
        ServerAlias     waf-lab-www

        Redirect         "/"                            "https://waf-lab-www.lab/"

</VirtualHost>

<VirtualHost *:443>
        ServerName      waf-lab-www.lab
        ServerAlias     waf-lab-www

        CustomLog       /var/log/apache2/waf-lab-www.lab/access.log     common
        ErrorLog        /var/log/apache2/waf-lab-www.lab/error.log

        SSLEngine       On
        SSLProxyCheckPeerCN     On
        SSLProxyEngine          On
        SSLCertificateFile      "/etc/ssl/certs/waf-lab-www.lab.crt"
        SSLCertificateKeyFile   "/etc/ssl/private/waf-lab-www.lab.key"

        <Proxy *>
                Redirect permanent      "/normal.php"                   "/redirected.php"
        </Proxy>

        ProxyPreserveHost       On
        ProxyRequests           On
        ProxyPass               "/"                             "http://192.168.56.50/"
        ProxyPassReverse        "/"                             "http://192.168.56.50/"

        modsecurity_rules_file '/etc/apache2/sites-enabled/waf-lab-www.lab/security.conf'
</VirtualHost>

Imported security.conf :

SecRuleEngine On
SecAuditLog "/var/log/apache2/waf-lab-www.lab/security.log"
SecAuditLogFormat JSON

PS : Thank you for this great library :)

Please update the README with some basic usage instructions. For example, something like this:

Usage

Add the following configuration to your Apache httpd.conf

LoadModule security3_module modules/mod_security3.so
modsecurity on
modsecurity_rules_file /path/to/your/modsecurity_rules.conf

Hello,
i compiled libmodesecurity.so v3 and then i also compiled the apache connector.
when i load the module in my httpd.conf with this directive:

LoadModule security3_module modules/mod_security3.so

I get the following error:

Starting httpd: httpd: Syntax error on line 202 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_security3.so into server: /etc/httpd/modules/mod_security3.so: undefined symbol: msc_update_status_code  [FAILED]

What msc_update_status_code is? I couldn't found anything relate to that.

I lead to compile by myself the whole library because with the precompiled version in the centos 6 i couldn't use the modsecurity directive:

SecAuditLogFormat JSON

Do you know if with the modsecurity v3 i will have this directive enabled for httpd in centos 6?
Thank you

Antonio

Howdy,

This connector requires a newer version of autoconf that CentOS 6.x does not provide. Are there direct requirements that would keep this connector from using CentOS 6.x?

 ~/git/ModSecurity-apache ‹master› # ./autogen.sh
configure.ac:3: error: Autoconf version 2.68 or higher is required
configure.ac:3: the top level
autom4te: /usr/bin/m4 failed with exit status: 63
aclocal: autom4te failed with exit status: 63
autoreconf: aclocal failed with exit status: 63

Hi everyone,

I'm compiling the recent ModSecurity V3 with the Apache connector. ModSecurity is compiled with these options

./configure --prefix=/opt/modsecurity --enable-parser-generation --without-lua

My Apache (2.4.29) is located at /opt/apache/
So my configure arguments for the connector are

./configure --prefix=/opt/modsecurity --with-apxs=/opt/apache-2.4.29/bin/apxs --with-apache=/opt/apache-2.4.29/bin/httpd --with-libmodsecurity=/opt/modsecurity/

but somehow this parameter is not recognized:

checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/gmkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
configure: looking for Apache module support via DSO through APXS
configure: found APXS at /opt/apache-2.4.29/bin/apxs
configure: looking for libmodsecurity
configure: error: couldn't find libmodsecurity

is this a known error? My config.log is attached.

Thanks and regards,
Daniel
config.log

Hello,

I would like to package modsecurity-apache for Archlinux but I am encountering the following issues :

./configure --prefix=/usr --with-libmodsecurity=/usr/lib
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
configure: looking for Apache module support via DSO through APXS
configure: found APXS at /usr/sbin/apxs
configure: looking for libmodsecurity
configure: error: couldn't find libmodsecurity

make DESTDIR="$pkgdir/" install
...
/usr/share/apr-1/build/libtool --mode=install install ./src/.libs/mod_security3.so /usr/lib/httpd/modules/
libtool: install: install ./src/.libs/mod_security3.so /usr/lib/httpd/modules/mod_security3.so
install: cannot create regular file '/usr/lib/httpd/modules/mod_security3.so': Permission denied
apxs:Error: Command failed with rc=65536

The workaround for configure is :

V3LIB=/usr/lib/libmodsecurity.so ./configure --prefix=/usr --with-libmodsecurity=/usr/lib

The workaround for install is to patch the makefile to remove the -i flag of the apxs command and do a manual copy to the expected destination.

Could you consider fixing the configure script, please, and honor the DESTDIR variable at make install stage ?

Thank you very much in advance !
Cheers.

Hello!

Do you know something about packaging for Debian?
AFAIK only v2 is packaged although lib v3 is available but that cannot be used directly in Apache 2.4.x
Thanks.

I want to install latest stable modsecurity for apache on Ubuntu and Centos.
But when I am installing using 'yum install mod_security' it is installing 2.9.2 version.
The 3.0.3 version is not available in repositories?
I would have to install it by compiling source code only?

I'm using
ModSecurity v3.0.3 (Linux)

I pulled latest commit for modsecurity-apache just to test whether post data is accessible by ARGS_POST.

I'm getting the below error in apache error logs.

[Thu Nov 22 11:57:20.005976 2018] [core:notice] [pid 3768] AH00051: child pid 3823 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Thu Nov 22 11:57:20.015739 2018] [watchdog:debug] [pid 3832] mod_watchdog.c(565): AH02980: Watchdog: nothing configured?
[Thu Nov 22 11:57:20.016621 2018] [proxy:debug] [pid 3832] proxy_util.c(1785): AH00925: initializing worker proxy:reverse shared
[Thu Nov 22 11:57:20.016965 2018] [proxy:debug] [pid 3832] proxy_util.c(1827): AH00927: initializing worker proxy:reverse local
[Thu Nov 22 11:57:20.017503 2018] [proxy:debug] [pid 3832] proxy_util.c(1878): AH00931: initialized single connection worker in child 3832 for (*)

Please let me know what is going wrong.

Originally posted by @Goron1606 in #22 (comment)

Hi All:

I trying use modsecurity3 with Apache 2.4 on FreeBSD 12.0 amd64.
I pulled latest commit for modsecurity-apache connector.

FreeBSD default compiler: Clang/LLVM 6.0.1
So part of ./configure result as below.
.# ./configure --with-libmodsecurity=/usr/local
checking for gcc...
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking whether cc understands -c and -o together... yes
checking dependency style of cc... none
checking how to run the C preprocessor... cc -E
checking for ANSI C header files... yes

Later, test the issue #59 tried to build by "gcc8"
Part of ./configure result as below.
.# ./configure --with-libmodsecurity=/usr/local CC=/usr/local/bin/gcc8
checking for gcc... /usr/local/bin/gcc8
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking whether we are using the GNU C compiler... yes
checking whether /usr/local/bin/gcc8 accepts -g... yes
checking for /usr/local/bin/gcc8 option to accept ISO C89... none needed
checking whether /usr/local/bin/gcc8 understands -c and -o together... yes
checking dependency style of /usr/local/bin/gcc8... none
checking how to run the C preprocessor... /usr/local/bin/gcc8 -E
checking for gcc... (cached) /usr/local/bin/gcc8
checking whether we are using the GNU C compiler... (cached) yes
checking whether /usr/local/bin/gcc8 accepts -g... (cached) yes
checking for /usr/local/bin/gcc8 option to accept ISO C89... (cached) none needed
checking whether /usr/local/bin/gcc8 understands -c and -o together... (cached) yes
checking dependency style of /usr/local/bin/gcc8... (cached) none

But make always use system "cc"(Clang/LLVM 6.0.1)
Argument "CC" won't work look like.

Please let me know what is going wrong.
Thanks a lot.

ModSecurity apache connector is based on the ModSecurity version 2 module. The version 3 is using the same hooks of version 2, but for some reason the directories and locations directives are not being merged as expected, therefore leading to configuration errors.

The configuration merge should happens in the same fashion for version 2 and 3.

what is the process to setup "apt-get install libmodsecurity3" ?
I could only find information on nginx but not apache.

At the module startup we should have a banner to tell the version and everything else that may help during issue reporting process.

on Solaris 11 make failed

uname -a
SunOS 5.11 11.3 sun4v sparc sun4v

./autogen.sh
/usr/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB
/usr/share/aclocal/aalib.m4:12: run info '(automake)Extending aclocal'
/usr/share/aclocal/aalib.m4:12: or see http://www.gnu.org/software/automake/manual/automake.html#Extending-aclocal
configure.ac:8: installing ./install-sh' configure.ac:8: installing ./missing

./configure --with-apache=/opt/IBMIHS/bin/httpd --with-apxs=/opt/IBMIHS/bin/apxs --with-libmodsecurity=/usr/local/modsecurity
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/gmkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
configure: looking for Apache module support via DSO through APXS
configure: found APXS at /opt/IBMIHS/bin/apxs
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... none
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/ggrep
checking for egrep... /usr/bin/ggrep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
configure: looking for libmodsecurity
checking for msc_init in -lmodsecurity... yes
checking modsecurity/modsecurity.h usability... yes
checking modsecurity/modsecurity.h presence... yes
checking for modsecurity/modsecurity.h... yes
checking if apache is wanted... yes
expr: syntax error
expr: syntax error
checking apache modules... in /opt/IBMIHS/modules
checking for perl... /usr/bin/perl
Loaded Modules:
core_module (static)
mpm_worker_module (static)
http_module (static)
suexec_module (static)
so_module (static)
authz_host_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_user_module (shared)
include_module (shared)
log_config_module (shared)
env_module (shared)
expires_module (shared)
headers_module (shared)
unique_id_module (shared)
setenvif_module (shared)
proxy_module (shared)
proxy_http_module (shared)
mime_module (shared)
autoindex_module (shared)
asis_module (shared)
info_module (shared)
cgid_module (shared)
dir_module (shared)
actions_module (shared)
alias_module (shared)
rewrite_module (shared)
status_module (shared)
mpmstats_module (shared)
backtrace_module (shared)
whatkilledus_module (shared)
Syntax OK
Loaded Modules:
core_module (static)
mpm_worker_module (static)
http_module (static)
suexec_module (static)
so_module (static)
authz_host_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_user_module (shared)
include_module (shared)
log_config_module (shared)
env_module (shared)
expires_module (shared)
headers_module (shared)
unique_id_module (shared)
setenvif_module (shared)
proxy_module (shared)
proxy_http_module (shared)
mime_module (shared)
autoindex_module (shared)
asis_module (shared)
info_module (shared)
cgid_module (shared)
dir_module (shared)
actions_module (shared)
alias_module (shared)
rewrite_module (shared)
status_module (shared)
mpmstats_module (shared)
backtrace_module (shared)
whatkilledus_module (shared)
Syntax OK
Found Apache with MPM Worker, .
./configure[4396]: [: argument expected
./configure[4399]: [: argument expected
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking dependency style of gcc... (cached) none
configure: creating ./config.status
config.status: creating Makefile
config.status: creating build/apxs-wrapper
config.status: creating tests/regression/server_root/conf/httpd.conf
config.status: creating tests/regression/misc/40-secRemoteRules.t
config.status: creating tests/regression/misc/60-pmfromfile-external.t
config.status: creating tests/regression/misc/50-ipmatchfromfile-external.t
config.status: creating tests/run-regression-tests.pl
config.status: executing depfiles commands

make
chmod +x build/apxs-wrapper
build/apxs-wrapper
/opt/IBMIHS/build/libtool --silent --mode=compile cc -prefer-pic -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE -g -I/opt/IBMIHS/include -I/opt/IBMIHS/include -I/opt/IBMIHS/include -fPIC -O0 -I/usr/local/modsecurity/include/ -c -o src/mod_security3.lo src/mod_security3.c && touch src/mod_security3.slo
/opt/IBMIHS/build/libtool: line 848: cc: command not found
apxs:Error: Command failed with rc=65536
.
*** Error code 1
make: Fatal error: Command failed for target `all'

One of the ModSecurity logging features depending on write content on the webserver logging. In order to write in the webserver log, we need to create an wrapper/callback inside this apache module, that wrapper will be called by libModSecurity, presenting some content to be saved.

The callback used with the nginx implementation is available here:
https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/src/ngx_http_modsecurity_log.c#L25-L32

It seems like the code deserves a refactoring to put all the headers in the right place. It seems that we have files just for headers inclusions, that does not sounds elegant.

Currently all the files belongs to the root of the repository. We may want to change that, to have the sources under `src', a directory for the tests and so on.

The repository organization should follow the others ModSecurity bindings directories, as the example of the nginx module:
https://github.com/SpiderLabs/ModSecurity-nginx

Hello dev teams,

I installed Apache + Modsecurity v3 using this connector. I added CRS and tested it with CRS regression. I had many errors. And then i found that request body cannot be read. I checked source code and compared to Modsecurity v2. Then I saw that it lacked of code before msc_process_request_body (in hook_request_late). In Modsecurity v2, there is code before that function to read request body.

Pulling my hair out with this.

I built libmodsecurity from source, and it seems to of installed properly... Here's what I get:

$ ls -halF /usr/local/modsecurity/lib/

drwxr-xr-x    3 root     root        4.0K Jan 30 20:10 ./
drwxr-xr-x    5 root     root        4.0K Jan 30 20:10 ../
-rw-r--r--    1 root     root       83.7M Jan 30 20:09 libmodsecurity.a
-rwxr-xr-x    1 root     root        1.0K Jan 30 20:09 libmodsecurity.la*
lrwxrwxrwx    1 root     root          23 Jan 30 20:09 libmodsecurity.so -> libmodsecurity.so.3.0.3*
lrwxrwxrwx    1 root     root          23 Jan 30 20:10 libmodsecurity.so.3 -> libmodsecurity.so.3.0.3*
-rwxr-xr-x    1 root     root       45.8M Jan 30 20:09 libmodsecurity.so.3.0.3*
drwxr-xr-x    2 root     root        4.0K Jan 30 20:10 pkgconfig/

Looks like it's installed...

$ pwd

/usr/src/ModSecurity-apache

That's where https://github.com/SpiderLabs/ModSecurity-apache is cloned to...

./configure

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
configure: looking for Apache module support via DSO through APXS
configure: found APXS at /usr/local/apache2/bin/apxs
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... none
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
configure: looking for libmodsecurity
checking for msc_init in -lmodsecurity... no
configure: error: ModSecurity libraries not found!

Is what I get when trying to run the configure script.

Is there an option or something I should be passing somewhere to tell the Apache Connector where the libmodsecurity files are? If so, where is any of this documented?

I'm very new to compiling C/C++, and haven't ever really done it before, so sorry if this is really basic stuff.

This is on Alpine, running in a Docker container.

Thanks!