ModSecurity newbie here...
I have installed ModSecurity on IIS 7.5 and got the default ModSecurity rules (including the OWASP CRS ruleset) working. However they were too restrictive for a couple of Joomla sites. So the Atomicorp paid subscription version of the ruleset looked like the perfect solution, so I signed up for the 30 day free trial and was looking forward to the subscription and proactive solution this provides...
I removed the default installation rules and CRS rules, installed the Atomicorp rules and removed the Atomicorp ASL-only rules, but it didn't appear to work at all...
Upon checking my site's application log, ModSecurity reported the following:
Unknown command in config: < LocationMatch
I'm guessing this is an Apache directive that doesn't work in IIS? Is there an alternate code for IIS that would work instead of LocationMatch?
Thanks!
Chris
Realtime security rules on IIS
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Realtime security rules on IIS
Chris wrote: Unknown command in config: < LocationMatch
Yes, that's because IIS doesn't understand LocationMatch. Just comment those out. We'll be putting out an IIS-specific ruleset shortly that doesn't include them.
Michael Shinn
Atomicorp - Security For Everyone
Re: Realtime security rules on IIS
mikeshinn wrote: Yes, that's because IIS doesn't understand LocationMatch. Just comment those out. We'll be putting out an IIS-specific ruleset shortly that doesn't include them.
Thanks! Is there a workaround? I'm more than a little concerned about potential security vulnerabilities arising from disabling those rules...
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Realtime security rules on IIS
Chris wrote: I'm more than a little concerned about potential security vulnerabilities arising from disabling those rules...
No need to worry, disabling those will not cause any vulnerabilities; those LocationMatch rules are used to disable certain rules for certain applications. So commenting those out will just prevent the disabling of certain rules under certain conditions. (That's not the only way we do that, just one of many methods we use.)
We'll be putting out a separate set of the rules that won't include these directives, but will use other means to accomplish the same thing, which should resolve this issue for IIS. We may release these as a special IIS-only set of rules, but our goal is to not have to do that (and just keep all the rules in one set for Apache, nginx and IIS).
Michael Shinn
Atomicorp - Security For Everyone
Re: Realtime security rules on IIS
Makes sense. Thanks! I'd bet some of those were Joomla-specific exceptions, so I'm going to have to check and see if any of those sites are broken or partly broken...not a biggie.
So...I commented all those out, but I'm seeing this a lot in the Windows application log:
1) ModSecurity: ipMatch Internal Error: Invalid ip address.
2) ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
For the second error, I've tried setting ModSecurity's data directory to various places and added all kinds of users to the folder (i.e. IUSR, IIS_IUSR, etc.)...
For the first error - is this an IIS issue, or what is causing that?
Using ModSec 2.7.4 for IIS...
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Realtime security rules on IIS
Chris wrote: Makes sense. Thanks! I'd bet some of those were Joomla-specific exceptions, so I'm going to have to check and see if any of those sites are broken or partly broken...not a biggie.
We've been phasing out LocationMatch for several years, so it's unlikely any of those would affect a modern application like Joomla. Most of the tuning these days uses rule syntax.
Chris wrote: 1) ModSecurity: ipMatch Internal Error: Invalid ip address.
So assuming you only have our rules loaded, that would mean either you are missing the /etc/asl/whitelist file, or your Windows system doesn't support IPv6. The only uses of that directive are for the /etc/asl/whitelist file, so if you have enabled the 00_asl_whitelist.conf file you may need to modify that to fit a path that works for Windows.
Outside of that, it's only used to detect localhost for a few other rules, and the pattern match is always 127.0.0.1,::1
Does your system support IPv6?
Chris wrote: 2) ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
So that means you've got some third-party rules installed; we do not use that. But you need to define SecDataDir anyway so ModSecurity can write its audit_logs. Nevertheless, that error means you're using some rules other than ours; we do not use collections, so you can only get that if you are using rules that do. So you'll either need to remove those rules, or you'll need to ask the authors of those rules for help with their rules.
Michael Shinn
Atomicorp - Security For Everyone
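As an added illustration (not the Atomicorp ruleset's own text), the snippet below contrasts an Apache-only LocationMatch exception with the rule-syntax form the reply above refers to, and shows the SecDataDir and @ipMatch settings behind the two log errors. Rule ids 1000001, 1000002, the disabled rule id 999999 and the data directory path are placeholders.

```apache
# Apache-only form: IIS rejects this with
# "Unknown command in config: < LocationMatch".
<LocationMatch "^/administrator/">
    SecRuleRemoveById 999999
</LocationMatch>

# Platform-agnostic form of the same exception: a phase:1 rule that
# disables rule 999999 for the same URL prefix. ctl:ruleRemoveById must
# run in phase 1 or 2, before the rule it disables is evaluated, so it
# is parsed identically by ModSecurity under Apache, nginx and IIS.
SecRule REQUEST_URI "@beginsWith /administrator/" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=999999"

# SecDataDir backs persistent collections (the "global" collection error
# above comes from rules that initcol/setvar into one). The directory
# must exist and be writable by the IIS worker identity. Placeholder path.
SecDataDir "C:\inetpub\modsecurity\data"

# Localhost detection pattern as described in the reply above. On a host
# without IPv6 support the "::1" entry is what can surface as
# "ipMatch Internal Error: Invalid ip address".
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
    "id:1000002,phase:1,pass,nolog,setvar:tx.is_localhost=1"
```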
- New Forum User
- Posts: 1
- Joined: Tue Aug 13, 2013 10:35 am
- Location: Illinois, USA
Re: Realtime security rules on IIS
Any idea when the IIS-specific version will be released? I am interested in buying a subscription to that ruleset.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Realtime security rules on IIS
IIS compatible rules are now available for testing. LocationMatch is gone, and a full rewrite has been done to make them platform agnostic. Please contact us if you would like to be part of the beta.
Michael Shinn
Atomicorp - Security For Everyone