I just installed the new rules, ran configtest and got the following:
Starting httpd: httpd: Syntax error on line 218 of /etc/httpd/conf/httpd.conf: Syntax error on line 13 of /etc/httpd/conf.d/zz_mod_security.conf: Syntax error on line 467 of /etc/httpd/modsecurity.d/00_asl_rbl.conf: /etc/httpd/modsecurity.d/00_asl_rbl.conf <<\xfbI\x90pC\xca\xf4\xd9E\xd9p\x85\xcd~b\xd5\xbd> was not closed.\n/etc/httpd/modsecurity.d/00_asl_rbl.conf <@\x98\x1fd\x81\xf2\xcc\x8c\xc88<G\xa8\x82c\x88D\xb8+\xedg\x8b\x1dD!\xca\xda\x06\xc6AeW\\\xfbX\xbd\xaf\xddU\xf2?\xe1m\xad;\xfb\xf2\xa3n\x87\xa2\x15\x96\xf8\xcd\x94(zV\b\xe2\xc87\xf0k/\x8e\xc7(J\x89\xeb> was not closed.\n/etc/httpd/modsecurity.d/00_asl_rbl.conf:834: <\x07\xef\x9c\xc8v\xc1\x8eD\x90> was not closed.\n/etc/httpd/modsecurity.d/00_asl_rbl.conf:641: <+\x88\x16.\xc6*\x96G'c\x98\xaf\x8aTlG\x11\x97K\x99\xdc*\xec\x93\x19\xa6\xb1\x1cnY\x06\x98\xafC4\xb6\xa3\x8a\x13\x86kq\x99H=\xab\xce\x92E\x9f\xf3\xb0e,\xe0\xa5\x98\xc6\x96"\x1a\xdbQD8SQ\x93\x99> was not closed.\n/etc/httpd/modsecurity.d/00_asl_rbl.conf:467: <\x7f1\xf2\x16\xa4C\xdb\x02\xdb\xe5\x18\xa6\xb5\x88\x82\xb9\x8b\x0f\x8a\x1b\xd5\x99p\x94\xc0\x8f\xc0\xc2\xd7,\xb0\x18w`\x0f3> was not closed.
I am a little confused as the file mentioned is not in your list of 'files that should only be listed', however it is in your archive.
Problem with new rules?
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: Problem with new rules?
Are you using mod_security 2.5.x?
Re: Problem with new rules?
Package mod_security-2.5.9-1.el5.art.x86_64 already installed and latest version
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Problem with new rules?
That looks like you are loading a gzipped file as a rule file. Check the file and ungzip it.
Michael Shinn
Atomicorp - Security For Everyone
Re: Problem with new rules?
I downloaded your file and ran the following at the shell:
tar -xzvf modsec-2.5-free-latest.tar.gz
modsec/
modsec/10_asl_rules.conf
modsec/domain-blacklist-local.txt
modsec/domain-spam-whitelist.txt
modsec/05_asl_scanner.conf
modsec/malware-blacklist-high.txt
modsec/malware-blacklist.txt
modsec/30_asl_antimalware.conf
modsec/40_asl_apache2-rules.conf
modsec/domain-blacklist.txt
modsec/30_asl_antispam_referrer.conf
modsec/11_asl_data_loss.conf
modsec/05_asl_exclude.conf
modsec/whitelist.txt
modsec/domain-spam-whitelist.conf
modsec/00_asl_rbl.conf
modsec/99_asl_exclude.conf
modsec/trusted-domains.txt
modsec/malware-blacklist-low.txt
modsec/50_asl_rootkits.conf
modsec/60_asl_recons.conf
modsec/30_asl_antispam.conf
modsec/00_asl_whitelist.conf
modsec/trusted-domains.conf
modsec/20_asl_useragents.conf
modsec/10_asl_antimalware.conf
modsec/sql.txt
modsec/99_asl_jitp.conf
modsec/malware-blacklist-local.txt
I then moved all of the files (except the 'scanners') into the /etc/httpd/modsecurity.d folder.
I have also 'attempted' to unzip the file in question, here are the results:
unzip 00_asl_rbl.conf
Archive: 00_asl_rbl.conf
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of 00_asl_rbl.conf or
00_asl_rbl.conf.zip, and cannot find 00_asl_rbl.conf.ZIP, period.
I am sure that I am missing something simple here, just not sure what.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Problem with new rules?
gunzip, not unzip.
That error is definitely because the 00_asl_rbl.conf file is somehow gzipped on your system.
Michael Shinn
Atomicorp - Security For Everyone
Re: Problem with new rules?
Okay, I ran 'gunzip'
gunzip 00_asl_rbl.conf
gunzip: 00_asl_rbl.conf: unknown suffix -- ignored
I have downloaded both files over again and tried them both on 3 different CentOS 5.3 64-bit systems and get the exact same byte count for the file in question on all systems.
So why would this be the only file in the archive that didn't get 'unzipped' but still retained the correct file name? I have downloaded previous files and gone through the same steps with no problem.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Problem with new rules?
I dunno why that would happen on your box, the archive is fine (see below). Maybe something wrong with your tar, gzip or some other binary - or maybe whatever you downloaded it with munged up the archive - equally maybe your upload tool munged the archive? Hard to say, I recommend you download it directly.
$ wget http://downloads.prometheus-group.com/d ... est.tar.gz
--2009-10-20 18:06:24-- http://downloads.prometheus-group.com/d ... est.tar.gz
Resolving downloads.prometheus-group.com...
74.208.97.167
Connecting to downloads.prometheus-group.com|74.208.97.167|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 257587 (252K) [application/x-gzip]
Saving to: `modsec-2.5-free-latest.tar.gz'
100%[======================================>] 257,587 76.7K/s in 3.3s
2009-10-20 18:06:34 (76.7 KB/s) - `modsec-2.5-free-latest.tar.gz' saved [257587/257587]
$ tar zxvf modsec-2.5-free-latest.tar.gz
modsec/
modsec/10_asl_rules.conf
modsec/domain-blacklist-local.txt
modsec/domain-spam-whitelist.txt
modsec/05_asl_scanner.conf
modsec/malware-blacklist-high.txt
modsec/malware-blacklist.txt
modsec/30_asl_antimalware.conf
modsec/40_asl_apache2-rules.conf
modsec/domain-blacklist.txt
modsec/30_asl_antispam_referrer.conf
modsec/11_asl_data_loss.conf
modsec/05_asl_exclude.conf
modsec/whitelist.txt
modsec/domain-spam-whitelist.conf
modsec/00_asl_rbl.conf
modsec/99_asl_exclude.conf
modsec/trusted-domains.txt
modsec/malware-blacklist-low.txt
modsec/50_asl_rootkits.conf
modsec/60_asl_recons.conf
modsec/30_asl_antispam.conf
modsec/00_asl_whitelist.conf
modsec/trusted-domains.conf
modsec/20_asl_useragents.conf
modsec/10_asl_antimalware.conf
modsec/sql.txt
modsec/99_asl_jitp.conf
modsec/malware-blacklist-local.txt
$ cd modsec
$ file 00_asl_rbl.conf
00_asl_rbl.conf: ASCII English text
$ cat 00_asl_rbl.conf
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# RBL rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2009 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#Global RBL rules
SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
"chain,deny, log, id:350000,rev:2,msg:'Atomicorp.com WAF Rules - FREE/UNSUPPORTED VERSION - Global RBL Match: IP is on the xbl.spamhaus.org Blacklist',severity:'3'"
SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org"
#Additional RBLs are available in the Real Time Rules
#Such as TOR exit nodes, open proxies, and more
So the archive is fine. Maybe your cache is munged somewhere? I'd try downloading the free/unsupported rules directly on your servers with wget.
Michael Shinn
Atomicorp - Security For Everyone
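The check mikeshinn runs by hand above (file on the rule file before Apache tries to parse it) can be scripted as a pre-flight test for the whole modsecurity.d directory, so a rule file that is really gzip data or other binary junk is caught before httpd configtest produces the unreadable "<...> was not closed" errors from the first post. The script below is an added example, not part of this thread or of the Atomicorp rule set; the function names rule_file_kind, check_rule_dir and make_sample_dir are my own, and the sample directory it builds under mktemp is constructed for the demo only.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of ModSecurity rule
# files before running 'httpd configtest'. A rule file that Apache reports as
# "<garbage> was not closed" is usually not text at all; in the thread it was
# gzip data sitting under its .conf name. Two checks approximate what
# 'file' reports ("ASCII English text" vs "gzip compressed data"/"data"):
#   1. gzip magic bytes 1f 8b at offset 0
#   2. any byte that is neither printable ASCII nor whitespace
# Note: check 2 is deliberately strict and would also flag UTF-8 comments.

# Print "text", "gzip" or "binary" for one file.
# Exit status: 0 = plain text, 1 = gzip data, 2 = other non-text bytes.
rule_file_kind() {
    f=$1
    magic=$(od -An -tx1 -N 2 "$f" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo "gzip"
        return 1
    fi
    # Count bytes outside printable ASCII + whitespace; LC_ALL=C keeps
    # tr working on raw bytes so anything >= 0x80 is counted as well.
    binbytes=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
    if [ "$binbytes" -gt 0 ]; then
        echo "binary"
        return 2
    fi
    echo "text"
    return 0
}

# Check every *.conf in a directory, print one verdict per file and return
# non-zero if any file is not plain text (so it can gate a restart).
check_rule_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        kind=$(rule_file_kind "$f") || bad=$((bad + 1))
        printf '%s: %s\n' "$f" "$kind"
    done
    [ "$bad" -eq 0 ]
}

# Build a constructed sample directory (for the demo only): one genuine
# text rule file modelled on the RBL rule quoted in the thread, and one
# file that carries gzip magic bytes under a .conf name.
make_sample_dir() {
    d=$(mktemp -d)
    printf '#Global RBL rules\nSecRule REMOTE_ADDR "@rbl xbl.spamhaus.org"\n' \
        > "$d/00_good_rbl.conf"
    printf '\037\213\010\010not really a rule file' > "$d/01_gzipped.conf"
    echo "$d"
}

# Demo run: the gzipped file is reported and the directory check fails,
# which is the signal to fix the file rather than restart httpd.
demo_dir=$(make_sample_dir)
check_rule_dir "$demo_dir" || echo "at least one rule file is not plain text; do not restart httpd"
rm -rf "$demo_dir"
```

On a real host you would point check_rule_dir at /etc/httpd/modsecurity.d and run it immediately after unpacking a new rule archive; the thread's failing file would have shown up as "gzip" instead of "text", which is exactly what gunzip needed to see before Apache did.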
Re: Problem with new rules?
Okay, I am stupid. That did work. Guess I should have tried that to begin with, thanks!