I’ll go through a false positive example I found on my blog. False positives are inevitable, so it’s not a bad idea to run mod_security for a few weeks in detect-only mode before letting it block anything. Here’s the URL that was raising the alarm; the trigger was in the URL itself: http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/ Here’s what modsec_audit.log looked like: --f8a03521-A-- [21/Mar/2011:07:54:47 +1100] [...]
In my previous post I didn’t mention how to turn on the audit log, so without explanation, you put the following in your config:

SecAuditEngine RelevantOnly
SecAuditLogType serial
SecAuditLogParts ABCFHZ

We already set SecAuditLog to /var/log/modsecurity/SecAuditLog/modsec_audit.log in the previous post; that file has to be writable by the web server user (www-data on Ubuntu/Debian). So after [...]
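The two posts above describe the workflow (run with SecRuleEngine DetectionOnly for a while, turn on the serial audit log with the directives listed, then read modsec_audit.log to see which rules fired on which URLs). Here is an added example, written for this page and not code from the blog, that does the reading part: it parses the serial audit log format (parts delimited by --id-X-- boundaries), pulls the client, request line, response status and the rule ids from the H trailer out of each transaction, tallies (rule id, URI) pairs so repeat hits on an ordinary URL stand out, and prints a per-path SecRuleRemoveById exclusion for a confirmed false positive. The embedded log is constructed; the boundary ids, addresses, rule ids 1000001/1000002 and messages are placeholders and not real Core Rule Set rules.

```python
"""Parse a ModSecurity 2.x serial audit log (SecAuditLogParts ABCFHZ) and tally
which rule ids fire on which request URIs, to spot false positives while the
engine is in DetectionOnly mode."""
import re
from collections import Counter

# Constructed sample, two transactions in serial format. Everything in it
# (boundary ids, IPs, unique ids, rule ids, messages) is made up for this example.
SAMPLE_AUDIT_LOG = """\
--f8a03521-A--
[21/Mar/2011:07:54:47 +1100] TYb2tn8AAQEAAFpLBL0AAAAA 192.0.2.10 54321 198.51.100.5 80
--f8a03521-B--
GET /blog/2007/11/20/blue-tongue-harmonica-talk-cd/ HTTP/1.1
Host: chesterton.id.au
User-Agent: Mozilla/5.0

--f8a03521-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

--f8a03521-H--
Message: Warning. Pattern match "talk" at REQUEST_URI. [file "/etc/modsecurity/example.conf"] [line "12"] [id "1000001"] [msg "Placeholder rule"] [severity "WARNING"]
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/)
Server: Apache/2.2.14 (Ubuntu)

--f8a03521-Z--

--a1b2c3d4-A--
[21/Mar/2011:08:02:11 +1100] TYb3vX8AAQEAAFpLBL4AAAAA 203.0.113.7 41000 198.51.100.5 80
--a1b2c3d4-B--
GET /blog/?s=1%27%20OR%201%3D1-- HTTP/1.1
Host: chesterton.id.au

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "OR 1=1" at ARGS:s. [file "/etc/modsecurity/example.conf"] [line "20"] [id "1000002"] [msg "Placeholder SQLi rule"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--a1b2c3d4-Z--
"""

BOUNDARY_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')   # --<transaction id>-<part>--
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [id "1000001"] [msg "..."] ...


def parse_audit_log(text):
    """Split the serial log into [{'id': ..., 'parts': {letter: [lines]}}].
    A transaction starts at its A boundary; every later part must carry the
    same id, otherwise the file is corrupt or interleaved."""
    transactions, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            tid, part = m.groups()
            if part == 'A':
                current = {'id': tid, 'parts': {}}
                transactions.append(current)
            elif current is None or current['id'] != tid:
                raise ValueError('part %s of %s outside its transaction' % (part, tid))
            current['parts'][part] = []
        elif current is not None and part is not None:
            current['parts'][part].append(line)
    return transactions


def summarize(tx):
    """Fields needed to judge a hit: who, which URI, what status, which rules."""
    parts = tx['parts']
    a_fields = (parts.get('A') or [''])[0].split()       # [ts tz] uid src_ip src_port dst_ip dst_port
    request_line = (parts.get('B') or [''])[0].split()   # METHOD URI HTTP/x.y
    status_line = (parts.get('F') or [''])[0].split()    # HTTP/x.y STATUS REASON
    messages = [l[len('Message:'):].strip() for l in parts.get('H', []) if l.startswith('Message:')]
    return {
        'id': tx['id'],
        'timestamp': ' '.join(a_fields[:2]).strip('[]') if len(a_fields) >= 2 else None,
        'client': a_fields[3] if len(a_fields) >= 7 else None,
        'method': request_line[0] if request_line else None,
        'uri': request_line[1] if len(request_line) > 1 else None,
        'status': int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else None,
        'rule_ids': [dict(TAG_RE.findall(m)).get('id') for m in messages],
        'messages': messages,
    }


def tally_rules(transactions):
    """Count (rule id, URI) pairs; one rule repeatedly hitting the same
    ordinary page is the usual shape of a false positive."""
    counts = Counter()
    for tx in transactions:
        s = summarize(tx)
        for rid in s['rule_ids']:
            counts[(rid, s['uri'])] += 1
    return counts


def exclusion_snippet(rule_id, uri):
    """Apache config disabling one rule for one path only (ModSecurity 2.x
    SecRuleRemoveById inside <LocationMatch>), instead of dropping it globally."""
    return '<LocationMatch "^%s">\n    SecRuleRemoveById %s\n</LocationMatch>' % (re.escape(uri), rule_id)


if __name__ == '__main__':
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (rid, uri), n in tally_rules(txs).most_common():
        print('%3d  rule %s  %s' % (n, rid, uri))
    print(exclusion_snippet('1000001', '/blog/2007/11/20/blue-tongue-harmonica-talk-cd/'))
```

Run it against the real file with `parse_audit_log(open('/var/log/modsecurity/SecAuditLog/modsec_audit.log').read())`; with SecAuditEngine RelevantOnly every transaction in the file triggered something, so the tally is exactly the list to review. Scope exclusions to the path that needs them rather than removing the rule outright, otherwise a false positive on one blog post turns into a blind spot for the whole site.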
Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + Apache so I could play with mod_security. Well, one of my clients got pwned by some SQL injection vulnerability, so I finally got to put it in practice. In a nutshell, mod_security is an Apache module that scans HTTP(S) traffic [...]