Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Realtime security rules on IIS
Posted: Wed Jul 24, 2013 1:22 pm
New Forum User

Joined: Wed Jul 24, 2013 12:04 pm
Posts: 3
Location: United States
ModSecurity newbie here...

I have installed ModSecurity on IIS 7.5 and got the default ModSecurity rules (including the OWASP CRS ruleset) working. However, they were too restrictive for a couple of Joomla sites. The Atomicorp paid subscription version looked like the perfect solution, so I signed up for the 30 day free trial and was looking forward to the subscription and proactive solution this provides...

I removed the default installation rules and CRS rules, installed the Atomicorp rules and removed the Atomicorp ASL-only rules, but it didn't appear to work at all...

Upon checking my site application log, modsecurity reported the following:
Unknown command in config: < LocationMatch

I'm guessing this is an Apache directive that doesn't work in IIS? Is there an alternate code for IIS that would work instead of LocationMatch?

Thanks!
Chris


 Post subject: Re: Realtime security rules on IIS
Posted: Wed Jul 24, 2013 2:09 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3605
Location: Chantilly, VA
Quote:
Unknown command in config: < LocationMatch


Yes, that's because IIS doesn't understand LocationMatch. Just comment those out. We'll be putting out an IIS-specific ruleset shortly that doesn't include them.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Realtime security rules on IIS
Posted: Wed Jul 24, 2013 3:09 pm
New Forum User

Joined: Wed Jul 24, 2013 12:04 pm
Posts: 3
Location: United States
mikeshinn wrote:
Yes, that's because IIS doesn't understand LocationMatch. Just comment those out. We'll be putting out an IIS-specific ruleset shortly that doesn't include them.


Thanks! Is there a workaround? I'm more than a little concerned about potential security vulnerabilities arising from disabling those rules...


 Post subject: Re: Realtime security rules on IIS
Posted: Wed Jul 24, 2013 4:45 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3605
Location: Chantilly, VA
Quote:
I'm more than a little concerned about potential security vulnerabilities arising from disabling those rules...


No need to worry, disabling those will not cause any vulnerabilities. Those LocationMatch rules are used to disable certain rules for certain applications, so commenting those out will just prevent the disabling of certain rules for certain conditions. (That's not the only way we do that, just one of many methods we use.)

We'll be putting out a separate set of the rules that won't include these directives, but will use other means to accomplish the same thing, which should resolve this issue for IIS. We may release these as a special IIS-only set of rules, but our goal is to not have to do that (and just keep all the rules in one set for Apache, nginx and IIS).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
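
The "comment those out" step from the two staff replies above, sketched as an added example (not Atomicorp's code or part of any post). It assumes the blocks wrap exemption directives such as SecRuleRemoveById, as the reply describes, so it comments out the whole block: commenting only the tag lines would leave the exemption active for every URL. The sample rule, id and URL are constructed.

```python
import re

# Apache-only container tags; the log on this page shows them rejected on IIS.
OPEN_RE = re.compile(r"^\s*<\s*LocationMatch\b", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*<\s*/\s*LocationMatch\s*>", re.IGNORECASE)

# Constructed sample: rule id, pattern and URL are made up for illustration.
SAMPLE = '''\
SecRule REQUEST_URI "@contains /etc/passwd" "id:900001,phase:1,deny"
<LocationMatch "/administrator/index.php">
  SecRuleRemoveById 900001
</LocationMatch>
'''


def comment_out_locationmatch(text):
    """Comment out each <LocationMatch> block together with the lines inside it.

    Returns (new_text, blocks_found). Raises ValueError on unbalanced tags.
    """
    out, depth, blocks = [], 0, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if OPEN_RE.match(line):
            depth += 1
            blocks += 1
        inside = depth > 0  # true for the opening tag, the body and the closing tag
        if CLOSE_RE.match(line):
            if depth == 0:
                raise ValueError(f"line {lineno}: closing tag without opening tag")
            depth -= 1
        # Lines that are already comments are left alone, so reruns change nothing.
        if inside and line.strip() and not line.lstrip().startswith("#"):
            line = "# " + line
        out.append(line)
    if depth:
        raise ValueError("unclosed <LocationMatch> block")
    return "\n".join(out) + "\n", blocks


if __name__ == "__main__":
    fixed, count = comment_out_locationmatch(SAMPLE)
    print(f"{count} block(s) commented out")
    print(fixed, end="")
```
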


 Post subject: Re: Realtime security rules on IIS
Posted: Thu Jul 25, 2013 2:44 pm
New Forum User

Joined: Wed Jul 24, 2013 12:04 pm
Posts: 3
Location: United States
Makes sense. Thanks! I'd bet some of those were Joomla specific exceptions, so I'm going to have to check and see if any of those sites are broken or partly broken...not a biggie

So...I commented all those out but I'm seeing this a lot in the Windows application log:
1) ModSecurity: ipMatch Internal Error: Invalid ip address.
2) ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.

For the second error, I've tried setting ModSecurity's data directory to various places and added all kinds of users to the folder (i.e. IUSR, IIS_IUSR, etc.)...

For the first error - is this an IIS issue, or what is causing that?

Using ModSec 2.7.4 for IIS...


 Post subject: Re: Realtime security rules on IIS
Posted: Thu Jul 25, 2013 10:45 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3605
Location: Chantilly, VA
Quote:
Makes sense. Thanks! I'd bet some of those were Joomla specific exceptions, so I'm going to have to check and see if any of those sites are broken or partly broken...not a biggie


We've been phasing out LocationMatch for several years, so it's unlikely any of those would affect a modern application like Joomla. Most of the tuning these days is done using rule syntax.

Quote:
1) ModSecurity: ipMatch Internal Error: Invalid ip address.


So assuming you only have our rules loaded, that would mean either you are missing the /etc/asl/whitelist file, or your Windows system doesn't support IPv6. The only uses of that directive are for the /etc/asl/whitelist file, so if you have enabled the 00_asl_whitelist.conf file you may need to modify that to fit a path that works for Windows.

Outside of that, it's only used to detect localhost for a few other rules and the pattern match is always 127.0.0.1,::1

Does your system support IPv6?

Quote:
2) ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.


So that means you've got some third party rules installed; we do not use that. But you need to define SecDataDir anyway so ModSecurity can write its audit_logs. Nevertheless, that error means you're using some rules other than ours. We do not use collections, so you can only get that if you are using rules that do. So you'll either need to remove those rules, or you'll need to ask the authors of those rules for help with their rules.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
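
One way to find which loaded rule files ask for persistent collections, the condition behind the collection_retrieve_ex message discussed in the reply above, and whether an active SecDataDir exists. This is an added example, not Atomicorp's or ModSecurity's own tooling and not part of any post; the file names, rule id and paths are constructed.

```python
import re

# Actions that create persistent collections, which ModSecurity stores under SecDataDir.
COLLECTION_RE = re.compile(r"\b(initcol:\w+|setsid:|setuid:)", re.IGNORECASE)
DATADIR_RE = re.compile(r"\s*SecDataDir\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration (hypothetical file names and rule id).
FILES = {
    "modsecurity_iis.conf": r'''SecRuleEngine On
# SecDataDir C:\inetpub\temp\modsec
''',
    "thirdparty_dos.conf": r'''SecAction "id:900100,phase:1,nolog,pass,\
    initcol:global=global,initcol:ip=%{REMOTE_ADDR}"
''',
}


def logical_lines(text):
    """Yield (start_line, text) with trailing-backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf = ""
    if buf:
        yield start, buf


def audit(files):
    """files maps name -> config text. Returns (collection_uses, data_dir)."""
    uses, data_dir = [], None
    for name, text in files.items():
        for n, line in logical_lines(text):
            if line.lstrip().startswith("#"):
                continue  # a commented-out SecDataDir or rule has no effect
            m = DATADIR_RE.match(line)
            if m:
                data_dir = m.group(1).strip('"')
            for hit in COLLECTION_RE.finditer(line):
                uses.append((name, n, hit.group(1)))
    return uses, data_dir
```

With the sample input, `audit(FILES)` reports both `initcol` uses at line 1 of the third-party file and no active SecDataDir.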


 Post subject: Re: Realtime security rules on IIS
Posted: Tue Aug 13, 2013 10:38 am
New Forum User

Joined: Tue Aug 13, 2013 10:35 am
Posts: 1
Location: Illinois, USA
Any idea when the IIS-specific version will be released? I am interested in buying a subscription to that ruleset. :D


 Post subject: Re: Realtime security rules on IIS
Posted: Sun Mar 16, 2014 3:01 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3605
Location: Chantilly, VA
IIS compatible rules are now available for testing. LocationMatch is gone, and a full rewrite has been done to make them platform agnostic. Please contact us if you would like to be part of the beta.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

