How to check the installed version of modsecurity?

[Phan Thanh Bình]

Hi all, how can I check the installed version of modsecurity in linux?

Regarding crs, I can see this "OWASP ModSecurity Core Rule Set ver.3.0.2", so I assume CRS version is 3.0.2 but don't know version of modsecurity.

Thanks.

[Christian Folini]

Hi Phan,

ModSecurity announces itself in the error-log / event-log of the webserver
during startup.

Alternative: running "strings" on the module binary and look for the version.

Good luck!

Christian

> --
> You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.
> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/65ed84d8-e6b5-4aa3-a314-144820c208f9n%40owasp.org.

[Ervin Hegedüs]

Hi Phan,

On Fri, Jan 07, 2022 at 12:08:22AM -0800, Phan Thanh Bình wrote:

> Hi all, how can I check the installed version of modsecurity in linux?

there are many ways to do that.

You can check that through your package manager (if you installed
it from any repository), eg:

$ dpkg -l "libapache2-mod-security2"
...
||/ Name Version Architecture Description
+++-========================-============-============-============================================
ii libapache2-mod-security2 2.9.3-1 amd64 Tighten web applications security for Apache

Or you can access this information throug the logs. mod_security2 make a log entry (in case of
right settints :)) at every startup:

[Fri Jan 07 09:00:52.976833 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Fri Jan 07 09:00:52.976943 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity: APR compiled version="1.6.5"; loaded version="1.6.5"
[Fri Jan 07 09:00:52.976959 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Fri Jan 07 09:00:52.976971 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity: LUA compiled version="Lua 5.1"
[Fri Jan 07 09:00:52.976982 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity: YAJL compiled version="2.1.0"
[Fri Jan 07 09:00:52.976994 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity: LIBXML compiled version="2.9.4"
[Fri Jan 07 09:00:52.977005 2022] [:notice] [pid 39793:tid 140063602048064] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Note, that as you can see, you get many more detailed information
about the engine.

Unfortunately, libmodsecurity3 + Nginx does not have this feature
set, you will see only the connector version in the log.

And of course, as Christian wrote, you can get the information
with help of "strings" command:

$ strings /usr/lib/x86_64-linux-gnu/libmodsecurity.so | grep "ModSecurity v3"
ModSecurity v3.0.6 (

$ strings /usr/lib/apache2/modules/mod_security2.so | grep Apache/2.9
ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)


Regards,


a.

[Phan Thanh Bình]

Thank you all. I can see the version during statup and also via .so file now. v3.0.3

Another question: how can I upgrade the modsecurity to current master in https://github.com/SpiderLabs/ModSecurity ? can I just clone github, then install it in linux with these steps below

$ ./build.sh 

$ ./configure 

$ make 

$ sudo make install

it will generate .so file, right?

then replace that to the old one.

[Ervin Hegedüs]

Hi Phan,

On Sun, Jan 09, 2022 at 10:16:09PM -0800, Phan Thanh Bình wrote:
> Thank you all. I can see the version during statup and also via .so file
> now. v3.0.3
> Another question: how can I upgrade the modsecurity to current master
> in https://github.com/SpiderLabs/ModSecurity ? can I just clone github,

if you use `git clone`,

> then install it in linux with these steps below

then you have to clone (and update) submodules too.

$ git submodule foreach git pull

before the next steps.

> $ ./build.sh
> $ ./configure
> $ make
> $ sudo make install
> it will generate .so file, right?
> then replace that to the old one.

sudo make install will replace it (if you installed the old one
with these steps too).

Don't forget to update the connector[1] too.


a.

[1]: https://github.com/SpiderLabs/ModSecurity-nginx

[Phan Thanh Bình]

Thanks. 

In our project, there is another wrapper.

I have another question, according to: https://coreruleset.org/installation/ , I checked the version modsecurity is 3.0.3, then must install iis/nginx, right? IIS for window, so in linux/centos must install nginx but I couldn't find it, checked by "nginx -v", result: -bash: nginx: command not found, how can I know which web server modsecurity/CRS is running on?

On Friday, 7 January 2022 at 15:08:22 UTC+7 Phan Thanh Bình wrote:

[Ervin Hegedüs]

Hi Phan,

On Mon, Jan 10, 2022 at 02:55:11AM -0800, Phan Thanh Bình wrote:

> I have another question, according
> to: https://coreruleset.org/installation/ , I checked the version
> modsecurity is 3.0.3, then must install iis/nginx, right? IIS for window,
> so in linux/centos must install nginx but I couldn't find it, checked by
> "nginx -v", result: -bash: nginx: command not found, how can I know which
> web server modsecurity/CRS is running on?

You can check:

sudo netstat -antp | grep 80

eg:

tcp6 0 0 :::80 :::* LISTEN 10469/apache2


In this case, the used webserver is the Apache.



a.

[Phan Thanh Bình]

I don't see apache thing, result is below:

 ESTABLISHED 994/java
ESTABLISHED 3363/navajosv2_4
 TIME_WAIT   -
606/java
 9073/npmd_agent
 1218/java
 ESTABLISHED 1218/java
ESTABLISHED 993/java
 ESTABLISHED 2225/mysqld
ESTABLISHED 2225/mysqld

Btw there is /etc/httpd  and there is result with "netstat -antp | grep httpd", ok found this because my env is centos not linux.

So it seems we are using apache for modsecurity 3.x and it's not as recommendation, right? According " With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x."

On Friday, 7 January 2022 at 15:08:22 UTC+7 Phan Thanh Bình wrote:

[Christian Folini]

Hey, hey,

Navajo sounds like a commercial AdNovum Nevis server that is based on Apache
2.4 but incorporates ModSecurity 3.0.x and CRS on top. (They replaced
mod_proxy with their own mod_navajo).

You may want to talk to the paid AdNovum support if that's really the case.

Cheers,

Christian

> --
> You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.

> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/24a73d6a-3805-44cf-b21d-1dc87c81cd49n%40owasp.org.

[Phan Thanh Bình]

Hi Christian,

May I ask had you worked in AdNovum before? How do you know that?

[Christian Folini]

Hi Phan,

AdNovum is a Swiss company and I'm Swiss. So let's say you come across a Nevis
server from time to time. But I have not worked on one hitherto.

Best,

Christian

[Phan Thanh Bình]

Something weird with this SecRule REQBODY_PROCESSOR_ERROR, I'm trying to follow this: https://github.com/SpiderLabs/ModSecurity/issues/2267 .

When I leave as original, as below:

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:406, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

The request is fine. But when I split a bit:

SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"id:'200007',phase:2,t:none,log,deny,status:406, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}'"

=> error, exactly at this rule.

So I wonder if MULTIPART_STRICT_ERROR includes REQBODY_PROCESSOR_ERROR or not? Or the modsecurity is already updated (maybe exclude REQBODY_PROCESSOR_ERROR out MULTIPART_STRICT_ERROR )

Thanks.

On Friday, 7 January 2022 at 15:08:22 UTC+7 Phan Thanh Bình wrote:

[Ervin Hegedüs]

Hi Phan,

On Mon, Jan 10, 2022 at 09:33:11PM -0800, Phan Thanh Bình wrote:
> Something weird with this SecRule REQBODY_PROCESSOR_ERROR, I'm trying to
> follow this: https://github.com/SpiderLabs/ModSecurity/issues/2267 .
>
> When I leave as original, as below:
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200003',phase:2,t:none,log,deny,status:406, \

...

> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
>
> The request is fine. But when I split a bit:
>
> SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
> "id:'200007',phase:2,t:none,log,deny,status:406, \
> msg:'Multipart request body failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}'"
>
> => error, exactly at this rule.
>

sorry, exactly at what rule? Did you get the error message from
your rule 200007?

> So I wonder if MULTIPART_STRICT_ERROR includes REQBODY_PROCESSOR_ERROR or
> not?

based on the documentation:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#multipart_strict_error

yes, but if you check the source code, it does NOT:

v2:
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/re_variables.c#L1584-L1595
v3:
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/request_body_processor/multipart.cc#L1078-L1085



a.


ps: I think this question is outside of the original topic. Would
you start a new thread if your question is not related to the
original?

[Phan Thanh Bình]

Did you get the error message from

your rule 200007? -> Yes

I also thought to start new thread but I think it's somehow related to the custom mod_proxy as  Christian mentioned (ah he mentioned mod_proxy not modsecurity).

Will create new thread now.

Thanks