Apache mod-security

Strange problem

Hi all. I'm experiencing a strange issue with my modsec install. Modsec is installed on its own Apache server as a reverse proxy for a IIS website. Neither of our IP address ranges can get to access our website although any other IPs can. I tested this on my iphone and it worked at the same time as our corporate IP was blocked. I could also see lots of activity in the modsec and apache logs. However I could not see our IP in any logs (access, error, modsec). I bypassed the modsec server and I could access the site without issue. I rebooted the server and put it back inline and again the same issue occured. I have checked iptables, syslog etc. and can't see anything in them. Has anyone experienced this before. At this stage I'm not sure if its Apache or modsec. Any help is appreciated. Thanks.

Sean

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

headers

Sean O'Sullivan | 23 Jan 12:56

Re: Strange problem

Scrath that, this seems to be an apache problem. I loaded apache without modsec and the problem is still happening. Thanks anyway, now on to the ubuntu forums.

Sean

From: dits_ltd <at> hotmail.com
To: mod-security-users <at> lists.sourceforge.net
Date: Mon, 23 Jan 2012 11:41:10 +0000
Subject: [mod-security-users] Strange problem

.ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;}

------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________ mod-security-users mailing list mod-security-users <at> lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

headers

Josh Amishav-Zlatin | 23 Jan 12:57

Re: Strange problem

On Mon, Jan 23, 2012 at 1:41 PM, Sean O'Sullivan <dits_ltd <at> hotmail.com> wrote:
> Hi all.  I'm experiencing a strange issue with my modsec install.  Modsec is
> installed on its own Apache server as a reverse proxy for a IIS website.
> Neither of our IP address ranges can get to access our website although any
> other IPs can.  I tested this on my iphone and it worked at the same time as
> our corporate IP was blocked.  I could also see lots of activity in the
> modsec and apache logs.  However I could not see our IP in any logs
> (access, error, modsec).  I bypassed the modsec server and I could access
> the site without issue.  I rebooted the server and put it back inline and
> again the same issue occured.  I have checked iptables, syslog etc. and
> can't see anything in them.  Has anyone experienced this before.  At this
> stage I'm not sure if its Apache or modsec.  Any help is appreciated.

Hi Sean,

What interface is Apache listening on? Have you checked where your
corporate traffic to the WAF is getting stopped? There are a number of
tools you can use to check, one way is tcptraceroute
<YourModSecServer> <Port>.

--
 - Josh

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/