ModSecurity v3 for FreeBSD. Doesn't want to compile/build.

bryn1u

Well-Known Member

Reaction score: 11
Messages: 352

Code:
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
 cd ModSecurity
 git submodule init
 git submodule update
 ./build.sh
 ./configure

Code:
configure - output

ModSecurity -  for FreeBSD
 
 Mandatory dependencies
   + libInjection                                  ....
   + SecLang tests                                 ....480a2f8
 
 Optional dependencies
   + GeoIP                                         ....found 
      /usr/local/lib//libGeoIP.so, /usr/local/include
   + LibCURL                                       ....found v7.58.0
      -L/usr/local/lib -lcurl, -I/usr/local/include -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....not found
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.7
      -L/usr/local/lib -lxml2 -lz -llzma -L/usr/lib -lm, -I/usr/local/include/libxml2 -I/usr/include -DWITH_LIBXML2
   + SSDEEP                                        ....not found
   + LUA                                           ....not found
 
 Other Options
   + Test Utilities                                ....disabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

After that, I enter "make" and:

Code:
root@proton:~/ModSecurity # make
make: "/root/ModSecurity/Makefile" line 3098: Missing dependency operator
make: "/root/ModSecurity/Makefile" line 3100: Need an operator
make: "/root/ModSecurity/Makefile" line 3102: Need an operator
make: "/root/ModSecurity/Makefile" line 3106: Missing dependency operator
make: "/root/ModSecurity/Makefile" line 3110: Need an operator
make: "/root/ModSecurity/Makefile" line 3112: Need an operator
make: "/root/ModSecurity/Makefile" line 3125: Need an operator
make: "/root/ModSecurity/Makefile" line 3127: Error in archive specification: ""
make: "/root/ModSecurity/Makefile" line 3132: warning: duplicate script for target "ifeq" ignored
make: "/root/ModSecurity/Makefile" line 3109: warning: using previous script for "ifeq" defined here
make: "/root/ModSecurity/Makefile" line 3133: Missing dependency operator
make: "/root/ModSecurity/Makefile" line 3134: warning: duplicate script for target "ifeq" ignored
make: "/root/ModSecurity/Makefile" line 3109: warning: using previous script for "ifeq" defined here
make: "/root/ModSecurity/Makefile" line 3134: warning: duplicate script for target "(no,yes)" ignored
make: "/root/ModSecurity/Makefile" line 3109: warning: using previous script for "(no,yes)" defined here
make: "/root/ModSecurity/Makefile" line 3135: Need an operator
make: "/root/ModSecurity/Makefile" line 3137: Need an operator
make: "/root/ModSecurity/Makefile" line 3138: Need an operator
make: "/root/ModSecurity/Makefile" line 3140: Need an operator
make: Fatal errors encountered -- cannot continue
make: stopped in /root/ModSecurity
root@proton:~/ModSecurity #

I have tried the same way on Linux and it works. So, what is the problem under FreeBSD?
Thanks for help.


##Edit:
ModSecurity v2 compiles and works fine. There is something wrong with v3 for FreeBSD.
Can someone help?
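The errors above are what FreeBSD's base make (bmake) prints when it reads GNU make conditionals such as ifeq, which is why the same tree builds on Linux. As an added example, not part of the original post or the ModSecurity project (function names and the sample Makefile are constructed), this scans a Makefile for those directives and picks the make binary to run:

```shell
#!/bin/sh
# Added example: find GNU-make-only conditionals that FreeBSD's make rejects.

# Constructed sample input, not the generated ModSecurity Makefile.
sample_makefile() {
cat <<'EOF'
# constructed sample
CC = cc
ifeq ($(WITH_DEBUG),yes)
CFLAGS += -g
endif
all: demo.o
EOF
}

# Print "LINE:directive" for each GNU-style conditional read from stdin.
# bmake spells its conditionals with a leading dot (.if/.ifdef), so a bare
# "ifeq" is parsed as a target name, which produces the errors shown above.
gnu_make_directives() {
    awk '/^ *(ifeq|ifneq|ifdef|ifndef)[ \t(]/ { print NR ":" $1 }'
}

# Echo which make binary can parse the Makefile on stdin.
pick_make() {
    if [ -n "$(gnu_make_directives)" ]; then
        echo gmake   # GNU make, installed on FreeBSD by the devel/gmake port
    else
        echo make
    fi
}

echo "use: $(sample_makefile | pick_make)"
```

On a real tree the call would be `pick_make < Makefile` after `./configure` has generated the file.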
 
bryn1u

Can you file a bug on https://bugs.freebsd.org if the port is broken or incomplete?

Hey,
I'm asking about v3 because, compared to mod_security v2, the v3 installation for Apache is different. For Apache, v2 works great.
For apache24 with mod_security v2 there is a really simple installation:
To enable mod_security in Apache edit the following file:
/usr/local/etc/apache24/modules.d/280_mod_security.conf
Load module:
Code:
## apache modules for mod_security
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/*.conf
When I'm trying v3, the modules are in another location, like /usr/local/lib/libmodsecurity.3.... (don't exactly remember)
If I add the path for libmodsecurity3... in /usr/local/etc/apache24/modules.d/280_mod_security.conf, it still doesn't work and still can't find libmodsecurity3.

The same for nginx. Can't find the libmodsec :(
 
bryn1u

After compiling Nginx+ModSecurity3 from ports, I can't find anything like that:
Code:
root@:/usr/local/libexec/nginx # find / -name "*ngx*" | grep -v /usr/ports/
/usr/local/libexec/nginx/ngx_mail_module.so
/usr/local/libexec/nginx/ngx_stream_module.so
root@:/usr/local/libexec/nginx #
The Nginx documentation mentions load_module modules/ngx_http_modsecurity_module.so;. I can't find any modules related to mod_security3.
Code:
root@:/usr/local/libexec/nginx # ls
ngx_mail_module.so      ngx_stream_module.so
root@:/usr/local/libexec/nginx #
 

tobik@

Daemon
Developer

Reaction score: 1,410
Messages: 1,909

Did you compile www/nginx with the MODSECURITY3 option on?

I don't think you actually need load_module modules/ngx_http_modsecurity_module.so; when you do since it's just compiled in then.
 
bryn1u

Did you compile www/nginx with the MODSECURITY3 option on?

I don't think you actually need load_module modules/ngx_http_modsecurity_module.so; when you do since it's just compiled in then.

Hey,
Yes, I did. I run nginx with mod_sec but there is a problem with interpretation. Mod_sec blocks even when it is in detection-only mode. Mod_sec also logs nothing.

I have a question about apache24 + mod_sec3. I can easily build Apache with modsec v2 from ports, which is great and works well. But what about v3? After installing it I have 3 libs available:
Code:
[root@proton /usr/local/etc/apache24/modules.d]# ls /usr/local/lib | grep -i modsec
libmodsecurity.a
libmodsecurity.so
libmodsecurity.so.3
libmodsecurity.so.3.0.0
I'm trying to implement it for Apache but I have no idea how to do it. For modsec v2 there is no problem because everything is included in 280_mod_security.conf:
Code:
## apache modules for mod_security
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/modsecurity.conf
Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf
Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
Can you tell me how I can run modsec v3 under apache24 using ports? Or is the only way to compile manually?

Thank you for your help,
 

epopen

Active Member

Reaction score: 8
Messages: 135

I work on the NGINX and Apache port from ModSecurity.
I think the 2 new ports will be ready to land this weekend.
Thank you very much :D👍
Last week, I tried to build and succeeded (both clang6 & gcc8), but got a segmentation fault when apache24 starts :eek:
 

epopen


Unfortunately, the work takes a little longer on ModSecurity-NGINX.
ModSecurity-Apache will be committed today or tomorrow.
Hi Joneum
I have installed the result of your hard work, security/modsecurity3-apache 👍
I configured the file /usr/local/etc/apache24/modules.d/280_mod_security.conf as below
Code:
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security3_module libexec/apache24/mod_security3.so
<IfModule security3_module>
        modsecurity on
        modsecurity_rules_file etc/modsecurity/modsecurity.conf;
</IfModule>

But I encountered the same segmentation fault as in my earlier attempt, as below :eek:
# service apache24 start
Code:
Performing sanity check on apache24 configuration:
Segmentation fault (core dumped)
Starting apache24.
Segmentation fault (core dumped)
/usr/local/etc/rc.d/apache24: WARNING: failed to start apache24

I tried to use gdb and got the result below.
Code:
(gdb) core httpd.core
[New LWP 101164]
Core was generated by `/usr/local/sbin/httpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000008031199e8 in vtable for __cxxabiv1::__si_class_type_info () from /lib/libcxxrt.so.1
(gdb) where
#0  0x00000008031199e8 in vtable for __cxxabiv1::__si_class_type_info () from /lib/libcxxrt.so.1
#1  0x00000008022d3016 in __dynamic_cast () from /usr/local/lib/gcc8/libstdc++.so.6
#2  0x00000008023527b0 in bool std::has_facet<std::ctype<char> >(std::locale const&) () from /usr/local/lib/gcc8/libstdc++.so.6
#3  0x0000000802346004 in std::basic_ios<char, std::char_traits<char> >::_M_cache_locale(std::locale const&) () from /usr/local/lib/gcc8/libstdc++.so.6
#4  0x0000000802346480 in std::basic_ios<char, std::char_traits<char> >::init(std::basic_streambuf<char, std::char_traits<char> >*) ()
   from /usr/local/lib/gcc8/libstdc++.so.6
#5  0x00000008022e69d3 in std::ios_base::Init::Init() () from /usr/local/lib/gcc8/libstdc++.so.6
#6  0x0000000801ec54f0 in ?? () from /usr/local/lib/libmodsecurity.so.3
#7  0x00000008002a60db in objlist_call_init (list=<optimized out>, lockstate=<optimized out>) at /usr/src/libexec/rtld-elf/rtld.c:2678
#8  0x00000008002aa6c9 in dlopen_object (name=0x800be0400 "z\270", <incomplete sequence \325>, fd=<optimized out>, refobj=<optimized out>, lo_flags=2, 
    mode=258, lockstate=0x800000002) at /usr/src/libexec/rtld-elf/rtld.c:3389
#9  0x00000008002a7136 in rtld_dlopen (name=0x800a7c660 "/usr/local/libexec/apache24/mod_security3.so", fd=-1, mode=<optimized out>)
    at /usr/src/libexec/rtld-elf/rtld.c:3264
#10 0x00000008005a3b60 in apr_dso_load () from /usr/local/lib/libapr-1.so.0
#11 0x000000000028e871 in dso_load ()
#12 0x000000000028e594 in load_module ()
#13 0x000000000025b0d5 in invoke_cmd ()
#14 0x0000000000258233 in ap_build_config_sub ()
#15 0x000000000025873b in ap_build_config ()
#16 0x0000000000258e39 in ap_process_resource_config ()
#17 0x000000000025908f in process_resource_config_nofnmatch ()
#18 0x0000000000259419 in process_resource_config_fnmatch ()
#19 0x00000000002592bd in process_resource_config_fnmatch ()
#20 0x00000000002592bd in process_resource_config_fnmatch ()
#21 0x00000000002592bd in process_resource_config_fnmatch ()
#22 0x00000000002592bd in process_resource_config_fnmatch ()
#23 0x00000000002592bd in process_resource_config_fnmatch ()
#24 0x0000000000258fcd in ap_process_fnmatch_configs ()
#25 0x000000000027f200 in include_config ()
#26 0x000000000025b09c in invoke_cmd ()
#27 0x0000000000258233 in ap_build_config_sub ()
#28 0x000000000025873b in ap_build_config ()
#29 0x0000000000258e39 in ap_process_resource_config ()
#30 0x000000000025a2a0 in ap_read_config ()
#31 0x00000000002555e8 in main ()
(gdb)

How can I debug the problem? :-/
Thank you a lot. :D
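The backtrace above has frames from both /usr/local/lib/gcc8/libstdc++.so.6 and /lib/libcxxrt.so.1 inside the dlopen of mod_security3.so, a pattern consistent with a GCC-built library being loaded next to the base-system C++ runtime. As an added example, not from the thread or the port (function names and the sample ldd output are constructed), this checks whether a dependency list pulls in both runtime families:

```shell
#!/bin/sh
# Added example: flag a shared object that links two different C++ runtimes.

# Constructed ldd-style output for illustration. On a real host, pipe in:
#   ldd /usr/local/lib/libmodsecurity.so.3
sample_ldd() {
cat <<'EOF'
/usr/local/lib/libmodsecurity.so.3:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x801000000)
    libstdc++.so.6 => /usr/local/lib/gcc8/libstdc++.so.6 (0x802200000)
    libc++.so.1 => /usr/lib/libc++.so.1 (0x802e00000)
    libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x803100000)
    libc.so.7 => /lib/libc.so.7 (0x803400000)
EOF
}

# Read ldd output on stdin and print each C++ runtime family once:
#   gnu  = GCC's libstdc++
#   llvm = base-system libc++ / libcxxrt
cxx_runtime_families() {
    awk '$2 == "=>" && $1 ~ /^libstdc\+\+\.so/         { print "gnu"  }
         $2 == "=>" && $1 ~ /^(libc\+\+|libcxxrt)\.so/ { print "llvm" }' |
    sort -u
}

# Succeed (exit 0) only when both families appear in the same dependency list.
is_mixed() {
    [ "$(cxx_runtime_families | tr '\n' ' ')" = "gnu llvm " ]
}

if sample_ldd | is_mixed; then
    echo "mixed C++ runtimes: rebuild the library and module with one compiler"
fi
```

Run the same check against the module (`mod_security3.so`) and against `httpd` itself, since the runtimes only need to meet in one process to collide.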
 

epopen


Hi Joneum

Status update.
Yesterday, I saw security/modsecurity3 was updated to 3.0.4, so I upgraded it.
And I updated all of the dependent ports to the latest, listed below:
www/apache24
security/modsecurity3
security/modsecurity3-apache
lang/gcc9

Result: Got the same segmentation fault error.
I tried to use devel/gdb and got the result below.
Code:
(gdb) core httpd.core
[New LWP 101190]
Core was generated by `/usr/local/sbin/httpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000008032a3a18 in ?? ()
(gdb) where
#0  0x00000008032a3a18 in ?? ()
#1  0x00000008024ecc56 in ?? ()
#2  0x0000000802839ea0 in ?? ()
#3  0x00007fffffffc9a0 in ?? ()
#4  0x0000000000000000 in ?? ()

All of the debug symbols disappeared 😨
Thanks a lot
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 10,745
Messages: 36,547

Fix impossible about segmentation fault error I assume.
security/modsecurity3 was removed.
Port is still there, nothing has been removed. https://svnweb.freebsd.org/ports/head/security/modsecurity3/

If you're referring to the package, then yes, that could happen if the port fails to build for whatever reason. That said, I can't find any build failures on http://pkg-status.freebsd.org. And the package for security/modsecurity3-apache was built successfully, which can only happen if modsecurity3 was successful too.


But, just because something was built successfully is no guarantee the application actually works. So there could be bugs in the module itself. If you have problems with it the best course of action would be to open a PR or add your findings to an existing one.
 