Peer closed connection: I/O error #76

Open
csuka opened this issue Jul 15, 2024 · 0 comments
csuka commented Jul 15, 2024

I'm using the latest version as of now, 0.13.

I've set up docker to run, and configured haproxy to use this tool.
My haproxy config:

frontend http_front
    mode http
    bind *:80
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend http_back

All works beautifully when I send an example request like this:

[root@vm-local-1 ~]# curl 'http://localhost:80/?foo=/etc/passwd&bar=/bin/sh' -k
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.

I see in the docker logs that the request is denied as well:

1721067956.818297 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "...[tag ....

And then haproxy provides me with a 403, all is good.

Now, when I try the following:

[root@vm-local-1 log]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
POST /test HTTP/1.1
Host: test

So, I provide the arguments to telnet

POST /test HTTP/1.1
Host: test

Then, the request gets sent through to the backend, with a proper response.
This is undesired, as I expected a 403 again.

The docker logs:

1721068085.616785 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "252"] [id "920180"] [msg "POST without Content-Length or Transfer-Encoding headers"] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/4.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "5cb4346453ee"] [uri "http://test/test"] [unique_id ""]
1721068090.620010 [05] <15> Peer closed connection: I/O error

So what I'm seeing is a bit weird.
This command request gets blocked as it should:
curl 'http://localhost:80/?foo=/etc/passwd&bar=/bin/sh'
However, when using telnet, the message is Peer closed connection: I/O error.

I've also tested this using your previous image; there I didn't have that error.
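
A small triage script for the agent log format quoted above, added here as an example and not part of the original issue or the project's code: it pairs each ModSecurity denial with an immediately following `Peer closed connection: I/O error` line, the pattern reported for the telnet request. The function names, the 10-second window and the first sample line (with its placeholder rule id) are assumptions.

```python
import re

# Constructed sample in the log format quoted in the issue; the first line and
# its rule id "000000" are placeholders, the other two are shortened from the issue.
SAMPLE_LOG = """\
1721067956.818297 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). [id "000000"] [msg "constructed"] [uri "http://localhost/"]
1721068085.616785 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). [id "920180"] [msg "POST without Content-Length or Transfer-Encoding headers"] [tag "OWASP_CRS"] [uri "http://test/test"]
1721068090.620010 [05] <15> Peer closed connection: I/O error
"""

LINE = re.compile(r"^(?P<ts>\d+\.\d+) \[\d+\] (?P<rest>.*)$")
DENY = re.compile(r"ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
IO_ERROR = "Peer closed connection: I/O error"


def parse_events(log_text):
    """Turn agent log text into a list of 'deny' and 'io_error' events."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines without the epoch-timestamp prefix
        ts, rest = float(m["ts"]), m["rest"]
        deny = DENY.search(rest)
        if deny:
            fields = {}
            for key, value in FIELD.findall(rest):
                fields.setdefault(key, value)  # "tag" repeats; keep the first
            events.append({"kind": "deny", "ts": ts, "phase": int(deny["phase"]),
                           "code": int(deny["code"]), "id": fields.get("id"),
                           "msg": fields.get("msg"), "uri": fields.get("uri")})
        elif IO_ERROR in rest:
            events.append({"kind": "io_error", "ts": ts})
    return events


def denials_followed_by_io_error(events, window=10.0):
    """Return (denial, delay) pairs where the next event is an I/O error within `window` s."""
    hits = []
    for cur, nxt in zip(events, events[1:]):
        delay = nxt["ts"] - cur["ts"]
        if cur["kind"] == "deny" and nxt["kind"] == "io_error" and 0 <= delay <= window:
            hits.append((cur, round(delay, 3)))
    return hits


if __name__ == "__main__":
    for denial, delay in denials_followed_by_io_error(parse_events(SAMPLE_LOG)):
        print(f"rule {denial['id']} (phase {denial['phase']}) denied {denial['uri']}; "
              f"I/O error {delay}s later")
```

Each hit is a denial worth checking against the haproxy access log to see which status the client actually received.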
