# ModSecurity v3 for FreeBSD. Doesn't want to compile/build.



## bryn1u (Mar 20, 2018)

```
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
```


```
configure - output

ModSecurity -  for FreeBSD
 
 Mandatory dependencies
   + libInjection                                  ....
   + SecLang tests                                 ....480a2f8
 
 Optional dependencies
   + GeoIP                                         ....found 
      /usr/local/lib//libGeoIP.so, /usr/local/include
   + LibCURL                                       ....found v7.58.0
      -L/usr/local/lib -lcurl, -I/usr/local/include -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....not found
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.7
      -L/usr/local/lib -lxml2 -lz -llzma -L/usr/lib -lm, -I/usr/local/include/libxml2 -I/usr/include -DWITH_LIBXML2
   + SSDEEP                                        ....not found
   + LUA                                           ....not found
 
 Other Options
   + Test Utilities                                ....disabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled
```

After that, I enter "make" and:


```
root@proton:~/ModSecurity # make
make: "/root/ModSecurity/Makefile" line 3098: Missing dependency operator
make: "/root/ModSecurity/Makefile" line 3100: Need an operator
make: "/root/ModSecurity/Makefile" line 3102: Need an operator
make: "/root/ModSecurity/Makefile" line 3106: Missing dependency operator
make: "/root/ModSecurity/Makefile" line 3110: Need an operator
make: "/root/ModSecurity/Makefile" line 3112: Need an operator
make: "/root/ModSecurity/Makefile" line 3125: Need an operator
make: "/root/ModSecurity/Makefile" line 3127: Error in archive specification: ""
make: "/root/ModSecurity/Makefile" line 3132: warning: duplicate script for target "ifeq" ignored
make: "/root/ModSecurity/Makefile" line 3109: warning: using previous script for "ifeq" defined here
make: "/root/ModSecurity/Makefile" line 3133: Missing dependency operator
make: "/root/ModSecurity/Makefile" line 3134: warning: duplicate script for target "ifeq" ignored
make: "/root/ModSecurity/Makefile" line 3109: warning: using previous script for "ifeq" defined here
make: "/root/ModSecurity/Makefile" line 3134: warning: duplicate script for target "(no,yes)" ignored
make: "/root/ModSecurity/Makefile" line 3109: warning: using previous script for "(no,yes)" defined here
make: "/root/ModSecurity/Makefile" line 3135: Need an operator
make: "/root/ModSecurity/Makefile" line 3137: Need an operator
make: "/root/ModSecurity/Makefile" line 3138: Need an operator
make: "/root/ModSecurity/Makefile" line 3140: Need an operator
make: Fatal errors encountered -- cannot continue
make: stopped in /root/ModSecurity
root@proton:~/ModSecurity #
```

I have tried the same way on Linux and it works. So, what is the problem under FreeBSD?
Thanks for help.


Edit:
ModSecurity v2 compiles and works fine. There is something wrong with v3 for FreeBSD.
Can someone help?


----------



## tobik@ (Mar 20, 2018)

It needs GNU make. Run `gmake` in the last step.

Btw, it's also available as a port: www/mod_security3.


----------



## bryn1u (Mar 20, 2018)

tobik@ said:


> It needs GNU make. Run `gmake` in the last step.
> 
> Btw, it's also available as a port: www/mod_security3.


Thank you. gmake works. From ports it's not complete. Only ModSecurity v2 works well.


----------



## tobik@ (Mar 20, 2018)

Can you file a bug on https://bugs.freebsd.org if the port is broken or incomplete?


----------



## bryn1u (Mar 21, 2018)

tobik@ said:


> Can you file a bug on https://bugs.freebsd.org if the port is broken or incomplete?



Hey,
I'm asking about v3, because comparing mod_security v2 to v3, the installation for apache is different. For Apache, v2 works great.
For apache24 with mod_security v2 there is really simple installation:


> To enable mod_security in Apache edit the following file:
> /usr/local/etc/apache24/modules.d/280_mod_security.conf
> Load module:
> ...



The same for nginx. Can't find the libmodsec


----------



## bryn1u (Mar 21, 2018)

After compiling Nginx+ModSecurity3 from ports I can't find something like that:

```
root@:/usr/local/libexec/nginx # find / -name "*ngx*" | grep -v /usr/ports/
/usr/local/libexec/nginx/ngx_mail_module.so
/usr/local/libexec/nginx/ngx_stream_module.so
root@:/usr/local/libexec/nginx #
```
Nginx documentation says about `load_module modules/ngx_http_modsecurity_module.so;`. I can't find any modules related to mod_security3.

```
root@:/usr/local/libexec/nginx # ls
ngx_mail_module.so      ngx_stream_module.so
root@:/usr/local/libexec/nginx #
```


----------



## tobik@ (Mar 22, 2018)

Did you compile www/nginx with the MODSECURITY3 option on?

I don't think you actually need `load_module modules/ngx_http_modsecurity_module.so;` when you do since it's just compiled in then.


----------



## bryn1u (Mar 25, 2018)

tobik@ said:


> Did you compile www/nginx with the MODSECURITY3 option on?
> 
> I don't think you actually need `load_module modules/ngx_http_modsecurity_module.so;` when you do since it's just compiled in then.



Hey,
Yes I did. I run nginx with mod_sec but there is a problem with interpretation. Mod_sec blocks even when it is in detection-only mode. Mod_sec logs nothing either.

I have a question about apache24 + mod_sec3. I can easily build apache with modsec v2 from ports, which is great and working well. But what about v3? After installing I have 3 libs available:

```
[root@proton /usr/local/etc/apache24/modules.d]# ls /usr/local/lib | grep -i modsec
libmodsecurity.a
libmodsecurity.so
libmodsecurity.so.3
libmodsecurity.so.3.0.0
```
I'm trying to implement it for apache but I have no idea how to do it. For modsec v2 there is no problem because everything is included in `280_mod_security.conf`:

```
## apache modules for mod_security
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/modsecurity.conf
Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf
Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
```
Can you tell me how I can run modsec v3 under apache24 using ports? Or is the only way to compile manually?

Thank you for your help,


----------



## epopen (Apr 23, 2019)

bryn1u said:


> Can you tell me how I can run modsec v3 under apache24 using ports? Or is the only way to compile manually?



Hi
It needs the ModSecurity v3 Apache Connector.
But the connector isn't included in ports now or in the future because no maintainer can handle it, as in PR 227917.
I tried to build it and got an error.


----------



## joneum@ (May 2, 2019)

epopen said:


> Hi
> It needs the ModSecurity v3 Apache Connector.
> But the connector isn't included in ports now or in the future because no maintainer can handle it, as in PR 227917.
> I tried to build it and got an error.


I work on the NGINX and Apache port from ModSecurity.
I think, this weekend, the 2 new ports are ready to land.


----------



## epopen (May 2, 2019)

joneum@ said:


> I work on the NGINX and Apache port from ModSecurity.
> I think, this weekend, the 2 new ports are ready to land.


Thank you very much.
Last week, I tried to build it and succeeded (both clang6 & gcc8), but got a segmentation fault when apache24 starts.


----------



## joneum@ (May 6, 2019)

Unfortunately, the work takes a little longer on ModSecurity-NGINX
ModSecurity-Apache is committed today or tomorrow


----------



## epopen (May 7, 2019)

joneum@ said:


> Unfortunately, the work takes a little longer on ModSecurity-NGINX
> ModSecurity-Apache is committed today or tomorrow


Thank you very much for your hard work.


----------



## epopen (May 8, 2019)

joneum@ said:


> Unfortunately, the work takes a little longer on ModSecurity-NGINX
> ModSecurity-Apache is committed today or tomorrow


Hi Joneum
I have installed the result of your hard work, security/modsecurity3-apache.
I configured the file /usr/local/etc/apache24/modules.d/280_mod_security.conf as below:

```
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security3_module libexec/apache24/mod_security3.so
<IfModule security3_module>
        modsecurity on
        modsecurity_rules_file etc/modsecurity/modsecurity.conf;
</IfModule>
```

But I encounter the same segmentation fault as in my earlier attempt, as below:
`# service apache24 start`

```
Performing sanity check on apache24 configuration:
Segmentation fault (core dumped)
Starting apache24.
Segmentation fault (core dumped)
/usr/local/etc/rc.d/apache24: WARNING: failed to start apache24
```

I tried to use `gdb` and got result as below.

```
(gdb) core httpd.core
[New LWP 101164]
Core was generated by `/usr/local/sbin/httpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000008031199e8 in vtable for __cxxabiv1::__si_class_type_info () from /lib/libcxxrt.so.1
(gdb) where
#0  0x00000008031199e8 in vtable for __cxxabiv1::__si_class_type_info () from /lib/libcxxrt.so.1
#1  0x00000008022d3016 in __dynamic_cast () from /usr/local/lib/gcc8/libstdc++.so.6
#2  0x00000008023527b0 in bool std::has_facet<std::ctype<char> >(std::locale const&) () from /usr/local/lib/gcc8/libstdc++.so.6
#3  0x0000000802346004 in std::basic_ios<char, std::char_traits<char> >::_M_cache_locale(std::locale const&) () from /usr/local/lib/gcc8/libstdc++.so.6
#4  0x0000000802346480 in std::basic_ios<char, std::char_traits<char> >::init(std::basic_streambuf<char, std::char_traits<char> >*) ()
   from /usr/local/lib/gcc8/libstdc++.so.6
#5  0x00000008022e69d3 in std::ios_base::Init::Init() () from /usr/local/lib/gcc8/libstdc++.so.6
#6  0x0000000801ec54f0 in ?? () from /usr/local/lib/libmodsecurity.so.3
#7  0x00000008002a60db in objlist_call_init (list=<optimized out>, lockstate=<optimized out>) at /usr/src/libexec/rtld-elf/rtld.c:2678
#8  0x00000008002aa6c9 in dlopen_object (name=0x800be0400 "z\270", <incomplete sequence \325>, fd=<optimized out>, refobj=<optimized out>, lo_flags=2, 
    mode=258, lockstate=0x800000002) at /usr/src/libexec/rtld-elf/rtld.c:3389
#9  0x00000008002a7136 in rtld_dlopen (name=0x800a7c660 "/usr/local/libexec/apache24/mod_security3.so", fd=-1, mode=<optimized out>)
    at /usr/src/libexec/rtld-elf/rtld.c:3264
#10 0x00000008005a3b60 in apr_dso_load () from /usr/local/lib/libapr-1.so.0
#11 0x000000000028e871 in dso_load ()
#12 0x000000000028e594 in load_module ()
#13 0x000000000025b0d5 in invoke_cmd ()
#14 0x0000000000258233 in ap_build_config_sub ()
#15 0x000000000025873b in ap_build_config ()
#16 0x0000000000258e39 in ap_process_resource_config ()
#17 0x000000000025908f in process_resource_config_nofnmatch ()
#18 0x0000000000259419 in process_resource_config_fnmatch ()
#19 0x00000000002592bd in process_resource_config_fnmatch ()
#20 0x00000000002592bd in process_resource_config_fnmatch ()
#21 0x00000000002592bd in process_resource_config_fnmatch ()
#22 0x00000000002592bd in process_resource_config_fnmatch ()
#23 0x00000000002592bd in process_resource_config_fnmatch ()
#24 0x0000000000258fcd in ap_process_fnmatch_configs ()
#25 0x000000000027f200 in include_config ()
#26 0x000000000025b09c in invoke_cmd ()
#27 0x0000000000258233 in ap_build_config_sub ()
#28 0x000000000025873b in ap_build_config ()
#29 0x0000000000258e39 in ap_process_resource_config ()
#30 0x000000000025a2a0 in ap_read_config ()
#31 0x00000000002555e8 in main ()
(gdb)
```

How can I debug the problem?
Thank you a lot.
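
An added example, not part of the original post or of any project's code: a small Python parser for `gdb` `where` output that reports which C++ runtime libraries appear in a trace and which other shared object was being initialised when the crash happened. The sample input is an excerpt of the backtrace posted above; the function names are hypothetical.

```python
import os
import re

# Excerpt of the gdb backtrace from the post above; frame #4 keeps its wrapped line.
SAMPLE_BT = """\
#0  0x00000008031199e8 in vtable for __cxxabiv1::__si_class_type_info () from /lib/libcxxrt.so.1
#1  0x00000008022d3016 in __dynamic_cast () from /usr/local/lib/gcc8/libstdc++.so.6
#4  0x0000000802346480 in std::basic_ios<char, std::char_traits<char> >::init(std::basic_streambuf<char, std::char_traits<char> >*) ()
   from /usr/local/lib/gcc8/libstdc++.so.6
#6  0x0000000801ec54f0 in ?? () from /usr/local/lib/libmodsecurity.so.3
#7  0x00000008002a60db in objlist_call_init (list=<optimized out>, lockstate=<optimized out>) at /usr/src/libexec/rtld-elf/rtld.c:2678
#12 0x000000000028e594 in load_module ()
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.*?)(?:\s+from (\S+))?$")
CXX_RUNTIMES = ("libcxxrt.so", "libstdc++.so", "libc++.so")  # C++ runtime/ABI libraries


def parse_frames(text):
    """Return [(frame_no, symbol_text, shared_object_or_None)], joining wrapped lines."""
    joined = []
    for line in text.splitlines():
        if line.startswith("#"):
            joined.append(line.rstrip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()  # gdb wrapped a long frame
    matches = (FRAME_RE.match(line) for line in joined)
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]


def cxx_runtimes(frames):
    """Distinct C++ runtime libraries (by file name) that appear in the trace."""
    names = [os.path.basename(obj) for _, _, obj in frames if obj]
    return sorted({n for n in names if n.startswith(CXX_RUNTIMES)})


def first_loader(frames):
    """First shared object in the trace that is not a C++ runtime library."""
    for no, _, obj in frames:
        if obj and not os.path.basename(obj).startswith(CXX_RUNTIMES):
            return no, obj
    return None


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_BT)
    print("C++ runtimes in trace:", cxx_runtimes(frames))
    print("first non-runtime object:", first_loader(frames))
```

On the excerpt it reports both `libcxxrt.so.1` and `libstdc++.so.6` in the same process, reached from `libmodsecurity.so.3` at frame #6, which is the kind of detail worth including in a PR.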


----------



## epopen (Jan 21, 2020)

Hi Joneum

Status update.
Yesterday, I saw security/modsecurity3 was updated to 3.0.4, so I upgraded it.
All of the dependent ports were also updated to the latest, as listed below:
www/apache24
security/modsecurity3
security/modsecurity3-apache
lang/gcc9

Result: Got the same segmentation fault error.
I tried to use devel/gdb and got the result as below.

```
(gdb) core httpd.core
[New LWP 101190]
Core was generated by `/usr/local/sbin/httpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000008032a3a18 in ?? ()
(gdb) where
#0  0x00000008032a3a18 in ?? ()
#1  0x00000008024ecc56 in ?? ()
#2  0x0000000802839ea0 in ?? ()
#3  0x00007fffffffc9a0 in ?? ()
#4  0x0000000000000000 in ?? ()
```

All of the debug symbols disappeared.
Thanks a lot


----------



## epopen (Jan 8, 2021)

A fix for the segmentation fault error is impossible, I assume.
security/modsecurity3 was removed.


----------



## SirDice (Jan 8, 2021)

epopen said:


> A fix for the segmentation fault error is impossible, I assume.
> security/modsecurity3 was removed.


Port is still there, nothing has been removed. https://svnweb.freebsd.org/ports/head/security/modsecurity3/

If you're referring to the package, then yes, that could happen if the port fails to build for whatever reason. That said, I can't find any build failures on http://pkg-status.freebsd.org. And the package for security/modsecurity3-apache was built successfully, which can only happen if modsecurity3 was successful too.



http://beefy6.nyi.freebsd.org/data/121amd64-default/560362/logs/modsecurity3-apache-0.0.9.b1.19_1.log


But, just because something was built successfully is no guarantee the application actually works. So there could be bugs in the module itself. If you have problems with it the best course of action would be to open a PR or add your findings to an existing one.


----------

