------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
SQLearn | 13 May 11:28 2016

Implement hash protection for URLs (SecHashEngine currently broken)

Hello there,

I would like to use mod_security feature SecHashMethodRx rule to prevent web
tampering attacks on my CMS.

I want to protect all my generated links (<a href>) and all my generated
form actions by appending a hash on each link's url.

According to our tests and this issue
https://github.com/SpiderLabs/ModSecurity/issues/742 the SecHashEngine is
not working in CentOS 7 and Amazon Linux because of a bug in libxml 2.9.1
library.

Could you propose a workaround for this implementation (possibly using LUA)?

Thanx in advance.


IT.Middleware | 13 May 09:57 2016

Issue while installing Mod security module in Apache httpd 2.4.18

Hello team,

Can anybody pls help me out with this error -- > "mlogc.c:1281: error: ‘CURL_SSLVERSION_TLSv1_0’ undeclared (first use in this function)"

I'm installing mod security module on my linux server with apache 2.4.18 on it.
after using ./configure & executing make install command , getting the following error message ..

make[1]: Entering directory `/web/setup/modsecurity-2.9.1/mlogc'
gcc -DHAVE_CONFIG_H -I. -I../apache2  -DLINUX -D_REENTRANT -D_GNU_SOURCE -I../apache2  -I/usr/local/apr/include/apr-1 -DWITH_CURL  -g -O2  -I/usr/local/apr/include/apr-1  -MT mlogc-mlogc.o -MD -MP -MF .deps/mlogc-mlogc.Tpo -c -o mlogc-mlogc.o `test -f 'mlogc.c' || echo './'`mlogc.c
mlogc.c: In function ‘logc_init’:
mlogc.c:1281: error: ‘CURL_SSLVERSION_TLSv1_0’ undeclared (first use in this function)
mlogc.c:1281: error: (Each undeclared identifier is reported only once
mlogc.c:1281: error: for each function it appears in.)
mlogc.c:1284: error: ‘CURL_SSLVERSION_TLSv1_1’ undeclared (first use in this function)
mlogc.c:1287: error: ‘CURL_SSLVERSION_TLSv1_2’ undeclared (first use in this function)
make[1]: *** [mlogc-mlogc.o] Error 1
make[1]: Leaving directory `/web/setup/modsecurity-2.9.1/mlogc'
make: *** [all-recursive] Error 1


Thanks and regards,
IT Middleware Team

Stefan Müller-Wilken | 12 May 18:55 2016

Up-to-date ruleset for 2.5.9?

Dear all,

there is one of my apache servers, where - for a number of reasons - I can't update mod_security past rev.2.5.9. Is there a source out there for updated rulesets for this deprecated revision? OWASP CRS will no longer work, so I'm looking for alternatives. Thanks for any insights!

Cheers
 Stefan.

Dr. Stefan Müller-Wilken
Business Unit Manager Java Consulting

Millerntorplatz 1, 20359 Hamburg, Germany
Phone: +49 40 822259-239
Mobile: +49 173 2155804
www.acando.de

Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022

Brian A. Davis | 12 May 18:06 2016

Allow and ctl:ruleEngineOff

Is there any functional difference between using the allow action (w/o a phase specified) vs. ctl:ruleEngineOff? Is there processing which still occurs when using allow vs. shutting the engine off?

Thanks,
Brian
Aydemir, Brian | 11 May 16:21 2016

Tools for modifying collections

Are there simple tools for modifying the persistent collections (e.g., IP and USER) that Mod Security
stores on disk? Or documentation on exactly what the format of those files is?

For example, I might have a rule set that ends up blocking an IP address by setting a flag in the IP collection
and checking that flag on subsequent requests. In the event that an IP address is erroneously flagged and
blocked, I’d like to be able to edit the collection and clear the flag, rather than wait for the flag to expire.

Thank you,
Brian
Christian Folini | 11 May 06:45 2016

Path normalisation on REQUEST_FILENAME and REQUEST_URI

Hi there,

The online reference is quite clear when it comes to path anti-evasion:

"Note : Please note that anti-evasion transformations are not used on
REQUEST_URI, which means that you will have to specify them in the rules
that use this variable."

However, this is not what I see. ".." is normalised between phase:1 
and phase:2.

Consider this call (using netcat, as curl does normalisation of its
own):

$> netcat localhost 80
GET /subfolder/../index.html HTTP/1.0

This results in:

Phase 1 : REQUEST_FILENAME (---------------) : /subfolder/../index.html
Phase 1 : REQUEST_FILENAME (t:normalizePath) : /index.html
Phase 1 : REQUEST_URI (--------------------) : /subfolder/../index.html
Phase 1 : REQUEST_URI (-----t:normalizePath) : /index.html
Phase 1 : REQUEST_URI_RAW (----------------) : /subfolder/../index.html
Phase 1 : REQUEST_URI_RAW (-t:normalizePath) : /index.html

Phase 2 : REQUEST_FILENAME (---------------) : /index.html
Phase 2 : REQUEST_FILENAME (t:normalizePath) : /index.html
Phase 2 : REQUEST_URI (--------------------) : /index.html
Phase 2 : REQUEST_URI (-----t:normalizePath) : /index.html
Phase 2 : REQUEST_URI_RAW (----------------) : /subfolder/../index.html
Phase 2 : REQUEST_URI_RAW (-t:normalizePath) : /index.html

Am I reading the reference guide wrong?

Ahoj,

Christian

-- 
The ability to quote is a serviceable substitute for wit.
-- W. Somerset Maugham 
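
Added example, not part of the original post and not ModSecurity project code: rules for checking the phase-dependent values reported above on your own build, and for placing a dot-dot check where it still sees the request as sent. The rule ids (100100 to 100111) and the 400 status are arbitrary assumptions.

```apache
# Added example. Rule ids are placeholders from a local range.

# Diagnostic: log the untransformed variables once per phase so the
# phase 1 / phase 2 difference shown in the post can be confirmed.
SecAction \
    "id:100110,phase:1,pass,log,\
    msg:'Phase 1 : URI=%{REQUEST_URI} RAW=%{REQUEST_URI_RAW} FILENAME=%{REQUEST_FILENAME}'"
SecAction \
    "id:100111,phase:2,pass,log,\
    msg:'Phase 2 : URI=%{REQUEST_URI} RAW=%{REQUEST_URI_RAW} FILENAME=%{REQUEST_FILENAME}'"

# Weak placement: for "GET /subfolder/../index.html" the post shows
# REQUEST_URI already reading "/index.html" in phase 2, so a dot-dot
# check on this variable in this phase has nothing left to match.
SecRule REQUEST_URI "@contains /../" \
    "id:100100,phase:2,t:none,log,deny,status:400,\
    msg:'Dot-dot segment in REQUEST_URI (phase 2)'"

# Robust placement: REQUEST_URI_RAW still holds "/subfolder/../index.html"
# in both phases. Transformations are listed explicitly; urlDecodeUni runs
# first so percent-encoded dots are decoded before the pattern is applied.
# REQUEST_URI_RAW includes the query string, so the pattern also accepts
# "?" as the end of a path segment.
SecRule REQUEST_URI_RAW "@rx /\.\.(?:/|\?|$)" \
    "id:100101,phase:1,t:none,t:urlDecodeUni,log,deny,status:400,\
    msg:'Dot-dot segment in raw request URI'"
```

Because the raw variable carries the query string, rule 100101 can also fire on a parameter value containing `/../`; tune or exclude per application if that is legitimate traffic.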


Brian A. Davis | 10 May 19:26 2016

Temporarily changing variable value for a specific transaction

I have a particular form which allows the number of arguments to bypass the tx.max_num_args=255 value specification in modsecurity_crs_10_config.conf.

Is there a way to change this variable to a larger value just for a specific REQUEST_FILENAME? I don't want to increase it to a larger value for all my transactions, and I don't want to turn this rule off for this particular POST.

Thanks,
Brian
Alireza.M | 8 May 10:15 2016

problem with a form

Hi i have this problem :
--7874056f-A--
[08/May/2016:11:46:40 +0200] Vy8K9X8AAAEAAHojfiAAAAAG 85.9.66.4 5860 192.168.101.42 80
--7874056f-B--
POST /page.php?type=component_sections&id=363&t2=INSF&sid=130 HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.domain.com/page.php?type=component_sections&id=363&t2=INSF&sid=130
Cookie: PHPSESSID=ac769q5keepd9vnqjm2aaaihs1; language=en-US; color=24; res=1366x768
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------77101076017708
Content-Length: 103713

--7874056f-F--
HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--7874056f-H--
Message: Access allowed (phase 1). Pattern match "^5\\.9\\.22\\.5$" at REMOTE_ADDR. [file "/etc/httpd/conf.d/modsecurity.conf"] [line "30"] [id "10005"]
Apache-Error: [file "/builddir/build/BUILD/php-5.5.30/sapi/apache2handler/sapi_apache2.c"] [line 325] [level 3] PHP Notice:  Use of undefined constant _APP - assumed '_APP' in /var/www/html/page.php on line 7, referer: http://www.domain.com/page.php?type=component_sections&id=363&t2=INSF&sid=130
Apache-Error: [file "/builddir/build/BUILD/php-5.5.30/sapi/apache2handler/sapi_apache2.c"] [line 325] [level 3] PHP Notice:  Undefined variable: _SESSION in /var/www/html/page.php on line 7, referer: http://www.domain.com/page.php?type=component_sections&id=363&t2=INSF&sid=130
Apache-Error: [file "/builddir/build/BUILD/php-5.5.30/sapi/apache2handler/sapi_apache2.c"] [line 325] [level 3] PHP Notice:  Undefined offset: 1 in /var/www/html/components/cms/Form/fns.inc.php on line 754, referer: http://www.domain.com/page.php?type=component_sections&id=363&t2=INSF&sid=130

how can i skip this restriction?
thanks
------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
Christian Folini | 8 May 07:00 2016

ARGS and phase:1

Hi there,

When phase:1 was joined with phase:2 / phase:request, we got
--enable-request-early. I switched it on and never looked back.
I worked generally in the main server context and life was good.

However, today I did look back and wanted to check out the behaviour in
detail.

I constructed a rule id collision as follows:

SecRule REQUEST_URI	".*" 	"phase:1,id:1,pass,log,capture,msg:'Main Phase:1: : %{TX.0}'"

<Location />
  SecRule REQUEST_URI	".*" 	"phase:1,id:1,pass,log,capture,msg:'Location / Phase:1: : %{TX.0}'"
</Location>

And it works - meaning the Location-/-rule is not even loaded.

Reading the classical announcement from Ivan on the topic
https://sourceforge.net/p/mod-security/mailman/message/23947426/
I was under the impression, the 2nd rule would be loaded and run just
fine:

> The configuration directives and phase 1 rules will work
> in the <Location> tags (in addition to phase 2 rules, which already
> do).

CHANGES file:

>* Moved phase 1 to be run in the same Apache hook as phase 2. This means
>  that you can now have phase 1 rules in <Location> tags and, more
>  importantly, override server configuration in <Location> and others.
>  (MODSEC-98) [Ivan Ristic]

The Reference Manual reads: Phase Request Headers 
> Note : Rules in this phase can not leverage Apache scope directives
> (Directory, Location, LocationMatch, etc...) as the post-read-request
> hook does not have this information yet. The exception here is the
> VirtualHost directive. If you want to use ModSecurity rules inside
> Apache locations, then they should run in Phase 2. Refer to the Apache
> Request Cycle/ModSecurity Processing Phases diagram.

There seems to be a contradiction here.

Also, I did test this with --enable-request-early and with default:
Identical behaviour.

Anybody can point me to the part of the story which I missed out?

Ahoj,

Christian

-- 
The horizon of many people is a circle with zero radius 
which they call their point of view.
-- Albert Einstein


Darvin Rivera Aguilar | 7 May 17:57 2016

Black List

Greetings to all.
How I can implement a blacklist?

Darvin.



Gmane