Neo Liu | 22 Jun 06:05 2010

Ask a question about regex in CRS

Hi, everyone,
    The following rule comes from
rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, but I
don't understand what the regular expression "(?:[\\\(\)\%#]|--)"
means. What's the meaning of "\%" in a regex?

SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)"
         "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
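What the pattern quoted in the post above matches, as an added example that is not part of the original post or of the CRS. It uses Python's `re` as a stand-in for the PCRE engine ModSecurity uses; both treat a backslash before a punctuation character as that literal character, so `\%` is simply `%`. `MINIMAL_PATTERN`, the helper names and the sample values are constructed for this illustration.

```python
import re
import string

# Pattern copied verbatim from the rule quoted in the post above.
CRS_PATTERN = r"(?:[\\\(\)\%#]|--)"
# Assumption for comparison: same pattern with the optional escapes dropped.
# Only the backslash itself needs escaping inside [...].
MINIMAL_PATTERN = r"(?:[\\()%#]|--)"


def class_members(class_body):
    """Split a [...] body into (token, literal) pairs.

    Handles only plain characters and backslash + punctuation, which is
    all this class contains (no ranges, no \\d-style shorthands).
    """
    pairs, i = [], 0
    while i < len(class_body):
        if class_body[i] == "\\" and i + 1 < len(class_body):
            pairs.append((class_body[i:i + 2], class_body[i + 1]))
            i += 2
        else:
            pairs.append((class_body[i], class_body[i]))
            i += 1
    return pairs


def single_char_hits(pattern):
    """Printable ASCII characters that match the pattern on their own."""
    rx = re.compile(pattern)
    return {c for c in string.printable if rx.fullmatch(c)}


def first_hit(pattern, value):
    """Substring that triggers the pattern in value, or None."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


# Constructed sample parameter values (not taken from real traffic).
SAMPLES = ["alice", "a-b", "50% off", "f(x)", "note -- see below", "C:\\temp", "#1"]

if __name__ == "__main__":
    for token, literal in class_members(r"\\\(\)\%#"):
        print(f"{token!r:8} matches literal {literal!r}")
    print("same set without the extra escapes:",
          single_char_hits(CRS_PATTERN) == single_char_hits(MINIMAL_PATTERN))
    for s in SAMPLES:
        print(f"{s!r:22} -> {first_hit(CRS_PATTERN, s)!r}")
```

Ordinary values such as `50% off` and `f(x)` match as well, while a single hyphen (`a-b`) does not; only the two-character sequence `--` does.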

Brian Rectanus | 22 Jun 19:04 2010

Trustwave Acquires Breach Security and with it ModSecurity

For those of you who do not already know, Trustwave has acquired Breach
Security.  With this acquisition Trustwave has also acquired ModSecurity.

Please see Breach Security's web site and the press release for more info:

http://www.breach.com/
https://www.trustwave.com/pressReleases.php?n=062210

-- 
Brian Rectanus
Breach Security


Chris Datfung | 22 Jun 19:48 2010

Re: Trustwave Acquires Breach Security and with it ModSecurity

On Tue, Jun 22, 2010 at 8:04 PM, Brian Rectanus <Brian.Rectanus <at> breach.com> wrote:
> For those of you who do not already know, Trustwave has acquired Breach
> Security.  With this acquisition Trustwave has also acquired ModSecurity.

Congratulations! What does that mean for future CRS and ModSecurity development?

- Chris

Brian Rectanus | 22 Jun 19:54 2010

Re: Trustwave Acquires Breach Security and with it ModSecurity

On 06/22/2010 10:48 AM, Chris Datfung wrote:
> On Tue, Jun 22, 2010 at 8:04 PM, Brian Rectanus
> <Brian.Rectanus <at> breach.com <mailto:Brian.Rectanus <at> breach.com>> wrote:
> 
>     For those of you who do not already know, Trustwave has acquired Breach
>     Security.  With this acquisition Trustwave has also acquired
>     ModSecurity.
> 
> 
> Congratulation! What does that mean for future CRS and ModSecurity
> development?
> 

It means the support of a much bigger company behind ModSecurity. I'd
love this to be able to expand the community, get ModSecurity into more
places and allow more research and development of some long-desired
features. It will take some time to get things moving, though.

-B

-- 
Brian Rectanus
Breach Security


Dimitri Yioulos | 22 Jun 20:02 2010

Re: Trustwave Acquires Breach Security and with it ModSecurity

On Tuesday 22 June 2010 1:54:45 pm Brian Rectanus 
wrote:
> On 06/22/2010 10:48 AM, Chris Datfung wrote:
> > On Tue, Jun 22, 2010 at 8:04 PM, Brian
> > Rectanus <Brian.Rectanus <at> breach.com
> > <mailto:Brian.Rectanus <at> breach.com>> wrote:
> >
> >     For those of you who do not already know,
> > Trustwave has acquired Breach Security.  With
> > this acquisition Trustwave has also acquired
> > ModSecurity.
> >
> >
> > Congratulation! What does that mean for
> > future CRS and ModSecurity development?
>
> It means the support of a much bigger company
> behind ModSecurity. I'd love this to be able to
> expand the community, get ModSecurity into more
> places and allow more research and development
> of some long-desired features. It will take
> some time to get things moving, though.
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>

Brian,

Hope you and the rest of the Breach staff are 
remaining on-board.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Júnior Moura | 22 Jun 20:25 2010

Re: Trustwave Acquires Breach Security and with it ModSecurity


I hope that modsecurity doesn't become another commercial WAF.



2010/6/22 Dimitri Yioulos <dyioulos <at> firstbhph.com>
On Tuesday 22 June 2010 1:54:45 pm Brian Rectanus
wrote:
> On 06/22/2010 10:48 AM, Chris Datfung wrote:
> > On Tue, Jun 22, 2010 at 8:04 PM, Brian
> > Rectanus <Brian.Rectanus <at> breach.com
> > <mailto:Brian.Rectanus <at> breach.com>> wrote:
> >
> >     For those of you who do not already know,
> > Trustwave has acquired Breach Security.  With
> > this acquisition Trustwave has also acquired
> > ModSecurity.
> >
> >
> > Congratulation! What does that mean for
> > future CRS and ModSecurity development?
>
> It means the support of a much bigger company
> behind ModSecurity. I'd love this to be able to
> expand the community, get ModSecurity into more
> places and allow more research and development
> of some long-desired features. It will take
> some time to get things moving, though.
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>


Brian,

Hope you and the rest of the Breach staff are
remaining on-board.

Dimitri

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



--
Message checked by the Aser Security antivirus system.

--
Regards,

Júnior Moura
CSO - Chief Security Officer
Cel.: +55 (62) 9954 5695
Tel.: +55 (62) 3088 5817
Tel.: +55 (61) 4063 8493
(C) 2004 - 2010 ASER Security
http://www.aser.com.br
------------------------------------------------------------------------------
Richard Gardner | 22 Jun 20:56 2010

Re: Install/compile help on aix 6.1 with ihs 6.1

Not sure how I missed this, so I apologize for the delay.

>-----Original Message-----
>From: Brian Rectanus [mailto:Brian.Rectanus <at> breach.com] 
>Sent: Monday, June 14, 2010 3:25 PM
>To: Richard Gardner
>Cc: mod-security-users <at> lists.sourceforge.net
>Subject: Re: [mod-security-users] Install/compile help on aix 6.1 with ihs 6.1

>On 06/14/2010 11:52 AM, Richard Gardner wrote:
>> Thanks Brian, 
>> 
>> After taking a break, and following your directions I was able to get it installed and it seems to be working. I've written a small writeup as there were a few things I had to change, I'm including it below, just in case anybody else has to do this.
>> 
>> Thanks for all the help.

>Excellent!  You are welcome.

>> 
>> THIS IS FOR AIX 6.1.0 and IHS 6.1.0.27 and mod_security-2.5.12
>> $IHS_HOME is a made up variable, replace with wherever you have ihs installed.
>> 
>> Before you begin the mod_security install.
>> 
>> Download the following from the AIX linux toolset and install them.
>> 
>> autoconf-2.59-1.aix5.1.noarch.rpm
>> automake-1.8.5-1.aix5.1.noarch.rpm

>Are autotools really needed?  Should only be needed if you run the
>"autogen.sh" script.  If these are needed, I may need to make some
>adjustments to the ModSecurity build.

I believe they were needed for some other rpm or possibly the pcre compile. I created a dir and just dropped
all the rpm's I needed into it, so at some point they were required, though it's possible they got included
from one of my earlier mistakes or attempts that didn't pan out. If I can free up a 6.1 box I will give it a try
without these two packages and let you know.

>> gcc-4.2.0-3.aix6.1.ppc.rpm
>> gcc-cplusplus-4.2.0-3.aix6.1.ppc.rpm
>> libgcc-4.2.0-3.aix6.1.ppc.rpm
>> libstdcplusplus-4.2.0-3.aix6.1.ppc.rpm
>> libstdcplusplus-devel-4.2.0-3.aix6.1.ppc.rpm
>> libtool-1.5.8-2.aix5.1.ppc.rpm
>> libxml2-2.6.21-4.aix5.2.ppc.rpm
>> libxml2-devel-2.6.21-4.aix5.2.ppc.rpm
>> m4-1.4.1-1.aix5.1.ppc.rpm
>> zlib-1.2.3-4.aix5.2.ppc.rpm
>> zlib-devel-1.2.3-4.aix5.2.ppc.rpm
>> 
>> You will also have to download and install a newer version of pcre. I downloaded pcre-8.0.0.tar.
>> Extract it then in the dir run ./configure
>> Then make && make install.
>> 
>> You may have to copy the pcre.h file into /$IHS_HOME/include/
>> You may also have to link the /opt/freeware/include/libxml2/libxml/ dir into /$IHS_HOME/include

>Watch out with PCRE.  IHS was probably built with a much older version
>and then one of two things will happen:

>1) You will load the new PCRE runtime and IHS may be unstable not being
>able to handle the newer binary interface.

>2) You will load the older PCRE runtime and ModSecurity may not be
>stable as it has assumed a newer interface.

>This may crash IHS and may look relatively random and as if ModSecurity
>is crashing.  I recommend you use the same version of PCRE/APR/APR-Util
>as is used by IHS to build ModSecurity.  To do this, you may have to
>install an older PCRE RPM or PCRE from source to use the headers, etc as
>they are not normally installed by IHS/Apache.

I'll make note of the above. Yes IHS had a much older version, and when I was trying to compile mod_security it
threw back an error saying pcre was too old and required a newer version, so I downloaded the newer one and
compiled it and went on my way. So far it's running stable and we've not noticed any crashes, though I will
say this certainly does not seem ideal and if I can find a way to get it to work with the older one I would have
preferred that.

>> 
>> Go into /$IHS_HOME/build dir and edit the following files
>> edit libtool to use gcc instead of xlc
>> 
>> # The default C compiler.
>> #CC="xlc_r"
>> CC="gcc"
>> Do the same in apr_rules.mk
>> 
>> #CC=xlc
>> CC=gcc
>> And again in config_vars.mk
>> 
>> CC = gcc
>> CPP = gcc
>> Make sure you edit your path to include the gcc compiler and set CC to gcc as well.
>> 
>> export CC=/opt/freeware/bin/gcc 
>> PATH=$PATH:/opt/freeware/bin/
>> export PATH

>I am trying to solve these gcc assumptions in the next version
>(ModSecurity 2.6).  If you don't mind helping out at some point, I'd
>like to have someone available to test at least building ModSecurity
>2.6 against IHS.

I don't mind trying to help out here. Email me off list and I'll see if I can get a spare 6.1 system setup for this.

>> Then download mod_security-2.5.12.tar.gz and extract it.
>> Go into the mod_security-2.5.12/apache2 dir and run this configure command. Then run make, and make install.
>> 
>> ./configure  --with-apxs=/$IHS_HOME/bin/apxs  --enable-verbose-output --with-apr=/$IHS_HOME/bin/apr-config --with-apu=/$IHS_HOME/bin/apu-config

>You may need to use the following configure options to work with older
>APR/PCRE:

>This if you have errors compiling:

>--disable-modsec-api

>This if you are using an older PCRE as 2.5.12 and later use some newer
>features...

>--disable-pcre-study
>--disable-pcre-match-limit
>--disable-pcre-match-limit-recursion

>> make
>> make install
>> Edit your /$IHS_HOME/conf/httpd.conf file to include the following.
>> Add the LoadModule directive:
>> 
>> LoadModule security2_module modules/mod_security2.so
>> Then add the relevant bit from the minimal-mod_security.httpd.conf file 
>> 
>> 
>> Then go down into your VirtualHost config and add the rules.
>> Restart apache/ihs and you should have it running now.

>Thanks for the writeup!

>-B

Np! By the way Congrats on being acquired. 

> 
> -----Original Message-----
> From: Brian Rectanus [mailto:Brian.Rectanus <at> breach.com] 
> Sent: Monday, June 14, 2010 11:22 AM
> To: Richard Gardner
> Cc: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Install/compile help on aix 6.1 with ihs 6.1
> 
> On 06/11/2010 01:47 PM, Richard Gardner wrote:
>> We are running a ihs(6.1.0.27) server on aix 6.1.0. I have been trying
> 
> This is known to have problems due to the ancient version of Apache
> being used by IHS 6.  Can you upgrade to 7?
> 
>> to install mod_security for the last 2 days with no luck. First I read
>> the documentation and ran the apxs -cia mod_security.c which seems to
> 
> That is for version 1.9.  What version are you trying to build?
> 
>> run and compile fine, but when you go to restart apache you get this:
>> "bash-3.00# ../bin/apachectl restart
>> Syntax error on line 875 of /$IHS_HOME/conf/httpd.conf:
>> Cannot load /$IHS_HOME/modules/mod_security2.so into server:
>> rtld: 0712-001 Symbol msr_log was referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\nrtld: 0712-001 Symbol sec_audit_logger was
>> referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\nrtld: 0712-001 Symbol
>> msre_ruleset_process_phase was referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\nrtld: 0712-001 Symbol msc_regexec was
>> referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\nrtld: 0712-001 Symbol msre_format_metadata
>> was referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\nrtld: 0712-001 Symbol parse_arguments was
>> referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\nrtld: 0712-001 Symbol parse_cookies_v0 was
>> referenced\n      from module
>> /$IHS_HOME/modules/mod_security2.so(), but a runtime definition\n
>> of the symbol was not found.\n\t0509-021 Additional errors occurred but
>> are not reported."
>> and later tried 
>> "./configure  --with-apxs=/$IHS_HOME/bin/apxs
>> --with-apr=/$IHS_HOME/bin/ --with-apu=/$IHS_HOME/bin/
>> --with-pcre=/usr/local/bin/  --enable-verbose-output"
>>
>> The configure runs fine, and make && make install, but you would still
>> end up with the above error on ihs restart.
> 
> The same symbol errors?  That does not sound right.  Are you sure that
> it installed mod_security2.so in the correct place and that it is the
> updated version?
> 
> 
>>
>> I've tried building older versions all the way back to 1.9.4. 1.9 will
>> build the mod_security module, but it's not current enough to fix my
>> problem, as it doesn't seem to recognize the "SecRule" and anything
>> newer that tries to build mod_security2 will fail like above.
> 
> Remove mod_security2.so from your install.  Make sure you run a "make
> clean", then rerun configure/make/make install.  Check this for any
> warnings/errors (send me the full output if you want).  Make sure that
> the mod_security2.so is installed correctly and that your config file is
> loading it from the correct path.
> 
> -B
> 

-- 
Brian Rectanus
Breach Security

Sergio | 22 Jun 20:01 2010

Re: Trustwave Acquires Breach Security and with it ModSecurity

Congratulations!

Sergio Cabrera


On Tue, Jun 22, 2010 at 11:54 AM, Brian Rectanus <Brian.Rectanus <at> breach.com> wrote:
On 06/22/2010 10:48 AM, Chris Datfung wrote:
> On Tue, Jun 22, 2010 at 8:04 PM, Brian Rectanus
> <Brian.Rectanus <at> breach.com <mailto:Brian.Rectanus <at> breach.com>> wrote:
>
>     For those of you who do not already know, Trustwave has acquired Breach
>     Security.  With this acquisition Trustwave has also acquired
>     ModSecurity.
>
>
> Congratulation! What does that mean for future CRS and ModSecurity
> development?
>

It means the support of a much bigger company behind ModSecurity. I'd
love this to be able to expand the community, get ModSecurity into more
places and allow more research and development of some long-desired
features. It will take some time to get things moving, though.

-B

--
Brian Rectanus
Breach Security
