Re: Mod_security question

Spence, Ian (ELS-CAM) wrote:
> Ivan
> 
> Can mod_security check on a token parameter in the URL?
> 
> E.g. _http://server/app?token=digestTokenValue_
> 
> I want the receiving web server to check the token value against an 
> agreed algorithm, for a start it will be MD5 digested.
> 
> I notice with the mod_security rules you can trap on certain parameter 
> values i.e. regex, but given a match can you run a script and then 
> depending on the result of the script, either reject or accept the http 
> request.

   Yes, mod_security can do that. I've added that functionality
   to the 1.9.x branch, so far only in the Apache 1.x version of
   the module. The new directive is called SecFilterExternal and it
   takes only one parameter - the name of the script to execute.

   The script will get the path to the file containing request
   parameters (only that at the moment) as its first parameter.
   Here's an example of a script that uses this feature to interface
   to SpamAssassin:

http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/filter_spamc.pl?rev=1.1&view=auto

   This functionality is still rough and I plan to change the
   data exchange format before the final 1.9.x. version (e.g. to
   include the request headers). But it works and you can play with

RE: 1.9 binary windows

Ivan,

Yes, this sounds good.

Is there any other apache module that will do token processing?

I like the vast array of features in mod_security but all we need right now
is some token processing - MD5 digest/undigest etc.

Ian Spence 

-----Original Message-----
From: mod-security-users-admin <at> lists.sourceforge.net
[mailto:mod-security-users-admin <at> lists.sourceforge.net] On Behalf Of Ivan
Ristic
Sent: 02 March 2005 10:58
To: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] 1.9 binary windows

Spence, Ian (ELS-CAM) wrote:
> Ivan,
> 
> I am interested in obtaining a binary version of mod_security 1.9 for 
> Windows. I am aware this is a development release.

   I've been told recently it does not compile on Windows. (This happens
   sometimes because I only try to build mod_security on Windows for
   the release.)

> I have downloaded the source zip from the download page but I do not 

Re: 1.9 binary windows

Spence, Ian (ELS-CAM) wrote:
> Ivan,
> 
> I am interested in obtaining a binary version of mod_security 1.9 for 
> Windows. I am aware this is a development release.

   I've been told recently it does not compile on Windows. (This happens
   sometimes because I only try to build mod_security on Windows for
   the release.)

> I have downloaded the source zip from the download page but I do not 
> have a full build environment to create a DLL etc.
> 
> I would like to test the enhancement SecFilterExternal as discussed 
> previously.

   I would love to help but I have recently reinstalled my workstation
   so I don't have a development environment either. But I've been
   planning to release a pretty solid 1.9dev2 next week and I'll make
   the effort to make it compile on Windows too. OK?

--

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.

RE: Mod_security question

Ivan

Our target platform is Windows server.

Given the download page states testing has stopped for Windows would you
advise on deploying 1.9 codebase on Windows? I am very interesting in
deploying your suggested enhancement "SecFilterExternal".

Ian Spence

-----Original Message-----
From: Ivan Ristic [mailto:ivanr <at> webkreator.com] 
Sent: 01 March 2005 15:04
To: Spence, Ian (ELS-CAM)
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: Mod_security question

Spence, Ian (ELS-CAM) wrote:
> Ivan
> 
> Can mod_security check on a token parameter in the URL?
> 
> E.g. _http://server/app?token=digestTokenValue_
> 
> I want the receiving web server to check the token value against an 
> agreed algorithm, for a start it will be MD5 digested.
> 
> I notice with the mod_security rules you can trap on certain parameter 
> values i.e. regex, but given a match can you run a script and then 
> depending on the result of the script, either reject or accept the 

Re: RE: Mod_security question

Spence, Ian (ELS-CAM) wrote:
> Ivan
> 
> Our target platform is Windows server.
> 
> Given the download page states testing has stopped for Windows would you
> advise on deploying 1.9 codebase on Windows? I am very interesting in
> deploying your suggested enhancement "SecFilterExternal".

   Well, "stopped testing" is not entirely accurate. The truth is I never
   test mod_security on Windows. I develop and test on Linux, but I only
   compile and run a set of automated tests on Windows. This does not
   mean mod_security does not run or runs badly on Windows. In fact, I
   have had many reports from people who are happily running it on
   Windows. I am merely stating the facts to let people to make their
   own minds.

--

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

Re: 1.9 binary windows

Spence, Ian (ELS-CAM) wrote:
> Ivan,
> 
> Yes, this sounds good.
> 
> Is there any other apache module that will do token processing?

   No, not that I know.

--

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

1.9 binary windows

Where Do Web Application Firewalls Fit in the Overall Defense Strategy?

I think people on this list will find my recent blog
entry interesting:

Where Do Web Application Firewalls Fit in the Overall Defense Strategy?
http://www.modsecurity.org/blog/archives/000052.html

--

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

mod_security build for windows - problem

Ivan,

A colleague of mine has tried to build the dev1.9 source but is seeing the
following error. I know you have said other people have warned of
mod_security not building on Windows. Is getpwuid the wrong method call for
windows, can we simply replace this with an alternative method? Can you
suggest any solution?

Regards,
Ian Spence 

-----Original Message-----
From: Graham, Phillip (ELS) 
Sent: 03 March 2005 15:58
To: Spence, Ian (ELS-CAM)
Subject: mod_security

Hi Ian

after much trying and searching for an answer it would seem that 1.9 does
not build on windows (it uses getpwuid - which is a function not provided on
Win32).  I've posted a question on the newsgroup - and then spotted a reply
to a message from you - which says 1.9 does not compile on windows.

Phill

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

Re: mod_security build for windows - problem

Spence, Ian (ELS-CAM) wrote:
> Ivan,
> 
> A colleague of mine has tried to build the dev1.9 source but is seeing the
> following error. I know you have said other people have warned of
> mod_security not building on Windows. Is getpwuid the wrong method call for
> windows, can we simply replace this with an alternative method? Can you
> suggest any solution?

   If that's the only problem then simply comment out the offending
   parts. The getpwuid call only makes sense on Unix platforms anyway.

   Or surround the code with #if !(defined(WIN32)) and #endif

--

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click