Ivan Ristic | 3 Jan 15:34

ModSecurity Rules subproject is now live


I've just made the ModSecurity Rules subproject live. The rules
are available for download straight away:

  http://www.modsecurity.org/projects/rules/

At the moment the rules consist of two parts:

  1) Hardening rules, in the form of a ModSecurity deployment
     guide.

  2) Rules to detect common web application attacks, designed
     to use ModSecurity as a web intrusion detection tool.

I am open to the idea of having part 3 for rules that deal with
specific application vulnerabilities. However, I don't have much
time to do this myself. I was wondering if there are any list
members that would be interested in contributing the rules
as the vulnerabilities are made public?

Although such specific rules are interesting for their base
value, if properly documented they can be very interesting
as mini case studies and allow new users to understand how
ModSecurity can be used.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org


lists | 3 Jan 16:14

AuthorizeNet blocks?


I recently started using the rules at gotroot, last month. Around that time
a script I use for payment processing thru Anet is acting up. Anet is
supposed to send back TransID and AVS codes for every transaction... They
are not now (were before). Is it possible that modsec is partially blocking
the response and not logging it (nothing in logs)?

P.S. Using 1.9.2

TIA

-Mike

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
Ivan Ristic | 3 Jan 16:21

Re: AuthorizeNet blocks?

lists <at> 323inc.com wrote:
> 
> I recently started using the rules at gotroot, last month. Around that time
> a script I use for payment processing thru Anet is acting up. Anet is
> supposed to send back TransID and AVS codes for every transaction... They
> are not now (were before). Is it possible that modsec is partially blocking
> the response and not logging it (nothing in logs)?

  No, unless you've explicitly disabled logging in the configuration.

  Your access logs will always contain logs of requests. Look
  there for further information.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
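Ivan's pointer above is the practical one: the access log records every request Apache handled, whether or not ModSecurity denied it, so it shows whether the Authorize.Net callback ever arrived and which status code it received. The script below is an added illustration (not from this thread or the ModSecurity project): it parses Apache Combined Log Format lines and flags requests under a callback path that ended in a 4xx/5xx status or an empty body. The path `/anet/` and the log lines are constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Flag suspicious access-log entries for a payment-callback path.

Added example, not code from the mailing-list post or from ModSecurity.
Assumes Apache Combined Log Format; the callback path /anet/ and the
sample lines are constructed placeholders.
"""
import re
from collections import Counter

# Combined Log Format:
#   host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def callback_report(lines, path_prefix):
    """Return (hits, suspicious) for requests whose path starts with path_prefix.

    A denial by ModSecurity still produces an access-log line; it carries the
    status the deny action was configured to return (403 by default in 1.x),
    so a 4xx/5xx status or a zero-byte body on the callback path is the thing
    to look for.
    """
    hits, suspicious = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        hits.append(rec)
        if rec["status"] >= 400 or rec["bytes"] == 0:
            suspicious.append(rec)
    return hits, suspicious


def status_summary(lines, path_prefix):
    """Histogram of status codes seen on the callback path."""
    hits, _ = callback_report(lines, path_prefix)
    return dict(Counter(r["status"] for r in hits))


# Constructed sample log: one denied callback, one good one, one unrelated
# request, and one callback that got a 406 with an empty body.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jan/2006:16:05:12 +0000] "POST /anet/relay.php HTTP/1.1" 403 289 "-" "AuthorizeNet"
198.51.100.7 - - [03/Jan/2006:16:05:40 +0000] "POST /anet/relay.php HTTP/1.1" 200 1024 "-" "AuthorizeNet"
203.0.113.9 - - [03/Jan/2006:16:06:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2006:16:07:22 +0000] "POST /anet/relay.php HTTP/1.1" 406 0 "-" "AuthorizeNet"
"""

if __name__ == "__main__":
    hits, bad = callback_report(SAMPLE_LOG.splitlines(), "/anet/")
    print(f"{len(hits)} callback requests, {len(bad)} suspicious")
    for r in bad:
        print(f'{r["time"]} {r["method"]} {r["path"]} -> {r["status"]} ({r["bytes"]} bytes)')
```

Run it against the real access log with the real callback path in place of `/anet/`; a callback that never shows up at all points away from ModSecurity, while one that shows up with a denial status points at a rule, whose id is then found in the audit or error log for that timestamp.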

dubai | 4 Jan 09:32

ad-on for mod_security

to your information see:
https://events.ccc.de/congress/2005/wiki/Gulliddos
----------
Hi there,

We are now getting step 2 of the DDoS! We get UDP floods to
port 80. We currently have no router of our own in front of
the servers, so we can't block the requests. Services on all
websites (antispam, computerbetrug and antispam) have been down
for 1-2 hours. Update: Our ISP is blocking the
UDP flood for us.

[1] is the biggest German "underground portal". We and
3 other German customer protection websites
(dialerschutz.de, antispam.de and computerbetrug.de)
are currently getting a big DDoS from an unknown attacker. We
have collected a lot of information, and want to make
it public here.

It seems that the attacker built a botnet with about
5,000 zombies. We found a way to identify most of the
affected hosts. Now we blacklist all those hosts with
hi-pac (an iptables replacement), so the site is still
up.

Here is a list with all clients we currently block:
https://events.ccc.de/congress/2005/mediawiki/images/a/a1/Ipliste.txt

(anyone knows how to upload some stuff with no
"/images" in the url? :) )
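A list like the one linked above is only useful to a defender if it is sanitised before it reaches the packet filter: junk lines must be dropped, neighbouring hosts collapsed into prefixes so the rule set stays small, and the defender's own private ranges kept out so a bad entry cannot take the site down from the inside. The script below is an added example, not from the CCC wiki post or from hi-pac: it assumes a one-address-per-line list like the one described, and renders iptables rules as the assumed target (the post used hi-pac). The sample list is constructed from RFC 5737 documentation addresses.

```python
"""Validate, de-duplicate and collapse an IP blocklist into DROP rules.

Added example, not code from the thread or from hi-pac. Assumes a
plain-text list, one address per line, '#' comments allowed; emits
iptables syntax as the assumed target filter.
"""
import ipaddress

# RFC 1918 ranges are listed explicitly rather than via is_private, so the
# behaviour does not depend on which special-purpose ranges a given Python
# release classifies as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: duplicates, a comment, an unparsable line, an RFC 1918
# address that must never be blocked on the firewall, and a run of four
# neighbouring hosts that collapse into a single /30.
SAMPLE_LIST = """\
# zombie hosts seen flooding port 80
198.51.100.1
198.51.100.2
198.51.100.3
198.51.100.3
198.51.100.0
not-an-ip
192.168.1.5
203.0.113.77
"""


def is_non_public(ip):
    """True for addresses that must not appear in a public blocklist."""
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return True
    return any(ip in net for net in RFC1918)


def load_blocklist(text):
    """Return (networks, rejected).

    networks: collapsed, sorted list of ip_network objects ready for rules.
    rejected: list of (entry, reason) for lines that were not accepted.
    """
    addrs, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            rejected.append((line, "unparsable"))
            continue
        if is_non_public(ip):
            rejected.append((line, "non-public"))
            continue
        addrs.add(ip)
    # collapse_addresses merges adjacent host routes into the smallest prefixes
    networks = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(str(a)) for a in addrs))
    return networks, rejected


def iptables_rules(networks, chain="INPUT"):
    """One DROP rule per collapsed prefix."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in networks]


if __name__ == "__main__":
    nets, bad = load_blocklist(SAMPLE_LIST)
    for rule in iptables_rules(nets):
        print(rule)
    for entry, why in bad:
        print(f"rejected {entry!r}: {why}")
```

Collapsing matters at the scale the post describes: several thousand host entries become far fewer prefix rules, and the rejected list gives the operator something to review instead of silently feeding garbage into the filter.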

Jason Edgecombe | 4 Jan 15:00

Re: ad-on for mod_security

On an interesting, but possibly relevant, note:

I've noticed that the number of web spam attempts on my server has 
dropped by 90% since Jan 2. I'm not sure if this is relevant or not.

Just thought I would share.

Jason

dubai wrote:

>to your information see:
>https://events.ccc.de/congress/2005/wiki/Gulliddos
>----------
>Hi there,
>
>We are now getting step 2 of the DDoS! We get UDP floods to
>port 80. We currently have no router of our own in front of
>the servers, so we can't block the requests. Services on all
>websites (antispam, computerbetrug and antispam) have been down
>for 1-2 hours. Update: Our ISP is blocking the
>UDP flood for us.
>
>[1] is the biggest German "underground portal". We and
>3 other German customer protection websites
>(dialerschutz.de, antispam.de and computerbetrug.de)
>are currently getting a big DDoS from an unknown attacker. We
>have collected a lot of information, and want to make
>it public here.
>

Chris Mazza | 6 Jan 00:33

Installation Error

Hello,

I am trying to install mod_security and I am getting the following error:

[root <at> web apache1]# /hsphere/shared/apache/bin/apxs -cia mod_security.c
gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm
-DDEV_RANDOM=/dev/random -DMOD_SSL=208125 -DUSE_HSREGEX -DEAPI -DEAPI_MM
-I/usr/kerberos/include -fpic -DSHARED_MODULE
-I/hsphere/shared/apache/include  -c mod_security.c
gcc -shared -o mod_security.so mod_security.o
[activating module `security' in /hsphere/local/config/httpd/httpd.conf]
cp mod_security.so /hsphere/shared/apache/libexec/mod_security.so
cp: cannot stat `mod_security.so': No such file or directory
apxs:Break: Command failed with rc=1

My info is as follows:

Linux web.hspherenet.com 2.4.21-37.ELsmp #1 SMP Wed Sep 28 14:05:46 EDT 2005
i686 i686 i386 GNU/Linux

[root <at> web bin]# ./httpd -V
Server version: Apache/1.3.34 (Unix)
Server built:   Nov  4 2005 19:46:33
Server's Module Magic Number: 19990320:18
Server compiled with....
 -D EAPI
 -D EAPI_MM
 -D EAPI_MM_CORE_PATH="/hsphere/local/var/httpd/logs/httpd.mm"
 -D HAVE_MMAP
 -D HAVE_SHMGET

Tim Koelman | 7 Jan 01:18

Problems compiling mod_security on debian 3.1

Problems compiling mod_security on debian 3.1 (SARGE) Linux debian 
2.6.8-2-386
Server version: Apache/2.0.54
Server built:   Sep  5 2005 11:15:09

Compiled in modules:
 core.c
 mod_access.c
 mod_auth.c
 mod_log_config.c
 mod_logio.c
 mod_env.c
 mod_setenvif.c
 prefork.c
 http_core.c
 mod_mime.c
 mod_status.c
 mod_autoindex.c
 mod_negotiation.c
 mod_dir.c
 mod_alias.c
 mod_so.c

I get this error:

debian:~/modsecurity-apache-1.9.1/apache2# apxs2 -cai mod_security.c
/usr/bin/libtool --silent --mode=compile gcc -prefer-pic -pipe 
-I/usr/include/xmltok -I/usr/include/openssl -Wall -O2 
-DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT 
-D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pipe 

Ivan Ristic | 7 Jan 14:14

Re: Problems compiling mod_security on debian 3.1

Tim Koelman wrote:
> Problems compiling mod_security on debian 3.1 (SARGE) Linux debian

  Just comment out lines 51 (#if MODULE_MAGIC_NUMBER >= 20050127)
  and 58 (#endif). I'll add the fix into 1.9.2.

  Thanks for letting me know.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

Ivan Ristic | 7 Jan 14:16

Re: Installation Error

Chris Mazza wrote:
> Hello,
> 
> I am trying to install mod_security and I am getting the following error:
> 
> [root <at> web apache1]# /hsphere/shared/apache/bin/apxs -cia mod_security.c
> gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm
> -DDEV_RANDOM=/dev/random -DMOD_SSL=208125 -DUSE_HSREGEX -DEAPI -DEAPI_MM
> -I/usr/kerberos/include -fpic -DSHARED_MODULE
> -I/hsphere/shared/apache/include  -c mod_security.c
> gcc -shared -o mod_security.so mod_security.o
> [activating module `security' in /hsphere/local/config/httpd/httpd.conf]
> cp mod_security.so /hsphere/shared/apache/libexec/mod_security.so
> cp: cannot stat `mod_security.so': No such file or directory
> apxs:Break: Command failed with rc=1

  I don't think it's a mod_security problem. You are probably unable
  to compile any third-party Apache module. Is there a compiler at
  all on that box? Does invoking apxs generate any files at all (in
  the same folder as the source code)?

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934


Chris Mazza | 7 Jan 16:07

Installation Error

Hello,

I have the following installed on the box as per another person's
suggestion, and it still won't work:

gcc libgcc gcc-c++ glibc glibc-devel glibc-kernheaders glibc-common
glibc-headers glibc-utils compat-gcc gcc-objc compat-gcc-c++ glibc-profile

Am I still missing something? Any help is greatly appreciated.
Thanks,
Chris Mazza
