CASTELLE Thomas | 1 Feb 13:02

mod_security rules feature request + production tools ?

Hello everybody,

The new mod_security rules project is a great thing. It is more generic
than the gotroot.com files, and the files are smaller (which is, I
think, good for performance).

However, I have 2 small modification requests :

- Could you add "id" and "rev" meta-data to each rule, so that we can
exclude specific rules when the protected website matches false
positives.
It could also allow us to run automatic updates by detecting new rules
or changes on existing rules.

- Could you modify the "JavaScript event handlers" rules, because it
seems too generic to me.
Couldn't :
        "SecFilterSelective ARGS "onSelect""
be instead :
        "SecFilterSelective ARGS "onSelect[[:space:]]*=|=[[:space:]]*onSelect""

For instance, some of our websites match this because of
"http://blablabla/test?task=ValidationSelection"

Thanks for your help,

Regards,

Thomas.

CASTELLE Thomas | 1 Feb 14:11

RE: mod_security rules feature request + production tools ?

Well, I looked quickly on the Internet and it seems that it could happen with IE-specific websites : http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp

Two other questions :
- Do you think you'll provide a simple tool to automatically download new rulesets, compare them with the ones in production, detect changes and integrate them in the production environment, like the "rule-du-jour" script for spamassassin ?

- Do you know if a modsecurity log analysis tool exists ? One that could generate a human-readable report daily with the different events detected or blocked ?

Thanks very much for your help !

Regards,

Thomas.

-----Original Message-----
From: Ivan Ristic [mailto:ivanr <at> webkreator.com]
Sent: Wednesday, 1 February 2006 13:23
To: CASTELLE Thomas
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] mod_security rules feature request + production tools ?

CASTELLE Thomas wrote:
> Hello everybody,
>
> The new mod_security rules project is a great thing. It is more generic
> than the gotroot.com files, and the files are smaller (which is, I
> think, good for performance).
>
> However, I have 2 small modification requests :
>
> - Could you add "id" and "rev" meta-data to each rule, so that we can
> exclude specific rules when the protected website matches false
> positives.
> It could also allow us to run automatic updates by detecting new rules
> or changes on existing rules.

  Yes. That's mostly the reason why the rules are still in beta.
  As soon as I assign IDs to them they will be moved to production
  status.


> - Could you modify the "JavaScript event handlers" rules, because it
> seems too generic to me.
>
> Couldn't :
>         "SecFilterSelective ARGS "onSelect""
> be instead :
>         "SecFilterSelective ARGS
> "onSelect[[:space:]]*=|=[[:space:]]*onSelect"
>
> For instance, some of our websites match this because of
> "http://blablabla/test?task=ValidationSelection"

  Makes sense. Which case would =[[:space:]]*onSelect" match?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

Ivan Ristic | 1 Feb 13:22

Re: mod_security rules feature request + production tools ?

CASTELLE Thomas wrote:
> Hello everybody,
> 
> The new mod_security rules project is a great thing. It is more generic
> than the gotroot.com files, and the files are smaller (which is, I
> think, good for performance).
> 
> However, I have 2 small modification requests :
> 
> - Could you add "id" and "rev" meta-data to each rule, so that we can
> exclude specific rules when the protected website matches false
> positives.
> It could also allow us to run automatic updates by detecting new rules
> or changes on existing rules.

  Yes. That's mostly the reason why the rules are still in beta.
  As soon as I assign IDs to them they will be moved to production
  status.

> - Could you modify the "JavaScript event handlers" rules, because it
> seems too generic to me.
>
> Couldn't :
>         "SecFilterSelective ARGS "onSelect""
> be instead :
>         "SecFilterSelective ARGS
> "onSelect[[:space:]]*=|=[[:space:]]*onSelect"
> 
> For instance, some of our websites match this because of
> "http://blablabla/test?task=ValidationSelection"

  Makes sense. Which case would =[[:space:]]*onSelect" match?

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

Ivan Ristic | 1 Feb 15:07

Re: mod_security rules feature request + production tools ?

CASTELLE Thomas wrote:
> Well, I looked quickly on the Internet and it seems that it could happen
> with IE-specific websites :
> http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp

  Yes, but that would already be handled with

  onSelect[[:space:]]*=

  I don't think the second part =[[:space:]]*onSelect is needed.

> Two other questions :
> - Do you think you'll provide a simple tool to automatically download
> new rulesets, compare them with the ones in production, detect changes
> and integrate them in the production environment, like the
> "rule-du-jour" script for spamassassin ?

  I don't have any immediate plans. It's like this: I can either choose
  to work on ModSecurity itself or on the related utilities. ModSecurity
  wins every time. I appreciate that it's not easy to start contributing
  to ModSecurity because of the complexities involved but it'd be really
  nice to see someone step up and work on the related utilities.

  (Also I am not sure there is a need for something like that because
  I don't see the generic rules changing often.)

> - Do you know if a modsecurity log analysis tool exists ? One that could
> generate a human-readable report daily with the different events
> detected or blocked ?

  No, but I am working on a commercial tool for real-time log
  aggregation and reporting at the moment. A beta should be available
  in the next couple of weeks.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
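
Added example (not part of the original thread or of the ModSecurity rule set): a POSIX shell check that runs the three patterns discussed above over sample argument strings, using `grep -E` as a stand-in for the module's regex engine. The first sample is the query string from the post; the other two are constructed, and the third shows the kind of input that only the `=[[:space:]]*onSelect` alternative catches.

```shell
#!/bin/sh
# Added example: compare the "onSelect" patterns from the thread.
# grep -E (POSIX ERE) stands in for the module's regex engine here;
# that substitution is an assumption of this example.

BROAD='onSelect'                                        # rule as shipped
PROPOSED='onSelect[[:space:]]*=|=[[:space:]]*onSelect'  # Thomas's proposal
NARROW='onSelect[[:space:]]*='                          # first alternative only

# hits PATTERN STRING -> echoes 1 if PATTERN matches STRING, else 0.
hits() {
    if printf '%s\n' "$2" | grep -Eq -e "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Print one row per sample input and one column per pattern.
report() {
    printf '%-28s %-6s %-9s %s\n' input broad proposed narrow
    while IFS= read -r s; do
        printf '%-28s %-6s %-9s %s\n' "$s" \
            "$(hits "$BROAD" "$s")" \
            "$(hits "$PROPOSED" "$s")" \
            "$(hits "$NARROW" "$s")"
    done <<'EOF'
task=ValidationSelection
q=<input onSelect = "f()">
mode=onSelectAll
EOF
}

report
```

`grep -E` matches case-sensitively here; whether the deployed engine folds case should be checked separately before relying on these results.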

De Vries, Richard | 2 Feb 04:09

Error in function sec_debug_log while compiling mod_security 1.9.2 against apache 2.2.0 on solaris 9

I had several issues compiling mod_security 1.9.2 against apache 2.2.0 on Solaris 9 (sparc), but resolved most of them …. Except one:

 

$ /usr/local/apps/apache/bin/apxs -cia mod_security.c
/usr/local/apr/build-1/libtool --silent --mode=compile gcc -prefer-pic   -DSOLARIS2=9 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -g -O2 -pthreads -I/usr/local/apache2/include  -I/usr/local/apr/include/apr-1   -I/usr/local/apr/include/apr-1 -I/usr/local/include  -c -o mod_security.lo mod_security.c && touch mod_security.slo
mod_security.c: In function `sec_debug_log':
mod_security.c:6132: `__builtin_va_alist' undeclared (first use in this function)
mod_security.c:6132: (Each undeclared identifier is reported only once
mod_security.c:6132: for each function it appears in.)
apxs:Error: Command failed with rc=65536

Has anyone seen/experienced this error before?

 

Thank you,

Richard

Peter | 2 Feb 12:26

Re: .htaccess, AUTH, and file access

I received this back from my hosting provider:

"Thank you for giving us that information. It appears that the
investigation is complete. We have determined that you are having problems
with password protection with your .xls files because you can not password
protect the .xls file extension with an .htaccess file in our shared
hosting environment, as it is processed by Tomcat."

Any ideas to circumvent this? Thx

Ivan Ristic | 2 Feb 14:17

Re: Re: .htaccess, AUTH, and file access

Peter wrote:
> I received this back from my hosting provider:
> 
> "Thank you for giving us that information. It appears that the
> investigation is complete. We have determined that you are having problems
> with password protection with your .xls files because you can not password
> protect the .xls file extension with an .htaccess file in our shared
> hosting environment, as it is processed by Tomcat."
> 
> Any ideas to circumvent this? Thx

  Circumvent - no. Solve the problem - possibly. If you are in control
  of your own web.xml you can configure another authentication layer
  in Tomcat.

  Of course, the real question is why do they have such a confusing
  setup in the first place. A major point of having Apache in front
  of application servers is to use its facilities. It makes no sense
  to me to forward requests to application servers before authentication
  phase takes place.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

Ivan Ristic | 2 Feb 14:32

Re: Error in function sec_debug_log while compiling mod_security 1.9.2 against apache 2.2.0 on solaris 9

De Vries, Richard wrote:
> I had several issues compiling mod_security 1.9.2 against apache 2.2.0
> on Solaris 9 (sparc), but resolved most of them …. Except one:
>
>
>
> $ /usr/local/apps/apache/bin/apxs -cia mod_security.c
>
> /usr/local/apr/build-1/libtool --silent --mode=compile gcc -prefer-pic
> -DSOLARIS2=9 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -g -O2 -pthreads
> -I/usr/local/apache2/include  -I/usr/local/apr/include/apr-1
> -I/usr/local/apr/include/apr-1 -I/usr/local/include  -c -o
> mod_security.lo mod_security.c && touch mod_security.slo
>
> mod_security.c: In function `sec_debug_log':
>
> mod_security.c:6132: `__builtin_va_alist' undeclared (first use in this
> function)
>
> mod_security.c:6132: (Each undeclared identifier is reported only once
>
> mod_security.c:6132: for each function it appears in.)
>
> apxs:Error: Command failed with rc=65536
>
> .
>
> Has anyone seen/experienced this error before?

  Unfortunately I don't have access to Solaris systems to try to compile
  myself. There's no such thing as "__builtin_va_alist" in mod_security.c
  but the name is probably coming from an expanded macro "va_list". I don't
  have an idea why the macro (from stdarg.h) is incorrectly expanded. Perhaps
  "man va_start" could give you an idea.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

Peter | 2 Feb 15:17

Re: Re: .htaccess, AUTH, and file access

On Thu, 02 Feb 2006 13:17:07 +0000, Ivan Ristic wrote:

> Peter wrote:
>> I received this back from my hosting provider:
>> 
>> "Thank you for giving us that information. It appears that the
>> investigation is complete. We have determined that you are having
>> problems with password protection with your .xls files because you can
>> not password protect the .xls file extension with an .htaccess file in
>> our shared hosting environment, as it is processed by Tomcat."
>> 
>> Any ideas to circumvent this? Thx
> 
>   Circumvent - no. Solve the problem - possibly. If you are in control of
>   your own web.xml you can configure another authentication layer in
>   Tomcat.
> 
>   Of course, the real question is why do they have such a confusing setup
>   in the first place. A major point of having Apache in front of
>   application servers is to use its facilities. It makes no sense to me to
>   forward requests to application servers before authentication phase
>   takes place.

Thank you. It did not make sense to me, but I am a novice at this. Yes, I
do have control over web.xml. Currently, only my error page is in it.
<?xml version="1.0" ?>
<web-app>
	<error-page>
		<error-code>404</error-code>
		<location>/errorpage.html</location>
	</error-page>
</web-app>

Not meaning to take up your time or that of others here, is there a URL
where I can read up on Tomcat, learn about the commands I can embed in
web.xml and where I can learn the differences between what I would put in
web.xml vs. what I would use htaccess for?

Looking forward to some heady weekend reading :) (Sarcasm intended!)

Ivan Ristic | 2 Feb 17:08

Re: Re: Re: .htaccess, AUTH, and file access

Peter wrote:
>
> Not meaning to take up your time or that of others here, is there a URL
> where I can read up on Tomcat, learn about the commands I can embed in
> web.xml and where I can learn the differences between what I would put in
> web.xml vs. what I would use htaccess for?
> 
> Looking forward to some heady weekend reading :) (Sarcasm intended!)

  Tomcat lives at http://tomcat.apache.org/. It appears to be well
  documented. I believe this is what you are after:

  http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
