Dan Rossi | 1 Dec 04:54

mod sec 1.9 and apache 1.3

Hi, I've put mod sec 1.9 on our apache 1.3 server and moved some rules over from our 1.8 install. How do I now put the server in detection mode?

I left SecAuditEngine On but turned SecFilterEngine Off; it doesn't log anything. When I turned SecFilterEngine On, even with this default action I get denials. We just want to detect and monitor so we can clean up the false positives, as a lot of scripts pass dirty data in query strings on these servers, like URLs, etc.

SecFilterDefaultAction "allow,log,status:403"
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
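An added example, not from this thread and not ModSecurity project code, that applies the 1.x action model to a migrated ruleset. With SecFilterEngine Off no rules are evaluated at all, so nothing reaches the audit log; with the engine on, a rule that carries its own action list uses that list instead of SecFilterDefaultAction, which is how rules copied from a blocking install keep denying under an allow/pass default. In 1.x "allow" also skips the remaining rules after the first match, so for log-everything operation "pass,log" is the better default. The ruleset in the script is constructed for illustration; the script lists which rules would still block and writes a log-only copy.

```python
"""Audit ModSecurity 1.x rules for action lists that still block, and write
a log-only copy of the ruleset."""
import re
import shlex

# Constructed sample ruleset (not from any real distribution): rules in the
# 1.x SecFilter/SecFilterSelective syntax, some with their own action lists.
SAMPLE_RULES = r'''
SecFilterEngine On
SecAuditEngine On
SecFilterDefaultAction "allow,log,status:403"
# SQL injection, carries its own action list
SecFilterSelective ARGS "union\s+select" "deny,log,status:403,msg:'SQL injection'"
# Directory traversal, uses the default action list
SecFilterSelective THE_REQUEST "\.\./"
# Keyword filter with its own action list
SecFilter "/etc/passwd" "deny,log,status:406"
# Already log-only
SecFilterSelective ARGS:q "<script" "pass,log,msg:'XSS'"
'''

RULE_DIRECTIVES = ("SecFilter", "SecFilterSelective")
BLOCKING = {"deny", "redirect"}                    # actions that stop the request
ACTION_SPLIT = re.compile(r"(?:[^,']|'[^']*')+")   # commas inside '...' do not split


def split_actions(action_list):
    """"deny,log,msg:'a,b'" -> ['deny', 'log', "msg:'a,b'"]"""
    return ACTION_SPLIT.findall(action_list)


def action_names(actions):
    """Action names without their parameters: 'status:403' -> 'status'."""
    return {a.split(":", 1)[0] for a in actions}


def parse_rules(text):
    """Return (default action list, rules). A rule records its line number,
    directive, arguments (keyword, or location and keyword) and own actions."""
    default_actions, rules = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "SecFilterDefaultAction":
            default_actions = split_actions(tokens[1])
        elif tokens[0] in RULE_DIRECTIVES:
            nargs = 1 if tokens[0] == "SecFilter" else 2
            own = split_actions(tokens[1 + nargs]) if len(tokens) > 1 + nargs else []
            rules.append({"line": lineno, "directive": tokens[0],
                          "args": tokens[1:1 + nargs], "actions": own})
    return default_actions, rules


def find_blocking_rules(default_actions, rules):
    """Rules that block on match: a rule's own action list replaces the default
    one, so a per-rule deny blocks even when the default action is allow/pass."""
    default_blocks = bool(action_names(default_actions) & BLOCKING)
    blocking = []
    for rule in rules:
        if rule["actions"]:
            blocks = bool(action_names(rule["actions"]) & BLOCKING)
        else:
            blocks = default_blocks
        if blocks:
            blocking.append(rule)
    return blocking


def quote(token):
    """Double-quote a token for an Apache config line unless it is a bare word."""
    return token if re.fullmatch(r"[\w:|]+", token) else '"' + token + '"'


def to_detection_only(text):
    """Rewrite the ruleset so matches are logged but never blocked: the default
    action becomes pass,log and deny/redirect in per-rule lists become pass."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        tokens = shlex.split(line) if line and not line.startswith("#") else []
        if tokens and tokens[0] == "SecFilterDefaultAction":
            out.append('SecFilterDefaultAction "pass,log"')
        elif tokens and tokens[0] in RULE_DIRECTIVES:
            nargs = 1 if tokens[0] == "SecFilter" else 2
            parts = [tokens[0]] + [quote(t) for t in tokens[1:1 + nargs]]
            if len(tokens) > 1 + nargs:
                own = ["pass" if a.split(":", 1)[0] in BLOCKING else a
                       for a in split_actions(tokens[1 + nargs])]
                parts.append('"' + ",".join(own) + '"')
            out.append(" ".join(parts))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    defaults, rules = parse_rules(SAMPLE_RULES)
    for rule in find_blocking_rules(defaults, rules):
        print("line %d still blocks: %s %s"
              % (rule["line"], rule["directive"], " ".join(rule["args"])))
    print(to_detection_only(SAMPLE_RULES))
```

Run against the constructed ruleset it reports the two rules with their own deny lists (the traversal rule inherits the non-blocking default and is not reported), and the converted output parses back with no blocking rules left. The action splitter treats commas inside single quotes as part of a msg parameter; patterns containing a literal double quote are the one case the simple quoting does not handle.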
Ofer Shezaf | 1 Dec 13:26

Reducing number of events in the audit log

Hi All,

I've written a blog entry on reducing the number of events generated by the core rule set. You can read it at:

http://www.modsecurity.org/blog/archives/2006/11/why_so_many_eve.html

Enjoy

~ Ofer

Ofer Shezaf
ModSecurity Core Rule Set Project Leader

CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers <at> breach.com
http://www.breach.com

Arthur Fonzarelli | 1 Dec 15:48

Virusscanning on downloads with ModSecurity2?

Hi,

Is it possible to use ModSecurity 2 for virus scanning on downloads? I've 
already managed to set up virus scanning on uploads with 'SecRule FILES' and the 
ClamAV script, but I would like to have downloads scanned for viruses too.

Regards,

Arthur Fonzarelli

Ryan Barnett | 1 Dec 16:02

Re: Virusscanning on downloads with ModSecurity2?

You should be fine if you are scanning on uploads and also using normal
OS AV scanning software to periodically scan your own data files.

Scanning on downloads seems like overkill and would introduce some
latency, depending on how it was implemented.  Unless your files are
being stored as blobs inside a DB or something, it is much easier to
just scan this at the OS level with normal AV programs.

The only catch here is that on the Unix side, the AV programs are not
triggered for "On-Access" types of scanning like they are on MS, meaning
that you have to schedule AV scanning through Cron or something.  So, if
you have some files that will only be resident on your system for a
short period of time (and this happens to fall between scheduled scans)
then targeted scanning prior to serving a file might work.

-- 
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Arthur
> Fonzarelli
> Sent: Friday, December 01, 2006 9:49 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] Virusscanning on downloads with
> ModSecurity2?
> 
> Hi,
> 
> Is it possible to use ModSecurity 2 for virusscanning on downloads? I've
> already managed to setup virusscanning on uploads with 'SecRule FILES' and
> the
> ClamAV script, but I would like to have downloads scanned on virusses too.
> 
> Regards,
> 
> Arthur Fonzarelli

Éliás Tamás | 2 Dec 20:51

horde becoming dead-slow after modsec2 with gotroot rules installed

Udv / Greetings!

I already have a HORDE portal system with apache2.2 and php5.2 built
from source, with mod_evasive and mod_security 1.9 with gotroot rules.

After I set up the system to use modsecurity 2 with gotroot rules,
the whole site became DEAD SLOW! (takes 15 minutes to log in).

With 1.9, all ok. Any ideas?

-- 
Thomas Elias
Title: *NIX Sysadmin, PHP/Delphi/C++ programmer, Certified IBM UDB DB2 Database Administrator
mailto: eliast <at> venk.hu, eliast <at> kanizsanet.hu
Tel.: +3630/3484202
ICQ UIN: 206-714-459
Quote: "Too many people making too many problems (InFlames)"
Ryan Barnett | 2 Dec 21:28

Re: horde becoming dead-slow after modsec2 withgotroot rules installed

My guess would be one of two things -

1) You need to compile Apache/ModSecurity to use PCRE to speed up the RegEx matching.

2) You are using way too many/unneeded rules from Gotroot.  

Don't get me wrong (Mike Shinn, if you are reading this :), Gotroot is a great resource for ModSecurity
attack signatures; however, most people are implementing ALL of the signatures and that is overkill.  Keep
in mind that ModSecurity is a WAF and not an IDS.  The big difference here is that IDS sensors need to have more
and more negative sigs to be able to catch attacks.  They don't really have a fear of negatively impacting
the actual connection.  When you are inline, as ModSecurity is, you need your rulesets to be tight and
efficient.  Point being, if I am an Apache shop using Java, why would I want to include 300 rules for ASP/PHP
attacks?  It will do nothing but impact my performance.

Think of it this way - GotRoot is a play on the old Got Milk commercials, right?  Well, drinking too much milk
isn't good for you either!   

-- 
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Éliás Tamás
> Sent: Saturday, December 02, 2006 2:51 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] horde becoming dead-slow after modsec2
> withgotroot rules installed
> 
> Udv / Greetings!
> 
> I  already  have a HORDE portal system with apache2.2 and php5.2 built
> from source, with mod_evasive and mod_security 1.9 with gotroot rules.
> 
> After  I  set  up the system to use modesecurity 2 with gotroot rules,
> the whole site becoming DEAD SLOW! (takes 15 minutes to log in).
> 
> With 1.9, all ok. Any ideas?
> 
> --
> Thomas Elias
> Title: *NIX Sysadmin, PHP/Delphi/C++ programmer, Certified IBM UDB DB2
> Database Administrator
> mailto: eliast <at> venk.hu, eliast <at> kanizsanet.hu
> Tel.: +3630/3484202
> ICQ UIN: 206-714-459
> Quote: "Too many people making too many problems (InFlames)"

Ivan Ristic | 2 Dec 22:03

Re: horde becoming dead-slow after modsec2 with gotroot rules installed

On 12/2/06, Éliás Tamás <eliast <at> nagykanizsa.hu> wrote:
> Udv / Greetings!
>
> I  already  have a HORDE portal system with apache2.2 and php5.2 built
> from source, with mod_evasive and mod_security 1.9 with gotroot rules.
>
> After  I  set  up the system to use modesecurity 2 with gotroot rules,
> the whole site becoming DEAD SLOW! (takes 15 minutes to log in).
>
> With 1.9, all ok. Any ideas?

Having never used the Gotroot rules myself I cannot comment on the
quality and speed. Even though both rule sets are from the same source
they are different and they run on different engines. Is Mike stating
anything about the performance being (roughly) equal?

At a glance, however, there are too many rules. You should at least
try to avoid blacklist.conf and blacklist2.conf. Also, there is ample
room for optimisation.

Interestingly enough I was planning to have a short profiling session
tomorrow. Now that I've read your email I'll use the Gotroot rules for
this task.

If there's anything interesting to learn I will post it here.

-- 
Ivan Ristic

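An added example, not from this thread and not code from the Gotroot, Core Rule Set or ModSecurity projects, that does the kind of profiling Ivan mentions and puts a number on Ryan's point about rule count. It parses SecRule lines in the 2.x syntax, counts them per file, compiles every regular-expression operator and times it against a handful of constructed request lines, then lists the rules that matched nothing. The rule files and request lines are constructed for the example; Python's re engine is not PCRE and the script does not apply ModSecurity transformations (t:...), so the timings are indicative of relative cost, not a measurement of the live module.

```python
"""Profile ModSecurity 2 rule files: count SecRule lines per file, extract each
regular-expression operator, and time it against sample requests."""
import re
import shlex
import time

# Constructed rule files in ModSecurity 2.x SecRule syntax. They imitate the
# shape of a third-party blacklist; they are not the Gotroot or Core Rule Set files.
RULE_FILES = {
    "sql.conf": r'''
SecRule ARGS "(?i:union\s+(all\s+)?select)" "id:1001,phase:2,deny,log,msg:'SQL injection'"
SecRule ARGS "(?i:\bor\b\s+\d+\s*=\s*\d+)" "id:1002,phase:2,deny,log,msg:'SQL tautology'"
''',
    "asp.conf": r'''
SecRule REQUEST_URI "\.asp$" "id:2001,phase:1,pass,log,t:lowercase,msg:'ASP page'"
# Nested quantifiers: harmless-looking but expensive on long benign tokens
SecRule ARGS "(\w+\s*)*xp_cmdshell" "id:2002,phase:2,deny,log,msg:'xp_cmdshell'"
''',
}

# Constructed sample request lines (URI plus query string) for the timing run;
# the last two are classic WAF test strings, the rest is ordinary PHP traffic.
SAMPLE_INPUTS = [
    "/index.php?id=42&page=3",
    "/search.php?q=apache+modsecurity+tuning",
    "/login.php?user=aaaaaaaaaa!",
    "/item.php?id=1 UNION SELECT name FROM users",
    "/user.php?name=admin' or 1=1",
]

RULE_ID = re.compile(r"\bid:'?(\d+)")


def parse_secrules(text):
    """SecRule VARIABLES OPERATOR [ACTIONS] -> list of dicts. An operator
    without a leading @ is an implicit @rx (regular expression)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("SecRule "):
            continue
        tokens = shlex.split(line)
        variables, operator = tokens[1], tokens[2]
        actions = tokens[3] if len(tokens) > 3 else ""
        if operator.startswith("@"):
            op_name, _, pattern = operator[1:].partition(" ")
        else:
            op_name, pattern = "rx", operator
        found = RULE_ID.search(actions)
        rules.append({"id": found.group(1) if found else None, "variables": variables,
                      "op": op_name, "pattern": pattern, "actions": actions})
    return rules


def count_rules(rule_files):
    """Number of SecRule lines per file: the first thing to look at when a
    ruleset is slow."""
    return {name: len(parse_secrules(text)) for name, text in rule_files.items()}


def profile(rule_files, inputs, iterations=50):
    """Compile each @rx rule once and time it over the sample inputs. Returns
    one record per rule, slowest first. Only @rx operators are timed."""
    results = []
    for name, text in rule_files.items():
        for rule in parse_secrules(text):
            if rule["op"] != "rx":
                continue
            compiled = re.compile(rule["pattern"])
            hits = [s for s in inputs if compiled.search(s)]
            start = time.perf_counter()
            for _ in range(iterations):
                for s in inputs:
                    compiled.search(s)
            elapsed = time.perf_counter() - start
            results.append({"file": name, "id": rule["id"], "pattern": rule["pattern"],
                            "hits": hits,
                            "us_per_input": elapsed * 1e6 / (iterations * len(inputs))})
    return sorted(results, key=lambda r: r["us_per_input"], reverse=True)


def unused_rules(results):
    """Rule ids that matched none of the sample inputs: candidates to drop when
    the samples reflect the traffic the site actually sees."""
    return sorted(r["id"] for r in results if not r["hits"])


if __name__ == "__main__":
    print(count_rules(RULE_FILES))
    results = profile(RULE_FILES, SAMPLE_INPUTS)
    for r in results:
        print("%-9s id=%s %9.2f us/input  hits=%d"
              % (r["file"], r["id"], r["us_per_input"], len(r["hits"])))
    print("no hits on sample traffic:", unused_rules(results))
```

On the constructed files the two ASP-oriented rules never match a PHP site's traffic and the nested-quantifier rule is the most expensive one, which is exactly the pair of findings (dead weight and badly written patterns) worth acting on before adding hardware.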
Éliás Tamás | 3 Dec 02:10

Re: horde becoming dead-slow after modsec2 withgotroot rules installed

Udv / Greetings!

These are my apache and php compilation options:
#Compile settings
SET_COMPILESETTINGS="--sysconfdir=$SET_SYSCONFDIR --localstatedir=$SET_VARDATADIR --disable-userdir \
--disable-pie --disable-actions --disable-asis --disable-cgi --disable-cgid --disable-imap \
--disable-autoindex --disable-so --disable-suexec --disable-rewrite --disable-ldap --disable-ftp \
--disable-status --disable-info  --enable-usertrack --enable-unique-id --enable-mime-magic \
--enable-deflate --with-pcre --enable-mime --enable-ssl --with-ssl=$CLI_OSSLDIR --enable-headers \
--enable-include"

#
# Application specific settings
#

SET_PHPCONF="--disable-all --with-config-file-path=/etc/php5-portal --with-openssl=$CLI_OSSLDIR \
--with-zlib --with-bz2 --with-curl --enable-mbstring --enable-calendar --with-pear --without-db4 \
--with-pcre-regex --enable-memory-limit --enable-ssl --enable-dom --with-dom \
--enable-session --with-tsrm-pthreads --enable-inline-optimization --enable-libxml --with-kerberos \
--enable-dio --with-ldap --enable-mbregex --with-png-dir=/usr --with-jpeg-dir=/usr --enable-ftp --enable-xml \
--with-gettext --with-mcrypt --with-mhash --with-iconv --with-gd --with-gettext --with-mcrypt --with-iconv --with-imap \
--with-imap-ssl --enable-mime-magic --with-mime-magic --enable-memcache --enable-ctype --with-dom-xslt \
--disable-cgi --disable-safe-mode --disable-short-tags --enable-zend-memory-manager"

Also I'm using some C options:

CLI_CFLAGS="-O3 -march=pentium4 -ffast-math -pipe -fomit-frame-pointer -mfpmath=sse,387 -msse2 -mmmx -msse"

The apache is running chrooted.

 > 2) You are using way too many/unneeded rules from Gotroot.

Possible, I've never looked at them deeply, only when I needed to.
With modsec 1.9 I had to tune it to work with phpmyadmin (for
SQL scripts to work and not give an injection attack error) and horde.
I did these tunes for the new ruleset too, and they are working, but
DEAD slow, especially the horde framework. phpldapadmin and phpmyadmin
work fine.

> Don't get me wrong (Mike Shinn, if you are reading this :), Gotroot
> is a great resource for ModSecurity attack signatures however most

yeah, it is.

> people are implementing ALL of the signatures and that is overkill. 
> Keep in mind that ModSecurity is a WAF and not an IDS.  The big
> difference here is that IDS sensors need to have more and more
> negative sigs to be able to catch attacks.  They don't really have a
> fear of negatively impacting the actual connection.  When you are
> inline, as Modsecurity is, you need your rulesets to be tight and
> efficient.  Point being, if I am an Apache shop using Java, why
> would I want to include 300 rules for ASP/PHP attacks?  It will do
> nothing but impact my performance.

Yeah, sure. But my bosses want secure applications in even hours, so
I sadly do not have time to revise and optimize. If I say: well,
security needs my time, they say no. If I say, well, security means
buying an extra processor and some RAM and applying security rules that
we will never use, they say OK. :(

-- 
Thomas Elias
Title: *NIX Sysadmin, PHP/Delphi/C++ programmer, Certified IBM UDB DB2 Database Administrator
mailto: eliast <at> venk.hu, eliast <at> kanizsanet.hu
Tel.: +3630/3484202
ICQ UIN: 206-714-459
Quote: "Non Omnis Moriar"
Dan Rossi | 3 Dec 23:56

serial logging and monitoring

Hi, if I set up the logging to be serial, how is it possible to monitor everything or join all the logs together for checking out the errors?

Let me know, thanks.
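An added example, not from this thread and not ModSecurity project code, for the monitoring question above and for the false-positive cleanup asked about in the first post. With SecAuditLogType Serial, ModSecurity 2 writes every audit entry to one file, each entry bracketed by boundary lines of the form --<id>-A-- through --<id>-Z-- with one letter per part (A header, B request, F response headers, H trailer with the Message lines). The script parses that layout, merges the serial logs of several hosts or virtual hosts into one time-ordered list, and counts hits per rule id together with the request lines that triggered them, so a rule that keeps firing on ordinary URL-carrying query strings stands out. The two log excerpts are constructed (boundary ids, addresses, timestamps and rule ids are made up), as is the assumption that every entry carries its A part.

```python
"""Merge ModSecurity 2 serial audit logs from several hosts or vhosts and
summarize which rules fired, so false positives can be reviewed in one place."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed serial audit log excerpts (boundary ids, timestamps, addresses,
# unique ids and rule ids are made up). Each entry runs from its A part to Z.
LOG_MAIL = r'''--6b253045-A--
[03/Dec/2006:23:40:12 +1100] RXMxhH8AAAEAAAnuU5IAAAAA 192.0.2.10 49152 192.0.2.1 80
--6b253045-B--
GET /horde/imp/compose.php?url=http://www.example.com/page HTTP/1.1
Host: mail.example.com

--6b253045-F--
HTTP/1.1 200 OK
Content-Type: text/html

--6b253045-H--
Message: Warning. Pattern match "(?i:https?://)" at ARGS:url. [id "1002"] [msg "Remote File Inclusion"]
Producer: ModSecurity for Apache (http://www.modsecurity.org/)

--6b253045-Z--

--6b2530a1-A--
[03/Dec/2006:23:41:03 +1100] RXMxr38AAAEAAAnuU5MAAAAA 198.51.100.7 51000 192.0.2.1 80
--6b2530a1-B--
GET /horde/index.php?id=1%20UNION%20SELECT%201 HTTP/1.1
Host: mail.example.com

--6b2530a1-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:union\s+select)" at ARGS:id. [id "1001"] [msg "SQL Injection Attack"]
Producer: ModSecurity for Apache (http://www.modsecurity.org/)

--6b2530a1-Z--
'''

LOG_WWW = r'''--7c1e0f22-A--
[03/Dec/2006:23:39:58 +1100] RXMxd38AAAEAAAnuU5EAAAAA 192.0.2.11 49200 192.0.2.2 80
--7c1e0f22-B--
GET /gallery/view.php?url=http://www.example.org/img.jpg HTTP/1.1
Host: www.example.com

--7c1e0f22-H--
Message: Warning. Pattern match "(?i:https?://)" at ARGS:url. [id "1002"] [msg "Remote File Inclusion"]
Producer: ModSecurity for Apache (http://www.modsecurity.org/)

--7c1e0f22-Z--
'''

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) "
                    r"(?P<dst>\S+) (?P<dport>\d+)$")
RULE_ID = re.compile(r'\[id "([^"]+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]+)"\]')
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_serial_log(text):
    """Split a serial audit log into entries; an A boundary opens an entry,
    a Z boundary closes it, every other letter selects the part being read."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        found = BOUNDARY.match(line)
        if found:
            ident, part = found.groups()
            if part == "A":
                current = {"id": ident, "parts": defaultdict(list)}
                entries.append(current)
            elif part == "Z":
                current = None
            continue
        if current is not None:
            current["parts"][part].append(line)
    return [summarize(e) for e in entries]


def summarize(entry):
    """Pull the fields needed for triage out of one entry."""
    parts = entry["parts"]
    header = PART_A.match(parts["A"][0]) if parts["A"] else None
    messages = [ln for ln in parts["H"] if ln.startswith("Message:")]
    rules = []
    for message in messages:
        rid, msg = RULE_ID.search(message), RULE_MSG.search(message)
        if rid:
            rules.append((rid.group(1), msg.group(1) if msg else ""))
    return {
        "id": entry["id"],
        "time": datetime.strptime(header.group("ts"), TIME_FORMAT) if header else None,
        "client": header.group("src") if header else None,
        "request": parts["B"][0] if parts["B"] else "",
        "rules": rules,
        "denied": any(m.startswith("Message: Access denied") for m in messages),
    }


def merge_logs(texts):
    """Entries from all logs in time order; entries without an A part go last."""
    entries = [e for text in texts for e in parse_serial_log(text)]
    return sorted(entries, key=lambda e: (e["time"] is None, e["time"] or datetime.min))


def rule_hit_report(entries):
    """Hits per (rule id, msg), most frequent first, with the distinct request
    lines that triggered each: repeated hits on normal requests are the
    false-positive candidates to tune."""
    counts, samples = Counter(), defaultdict(set)
    for e in entries:
        for rid, msg in e["rules"]:
            counts[(rid, msg)] += 1
            samples[(rid, msg)].add(e["request"])
    return [{"id": rid, "msg": msg, "hits": n, "requests": sorted(samples[(rid, msg)])}
            for (rid, msg), n in counts.most_common()]


if __name__ == "__main__":
    merged = merge_logs([LOG_MAIL, LOG_WWW])
    for e in merged:
        print(e["time"], e["client"], "DENIED" if e["denied"] else "logged", e["request"])
    for row in rule_hit_report(merged):
        print(row["hits"], "x", row["id"], row["msg"], row["requests"])
```

On the constructed input the merged view puts the entry from the second host first (it is the earliest), flags the one entry that was actually denied, and the report ranks rule 1002 at the top with two hits on ordinary requests whose url parameter carries a link, which is precisely the pattern the first post wanted to find before switching from monitoring to blocking.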