Ofer Shezaf | 1 Mar 12:39

New presentation on the Core Rule Set

 

Hi Everybody,

 

I have uploaded a presentation which outlines the role, capabilities and limitation of the Core Rule Set to ModSecurity web site:

http://www.modsecurity.org/projects/rules/index.html

 

If you want to get deeper into the rule set, you may also want to read the following blog entries:

 

Handling False Positives and Creating Custom Rules - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

Key Advantages of the Core Rule Set - http://www.modsecurity.org/blog/archives/2007/01/key_advantages.html

 

Hope you find it useful

~ Ofer

 

Ofer Shezaf

ModSecurity Core Rule Set project Leader

http://www.modsecurity.org/projects/rules/index.html

 

CTO, Breach Security

Phone (US): +1 (760) 268.1924 ext. 702

Phone (Israel): +972 (9) 956.0036 ext.212

Cell: +972 (54) 443.1119
ofers <at> breach.com
http://www.breach.com

 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Ivan Ristic | 1 Mar 13:04

Re: mod_security 2.x escaped plus sign (%2B) gets decoded as space

On 2/28/07, Richy Kim <richy <at> fatkid.org> wrote:
> I'm not entirely sure if this stems from a misunderstanding of standards, but I
> think I'm getting false positive 404s.
>
> I'm attempting to request a file with a plus sign in the path:
> /home/richy/public_html/richy+kim.jpg
>
> HTTP request:
> GET /richy%2Bkim.jpg
>
> gets decoded to "richy kim.jpg" and in turn results in 404 file not found.
>
> As I understand it, a real plus sign should be decoded to a space, but shouldn't an
> escaped plus sign %2b really be a plus sign?
>
> When I turn off mod_security this issue doesn't appear.
>
> I'm able to reproduce this with both 2.0.4 and 2.1.

I can confirm that as a bug. The REQUEST_FILENAME variable is faulty.
When used in phase 1 it modifies one of Apache's internal variables,
which should not happen. REQUEST_FILENAME in phase 1 is used in the
Core Rules (file modsecurity_crs_20_protocol_violations.conf) so
that's probably what's causing the problem for you. Removing the
combination of REQUEST_FILENAME and phase 1 from the rules can be used
as a quick workaround.

My tests show that there are no other consequences of this bug, apart
from the false 404s you reported.

Another thing I noticed is that the value of "parsed_uri.path" (the
aforementioned internal Apache variable) changes between phases.
Apache will normalise the path between phase 1 and phase 2. We will
add this quirk to documentation and think about adding a workaround in
one of the future releases.

-- 
Ivan Ristic

Alexandre B | 2 Mar 13:40

Pb with Mod Security Performance Log (always empty)

Dear all,

I'm trying to use the performance log feature provided by mod_security, but I just can't get how it works (or how it should).

I'm using Apache 2.0.52 with the following modules mod_security2.c, mod_unique_id.c, mod_logio.c, proxy_connect.c, proxy_http.c, mod_proxy.c, mod_rewrite.c, mod_alias.c, mod_dir.c, mod_negotiation.c, mod_info.c, mod_autoindex.c, mod_status.c, mod_mime.c, mod_setenvif.c, mod_mime_magic.c, mod_env.c, mod_log_config.c, mod_include.c, mod_auth.c, mod_access.c, mod_so.c, http_core.c, prefork.c, core.c

(mod_uniqueid, mod_logio, mod_log_config are required)

Mod Security 2.0.4

I commented out the following lines in the modsecurity_crs_10_config.conf of the core rules:
LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance
CustomLog /var/log/msa/modsec_performance.log mperformance

I've restarted the Apache Server, the file /var/log/msa/modsec_performance.log is created, but whatever I do on my server (triggering mod security or not) this file is still empty.

I also tried with a "simple" log format (LogFormat "%t" mperformance) but same result, always empty.

Let me point out that the other logs work fine.

Did I misconfigure something?
What result should be expected when logging performance ?

I've tried to browse the doc (http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html ) but haven't found anything on this.

Thanks for your really appreciated help,

Best regards,

Alexandre

Christian Folini | 2 Mar 16:22

Release of remo 0.1.2

Hello,

Remo 0.1.2 alpha has been released.
See the website at http://remo.netnea.com.

Remo stands for "Rule Editor for ModSecurity". It's a
project attempting to
 - bring easier configuration to ModSecurity
 - make a whitelist/positive security model feasible for
   ModSecurity deployments

This new release brings the following new gui features:
- Support for POST arguments
- Generate a rule for a single request 
  (generate button next to the request path)

New rule generator features:
- Support for POST arguments

There is a short guide explaining the rule generation in Remo. 
See http://remo.netnea.com/twiki/bin/view/Documentation/WebHome
The point is that Remo brings a whitelist security model.
So you have to define the *good arguments* in remo. ModSecurity
will then treat everything not matching your definition as
*bad argument*, which is dropped.

As previously, the new release can be found on the demo site
at: http://remo.netnea.com/demo/main/index

Have a good weekend everybody,

Christian Folini

--
christian.folini <at> netnea.com          -        http://www.netnea.com
ModSecurity and mod_security are trademarks of Breach Security, Inc.
netnea.com is not affiliated with Breach Security, Inc.

Arnold Daniels | 2 Mar 19:46

perl and chroot

Hi,

If I want to use Perl in Apache running in a chroot jail using 
mod-security, can I simply add perl as module and not worry about shared 
libraries or does perl require those files at runtime?

Thanks for any reply,
Arnold

Roger Clark | 3 Mar 20:58

Compiling mod_security on Solaris 10

I ran into trouble compiling mod_security 2.1.0.  I am running Solaris
10 06/06 x86 with Apache 2.2.4 which I compiled from source (against
an external PCRE).  During the compilation, there are a few dozen
"warning: visibility attribute not supported in this configuration;
ignored" messages and then it fails with:

/usr/local/httpd-2.2.4/build/libtool --silent --mode=link gcc -g -O2
-I/usr/local/include  -O2 -g -Wuninitialized -Wall
-Wmissing-prototypes -Wshadow -Wunused-variable -Wunused-value
-Wchar-subscripts -Wsign-compare
-L/usr/local/src/httpd-2.2.4/srclib/apr-util/xml/expat/lib      -o
mod_security2.la -rpath /usr/local/httpd-2.2.4/modules -module
-avoid-version mod_security2.lo apache2_config.lo apache2_io.lo
apache2_util.lo re.lo re_operators.lo re_actions.lo re_tfns.lo
re_variables.lo msc_logging.lo msc_xml.lo msc_multipart.lo
modsecurity.lo msc_parsers.lo msc_util.lo msc_pcre.lo persist_dbm.lo
msc_reqbody.lo
ld: fatal: relocation error: R_386_GOTOFF: file .libs/mod_security2.o:
symbol modsecurity: relocation must bind locally
collect2: ld returned 1 exit status
make: *** [mod_security2.la] Error 1

Any suggestions would be appreciated.

Ivan Ristic | 5 Mar 12:15

Re: Pb with Mod Security Performance Log (always empty)

On 3/2/07, Alexandre B <letsstayinformed.147258369 <at> gmail.com> wrote:
> Dear all,
>
> I'm trying to use the performance log feature provided by mod_security, but
> I just can't get how it works (or how it should).

Hi Alexandre,

The feature is actually provided by Apache itself, not ModSecurity. If
it's empty that probably means the directive is placed in a subcontext
that is never processed. For example, a virtual host. Otherwise Apache
would generate one line in the file for every request processed. Try
to move the directive to the main configuration body.

>
> I'm using Apache 2.0.52 with the following modules mod_security2.c,
> mod_unique_id.c, mod_logio.c, proxy_connect.c, proxy_http.c, mod_proxy.c,
> mod_rewrite.c, mod_alias.c, mod_dir.c, mod_negotiation.c, mod_info.c,
> mod_autoindex.c, mod_status.c, mod_mime.c, mod_setenvif.c, mod_mime_magic.c,
> mod_env.c, mod_log_config.c, mod_include.c, mod_auth.c, mod_access.c,
> mod_so.c, http_core.c, prefork.c, core.c
>
> (mod_uniqueid, mod_logio, mod_log_config are required)
>
> Mod Security 2.0.4
>
> I commented out the following lines in the modsecurity_crs_10_config.conf of
> the core rules:
> LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O |
> %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D"
> mperformance
> CustomLog /var/log/msa/modsec_performance.log mperformance
>
> I've restarted the Apache Server, the file
> /var/log/msa/modsec_performance.log is created, but
> whatever I do on my server (triggering mod security or not) this file is
> still empty.
>
> I also tried with a "simple" log format (LogFormat "%t" mperformance) but
> same result, always empty.
>
> Let me precise you that other log works good.
>
> Did I misconfigure something ?
> What result should be expected when logging performance ?
>
> I've tried to browse the doc
> (http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html
> ) but haven't found anything on this.
>
> Thanks for your really appreciated  help,
>
> Best regards,
>
> Alexandre
>

-- 
Ivan Ristic
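As an added example (not code from the thread, from ModSecurity or from Apache), here is a small Python parser for lines written in the "mperformance" format quoted above, i.e. `%V %h %t %{UNIQUE_ID}e "%r" %>s %X | %I %O | time1 time2 time3 %D`. It shows what a populated file looks like once the CustomLog directive is in a context that actually handles requests, and how to read it: `%D` is Apache's total request time in microseconds, and a `-` is what Apache writes for a note that was never set. The function names (`parse_log`, `slowest`, `uninspected`), the sample log lines and their unique IDs are constructed for the example. One assumption the page does not state: the three `mod_security-time` notes are treated as microseconds elapsed from the start of the request to the end of phases 1, 2 and 3, so consecutive differences give the cost of each phase; if they are recorded differently in your build, adjust `phase_durations`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the 'mperformance' format from the thread:
#   %V %h %t %{UNIQUE_ID}e "%r" %>s %X | %I %O | time1 time2 time3 %D
# Hosts, unique IDs and timings are made up for this example.
SAMPLE_LOG = """\
www.example.com 192.0.2.10 [05/Mar/2007:12:15:01 +0100] RRfM2H8AAAEAAGJ3AhIAAAAA "GET /index.html HTTP/1.1" 200 + | 412 5120 | 310 820 1450 9870
www.example.com 192.0.2.11 [05/Mar/2007:12:15:02 +0100] RRfM2n8AAAEAAGJ3AhMAAAAB "POST /login HTTP/1.1" 403 - | 960 512 | 280 41200 - 42100
www.example.com 192.0.2.12 [05/Mar/2007:12:15:03 +0100] RRfM238AAAEAAGJ3AhQAAAAC "GET /static/logo.png HTTP/1.1" 200 + | 380 20480 | - - - 1500
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] (?P<uid>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<conn>[X+-]) \| '
    r'(?P<bytes_in>\d+|-) (?P<bytes_out>\d+|-) \| '
    r'(?P<t1>\d+|-) (?P<t2>\d+|-) (?P<t3>\d+|-) (?P<total>\d+)$'
)


def _num(field: str) -> Optional[int]:
    """Apache writes '-' for a note that was never set, e.g. when the engine
    did not run for the request or a later phase was never reached."""
    return None if field == "-" else int(field)


@dataclass
class PerfRecord:
    vhost: str
    client: str
    unique_id: str
    request: str
    status: int
    bytes_in: Optional[int]
    bytes_out: Optional[int]
    t1: Optional[int]   # mod_security-time1 (assumed: microseconds since request start)
    t2: Optional[int]   # mod_security-time2
    t3: Optional[int]   # mod_security-time3
    total_us: int       # %D: whole request, microseconds

    def phase_durations(self) -> Optional[dict]:
        """Per-phase cost. Assumption: t1..t3 are elapsed microseconds from the
        start of the request to the end of phases 1, 2 and 3, so consecutive
        differences give the cost of each phase."""
        if None in (self.t1, self.t2, self.t3):
            return None
        return {"phase1": self.t1, "phase2": self.t2 - self.t1, "phase3": self.t3 - self.t2}


def parse_log(text: str) -> List[PerfRecord]:
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        records.append(PerfRecord(
            g["vhost"], g["client"], g["uid"], g["request"], int(g["status"]),
            _num(g["bytes_in"]), _num(g["bytes_out"]),
            _num(g["t1"]), _num(g["t2"]), _num(g["t3"]), int(g["total"]),
        ))
    return records


def slowest(records: List[PerfRecord], n: int = 5) -> List[PerfRecord]:
    """Requests ordered by total wall time, worst first."""
    return sorted(records, key=lambda r: r.total_us, reverse=True)[:n]


def uninspected(records: List[PerfRecord]) -> List[PerfRecord]:
    """Requests with no ModSecurity checkpoint at all. If every line looks
    like this the engine is not running for those requests; if the file is
    empty instead, the CustomLog directive sits in a context that never
    handles the requests, as the reply above explains."""
    return [r for r in records if r.t1 is None]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in slowest(recs):
        print(f"{r.unique_id} {r.status} {r.total_us:>7} us  {r.phase_durations()}  {r.request}")
    print("uninspected:", [r.unique_id for r in uninspected(recs)])
```

Run it against your own `modsec_performance.log` by replacing `SAMPLE_LOG` with the file contents; a request denied in phase 2 shows up with `-` in the third slot, and a request served from a location where the engine is off shows `-` in all three.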

Ivan Ristic | 5 Mar 12:16

Re: perl and chroot

On 3/2/07, Arnold Daniels <info <at> adaniels.nl> wrote:
> Hi,
>
> If I want to use Perl in Apache running in a chroot jail using
> mod-security, can I simply add perl as module and not worry about shared
> libraries or does perl require those files at runtime?

I've never tried the chroot feature with mod_perl so I can't tell. I
am guessing it will work just fine as it does with mod_php. Let us
know if you find out.

>
> Thanks for any reply,
> Arnold
>

-- 
Ivan Ristic

Ryan Barnett | 5 Mar 19:34

Re: ModSecurity Cool Rules Webinar on March 7th

Just a reminder – I will be hosting a live Webinar this Wednesday, March 7th, on the Cool Rules Project.  In it, I will be highlighting the following topics –

 

  • Inspecting Basic Auth Credentials

  • Monitoring Form-based Authentication Failures

  • Defending Web Services

  • Proxy Failover Assistance

  • Overview of Remo Tool (Rule Editor for ModSecurity)

 

Here are the Webinar details -

 

Wednesday, 3/7/07 9AM PST

Speaker: Ryan Barnett, Director of Application Security Training

Title: ModSecurity Cool Rules

Description: The ModSecurity “Cool Rules” initiative is a community-based effort where ModSecurity users can openly submit and share their own rules to solve complex or unique issues that are not covered by the Core Rule set.  These rules tackle challenges such as identifying and responding to brute force attacks, tracking session-based attacks and virtual patches for newly discovered vulnerabilities. This webcast will provide an overview of some of the best “Cool Rules” that have been submitted by the public or developed by Breach Security research teams.

Registration Link: https://breachsecurity.webex.com/breachsecurity/onstage/g.php?p=0&t=m

 

I hope to see you on Wednesday!

 

--
Ryan C. Barnett
ModSecurity Community Manager
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

 

--------------

ModSecurity: Cool Rules Webinar on March 7, 2007 (12 pm EST)

Learn More About the Breach Webinar Series:

http://www.breach.com/webinars.asp

--------------

Christian Folini | 6 Mar 09:59

Character "+" in query strings

Hello everybody,

I am in the process of writing a (positive :) ruleset for the drupal css.

Drupal knows the following request:
GET /drupal-5.0/?q=admin/user/rules&sort=desc&order=Rule+type HTTP/1.1

My problem lies with the query string argument "order".
It has the "+" character in it.

I have written the following rule (ModSecurity 2.1) to check the validity of 
this parameter:

SecRule &ARGS:order "!@eq 0" "chain,t:none,deny,id:1,status:501,..."
SecRule ARGS:order "!^([\w+]{1,16})$" "t:none"

The ModSecurity debug log says:
... Executing operator !rx with param "^([\\w+]{1,16})$" against ARGS:order.
... /drupal-5.0/][9] Target value: Rule type

So the "+" character is gone. 

The SecArgumentSeparator is left to the default, btw.

What is the problem here?

regards,

Christian

-- 
Had I been present at the creation, I would have given some useful 
hints for the better ordering of the universe.
-- Alfonso the Wise, 1221 - 1284
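Two threads on this page turn on the same encoding rule: the `%2B`-in-the-path 404 reported earlier and the disappearing "+" in the `order` argument above. As an added example (not code from either poster, from ModSecurity or from Apache), the Python below shows the two decoders side by side: in a URL path, "+" is a literal plus and only `%2B` decodes to "+"; in an `application/x-www-form-urlencoded` query string, the encoding browsers use for GET forms, "+" encodes a space and `%2B` is the literal plus, which is why `Rule+type` reads `Rule type` once decoded. It also shows the hazard behind the 404 symptom: percent-decoding a path and then running the result through a form decoder turns the "+" produced by the first pass into a space. That double decode is an illustration of the failure mode, not a claim about the module's actual code path. The function names (`decode_path`, `double_decode_path`, `decode_query`, `whitelist_ok`, `demo`) and the use of the two regex classes are mine; the sample path and query are the ones from the threads.

```python
import re
from urllib.parse import parse_qsl, unquote, unquote_plus

# Sample inputs taken from the two threads above.
PATH = "/richy%2Bkim.jpg"
QUERY = "q=admin/user/rules&sort=desc&order=Rule+type"


def decode_path(raw_path: str) -> str:
    """Percent-decode a URL path.

    In a path '+' is a literal plus sign and only '%2B' decodes to '+'.
    This is the decoding a filesystem lookup must use.
    """
    return unquote(raw_path)


def double_decode_path(raw_path: str) -> str:
    """The hazard: percent-decode once, then push the result through a
    decoder that applies form-encoding rules ('+' means space). The '+'
    produced by the first pass becomes a space, so '%2B' ends up as ' '.
    Illustration of the failure mode only, not the module's real code path."""
    return unquote_plus(unquote(raw_path))


def decode_query(raw_query: str) -> dict:
    """Decode a query string as application/x-www-form-urlencoded:
    '+' is a space and '%2B' is a literal plus. An argument sent as
    'Rule+type' is therefore seen as 'Rule type' after decoding."""
    return dict(parse_qsl(raw_query, keep_blank_values=True))


def whitelist_ok(value: str, allowed: str) -> bool:
    """Positive-model check: the whole decoded value must match the allowed
    pattern, which is how a rule applied to a decoded argument behaves."""
    return re.fullmatch(allowed, value) is not None


def demo() -> dict:
    """Collect every result in one dict so the behaviour can be inspected."""
    args = decode_query(QUERY)
    return {
        "path_once": decode_path(PATH),
        "path_twice": double_decode_path(PATH),
        "order_plus": args["order"],
        "order_pct": decode_query("order=Rule%2Btype")["order"],
        # A pattern written for the raw '+' does not match the decoded value...
        "ok_with_plus_class": whitelist_ok(args["order"], r"[\w+]{1,16}"),
        # ...while a pattern written for the decoded space does.
        "ok_with_space_class": whitelist_ok(args["order"], r"[\w ]{1,16}"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value!r}")
```

The practical rule for writing positive-model patterns is to match against the value as the engine sees it after its own decoding, which the debug log's "Target value:" line prints; a whitelist written against the wire form will reject legitimate traffic or, worse, be bypassable with an alternate encoding of the same character.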

