Re: how to except a url

>> How exactly do you make an exception for a specific script and arg?
>> SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"
>> SecRule ARGS:message
>[Ryan Barnett] What version of ModSecurity are you using?  From your use
>of SecRule, I am assuming v2.x.  So, is your intent to disable rule
>processing entirely for the /myscripts/script.php file or for any
>argument whose name is "message" or a combination of both where you just
>want to exclude the message parameter on that one page?

2.1.2

I am interested in the solutions to all three examples you name.

However what I intended to ask for was the third.  "a combination of
both where you just want to exclude the message parameter on that
one page".

Can you provide an example please?

--

-- 
Best regards,
 donnydark                            mailto:donnydark <at> gmail.com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

xml parsing

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: Mod_security reasonable when using digestauthentication?

While it is certainly preferable, security-wise, to have a closed
accessible only to a small group of users, but I don't think that this
shorten your vulnerability list to brute force and DOS. Some things I
can think of are:

+ Apache vulnerabilities, many of them ModSecurity would protect you
from.

+ Misconfiguraion or malicious change of configuration, especially
someone removing digest authentication from parts of the site.

+ And then of course, when you say brute force, chances are that some
passwords will be weak enough to require you to erect further security
berries. 

+ Did I say insider threat? I once had a conversation with someone who
said that his company uses token based client side certificates, but
when I inquired further I found that they had 15,000(!) partners using
the system and getting a token was not that hard.

~ Ofer

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Sami
Noponen
> Sent: Friday, August 31, 2007 1:24 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] Mod_security reasonable when using
> digestauthentication?
> 
> Hi,
> I'm using Apache(2.2) web server for personal use only. Server is
> protected with digest authentication and SSL.  Does the mod_security
> bring any additional security to this kind of configuration? There are
> no "open" pages for anyone to view, everything is protected with
> digest authentication. Only vulnerabilities therefore are brute force
> and DoS attacks.
> 
> -Sami Noponen
> 
>
-----------------------------------------------------------------------
> --
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a
browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

More false posives (960015, 960009) :(

Hi all, another time..
little by little im understanding rules set on my server. But i can't understand some rules hits logs. I look
for some information about it in google, but i cant to interpret some errors..

For example i get next error in all images i upload to my server, and i use it in my blog:

[Mon Sep 03 06:30:56 2007] [error] [client 192.168.1.110] ModSecurity: Warning. Match of "rx ^OPTIONS$"
against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity
"CRITICAL"] [hostname "www.bermejator.com"] [uri
"/wp-content/uploads/2007/08/illustration.gif"] [unique_id "o4UhxsCoAW4AAIH5WjwAAAAD"]

I know rx is a regular expression operator, but i dont know the meaning of this between my images and my server...

I get the same error, in another script, without relationship with images:
[Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110] ModSecurity: Warning. Match of "rx ^OPTIONS$"
against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity
"CRITICAL"] [hostname "www.bermejator.com"] [uri
"/wp-cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id "wRrq5cCoAW4AAIH6XFwAAAAE"]

This script get my another error, with "eq" (i know its a numerical comparison operator) but dunno why it is generated:
[Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110] ModSecurity: Warning. Operator EQ match: 0.
[id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [hostname
"www.bermejator.com"] [uri "/wp-cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id "wRrq5cCoAW4AAIH6XFwAAAAE"]

I think i have to avoid false positives
(http://www.modsecurity.org/blog/archives/2007/02/handling_false.html) but don't understand
why the errors before, are false positives.

Sorry with my english, and thank u for help
Rubén Lara

_________________________________________________________________
Llama a tus amigos de PC a PC: ¡Es GRATIS!
http://get.live.com/messenger/overview
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: More false posives (960015, 960009) :(

Hi Ruben,

The "rx ^OPTIONS$" part of the message is a bit misleading as ModSecurity logs just one of the conditions in
the rule, so you should examine the msg part as it is more descriptive: "Request Missing an Accept Header"
(Or "User-Agent header" for the 2nd event, the explanation is similar). 

Why do you get those? I will try to answer, but I may need more information.

The rule triggers when a request does not include an Accept HTTP header. When a browser issue a request, it
will always have an Accept header, so this event should not normally be issued for browser access. 

So when does it happen? When an abnormal request is issued by an automated software or manually. It is
therefore a very effective defense against the bad guys that run robots and scanners against your site. On
the other hand it will block an automation software that you may intentionally use, for example a software
that issue a request periodically to test that the site is working. 

Apache itself has, in newer versions, such a "pinger" as part of the system, and while the Core Rule Set skip
this rule for a request from this pinger, we found out that the request generated is not always the same and
we may miss it from time to time. Maybe this is your problem.

If you would send the audit log of this alert, we would be able to analyze what is the exact reason in your
setup. As Ryan wrote in his blog post - audit logs are your best friend when resolving FPs.

~ Ofer

Ofer Shezaf
ofers <at> breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ruben Lara
> Sent: Monday, September 03, 2007 8:06 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] More false posives (960015, 960009) :(
> 
> 
> Hi all, another time..
> little by little im understanding rules set on my server. But i can't
> understand some rules hits logs. I look for some information about it
> in google, but i cant to interpret some errors..
> 
> For example i get next error in all images i upload to my server, and i
> use it in my blog:
> 
> [Mon Sep 03 06:30:56 2007] [error] [client 192.168.1.110] ModSecurity:
> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id
> "960015"] [msg "Request Missing an Accept Header"] [severity
> "CRITICAL"] [hostname "www.bermejator.com"] [uri "/wp-
> content/uploads/2007/08/illustration.gif"] [unique_id
> "o4UhxsCoAW4AAIH5WjwAAAAD"]
> 
> I know rx is a regular expression operator, but i dont know the meaning
> of this between my images and my server...
> 
> I get the same error, in another script, without relationship with
> images:
> [Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110] ModSecurity:
> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id
> "960015"] [msg "Request Missing an Accept Header"] [severity
> "CRITICAL"] [hostname "www.bermejator.com"] [uri "/wp-
> cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id
> "wRrq5cCoAW4AAIH6XFwAAAAE"]
> 
> 
> This script get my another error, with "eq" (i know its a numerical
> comparison operator) but dunno why it is generated:
> [Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110] ModSecurity:
> Warning. Operator EQ match: 0. [id "960009"] [msg "Request Missing a
> User Agent Header"] [severity "WARNING"] [hostname
> "www.bermejator.com"] [uri "/wp-
> cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id
> "wRrq5cCoAW4AAIH6XFwAAAAE"]
> 
> I think i have to avoid false positives
> (http://www.modsecurity.org/blog/archives/2007/02/handling_false.html)
> but don't understand why the errors before, are false positives.
> 
> Sorry with my english, and thank u for help
> Rubén Lara
> 
> _________________________________________________________________
> Llama a tus amigos de PC a PC: ¡Es GRATIS!
> http://get.live.com/messenger/overview
> -----------------------------------------------------------------------
> --
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: More false posives (960015, 960009) :(

Hi Ruben!

I hope the following gives a little insight in how to look at the
error-logs of ModSecurity.

On Mon, 2007-09-03 at 05:06 +0000, Ruben Lara wrote:
> Hi all, another time..
> little by little im understanding rules set on my server. But i can't understand some rules hits logs. I
look for some information about it in google, but i cant to interpret some errors..
> 
> For example i get next error in all images i upload to my server, and i use it in my blog:
> 
> [Mon Sep 03 06:30:56 2007] [error] [client 192.168.1.110] ModSecurity: Warning. Match of "rx
^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"]
[severity "CRITICAL"] [hostname "www.bermejator.com"] [uri
"/wp-content/uploads/2007/08/illustration.gif"] [unique_id "o4UhxsCoAW4AAIH5WjwAAAAD"]
> 
> I know rx is a regular expression operator, but i dont know the meaning of this between my images and my server...
> 
> I get the same error, in another script, without relationship with images:
> [Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110] ModSecurity: Warning. Match of "rx
^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"]
[severity "CRITICAL"] [hostname "www.bermejator.com"] [uri
"/wp-cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id "wRrq5cCoAW4AAIH6XFwAAAAE"]

The corresponding rules in the core-rules ruleset (I assume you're using
these), are preceded with the following comment (have a look at
modsecurty_crs_21_protocol_anomalies.conf):

    # Do not accept requests without common headers.
    #
    # Implies either an attacker or a legitimate automation client.
    #

This is what that's all about:
In GENERAL there is a set of headers that a http-client sends to a
server. This is the "Accept"-header, which states what content-types are
acceptable for the client to get back, the "Host"-header that holds the
servers name (required since HTTP 1.1, required for virtual hosts) and
so on.

Some of these are generally not set for special requests. For example an
OPTIONS-request does not need to set an "Accept"-header as the server
response will have no contents except simple-text of options that are
allowed for the URL given in the request. 

Thus, check for an "Accept"-header is excluded by chaining the checking
rule with a check like REQUEST_METHOD == "OPTIONS". In your above
message a request arrives that has no "Accept"-header set and is not
matching an OPTIONS-request. 

Most probably its some crawler or the like.

> This script get my another error, with "eq" (i know its a numerical comparison operator) but dunno why it is generated:
> [Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110] ModSecurity: Warning. Operator EQ match: 0.
[id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [hostname
"www.bermejator.com"] [uri "/wp-cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id "wRrq5cCoAW4AAIH6XFwAAAAE"]
> 

You're right, "eq" is a numerical comparison. What it does in your case,
is to compare the number of "User-Agent"-header lines in the request
(with 1, I guess). Look at this:

[1]    SecRule &REQUEST_HEADERS:X-Powered-By "@eq 2" "log,deny"

The REQUEST_HEADERS variable is actually an associative collection,
holding all request-header values that contained in your request. With
the ':X-Powered-By' you select the values within that collection, that
refer to the name "X-Powered-By". By prefixing the hole
variable-selection with an ampersand '&', ModSecurity will NOT return
the VALUE of refered to by 'X-Powered-By', but the COUNT, ie the number
of occurences of values that are refered to by 'X-Powered-By' within the
REQUEST_HEADERS collection.

Thus, in the example line [1] above ModSecurity will check if a request
holds 'X-Powered-By' EXACTLY two times.

The corresponding rule in your case just checks if the request header
'User-Agent' is missing, by comparing its count with 0.

Regards,
    Chris

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: More false posives (960015, 960009) :(

Hi all
I send you my modsec_audit.log reference to Match of "rx ^OPTIONS$" against "REQUEST_METHOD"

I add next directives to my virtualhost to try debug the maximum possible  but dunno if i do that correctly:
SecRule REQUEST_METHOD "rx ^OPTIONS$" phase:1,log,pass,ctl:debugLogLevel=9

But not generate nothing in my modsec_debug.log

Here is a piece of modesec_audit.log
--8853ba07-A--
[03/Sep/2007:17:16:59 +0200] qfGTfcCoAW4AAJD0VV4AAAAB 66.196.97.168 44314 192.168.1.110 80
--8853ba07-B--
GET / HTTP/1.0
Host: bermejator.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

--8853ba07-F--
HTTP/1.0 200 OK
X-Pingback: http://www.bermejator.com/xmlrpc.php
Content-Length: 36278
Connection: close
Content-Type: text/html; charset=UTF-8

--8853ba07-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg
"Request Missing an Accept Header"] [severity "CRITICAL"]
Stopwatch: 1188832618845053 733893 (317 1134 299990)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.2.4 (FreeBSD)

--8853ba07-Z--

--8853ba07-A--
[03/Sep/2007:17:17:05 +0200] qkKtQsCoAW4AAJD1VcAAAAAC 66.196.97.168 44379 192.168.1.110 80
--8853ba07-B--
GET / HTTP/1.0
Host: bermejator.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

--8853ba07-F--
HTTP/1.0 200 OK
X-Pingback: http://www.bermejator.com/xmlrpc.php
Content-Length: 36278
Connection: close
Content-Type: text/html; charset=UTF-8

--8853ba07-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg
"Request Missing an Accept Header"] [severity "CRITICAL"]
Stopwatch: 1188832624160066 846711 (329 1147 300357)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.2.4 (FreeBSD)

--8853ba07-Z--

Thank u for help
Rubén Lara

----------------------------------------> Subject: RE: [mod-security-users] More false posives
(960015, 960009) :(> Date: Mon, 3 Sep 2007 04:49:19 -0400> From: OferS <at> Breach.com> To:
bermejator <at> hotmail.com; mod-security-users <at> lists.sourceforge.net>> Hi Ruben,>> The "rx
^OPTIONS$" part of the message is a bit misleading as ModSecurity logs just one of the conditions in the
rule, so you should examine the msg part as it is more descriptive: "Request Missing an Accept Header" (Or
"User-Agent header" for the 2nd event, the explanation is similar).>> Why do you get those? I will try to
answer, but I may need more information.>> The rule triggers when a request does not include an Accept HTTP
header. When a browser issue a request, it will always have an Accept header, so this event should not
normally be issued for browser access.>> So when does it happen? When an abnormal request is issued by an
automated software or manually. It is therefore a very effective defense against the bad guys that run
robots and scanners against your site. On the other hand it will block an automation software that you may
intentionally use, for example a software that issue a request periodically to test that the site is
working.>> Apache itself has, in newer versions, such a "pinger" as part of the system, and while the Core
Rule Set skip this rule for a request from this pinger, we found out that the request generated is not always
the same and we may miss it from time to time. Maybe this is your problem.>> If you would send the audit log of
this alert, we would be able to analyze what is the exact reason in your setup. As Ryan wrote in his blog post -
audit logs are your best friend when resolving FPs.>> ~ Ofer>>> Ofer Shezaf> ofers <at> breach.com,
Phone:+972-9-9560036 #212, Cell: +972-54-4431119> CTO, Breach Security; Chair, OWASP Israel;
Leader, ModSecurity Core Rule Set Project>>>>>>>> -----Original Message----->> From:
mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod->>
security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ruben Lara>> Sent: Monday, September
03, 2007 8:06 AM>> To: mod-security-users <at> lists.sourceforge.net>> Subject: [mod-security-users]
More false posives (960015, 960009) :(>>>>>> Hi all, another time..>> little by little im understanding
rules set on my server. But i can't>> understand some rules hits logs. I look for some information about
it>> in google, but i cant to interpret some errors..>>>> For example i get next error in all images i upload
to my server, and i>> use it in my blog:>>>> [Mon Sep 03 06:30:56 2007] [error] [client 192.168.1.110]
ModSecurity:>> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id>> "960015"]
[msg "Request Missing an Accept Header"] [severity>> "CRITICAL"] [hostname "www.bermejator.com"]
[uri "/wp->> content/uploads/2007/08/illustration.gif"] [unique_id>>
"o4UhxsCoAW4AAIH5WjwAAAAD"]>>>> I know rx is a regular expression operator, but i dont know the
meaning>> of this between my images and my server...>>>> I get the same error, in another script, without
relationship with>> images:>> [Mon Sep 03 06:39:12 2007] [error] [client 192.168.1.110]
ModSecurity:>> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id>> "960015"]
[msg "Request Missing an Accept Header"] [severity>> "CRITICAL"] [hostname "www.bermejator.com"]
[uri "/wp->> cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id>>
"wRrq5cCoAW4AAIH6XFwAAAAE"]>>>>>> This script get my another error, with "eq" (i know its a
numerical>> comparison operator) but dunno why it is generated:>> [Mon Sep 03 06:39:12 2007] [error]
[client 192.168.1.110] ModSecurity:>> Warning. Operator EQ match: 0. [id "960009"] [msg "Request
Missing a>> User Agent Header"] [severity "WARNING"] [hostname>> "www.bermejator.com"] [uri "/wp->>
cron.php?check=ea0263e935ff651669c4bcdeaf21b16b"] [unique_id>>
"wRrq5cCoAW4AAIH6XFwAAAAE"]>>>> I think i have to avoid false positives>>
(http://www.modsecurity.org/blog/archives/2007/02/handling_false.html)>> but don't
understand why the errors before, are false positives.>>>> Sorry with my english, and thank u for help>>
Rubén Lara>>>> _________________________________________________________________>> Llama a
tus amigos de PC a PC: ¡Es GRATIS!>> http://get.live.com/messenger/overview>>
----------------------------------------------------------------------->> -->> This SF.net
email is sponsored by: Splunk Inc.>> Still grepping through log files to find problems? Stop.>> Now
Search log events and configuration files using AJAX and a browser.>> Download your FREE copy of Splunk
now>> http://get.splunk.com/>> _______________________________________________>>
mod-security-users mailing list>> mod-security-users <at> lists.sourceforge.net>> https://lists.sourceforge.net/lists/listinfo/mod-security-users

_________________________________________________________________
Llama a tus amigos de PC a PC: ¡Es GRATIS!
http://get.live.com/messenger/overview
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: yahoo and rule 960014

This alert means that a client was attempting to use your web server as a proxy by requesting that your web
server access a page on another website.  Attackers will often use open proxies to send their malicious
requests through so that they can hide their true IP address from the target website.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ruben Lara
> Sent: Friday, August 31, 2007 12:50 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] yahoo and rule 960014
> 
> 
> Hi all:
> 
> 
> What is the meaning of this¿?
> 
> [31/Aug/2007:04:34:41 +0200]
> [www.yahoo.com/sid#8166b28][rid#82be050][/][1] Access denied with code 400
> (phase 2). Pattern match "^http:/" at REQUEST_URI_RAW. [id "960014"] [msg
> "Proxy access attempt"] [severity "CRITICAL"]
> 
> 
> Thank u for your help
> Rubén Lara
> _________________________________________________________________
> Consigue el nuevo Windows Live Messenger
> http://get.live.com/messenger/overview
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: Mod_security reasonable when usingdigestauthentication?

Another thing to consider, what happens if tomorrow a new openssl
vulnerability is announced?  This happened a number of years ago where
many Apache installs were compromised due to a vuln in their SSL
package.  To help mitigate this, you could use ModSecurity to implement
chroot.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Ofer Shezaf
> Sent: Sunday, September 02, 2007 11:08 AM
> To: Sami Noponen; mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Mod_security reasonable when
> usingdigestauthentication?
> 
> While it is certainly preferable, security-wise, to have a closed
> accessible only to a small group of users, but I don't think that this
> shorten your vulnerability list to brute force and DOS. Some things I
> can think of are:
> 
> + Apache vulnerabilities, many of them ModSecurity would protect you
> from.
> 
> + Misconfiguraion or malicious change of configuration, especially
> someone removing digest authentication from parts of the site.
> 
> + And then of course, when you say brute force, chances are that some
> passwords will be weak enough to require you to erect further security
> berries.
> 
> + Did I say insider threat? I once had a conversation with someone who
> said that his company uses token based client side certificates, but
> when I inquired further I found that they had 15,000(!) partners using
> the system and getting a token was not that hard.
> 
> ~ Ofer
> 
> > -----Original Message-----
> > From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> > security-users-bounces <at> lists.sourceforge.net] On Behalf Of Sami
> Noponen
> > Sent: Friday, August 31, 2007 1:24 PM
> > To: mod-security-users <at> lists.sourceforge.net
> > Subject: [mod-security-users] Mod_security reasonable when using
> > digestauthentication?
> >
> > Hi,
> > I'm using Apache(2.2) web server for personal use only. Server is
> > protected with digest authentication and SSL.  Does the mod_security
> > bring any additional security to this kind of configuration? There
are
> > no "open" pages for anyone to view, everything is protected with
> > digest authentication. Only vulnerabilities therefore are brute
force
> > and DoS attacks.
> >
> > -Sami Noponen
> >
> >
>
-----------------------------------------------------------------------
> > --
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a
> browser.
> > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users <at> lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a
browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: how to except a url

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users