Michael Renzmann | 1 Nov 05:56

Re: RBL for script-kiddies?

Hi.

> Also, there was a past email thread on inspecting returned RBL data here
> -
> http://permalink.gmane.org/gmane.comp.apache.mod-security.user/2990

By the way: is the feature you mentioned in that posting implemented already?

Bye, Mike

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Victor Julien | 1 Nov 13:39

Re: RBL for script-kiddies?

Ryan Barnett wrote:
> We are using the @rbl operator and pointing to zen.spamhaus.org
> (http://www.spamhaus.org/zen/) on the WASC Distributed Open Proxy
> Honeypot Project vmware images.  You might want to look at it as it
> combines many of the different blocklists.
>
> Also, there was a past email thread on inspecting returned RBL data here
> -
> http://permalink.gmane.org/gmane.comp.apache.mod-security.user/2990
>
> Hope this helps.
Be careful with this RBL. I used it to block (comment) spam on my blog
and a trac site. But zen includes PBL, which is not a list of malicious
IPs but includes dynamic IP ranges as well. For email that may make
sense, but for comments on a blog or wiki edits this is too strict. I'm
sticking with sbl-xbl.spamhaus.org against spam.

Cheers,
Victor

Filip Hajny | 1 Nov 13:59

Re: RBL for script-kiddies?

On 1.11.2007, at 13:39, Victor Julien wrote:

> Ryan Barnett wrote:
>> We are using the @rbl operator and pointing to zen.spamhaus.org
>> (http://www.spamhaus.org/zen/) on the WASC Distributed Open Proxy
>> Honeypot Project vmware images.  You might want to look at it as it
>> combines many of the different blocklists.
>>
>> Also, there was a past email thread on inspecting returned RBL data here
>> -
>> http://permalink.gmane.org/gmane.comp.apache.mod-security.user/2990
>>
>> Hope this helps.
>
> Be careful with this RBL. I used it to block (comment) spam on my blog
> and a trac site. But zen includes PBL, which is not a list of malicious
> IPs but includes dynamic IP ranges as well. For email that may make
> sense, but for comments on a blog or wiki edits this is too strict.
> I'm sticking with sbl-xbl.spamhaus.org against spam.

What Victor said. PBL is never to be used by anything else but end point
mail servers (not mail relays), because it consists of legitimate IP
addresses that are not expected to initiate outgoing SMTP (by means of
the provider's AUP, not technically - e.g. dynamic IPs given out by
ISPs). These are usually the web site visitors that you want to let
in... ;)

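Victor's and Filip's point above, as an added example that is not part of the thread: a DNSBL answer is a set of 127.0.0.x codes, so a web-facing check can honour the SBL/XBL listings while ignoring PBL. The return codes are Spamhaus's documented zen codes; the resolver, client addresses and answers are constructed stand-ins.

```python
# Added example (not from the thread): decide what to do with a DNSBL answer
# the way a web-facing @rbl check should, honouring SBL/XBL but not PBL.
import ipaddress

ZEN = "zen.spamhaus.org"

# Documented zen return codes: 127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL.
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

# Which sub-lists justify a block in each context. PBL is policy, not malice
# (dynamic/residential ranges), so only an end-point mail server should act on it.
BLOCK_ON = {"web": {"SBL", "XBL"}, "smtp": {"SBL", "XBL", "PBL"}}

def rbl_query_name(client_ip, zone=ZEN):
    """Reversed-octet query name, e.g. 9.113.0.203.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map the A records returned by the DNSBL to the sub-lists they encode."""
    lists = set()
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr in ipaddress.IPv4Network("127.0.0.0/8"):
            lists.add(ZEN_CODES.get(int(addr) & 0xFF, "UNKNOWN"))
    return lists

def should_block(client_ip, resolve, context="web"):
    """resolve(name) -> list of A-record strings ([] for NXDOMAIN = not listed)."""
    lists = classify(resolve(rbl_query_name(client_ip)))
    return bool(lists & BLOCK_ON[context]), lists

# Constructed stand-in for DNS, keyed by the query name the code builds.
FAKE_DNS = {
    "7.100.51.198." + ZEN: ["127.0.0.11"],             # PBL only: a home DSL line
    "9.113.0.203." + ZEN: ["127.0.0.4", "127.0.0.2"],  # XBL and SBL: compromised host
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        for ctx in ("web", "smtp"):
            print(ip, ctx, should_block(ip, fake_resolve, ctx))
```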

Ryan Barnett | 1 Nov 14:57

Re: RBL for script-kiddies?

Excellent info, thanks for sharing guys.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Filip Hajny
> Sent: Thursday, November 01, 2007 9:00 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] RBL for script-kiddies?
> 
> On 1.11.2007, at 13:39, Victor Julien wrote:
> 
> > Ryan Barnett wrote:
> >> We are using the @rbl operator and pointing to zen.spamhaus.org
> >> (http://www.spamhaus.org/zen/) on the WASC Distributed Open Proxy
> >> Honeypot Project vmware images.  You might want to look at it as it
> >> combines many of the different blocklists.
> >>
> >> Also, there was a past email thread on inspecting returned RBL data
> >> here
> >> -
> >> http://permalink.gmane.org/gmane.comp.apache.mod-security.user/2990

Jerry | 1 Nov 15:58

Re: RBL for script-kiddies?

I'm still manually toasting IPs which trigger modsec rules. Haven't got
round to writing a script yet, but maybe there is an RBL for iptables
updating?

I had intended to write a script to scan the log file and add any IP address
with dodgy stuff such as rootkit attempts straight to the firewall - no
ifs, no buts, they get toasted.

Currently though I look at the log file, see what has been attempted and
manually type in the IP address, which takes up a bit of time each day.

The only RBLs I could find are for mail - every mail that comes in is
checked via RBL. I don't like that idea for http as there is obviously an
overhead. So is there any source of bad IPs I can download every hour and
synchronise with my iptables? It seems such a waste to continually call out
and check IPs to let them through or not when maintaining a list via
iptables would be so much slicker.

Victor Julien | 1 Nov 16:07

Re: RBL for script-kiddies?

Jerry wrote:
> I'm still manually toasting IPs which trigger modsec rules. Haven't got
> round to writing a script yet, but maybe there is an RBL for iptables
> updating?
>
> I had intended to write a script to scan the log file and add any IP address
> with dodgy stuff such as rootkit attempts straight to the firewall - no
> ifs, no buts, they get toasted.
>
> Currently though I look at the log file, see what has been attempted and
> manually type in the IP address, which takes up a bit of time each day.
>
> The only RBLs I could find are for mail - every mail that comes in is
> checked via RBL. I don't like that idea for http as there is obviously an
> overhead. So is there any source of bad IPs I can download every hour and
> synchronise with my iptables? It seems such a waste to continually call out
> and check IPs to let them through or not when maintaining a list via
> iptables would be so much slicker.
The overhead is not bad when you limit the rbl lookups to certain
actions at certain URIs only. For example:

# Method match made case-insensitive so it does not depend on a t:lowercase default
SecRule REQUEST_METHOD "(?i)^post$" \
    "log,deny,chain,msg:'LOCAL comment spammer at rbl list.dsbl.org',severity:7"
# Only comment and trackback endpoints reach the RBL lookup
SecRule REQUEST_URI "(wp-(comments-post|trackback)\.php|/trackback$)" "chain"
SecRule REMOTE_ADDR "@rbl list.dsbl.org"

This makes sure the lookup is _only_ performed when someone tries to

Jerry | 1 Nov 17:08

Re: RBL for script-kiddies?

I guess that's fair enough for a general static server with low comment
posting. But I've got this database server which I have tuned to the max for
best performance.

If I can stop any kind of access to the site at the firewall then a) httpd
has less to do, b) modsec has less to do, c) the server can get on with
other stuff.

Having a downloaded list of dodgy IPs means that I can update the firewall
regularly and stop the stuff coming in, full stop.

I have a downloadable list of IP addresses per country which I use to block
rogue countries, but I don't have anything for the various home adsl /
compromised servers / proxies which plague the site daily.

The kind of stuff I am on about includes the current exploits such as:

Match of "rx ^apache.*perl"
h t t p : //am ygi rl.c ha t .ru / im ages /i mag e.txt

Ro ot kit attack: Generic Attempt to install ro ot k it
h tt p: //am y ru.h 18. ru/ im a ges/c s.t xt?

I'd not want to let these in through the security cordon and then run an RBL
check on them. I'd much rather download a list of IPs which have done this
kind of thing within the past week and block them in their tracks.

> The overhead is not bad when you limit the rbl lookups to certain
> actions at certain uri's only. For example:
>
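The log-scanning script Jerry describes in his two posts, as an added example that is not part of the thread: it reads ModSecurity "Access denied" entries from the Apache error log, skips allow-listed networks and plain warnings, and emits ipset/iptables commands that expire after the week he mentions. The log lines, the set name and the allow-list are constructed for the example.

```python
# Added example (not from the thread): turn ModSecurity "Access denied"
# entries in the Apache error log into firewall block commands.
import ipaddress
import re
from collections import Counter

DENY_RE = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] ModSecurity: Access denied')
MSG_RE = re.compile(r'\[msg "(?P<msg>[^"]*)"\]')

# Never auto-block these: loopback, RFC1918 and a constructed monitoring host.
ALLOW = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "198.51.100.250/32")]

def parse_line(line):
    """Return (client_ip, rule_msg) for a ModSecurity denial, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None          # warnings and unrelated errors are ignored
    msg = MSG_RE.search(line)
    return m.group("ip"), (msg.group("msg") if msg else "")

def offenders(lines, threshold=1):
    """IPs with at least `threshold` denials that are not allow-listed."""
    hits = Counter(ip for ip, _ in filter(None, map(parse_line, lines)))
    return sorted(ip for ip, n in hits.items()
                  if n >= threshold
                  and not any(ipaddress.ip_address(ip) in net for net in ALLOW))

def ipset_commands(ips, setname="modsec_block", ttl=7 * 24 * 3600):
    """One DROP rule matching a set; entries time out after `ttl` seconds."""
    cmds = [f"ipset -exist create {setname} hash:ip timeout {ttl}",
            f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null || "
            f"iptables -I INPUT -m set --match-set {setname} src -j DROP"]
    cmds += [f"ipset -exist add {setname} {ip} timeout {ttl}" for ip in ips]
    return cmds

# Constructed sample error-log lines (ModSecurity 2.x message format).
SAMPLE_LOG = [
    '[Thu Nov 01 09:16:22 2007] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [id "950005"] [msg "Remote File Access Attempt"] [uri "/index.php"]',
    '[Thu Nov 01 09:16:23 2007] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [id "950005"] [msg "Remote File Access Attempt"] [uri "/news.php"]',
    '[Thu Nov 01 09:17:01 2007] [error] [client 192.168.1.20] ModSecurity: Access denied with code 403 (phase 2). [id "960010"] [msg "Request content type is not allowed"] [uri "/"]',
    '[Thu Nov 01 09:18:40 2007] [error] [client 198.51.100.7] ModSecurity: Warning. Operator GT match: 0. [uri "/index.htm"]',
]

if __name__ == "__main__":
    print("\n".join(ipset_commands(offenders(SAMPLE_LOG, threshold=2))))
```

Running it prints the commands only; piping them into a shell is the operator's decision, and the threshold keeps a single false positive from locking a visitor out.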

Ryan Barnett | 1 Nov 20:29

Reminder: ModSecurity Training at WASC/OWASP AppSec Conference in San Jose, Nov. 12th - 13th

I just wanted to send out one more reminder about the upcoming ModSecurity training that we are giving at the AppSec conference -

http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._ModSecurity_Boot-Camp_Training_-_2-Day_Course_-_Nov_12-13.2C_2007

We are really excited about the training and hope to meet a bunch of ModSecurity users while we are there for both the training days and for the rest of the conference.

Cheers.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Brandon Spruth | 1 Nov 20:49

Re: mlogc build on RHEL 3.0


I know I am late on this response, but that worked.
thanks

Brian Rectanus wrote:
> Hi Brandon,
>
> Please try the latest mlogc, version 1.4.2 from BSN (bsn.breach.com).
> This version builds a dynamic binary by default.  If you need a static
> binary, then you can build with "make static".
>
> Let us know your results.
>
> thanks,
> -B
>
> Brandon Spruth wrote:
>> mlogc seems to have four dependencies as
>> documented in the "BUILD" documentation libapr1, libcurl, libpcre and
>> openssl. I have satisfied these requirements however I am receiving
>> build errors on my RHEL 3.0 OS.  Below are the build errors.
>>
>>
>> [root <at> host /opt/src/mlogc-src_1.4.1]# make
>> /opt/src/apache_2.0/mlogc-src_1.4.1/./srclib/install/curl/lib/libcurl.
>> a(strerror.o)(.text+0x2fa): In function `Curl_strerror':
>> /opt/src/apache_2.0/mlogc-src_1.4.1/srclib/build/curl-7.16.1/lib/strer
>> ror.c:641: undefined reference to `__xpg_strerror_r'
>> collect2: ld returned 1 exit status
>> chmod: failed to get attributes of `mlogc': No such file or directory
>>
>> Build finished.  Please follow the INSTALL instructions to complete
>> the install.
>>
>> I am uncertain if these errors are related to the dependencies that
>> are much newer than the RHEL 3.0 installs we have in our environment.
>> Below are the versions I have installed.  I do realize that this
>> build is a static library build and you have the source packaged
>> with your mlogc tar ball, so I may be taking a shot in the dark with my
>> analysis.
>>
>> (RHEL 3.0) build
>> openssl-0.9.7a-33.17
>> curl-7.10.6-8.rhel3
>> pcre-3.9-10.2
>>
>> Any idea on why I am receiving this error?
>>
>

--
==================================================================
Brandon Spruth
brandon <at> infosec.bz
http://www.infosec.bz
gpg key id: 0x9EE7FF8B
gpg fingerprint: 04C6 29F2 86EE 6E50 6165 9817 8701 1C30 9EE7 FF8B
==================================================================
Danett song | 2 Nov 01:17

Problem at BSN webcast and rule in ModSecurity2_Webcast_Jan2007.pdf.

Hi guys,

Today I accessed the BSN and was reading the
documentation called ModSecurity2_Webcast_Jan2007.pdf;
it's really nice. I tried one of the examples shown:

# ... other rules ...

# Blocking users by time
SecDataDir /var/tmp

SecAction initcol:ip=%{REMOTE_ADDR},nolog,pass
SecRule IP:BLOCKED "@gt 0"

SecRule REQUEST_URI "^(/news\.php)" \
    "chain,pass,log,setvar:ip.score=+15,id:1111,severity:4,msg:'Positive Model - testing block.'"
SecRule ARGS_NAMES "!^(id)$"

SecRule IP:SCORE "@ge 30" \
    "setvar:ip.blocked=3600,deprecatevar:ip.blocked=1/1"

# ... other rules ...

However, it doesn't work properly; it triggers these
errors in the log on EVERY page that I access:

[Thu Nov 01 09:16:22 2007] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GT match: 0. [hostname "localhost"] [uri "/index.htm"] [unique_id "cv80heCoAUEAAERtAs8AAAbA"]
[Thu Nov 01 09:16:22 2007] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GE match: 30. [hostname "localhost"] [uri "/index.htm"] [unique_id "cv80heCoAUEAAERtAs8AAAbA"]
[Thu Nov 01 09:16:23 2007] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GT match: 0. [hostname "localhost"] [uri "/favico.ico"] [unique_id "hfusidhfoowjkf93mfeinefS"]
[Thu Nov 01 09:16:23 2007] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GE match: 30. [hostname "localhost"] [uri "/favico.ico"] [unique_id "hfusidhfoowjkf93mfeinefS"]

And not only in news.php and where the parameter is not
id.

The other problem is related to the ModSecurity 2.0
Webcast, 10 January 2007: when I click on it and
register I get this error:

Invalid Request

This URL is invalid. Please contact the publisher or your site administrator.

© 2007 Breach Security, Inc. All rights reserved.
Privacy | Terms of Service | Request information about WebEx services

I tried in IE and Firefox and both failed. :(

Suggestion: Provide this documentation in .pdf,
preferably with copy rights, so we can copy rules more
easily.

Thank you.

Regards,
