Re: Breach Security Labs Alert: Nihaorr1 Attack(fwd)

Hello John,
I am guessing that you are using ModSecurity 2.1.4?  This recent
mass-SQL Injection attack is essentially an updated version of the
attack I outlined in a past Blog post -
http://blog.modsecurity.org/2008/01/sql-injection-a.html.  The only real
difference is the actual injected JS code.

Fortunately, if you are using the Core Rules, Rule ID 950001 (SQL
Injection) in the modsecurity_crs_40_generic_attacks.conf file) will
identify this attack.  When the Breach alert mentions "Customers should
verify their security settings to ensure the appropriate prevention
mechanisms are active." what we mean is that even if you are using Rule
ID 950001, you still need to check your SecRuleEngine setting along with
the disruptive action specified on the rule itself.  If you have
SecRuleEngine set to DetectionOnly, then obviously the attack would be
alerted on but not actually blocked.

Hope this info helps!

-Ryan 

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of John covici
> Sent: Wednesday, April 30, 2008 10:52 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] Breach Security Labs Alert: Nihaorr1
> Attack(fwd)
> 
> Hi.  How do I make sure that a site using mod-security 2.4 is not

Re: Breach Security Labs Alert: Nihaorr1 Attack(fwd)

One quick clarification - if you want to use blocking for these rules,
use the modsecurity_crs_40_generic_attacks.conf file that is under the
"optional_rules" directory as this is the "blocking" version and has the
"deny" action applied to them.

The name of that directory is a bit misleading as it is really holding 2
different types of rules - some are the blocking versions of rules files
and some are truly optional rule sets that may be applicable in some
situations (comment spam and directory traversals).  Due to the fact
that many people call up the Mod rules using Include wild-carding in the
httpd.conf file, we thought it best to move the optional rules into a
separate directory so that they would need to be explicitly specified.

-Ryan

> -----Original Message-----
> From: Ryan Barnett
> Sent: Thursday, May 01, 2008 8:12 AM
> To: covici <at> ccs.covici.com; mod-security-users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Breach Security Labs Alert: Nihaorr1
> Attack(fwd)
> 
> Hello John,
> I am guessing that you are using ModSecurity 2.1.4?  This recent
mass-SQL
> Injection attack is essentially an updated version of the attack I
> outlined in a past Blog post -
http://blog.modsecurity.org/2008/01/sql-
> injection-a.html.  The only real difference is the actual injected JS
> code.

SecRule REQUEST_FILENAME & ctl:ruleRemoveById

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: Breach Security Labs Alert: Nihaorr1 Attack(fwd)

OK, thanks.Glad to know the core rules are working for this one -- too
bad more of these organizations haven't figured this out yet.

on Thursday 05/01/2008 Ryan Barnett(Ryan.Barnett <at> Breach.com) wrote
 > Hello John,
 > I am guessing that you are using ModSecurity 2.1.4?  This recent
 > mass-SQL Injection attack is essentially an updated version of the
 > attack I outlined in a past Blog post -
 > http://blog.modsecurity.org/2008/01/sql-injection-a.html.  The only real
 > difference is the actual injected JS code.
 > 
 > Fortunately, if you are using the Core Rules, Rule ID 950001 (SQL
 > Injection) in the modsecurity_crs_40_generic_attacks.conf file) will
 > identify this attack.  When the Breach alert mentions "Customers should
 > verify their security settings to ensure the appropriate prevention
 > mechanisms are active." what we mean is that even if you are using Rule
 > ID 950001, you still need to check your SecRuleEngine setting along with
 > the disruptive action specified on the rule itself.  If you have
 > SecRuleEngine set to DetectionOnly, then obviously the attack would be
 > alerted on but not actually blocked.
 > 
 > Hope this info helps!
 > 
 > -Ryan 
 > 
 > > -----Original Message-----
 > > From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
 > > security-users-bounces <at> lists.sourceforge.net] On Behalf Of John covici
 > > Sent: Wednesday, April 30, 2008 10:52 AM
 > > To: mod-security-users <at> lists.sourceforge.net
 > > Subject: [mod-security-users] Breach Security Labs Alert: Nihaorr1
 > > Attack(fwd)
 > > 
 > > Hi.  How do I make sure that a site using mod-security 2.4 is not
 > > vulnerable to the attack mentioned below?
 > > 
 > > Thanks.
 > > 
 > > ------- start of forwarded message -------
 > > From: "Breach.com" <emarketing <at> breach.com>
 > > To: "John" <covici <at> ccs.covici.com>
 > > Subject: Breach Security Labs Alert: Nihaorr1 Attack
 > > Date: Thu, 01 May 2008 00:43:45 +1000
 > > 
 > > --_=aspNetEmail=_cbe4e7c01221481c86ed3828b8d825ad
 > > Content-Type: text/plain;
 > > 	charset="utf-8"
 > > Content-Transfer-Encoding: quoted-printable
 > > 
 > > Click here
 > > [http://www.breach.com/emails/breach-security-labstm-alert.html]
 > > if you're having trouble viewing this email.
 > > Please add emarketing <at> breach.com [mailto:emarketing <at> breach.com] t
 > > o your address book, to ensure proper delivery into your inbox.
 > > Breach Security Labs=E2=84=A2 Alert
 > > 
 > > Tuesday, April 29, 2008
 > > 
 > > Priority: HIGH
 > > 
 > > Impact: Potential for malware to be downloaded to website
 > > visitors. PCI DSS non-compliance.
 > > 
 > > Resolution: Verify blocking policy in web application firewall
 > > and remediate code flaws.
 > > 
 > > Who: As many as 500,000 vulnerable Microsoft=C2=AE IIS web servers
 > > around the world have been attacked with a generic SQL injection,
 > > known as "nihaorr1". Some of the affected organizations
 > > include:
 > > 
 > >   * The United Nations
 > >   * The U.S. Department of Homeland Security
 > >   * The U.K. Government
 > >   * Aeroflot Russian Airlines
 > > 
 > > What:  A SQL injection is a common attack that targets web
 > > applications through user-supplied input fields, such as web
 > > forms. The goal of this attack technique is to control the SQL
 > > database behind the application for the purposes of downloading
 > > its contents, erasing it or undertaking another malicious
 > > activity.
 > > 
 > > How: This recent attack has found a common way to exploit various
 > > SQL injection vulnerabilities in websites and inject malicious
 > > JavaScript=E2=84=A2 into different pages on each site. When a
 > potential
 > > victim visits one of the infected sites, malware is downloaded to
 > > the visitor's computer.
 > > 
 > > Impact: The nihaorr1 assault on web applications is the most
 > > widely propagating application-layer attack to date. Not only has
 > > it hit hundreds of thousands of web applications around the
 > > world, but  also it has done so using a single, generic attack on
 > > these custom applications.
 > > 
 > > Additionally, organizations impacted by nihaorr1 may be
 > > classified as out of compliance with the Payment Card Industry
 > > (PCI) Data Security Standard (DSS). Requirement 6.5.6 of the PCI
 > > DSS states that organizations should:
 > > 
 > > "...Cover prevention of common coding vulnerabilities in
 > > software development processes, to include the
 > > following=E2=80=A6injection flaws (for example, structured query
 > > language (SQL) injection)."
 > > 
 > > Prevention: Perhaps the most surprising discovery associated with
 > > this attack is that it was entirely preventable. Had the
 > > developers of these web applications created them based on secure
 > > coding guidelines such as those from the Open Web Application
 > > Security Project (OWASP), their sites would have been protected.
 > > In addition, deployment of a Breach Security web application
 > > firewall prevents the attack.
 > > 
 > > Resolution: Breach Security's web application firewalls enable
 > > security organizations to pinpoint security vulnerabilities in
 > > code for quick remediation and offer continuous protection by
 > > detecting and blocking hacks before they can reach the web
 > > application. Breach Security recommends remediation of the
 > > vulnerable code as a best practice as part of the normal
 > > development life cycle.
 > > 
 > > Breach Security WebDefend=E2=84=A2 and ModSecurity Pro=E2=84=A2 M1100
 > > customers are already protected against nihaorr1. Customers
 > > should verify their security settings to ensure the appropriate
 > > prevention mechanisms are active.
 > > 
 > > For more information on this alert and other web application
 > > security news, please visit Breach Security Labs at
 > > support <at> breach.com [mailto:support <at> breach.com].
 > > 
 > > Breach Security, Inc.
 > > 
 > > 2075 Las Palmas Drive, Carlsbad, CA 92011
 > > +1 866 205 7032| +1 760 268 1924 | www.breach.com [http://www.bre
 > > ach.com/]
 > > This is a promotional message from Breach Security.
 > > 
 > > Click here to cease further contact.
 > > =C2=A9 2008 Breach Security, Inc. All rights reserved.
 > > 
 > > This email was sent to covici <at> ccs.covici.com.
 > > You can instantly unsubscribe from these emails by clicking the link
 > belo=
 > > w:
 > > http://breach.cmail5.com/u/399036/z5dillj/
 > > 
 > > --_=aspNetEmail=_cbe4e7c01221481c86ed3828b8d825ad
 > > Content-Type: text/html;
 > > 	charset="utf-8"
 > > Content-Transfer-Encoding: quoted-printable
 > > 
 > > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 > "http://www.w3.o=
 > > rg/TR/xhtml1/DTD/xhtml1-strict.dtd">
 > > <html xmlns=3D"http://www.w3.org/1999/xhtml">
 > > 	<head>
 > > 		<meta content=3D"text/html; charset=3Dutf-8" http-
 > > equiv=3D"Content-Type=
 > > " />
 > > 		<title>Breach Security Labs(tm) Alert :: Breach Security
 > > Inc.</title>
 > > =09
 > > </head>
 > > 	<body style=3D"text-align: center;">
 > > 		<div id=3D"container_outer" style=3D"text-align:
 > center;"><div
 > > id=3D"co=
 > > ntainer_inner" style=3D"margin: 0 auto; text-align: left; width:
 > 600px;">=
 > > 
 > > 			<table cellspacing=3D"0" border=3D"0"
 > cellpadding=3D"0"
 > > width=3D"600">=
 > > 
 > > 				<tr>
 > > 					<td style=3D"font-size: 13px;
 > line-height:
 > > 1.3; font-family: Arial, =
 > > Helvetica, sans-serif; vertical-align: top;">
 > > 						<p class=3D"notice"
 > style=3D"font-
 > > size: 10px; margin: 10px 0px 18px=
 > > ; line-height: 1.3; font-family: Arial, Helvetica, sans-serif; color:
 > #89=
 > > 8989; text-align: center;">
 > > 							<a
 > > href=3D"http://breach.cmail5.com/l/399036/z5dillj/www.breach.co=
 > > m/emails/breach-security-labstm-alert.html" title=3D"Breach Security
 > Inc.=
 > > " style=3D"color: #009dd7;">Click here</a> if you're having trouble
 > viewi=
 > > ng this email.<br />
 > > 						=09
 > > 							Please add
 > <em><a
 > > href=3D"mailto:emarketing <at> breach.com" style=3D"c=
 > > olor: #009dd7;">emarketing <at> breach.com</a></em> to your address book,
 > to e=
 > > nsure proper delivery into your inbox.
 > > 						=09
 > > 						</p>
 > > 					</td>
 > > 				</tr>
 > > 			</table>
 > > 			<table cellspacing=3D"0" class=3D"border"
 > > cellpadding=3D"0" style=3D"b=
 > > order: 1px solid #000; text-align: left;" width=3D"600">
 > > 				<tr>
 > > 					<td style=3D"font-size: 13px;
 > line-height:
 > > 1.3; font-family: Arial, =
 > > Helvetica, sans-serif; vertical-align: top;" colspan=3D"2">
 > > 						<img
 > > src=3D"http://www.breach.com/assets/images/emails/2008/04/secu=
 > > re_coding_header.jpg" height=3D"196" alt=3D"Breach: Make every
 > transactio=
 > > n a safe one" width=3D"600" />
 > > 					</td>
 > > 				</tr>
 > > 				<tr>
 > > <td class=3D"content" style=3D"font-size: 13px; line-height: 1.3;
 > padding=
 > > : 0px 25px 15px; font-family: Arial, Helvetica, sans-serif;
 > vertical-alig=
 > > n: top;" colspan=3D"2">
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong><span
 > style=3D"color: #=
 > > 2A66A2;">Breach Security Labs&#8482; Alert</span></strong><br />
 > > Tuesday, April 29, 2008</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong><span
 > style=3D"color: r=
 > > ed;">Priority:</span></strong> <span style=3D"color: red;"><span
 > class=3D=
 > > "caps">HIGH</span></span></p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong><span
 > style=3D"color: r=
 > > ed;">Impact:</span></strong> <span style=3D"color: red;">Potential for
 > ma=
 > > lware to be downloaded to website visitors. <span
 > class=3D"caps">PCI</spa=
 > > n> <span class=3D"caps">DSS</span> non-compliance.</span></p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong><span
 > style=3D"color: r=
 > > ed;">Resolution:</span></strong> <span style=3D"color: red;">Verify
 > block=
 > > ing policy in web application firewall and remediate code
 > flaws.</span></=
 > > p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong>Who:</strong> As
 > many a=
 > > s 500,000 vulnerable Microsoft&#174; <span class=3D"caps">IIS</span>
 > web =
 > > servers around the world have been attacked with a generic <span
 > class=3D=
 > > "caps">SQL</span> injection, known as &#8220;nihaorr1&#8221;. Some of
 > the=
 > >  affected organizations include:</p>
 > > 	<ul style=3D"margin-bottom: 0px; margin-top: 0px;">
 > > 		<li style=3D"font-size: 13px; list-style: square
 > outside;
 > > margin-bottom=
 > > : 5px; line-height: 1.3; margin-top: 0px; font-family: Arial,
 > Helvetica, =
 > > sans-serif;">The United Nations</li>
 > > 		<li style=3D"font-size: 13px; list-style: square
 > outside;
 > > margin-bottom=
 > > : 5px; line-height: 1.3; margin-top: 0px; font-family: Arial,
 > Helvetica, =
 > > sans-serif;">The U.S. Department of Homeland Security</li>
 > > 		<li style=3D"font-size: 13px; list-style: square
 > outside;
 > > margin-bottom=
 > > : 5px; line-height: 1.3; margin-top: 0px; font-family: Arial,
 > Helvetica, =
 > > sans-serif;">The U.K. Government</li>
 > > 		<li style=3D"font-size: 13px; list-style: square
 > outside;
 > > margin-bottom=
 > > : 5px; line-height: 1.3; margin-top: 0px; font-family: Arial,
 > Helvetica, =
 > > sans-serif;">Aeroflot Russian Airlines</li>
 > > 	</ul>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong>What:</strong>  A
 > <span=
 > >  class=3D"caps">SQL</span> injection is a common attack that targets
 > web =
 > > applications through user-supplied input fields, such as web forms.
 > The g=
 > > oal of this attack technique is to control the <span
 > class=3D"caps">SQL</=
 > > span> database behind the application for the purposes of downloading
 > its=
 > >  contents, erasing it or undertaking another malicious activity.</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong>How:</strong> This
 > rece=
 > > nt attack has found a common way to exploit various <span
 > class=3D"caps">=
 > > SQL</span> injection vulnerabilities in websites and inject malicious
 > Jav=
 > > aScript&#8482; into different pages on each site. When a potential
 > victim=
 > >  visits one of the infected sites, malware is downloaded to the
 > visitor&#=
 > > 8217;s computer.</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong>Impact:</strong> The
 > ni=
 > > haorr1 assault on web applications is the most widely propagating
 > applica=
 > > tion-layer attack to date. Not only has it hit hundreds of thousands
 > of w=
 > > eb applications around the world, but  also it has done so using a
 > single=
 > > , generic attack on these custom applications.  </p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;">Additionally, organizations
 > imp=
 > > acted by nihaorr1 may be classified as out of compliance with the
 > Payment=
 > >  Card Industry (<span class=3D"caps">PCI</span>) Data Security
 > Standard (=
 > > <span class=3D"caps">DSS</span>). Requirement 6.5.6 of the <span
 > class=3D=
 > > "caps">PCI</span> <span class=3D"caps">DSS</span> states that
 > organizatio=
 > > ns should: </p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;">&#8220;...Cover prevention
 > of c=
 > > ommon coding vulnerabilities in software development processes, to
 > includ=
 > > e the following&#8230;injection flaws (for example, structured query
 > lang=
 > > uage (<span class=3D"caps">SQL</span>) injection).&#8221;</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong>Prevention:</strong>
 > Pe=
 > > rhaps the most surprising discovery associated with this attack is
 > that i=
 > > t was entirely preventable. Had the developers of these web
 > applications =
 > > created them based on secure coding guidelines such as those from the
 > Ope=
 > > n Web Application Security Project (<span
 > class=3D"caps">OWASP</span>), t=
 > > heir sites would have been protected. In addition, deployment of a
 > Breach=
 > >  Security web application firewall prevents the attack.</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;"><strong>Resolution:</strong>
 > Br=
 > > each Security&#8217;s web application firewalls enable security
 > organizat=
 > > ions to pinpoint security vulnerabilities in code for quick
 > remediation a=
 > > nd offer continuous protection by detecting and blocking hacks before
 > the=
 > > y can reach the web application. Breach Security recommends
 > remediation o=
 > > f the vulnerable code as a best practice as part of the normal
 > developmen=
 > > t life cycle.</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;">Breach Security
 > WebDefend&#8482=
 > > ; and ModSecurity Pro&#8482; M1100 customers are already protected
 > agains=
 > > t nihaorr1. Customers should verify their security settings to ensure
 > the=
 > >  appropriate prevention mechanisms are active.</p>
 > > 	<p style=3D"font-size: 13px; margin: 10px 0px 18px; line-height:
 > > 1.3; fo=
 > > nt-family: Arial, Helvetica, sans-serif;">For more information on this
 > al=
 > > ert and other web application security news, please visit Breach
 > Security=
 > >  Labs at <a
 > href=3D"http://breach.cmail5.com/l/399036/z5dillj/www.breach.=
 > > com/" style=3D"color: #009dd7;">www.breach.com</a> or email <a
 > href=3D"ma=
 > > ilto:support <at> breach.com" style=3D"color:
 > #009dd7;">support <at> breach.com</a>=
 > > .</p>
 > > 					</td>
 > > 				</tr>
 > > 				<tr>
 > > 					<td class=3D"border_top"
 > style=3D"font-size:
 > > 13px; background: #000;=
 > >  line-height: 1.3; font-family: Arial, Helvetica, sans-serif;
 > vertical-al=
 > > ign: top; border-top: 1px solid #000;" colspan=3D"2">
 > > 						<img
 > > src=3D"http://breach.cmail5.com/email/399036/wwwbreachcom/asse=
 > > ts/templates/breach/images/flyers/breach_html4_04.gif" height=3D"7"
 > > alt=3D=
 > > "---" style=3D"display: block;" width=3D"600" />
 > > 						<table cellspacing=3D"0"
 > > class=3D"footer" border=3D"0" cellpadding=3D=
 > > "0" style=3D"font-size: 10px; background: #000; line-height: 1;
 > font-fami=
 > > ly: Arial, Helvetica, sans-serif; color: #898989; width: 100%;">
 > > 							<tr>
 > > 								<td
 > style=3D"font-size:
 > > 10px; line-height: 1.3; padding: 10px 15p=
 > > x; font-family: Arial, Helvetica, sans-serif; vertical-align: top;
 > text-a=
 > > lign: left;">
 > >
 > Breach Security,
 > > Inc.<br />
 > >
 > 2075 Las Palmas
 > > Drive, Carlsbad, CA 92011<br />
 > >
 > +1 866 205 7032| +1
 > > 760 268 1924 | <a href=3D"http://breach.cmai=
 > > l5.com/l/399036/z5dillj/www.breach.com/" style=3D"color:
 > #898989;">www.br=
 > > each.com</a>
 > > 								</td>
 > > 								<td
 > style=3D"font-size:
 > > 10px; line-height: 1.3; padding: 10px 15p=
 > > x; font-family: Arial, Helvetica, sans-serif; vertical-align: top;
 > text-a=
 > > lign: right;">
 > >
 > This is a
 > > promotional message from Breach Security.<br />
 > >
 > <a
 > > href=3D"http://breach.cmail5.com/u/399036/z5dillj/" style=3D"=
 > > color: #ccc;">Click here</a> to cease further contact.<br />
 > >
 > &copy; 2008 Breach
 > > Security, Inc. All rights reserved.
 > > 								</td>
 > > 							</tr>
 > > 						</table>
 > > 					</td>
 > > 				</tr>
 > > 			</table>
 > > 		</div></div>
 > > 	<img src=3D"http://breach.cmail5.com/o/399036/z5dillj/o.gif"
 > > width=3D"1"=
 > >  height=3D"1" border=3D"0"></body>
 > > </html>
 > > 
 > > 
 > > --_=aspNetEmail=_cbe4e7c01221481c86ed3828b8d825ad--
 > > ------- end of forwarded message -------
 > > 
 > > --
 > > Your life is like a penny.  You're going to lose it.  The question is:
 > > How do
 > > you spend it?
 > > 
 > >          John Covici
 > >          covici <at> ccs.covici.com
 > > 
 > >
 > ------------------------------------------------------------------------
 > -
 > > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
 > > Don't miss this year's exciting event. There's still time to save
 > $100.
 > > Use priority code J8TL2D2.
 > >
 > http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/j
 > av
 > > aone
 > > _______________________________________________
 > > mod-security-users mailing list
 > > mod-security-users <at> lists.sourceforge.net
 > > https://lists.sourceforge.net/lists/listinfo/mod-security-users

--

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici <at> ccs.covici.com

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

OWASP AppSec Europe 2008

I thought it would be useful to copy & paste my blog post about the
forthcoming AppSec conference here. Please have a look at the last
paragraph, where I propose to use these conferences for bi-yearly
ModSecurity user meetings.

Judging from the list of talks alone, it looks like OWASP AppSec
Europe in Belgium is going to be a great conference, especially if you
are interested in web application firewalls and ModSecurity:

   1. I will be giving a talk on web application firewall evaluation
(Evaluation Criteria for Web Application Firewalls), which will be
based on the Web Application Firewall Evaluation Criteria (WAFEC)
project.
   2. Christian Folini will be discussing the REMO project (Positive
ModSecurity rulesets / Input validation).
   3. Alexander Meisel will be talking about how to best use a web
application firewall (Best Practices Guide: Web Application
Firewalls), which is based on the document of the same name (available
in German, as PDF).
   4. Mario Heiderich will be promoting the PHPIDS project (PHPIDS
Monitoring attack surface activity).

Ofer Shezaf, the Core Rules guru, and Ryan Barnett, the ModSecurity
Community Manager will be there (Ofer will be giving his talk about
web hacking trends: Trends in Web Hacking Incidents: What's Hot in
2008), as will be Christian Bockermann (it is rumoured), who has been
working on some very interesting software related to ModSecurity.

Finally, Ryan is going to be teaching a two-day ModSecurity training
course, which will cover a lot of ground, starting from the basics and
into the advanced stuff. This is a great-value course, and I urge you
to register if you are a ModSecurity user. You will not only find out
about stuff you never knew existed in ModSecurity, but we will also
give a thorough overview of various web application security issues.

In the recent survey, many people expressed a desire to meet with
other ModSecurity users. Our community is large, but it's very diverse
and spread geographically, and probably not yet large enough for
regular local meetings. It strikes me that OWASP conferences may be a
great opportunity for us to meet twice a year—once in Europe, and then
the second time in the US. If you will be coming to the conference in
Belgium and you are a ModSecurity user, please send me an email. With
enough people interested, we may be able to organise a meeting.

--

-- 
Ivan Ristic

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Possible output filter errors?

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: Possible output filter errors?

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

Hi there

We are using modsecurity on Apache to protect backend IIS servers (ie a 
WAF), and of course, one downside is that all the IIS Logs now report 
the WAF's IP address instead of the real Internet IP of the client.

For backend Apache servers this is easy to fix (I'll put it here for 
others and Google)

LogFormat "%h %l ...." internal
LogFormat "%{X-Forwarded-For}i %l ...." external

setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF

CustomLog /var/log/httpd/access_log internal env=!isWAF
CustomLog /var/log/httpd/access_log external env=isWAF

...however IIS has nothing like that. How are others doing it? I've 
looked around Google and found something from 2005 - but a couple of 
releases of IIS have come out since then, so I don't know how valid 
they'd be anymore...

Thanks

--

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

In the Linux world and my current configuration, I use
mod_extract_forwarded2 to get the "X-Forwarded-For"
header before Apache AND before modsecurity.

If my memory serves me right there is a
mod_extract_forward module for the Windows version of
Apache...  (Not sure about IIS though).

If you are running something older than 2.1.4 you will
also need to re-compile modsecurity and change the
following line in mod_security2.c....  Whatever module
you chose to use make sure it is somewhere in the
below constant.

    static const char *postread_beforeme_list[] = {
        "mod_rpaf.c",
        "mod_extract_forwarded2.c",
        "mod_breach_realip.c",
        "mod_breach_trans.c",
        "mod_unique_id.c",
        NULL

Good luck...

Russ

--- Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:

> Hi there
> 
> We are using modsecurity on Apache to protect
> backend IIS servers (ie a 
> WAF), and of course, one downside is that all the
> IIS Logs now report 
> the WAF's IP address instead of the real Internet IP
> of the client.
> 
> For backend Apache servers this is easy to fix (I'll
> put it here for 
> others and Google)
> 
> LogFormat "%h %l ...." internal
> LogFormat "%{X-Forwarded-For}i %l ...." external
> 
> setEnvIf Remote_Addr "^ip.of.modsecurity.server$"
> isWAF
> 
> CustomLog /var/log/httpd/access_log internal
> env=!isWAF
> CustomLog /var/log/httpd/access_log external
> env=isWAF
> 
> ...however IIS has nothing like that. How are others
> doing it? I've 
> looked around Google and found something from 2005 -
> but a couple of 
> releases of IIS have come out since then, so I don't
> know how valid 
> they'd be anymore...
> 
> Thanks
> 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation
> Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063
> 5EBB FE1D 66D1
> 
> 
>
-------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008
> JavaOne(SM) Conference 
> Don't miss this year's exciting event. There's still
> time to save $100. 
> Use priority code J8TL2D2. 
>
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 

      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone