Gagan.Bhatia | 1 Sep 08:42 2009

Problem testing ModSecurity v2.5.10-dev3 released

null

=====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
Gagan Bhatia | 1 Sep 09:09 2009

Problem testing ModSecurity v2.5.10-dev3 released


Dear Mailing List
I am tring to install ModSecurity v2.5.10-dev3 on IBM IHS 6.1 on AIX
platform
But I am not able to run the make as it is failing for xlc complier.
I think it was fixed for this version. The error is

# make
/opt/IBM/IHS/build/libtool --silent --mode=compile xlc_r -prefer-pic -O2
-qmaxmem=8192 -U__STR__ -D_THREAD_SAFE -D_USE_IRS -qHALT=E
-I/opt/IBM/IHS/include -I/opt/IBM/IHS/include -I/opt/IBM/IHS/include -O2 -g
-Wall -I/opt/IBM/IHS/include -I/opt/freeware/include
-I/usr/local/include/libxml2 -c -o mod_security2.lo mod_security2.c &&
touch mod_security2.slo
/opt/IBM/IHS/build/libtool[847]: xlc_r: not found
apxs:Error: Command failed with rc=65536
.
make: 1254-004 The error code from the last command is 1.

Can you pls tell were the things are going wrong.

Regards
Gagan Bhatia
Tata Consultancy Services
Mailto: gagan.bhatia <at> tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                  Business Solutions
                  Outsourcing
____________________________________________

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Ivan Ristic | 1 Sep 11:12 2009
Picon

Tuning ModSecurity Console on Windows

I thought you might be interested in this:

Tuning ModSecurity Console on Windows
http://blog.ivanristic.com/2009/09/tuning-modsecurity-console-on-windows.html

I didn't know how to tune the console on Windows until today...

--

-- 
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Christian Bockermann | 1 Sep 18:18 2009

Re: limit number of connections per IP

Hi Denis!

If you want a ModSecurity-only approach, you might find some interest
in this one:

	https://secure.jwall.org/blog/2009/07/19/1248004300834.html

Best regards,
     Chris

Am 31.08.2009 um 16:14 schrieb Ryan Barnett:

> You can do this in rules, but you can also use SecGuardianLog and  
> http-guardian for rate limiting and blacklisting.  Here is a recent  
> howto - http://www.commandlineisking.com/2009/05/rate-limiting-and-dos-protection-in-mod.html
>
>
> Ryan C. Barnett
> Director of Application Security Research
> Breach Security, Inc.
> Ryan.Barnett <at> Breach.com
> www.Breach.com
>
>
> ----- Original Message -----
> From: Denis K. <sp23 <at> internode.on.net>
> To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net 
> >
> Sent: Mon Aug 31 10:06:11 2009
> Subject: [mod-security-users] limit number of connections per IP
>
> Hi,
>
> is mod_security able to block web visitors (based on their IP address)
> if they exceed a number of http connections made to the server,
> excluding images ?
>
> I know mod_limitipconn.c does this but I wanted to check if the trusty
> old modsec can do it perhaps using a rule of some sort..
>
> Denis
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
> < 
> winmail 
> .dat 
> > 
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july_______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Brian Rectanus | 1 Sep 20:05 2009

Re: Problem testing ModSecurity v2.5.10-dev3 released

Gagan Bhatia wrote:
> Dear Mailing List
> I am tring to install ModSecurity v2.5.10-dev3 on IBM IHS 6.1 on AIX
> platform
> But I am not able to run the make as it is failing for xlc complier.
> I think it was fixed for this version. The error is
>
>
> # make
> /opt/IBM/IHS/build/libtool --silent --mode=compile xlc_r -prefer-pic -O2
> -qmaxmem=8192 -U__STR__ -D_THREAD_SAFE -D_USE_IRS -qHALT=E
> -I/opt/IBM/IHS/include -I/opt/IBM/IHS/include -I/opt/IBM/IHS/include -O2 -g
> -Wall -I/opt/IBM/IHS/include -I/opt/freeware/include
> -I/usr/local/include/libxml2 -c -o mod_security2.lo mod_security2.c&&
> touch mod_security2.slo
> /opt/IBM/IHS/build/libtool[847]: xlc_r: not found
> apxs:Error: Command failed with rc=65536
> .
> make: 1254-004 The error code from the last command is 1.
>
> Can you pls tell were the things are going wrong.

It just looks like xlc_r is not in your path.

What options did you give to configure?  And what was the output of 
configure?

-B

--

-- 
Brian Rectanus
Breach Security

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Ivan Ristic | 3 Sep 15:25 2009
Picon

Re: Has anyone ever used multiMatch?

On Mon, Aug 31, 2009 at 12:45 PM, Marc Stern<marc.stern <at> approach.be> wrote:
> Hi Ivan,

Hi Marc,

> I use it, but it is a bit limited because

It is, I agree.

> 1. it tries to map after all transformations where you may only want to map
> after certain transformations (so a "t:match" would be more efficient)

That's an excellent idea.

> 2. most of the time, you need to perform several times a transformation
> (like "t:lowercase") after other ones (decoding ones)
>
> 3. for non breaking rules, there is no way to stop the rule after the first
> match. If you increase a counter by one, it will match 5 times and your
> counter will be increased 5 times also. Obviously, you can bypass this with
> complex rules, but it is not trivial for beginners

I guess this is where transformation via Lua could make more sense, as
 you'd be able to transform things exactly in the order you need.

> Regards
>
> Marc
>
>
> Ivan Ristic wrote:
>>
>> I am really curious, has anyone ever used (or even thought about
>> using) the multiMatch action?
>>
>>
>> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N1182A
>>
>

--

-- 
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Ivan Ristic | 3 Sep 15:28 2009
Picon

Re: Has anyone ever used multiMatch?

To respond to my own email, I've never used multiMatch. I did
encounter a situation where multiMatch would be useful, but it didn't
quite do what I needed. As an example, below is an extract from some
work that I never finished (it might have gone into the new Core
Rules, though).

------------------------
# Do not allow control characters apart from horizontal tab (9/0x09),
# line feed (10/0x0a) and carriage return (13/0x10).
#
# Ref: http://en.wikipedia.org/wiki/Control_character
# Ref: http://www.w3.org/MarkUp/html3/specialchars.html
#
SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
    t:none

# Verify for invalid bytes in HTML content.
#
SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
    t:none,t:htmlEntityDecode

# Verify for invalid bytes in JavaScript context.
#
SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
    t:none,t:htmlEntityDecode,t:jsDecode

# Verify for invalid bytes in CSS context.
#
SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
    t:none,t:htmlEntityDecode,t:cssDecode

# TODO The above could be combined into one, really.
------------------------

Three of the above rules could be combined into one using multiMatch,
but not all of them since there's a branch in the logic.

On Fri, Aug 21, 2009 at 3:46 PM, Ivan Ristic<ivan.ristic <at> gmail.com> wrote:
> I am really curious, has anyone ever used (or even thought about
> using) the multiMatch action?
>
> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N1182A
>
> --
> Ivan Ristic
> Security assessment of your SSL servers
> https://www.ssllabs.com/ssldb/

--

-- 
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Subramanian7 S | 4 Sep 04:26 2009

Re: Tuning ModSecurity Console on Windows



Hi,

   The blog is not accessible..

Subramanian S

 


Ivan Ristic <ivan.ristic <at> gmail.com>
09/01/2009 10:12 CET

 To   mod-security-users <at> lists.sourceforge.net
 cc  
 bcc  
 Subject   [mod-security-users] Tuning ModSecurity Console on Windows
 

I thought you might be interested in this:

Tuning ModSecurity Console on Windows
http://blog.ivanristic.com/2009/09/tuning-modsecurity-console-on-windows.html

I didn't know how to tune the console on Windows until today...

--
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

ForwardSourceID:NT00004CF6

=====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
Nick Gearls | 4 Sep 12:53 2009
Picon

Re: Has anyone ever used multiMatch?

What's the exact problem of using only
   t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode

Do you see a possibility of missing an attack, or getting a false positive?

Nick

Ivan Ristic wrote:
> To respond to my own email, I've never used multiMatch. I did
> encounter a situation where multiMatch would be useful, but it didn't
> quite do what I needed. As an example, below is an extract from some
> work that I never finished (it might have gone into the new Core
> Rules, though).
> 
> ------------------------
> # Do not allow control characters apart from horizontal tab (9/0x09),
> # line feed (10/0x0a) and carriage return (13/0x10).
> #
> # Ref: http://en.wikipedia.org/wiki/Control_character
> # Ref: http://www.w3.org/MarkUp/html3/specialchars.html
> #
> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>     t:none
> 
> # Verify for invalid bytes in HTML content.
> #
> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>     t:none,t:htmlEntityDecode
> 
> # Verify for invalid bytes in JavaScript context.
> #
> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>     t:none,t:htmlEntityDecode,t:jsDecode
> 
> # Verify for invalid bytes in CSS context.
> #
> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>     t:none,t:htmlEntityDecode,t:cssDecode
> 
> # TODO The above could be combined into one, really.
> ------------------------
> 
> Three of the above rules could be combined into one using multiMatch,
> but not all of them since there's a branch in the logic.
> 
> 
> 
> On Fri, Aug 21, 2009 at 3:46 PM, Ivan Ristic<ivan.ristic <at> gmail.com> wrote:
>> I am really curious, has anyone ever used (or even thought about
>> using) the multiMatch action?
>>
>> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N1182A
>>
>> --
>> Ivan Ristic
>> Security assessment of your SSL servers
>> https://www.ssllabs.com/ssldb/
> 

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Ivan Ristic | 4 Sep 17:01 2009
Picon

Re: Has anyone ever used multiMatch?

I don't know, I haven't thought about it. I prefer not to take
shortcuts. That way, I don't have to consider undesired consequences.

On Fri, Sep 4, 2009 at 11:53 AM, Nick Gearls<nickgearls <at> gmail.com> wrote:
> What's the exact problem of using only
>   t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode
>
> Do you see a possibility of missing an attack, or getting a false positive?
>
> Nick
>
>
> Ivan Ristic wrote:
>> To respond to my own email, I've never used multiMatch. I did
>> encounter a situation where multiMatch would be useful, but it didn't
>> quite do what I needed. As an example, below is an extract from some
>> work that I never finished (it might have gone into the new Core
>> Rules, though).
>>
>> ------------------------
>> # Do not allow control characters apart from horizontal tab (9/0x09),
>> # line feed (10/0x0a) and carriage return (13/0x10).
>> #
>> # Ref: http://en.wikipedia.org/wiki/Control_character
>> # Ref: http://www.w3.org/MarkUp/html3/specialchars.html
>> #
>> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>>     t:none
>>
>> # Verify for invalid bytes in HTML content.
>> #
>> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>>     t:none,t:htmlEntityDecode
>>
>> # Verify for invalid bytes in JavaScript context.
>> #
>> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>>     t:none,t:htmlEntityDecode,t:jsDecode
>>
>> # Verify for invalid bytes in CSS context.
>> #
>> SecRule ARGS " <at> validateByteRange 9,10,13,32-255" \
>>     t:none,t:htmlEntityDecode,t:cssDecode
>>
>> # TODO The above could be combined into one, really.
>> ------------------------
>>
>> Three of the above rules could be combined into one using multiMatch,
>> but not all of them since there's a branch in the logic.
>>
>>
>>
>> On Fri, Aug 21, 2009 at 3:46 PM, Ivan Ristic<ivan.ristic <at> gmail.com> wrote:
>>> I am really curious, has anyone ever used (or even thought about
>>> using) the multiMatch action?
>>>
>>> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N1182A
>>>
>>> --
>>> Ivan Ristic
>>> Security assessment of your SSL servers
>>> https://www.ssllabs.com/ssldb/
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
>

--

-- 
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html


Gmane