Ryan Barnett | 1 Sep 2010 14:58

New Blog Post - Advanced Feature of the Week: Transformation Functions

In this installment of the “Advanced Feature of the Week”, we take a look at Transformation functions.

http://blog.modsecurity.org/2010/08/advanced-feature-of-the-week-transformation-functions.html

Cheers,
Ryan

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Ryan Barnett | 1 Sep 2010 17:35

New ModSecurity User Survey for 2010 is Online

Hello ModSecurity Users!  We want to hear from you.  What do you like about ModSecurity?  What don’t you
like?  What can we do better?  Now is your chance to speak up and let us know how we can make ModSecurity better. 
Please take the time to complete the brand new ModSecurity User Survey for 2010 -

http://www.surveymonkey.com/s/WWL32K8

The results of this survey will influence both the ModSecurity and OWASP Core Rule Set roadmaps so if there
are some features that you would like to see, let us know.  As an added bonus for taking the time to complete
the survey, if you provide a ModSecurity Testimonial, you will be eligible for a raffle to win a t-shirt.

Thanks for helping out and I look forward to reviewing your responses.

Ryan Barnett
ModSecurity Community Manager
OWASP ModSecurity Core Rule Set Project Leader


diego subero | 2 Sep 2010 20:48

problem with bns.branch.cm

Hi all, I installed the ModSecurity console, but when I test my community console, the licence is invalid and the web site bsn,branch is down. What is the solution?

--
Diego Subero

Brian Rectanus | 2 Sep 2010 20:58

Re: problem with bns.branch.cm

The free license is here:

http://www.breach.com/resources/modsecurity/free-license.txt

-B

On Thu, Sep 2, 2010 at 11:48 AM, diego subero <diego.subero <at> gmail.com> wrote:
> Hi all, I installed the ModSecurity console, but when I test my community
> console, the licence is invalid and the web site bsn,branch is down.
> What is the solution?
>
> --
> Diego Subero
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
>
>

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Steffan Vigano | 3 Sep 2010 00:05

Can't load some base_rules - Apache hangs

  Hello,

Having trouble getting mod_security to load the base set of rules.    If 
I start Apache commenting out the base_rules conf files, it starts just 
fine.

> <IfModule security2_module>
>     Include /usr/local/apache2/conf/Includes/mod_security2/modsecurity_crs_10_config.conf
>     # Include /usr/local/apache2/conf/Includes/mod_security2/base_rules/*.conf
> </IfModule>

From the Apache log:

> [Thu Sep 02 13:16:47 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
> [Thu Sep 02 13:16:48 2010] [notice] Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8n PHP/5.2.14 configured -- resuming normal operations

But if I uncomment that line and try to read in the default ruleset, it 
just hangs and I have to Ctrl-C to quit.

> <IfModule security2_module>
>     Include /usr/local/apache2/conf/Includes/mod_security2/modsecurity_crs_10_config.conf
>     Include /usr/local/apache2/conf/Includes/mod_security2/base_rules/*.conf
> </IfModule>
>
> village [/usr/local/apache2/]# apachectl -e debug
> [Thu Sep 02 14:17:08 2010] [debug] mod_so.c(328): loaded file /usr/local/lib/libxml2.so
> [Thu Sep 02 14:17:08 2010] [debug] mod_so.c(246): loaded module php5_module
> [Thu Sep 02 14:17:08 2010] [debug] mod_so.c(246): loaded module security2_module
> ^C
>
> village [/usr/local/apache2/]#
>

No output in the Apache Error log or the modsec_debug.log, even with 
debugging turned all the way up.   The only way I can get something to 
output is to build mod_sec with debugging enabled.   With that, I can 
see that it starts to parse the rules before the hang:

> village [/usr/local/apache2/]# apachectl -e debug
>
> [Thu Sep 02 14:02:27 2010] [debug] mod_so.c(328): loaded file /usr/local/lib/libxml2.so
> [Thu Sep 02 14:02:27 2010] [debug] mod_so.c(246): loaded module php5_module
> [Thu Sep 02 14:02:27 2010] [debug] mod_so.c(246): loaded module security2_module
> Created directory config 2855bba0 path (null)
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}'
> Adding rule 2909e3d0 phase=1 id="(none)".
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0'
> Adding rule 2909ed70 phase=1 id="(none)".
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20'
> Adding rule 2909f418 phase=1 id="(none)".
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15'
> Adding rule 2909fb70 phase=1 id="(none)".
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,nolog,pass, setvar:tx.critical_anomaly_score=20, setvar:tx.error_anomaly_score=15, setvar:tx.warning_anomaly_score=10, setvar:tx.notice_anomaly_score=5'
> Adding rule 290a2350 phase=1 id="(none)".
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255'
> Adding rule 290a3180 phase=1 id="(none)".
> Rule: type=1 p1='REMOTE_ADDR' p2='@unconditionalMatch' p3='phase:1,t:none,nolog,pass, setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if''
> Adding rule 290a3a98 phase=1 id="(none)".
> Rule: type=0 p1='REQUEST_LINE' p2='!^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$' p3='t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2''
>
> ^C

If I hand pick a few conf files, it does load.   Those that load are:

* modsecurity_crs_35_bad_robots.conf
* modsecurity_35_scanners.data
* modsecurity_35_bad_robots.data
* modsecurity_crs_47_common_exceptions.conf
* modsecurity_crs_42_tight_security.conf
* modsecurity_42_comment_spam.data
* modsecurity_crs_48_local_exceptions.conf
* modsecurity_crs_49_inbound_blocking.conf
* modsecurity_crs_49_enforcement.conf
* modsecurity_crs_59_outbound_blocking.conf
* modsecurity_crs_60_correlation.conf

Those that won't load are:

* modsecurity_crs_20_protocol_violations.conf
* modsecurity_crs_21_protocol_anomalies.conf
* modsecurity_crs_23_request_limits.conf
* modsecurity_crs_30_http_policy.conf
* modsecurity_crs_45_trojans.conf
* modsecurity_crs_41_xss_attacks.conf
* modsecurity_crs_41_phpids_converter.conf
* modsecurity_crs_41_phpids_filters.conf
* modsecurity_crs_41_sql_injection_attacks.conf

I'm at a loss.    I'm working on FreeBSD 8.1 and compiling everything 
from source using the latest versions of httpd (2.2.16) & modsecurity 
(2.5.12).   Configure and make never complain, and I checked that all 
the mod_sec dependencies are also up to date.   I'm not using liblua or 
libcurl.   Could that be the problem?   What else could I check?

Thanks
-Steffan


ll | 3 Sep 2010 03:45

Re: problem with bns.branch.cm

Are you looking for this:
http://www.breach.com/resources/modsecurity/free-license.txt

On 2010-9-3 2:48, diego subero wrote:
Hi all, I installed the ModSecurity console, but when I test my community console, the licence is invalid and the web site bsn,branch is down. What is the solution?

--
Diego Subero

Junyong Jiang | 3 Sep 2010 03:50

How to handle auditlog?

Dear all,

I want to analyze the ModSecurity auditlog and store the logs in a MySQL database for further utilization. As you all know, the log is so large, and hard to relate with MySQL.
Are there any good solutions and suggestions in your use case?

Thanks in advance.

Yours sincerely
dreamice

ll | 3 Sep 2010 03:54

modsecurity console

Hi all,
I use the "ModSecurity Console" to manage the alarm info. The problem 
is that when I search in the ModSecurity Console, the more data there is, 
the slower it gets. Is it because I installed the Console on Windows?
I want to ask: does the Console support an SQL database? What is the reason 
the search is so slow? Is it because for each search the Console needs to 
read the files rather than search a database?
And are there any better tools like the Console which can manage alarm info 
and do statistics?


Christian Bockermann | 3 Sep 2010 08:53

Re: How to handle auditlog?


Hi,

I might be biased, but you might want to have a look at one of the
freely available log-file applications and use mlogc to send audit-log
data to these:

    - AuditConsole, http://www.jwall.org/AuditConsole
    - ModSecurity Community Console, http://www.modsecurity.org

Regards,
    Chris

On 03.09.2010 at 03:50, Junyong Jiang wrote:

> Dear all,
> I want to analyze the ModSecurity auditlog and store the logs in a MySQL database for further utilization. As you all know, the log is so large, and hard to relate with MySQL.
> Are there any good solutions and suggestions in your use case?
> 
> Thanks in advance.
> 
> Yours sincerely
> dreamice

Christian Bockermann | 3 Sep 2010 08:58

Re: modsecurity console


Hi!

On 03.09.2010 at 03:54, ll wrote:
> Hi all,
> I use the "ModSecurity Console" to manage the alarm info. The problem 
> is that when I search in the ModSecurity Console, the more data there is, 
> the slower it gets. Is it because I installed the Console on Windows?
> I want to ask: does the Console support an SQL database? What is the reason 
> the search is so slow? Is it because for each search the Console needs to 
> read the files rather than search a database?
> And are there any better tools like the Console which can manage alarm info 
> and do statistics?

The ModSecurity Console uses an internal Java database (Apache Derby). Though
I consider Derby fast and reliable, there might be issues when the number
of events rises.

You might try to use the AuditConsole (http://www.jwall.org/AuditConsole), which
uses an external database, e.g. MySQL or Postgres, to store the events.

Best regards,

    Chris
