kwenu | 31 Aug 12:16 2011

Re: Testing some policy/size-limit rules.

Since compiling Apache and ModSecurity to use the external PCRE library version 1.3.12,
I have suffered from PCRE limit detections on rule 950901.

This I disabled by putting "SecRuleRemoveById 950901" in modsecurity_crs_60_customrules.conf.

Now the following rules in the file modsecurity_crs_15_customrules.conf

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981172;!REQUEST_COOKIES:s_sess"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981172;!REQUEST_COOKIES:s_pers"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_sess"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_pers"

are appending targets as shown below (taken from modsec_debug.log):

Rule a93fb08: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|! REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers |

Rather than appending once and once only, it is behaving recursively. What am I doing wrong?


------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
Usman Waheed | 31 Aug 12:34 2011

Re: Testing some policy/size-limit rules.

Thanks Ryan, that worked on the value to the arg: name.
I then tried with ARGS_POST_NAMES to restrict the length_size of the params (not their values) and that worked as well.

Cheers.

> Try -
>
> SecRule ARGS:name "@gt 10" \
>   "phase:2,t:none,t:length,block,msg:'Name Parameter Payload Too Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
>
> -Ryan
>
> On 8/30/11 10:59 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:
>
>> That's right, restrict the name_size of the parameter (name) to not more
>> than 10 characters long.
>>
>>> What are you trying to do here?  Create some custom rules that restrict
>>> the size of the payload of the parameter named "name"?
>>>
>>> -Ryan
>>>
>>> On 8/30/11 10:33 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am testing out the default rules that come with mod_security in my test
>>>> setup and have the following below in my config files. For some reason
>>>> this rule does not trigger when I set the size of a text input field to
>>>> 100+ characters.
>>>>
>>>> For example in my test form (method: POST) I have:
>>>> <input type=text name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"></td>
>>>>
>>>> Appreciate if I could get some pointers.
>>>>
>>>> I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.
>>>>
>>>> Thanks,
>>>> Usman
>>>>
>>>> ## Limit argument name length (modsecurity_crs_10_config.conf)
>>>> SecAction "phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"
>>>>
>>>> ## modsecurity_crs_23_request_limits.conf
>>>> SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
>>>>   "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.1'"
>>>>         SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" \
>>>>   "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
>>>
>>
>>
>> --
>> Using Opera's revolutionary email client: http://www.opera.com/mail/
>>
>

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/


Rechtberger Friedrich | 31 Aug 13:35 2011

Usage of "SecRuleUpdateTargetById" in chained rules possible?

Hi,

Is it possible to use "ctl:ruleUpdateTargetById" or "SecRuleUpdateTargetById" in chained rules?
I want to remove ARGS:text from the target of the second rule in the rule '950801' chain.

Exception Rule:
---------------
SecRule REQUEST_BASENAME "@rx (?i)message.php" \
    "phase:1,t:none,log,pass,ctl:ruleUpdateTargetById=950801;!ARGS:text"

950801 CRS-Rule:
-----------------
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
    "chain,phase:2,rev:'2.2.1',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',severity:'5'"
	SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
    "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

Best Regards
Fritz


Breno Silva | 31 Aug 14:55 2011

Re: Testing some policy/size-limit rules.

Kwenu,

Try this  ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers;!REQUEST_COOKIES:s_pers

Breno

kwenu | 31 Aug 16:29 2011

Re: Testing some policy/size-limit rules.

Still the same. I'm using crs_2.2.2 as directed by Ryan.

Ever since I recompiled against Apache 2.2.19 I've had major problems with segmentation faults, and now rules are behaving differently after compiling against apr v 1.3.12 and pcre v 8.x.

I can't see what the issue is. I'm using the same files from crs_2.2.1 but I'm getting PCRE exceptions on rule 950901.

I'm on holiday tomorrow and Friday and have a meeting today to update on the status of this.

Is there anything you can suggest here? Does SecRuleUpdateTarget etc. work when using anomaly mode?

Reindl Harald | 31 Aug 16:43 2011

Re: Testing some policy/size-limit rules.


On 31.08.2011 16:29, kwenu wrote:
> Still the same. I'm using crs_2.2.2 as directed by Ryan.
>
> Ever since I recompiled against Apache 2.2.19 I've had major problems with segmentation faults, and now rules are
> behaving differently after compiling against apr v 1.3.12 and pcre v 8.x.

do you not think your APR is a little bit old?
ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"

kwenu | 31 Aug 17:00 2011

Re: Testing some policy/size-limit rules.

I agree, which is why we are rebuilding 2.2.20 using the non-bundled APR 1.4.5.

Hopefully this will resume its predictable behaviour. However, the main reason for using 1.3.12 was to solve the segmentation faults I was getting.

Using an external APR might greatly help.

Ken Brucker | 31 Aug 18:12 2011

Re: Testing some policy/size-limit rules.

[ Resending from subscribed account ]

How does one get the generic rule (960209) to work though?

I was just experimenting with it as well and it has not been working.  I have the following in my config:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"

Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the chained rule:

SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" ...

By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each.

In my testing I've found that by removing '&' from the above syntax the rule behaves as expected.  There's another length based test in rule 960208 that will break in a similar way.

Using CRS 2.2.1 btw.

-- Ken
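Ken's reading of `&ARGS_NAMES` can be checked with a small model of ModSecurity's target resolution. This is an added example, not ModSecurity or CRS code: it implements just enough of SecRule semantics (the `&` counting operator, `t:length`, `@eq`/`@gt`, `%{tx.*}` expansion) to run the 960209 chain against a constructed POST with a 155-character parameter name, first as shipped in CRS 2.2.1 and then with the `&` removed.

```python
# Added example (not ModSecurity or CRS code): a minimal model of how
# ModSecurity resolves SecRule targets, used to show why the CRS 2.2.1
# rule 960209 chain never fires with "&ARGS_NAMES" but does with "ARGS_NAMES".

# Constructed sample request, in the spirit of Usman's test form: one
# over-long parameter name (70 b's and 80 c's) plus an ordinary parameter.
LONG_NAME = "uname" + "b" * 70 + "c" * 80          # 155 characters
SAMPLE_ARGS = {LONG_NAME: "alice", "password": "hunter2"}
SAMPLE_TX = {"arg_name_length": "100"}             # set by SecAction 981212


def resolve_target(target, args, tx):
    """Return the list of values a SecRule target expands to.

    A leading "&" is ModSecurity's counting operator: it replaces the whole
    collection with a single value, the number of variables in it. So
    "&ARGS_NAMES" means "how many parameter names are there", never
    "how long is each name".
    """
    if target.startswith("&"):
        return [len(resolve_target(target[1:], args, tx))]
    if target == "ARGS_NAMES":
        return list(args.keys())
    if target == "ARGS":
        return list(args.values())
    if target.startswith("TX:"):
        key = target[3:].lower()
        return [tx[key]] if key in tx else []
    raise ValueError(f"unsupported target {target!r}")


def transform(value, transforms):
    """Apply t: transformations in order; t:length replaces a value by its length."""
    for t in transforms:
        if t == "none":
            continue                      # t:none only clears inherited defaults
        if t == "length":
            value = len(str(value))
        else:
            raise ValueError(f"unsupported transformation {t!r}")
    return value


def expand_macro(s, tx):
    """Expand a %{tx.name} macro the way the CRS uses it in operator arguments."""
    if s.startswith("%{tx.") and s.endswith("}"):
        return tx[s[5:-1]]
    return s


def secrule(target, transforms, op, arg, args, tx):
    """Evaluate one SecRule with a numeric operator: it matches if the
    operator holds for ANY of the resolved, transformed values."""
    arg = int(expand_macro(arg, tx))
    values = [transform(v, transforms) for v in resolve_target(target, args, tx)]
    if op == "eq":
        return any(int(v) == arg for v in values)
    if op == "gt":
        return any(int(v) > arg for v in values)
    raise ValueError(f"unsupported operator {op!r}")


def rule_960209_fires(args, tx, second_target="&ARGS_NAMES"):
    """The 960209 chain from modsecurity_crs_23_request_limits.conf:

        SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,..."
            SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,..."

    Every link must match. second_target lets the caller compare the shipped
    "&ARGS_NAMES" with Ken's fix, "ARGS_NAMES".
    """
    # First link: is the limit variable set at all? (&TX:... counts it: 0 or 1)
    if not secrule("&TX:ARG_NAME_LENGTH", ["none"], "eq", "1", args, tx):
        return False                      # the chain stops at a non-matching link
    # Second link. With "&ARGS_NAMES" the only value is the count of names
    # (here 2), and t:length turns that into the length of "2", i.e. 1; neither
    # number can ever exceed a sensible limit. With "ARGS_NAMES" each name is
    # measured, so a 155-character name exceeds 100 and the rule matches.
    return secrule(second_target, ["none", "length"], "gt",
                   "%{tx.arg_name_length}", args, tx)


if __name__ == "__main__":
    print("shipped rule (&ARGS_NAMES):", rule_960209_fires(SAMPLE_ARGS, SAMPLE_TX))
    print("fixed rule   (ARGS_NAMES): ",
          rule_960209_fires(SAMPLE_ARGS, SAMPLE_TX, "ARGS_NAMES"))
```

The same resolver explains Ken's remark about 960208: any length check written against a `&`-prefixed collection compares a count, not the values.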

On Aug 30, 2011, at 10:03 AM, Ryan Barnett wrote:

Try -

SecRule ARGS:name " <at> gt 10" "phase:2,t:none,t:length,block,msg:'Name
Parameter Payload Too
Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',se
tvar:tx.anomaly_score=+%{tx
.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},s
etvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

-Ryan

On 8/30/11 10:59 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:

Thats right, restrict the name_size of the parameter (name) to not more
than 10 characters long.

What are you trying to do here?  Create some custom rules that restrict
the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:

Hi,

I am testing out the default rules that come with mod_security in my
test

setup and have the following below in my config files. For some reason
this rule does not trigger when i set the size of a text input field to
100+ characters.

For example in my test form (method: POST) i have:
<input type=text

name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bb

bbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cc
cccccccc"></td>

Appreciate if i could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction
"phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH " <at> eq 1"
"chain,phase:2,t:none,block,msg:'Argument name too
long',id:'960209',severity:'4',rev:'2.2.1'"
       SecRule &ARGS_NAMES " <at> gt %{tx.arg_name_length}"

"t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{
tx

.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score
},

setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var
}"









------------------------------------------------------------------------
--
----
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php



--
Using Opera's revolutionary email client: http://www.opera.com/mail/

Ryan Barnett | 31 Aug 18:20 2011

Re: Testing some policy/size-limit rules.

Yep, good catch.  I have fixed these and they will be synced to SVN soon.

Thanks.

--
Ryan Barnett

From: Ken Brucker <Ken <at> pumastudios.com>
Date: Wed, 31 Aug 2011 11:12:15 -0500
To: Ryan Barnett <ryan.barnett <at> owasp.org>
Cc: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Subject: Re: [mod-security-users] Testing some policy/size-limit rules.

[ Resending from subscribed account ]

How does one get the generic rule (960209) to work though?

I was just experimenting with it as well and it has not been working.  I have the following in my config:

SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"

Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the
chained rule:

SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" ...

By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each.

In my testing I've found that by removing '&' from the above syntax the rule behaves as expected.  There's
another length-based test in rule 960208 that will break in a similar way.

Using CRS 2.2.1 btw.

-- Ken

On Aug 30, 2011, at 10:03 AM, Ryan Barnett wrote:

Try -

SecRule ARGS:name "@gt 10" \
    "phase:2,t:none,t:length,block,msg:'Name Parameter Payload Too Large.',id:'960209',severity:'4',rev:'2.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

-Ryan

On 8/30/11 10:59 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:

That's right, restrict the name_size of the parameter (name) to not more
than 10 characters long.

What are you trying to do here?  Create some custom rules that restrict
the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <usmanw <at> opera.com> wrote:

Hi,

I am testing out the default rules that come with mod_security in my test
setup and have the following below in my config files. For some reason
this rule does not trigger when I set the size of a text input field to
100+ characters.

For example in my test form (method: POST) I have:
<input type=text name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"></td>

I'd appreciate it if I could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction "phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
    "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.1'"
        SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" \
            "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

--
Using Opera's revolutionary email client: http://www.opera.com/mail/

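Ken's reading of the chained 960209 rule, worked through as an added Python model of the two operand forms (this is illustration, not ModSecurity's own code): the `&` prefix yields the number of variables in a collection, while `t:length` turns each variable into its length. The request body and the `tx.arg_name_length` values are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed POST body modelled on the test form in the thread: one parameter
# whose NAME is 119 characters long, plus one short parameter.
LONG_NAME = "uname" + "b" * 60 + "c" * 54
SAMPLE_BODY = LONG_NAME + "=x&short=1"

def args_names(body):
    """ARGS_NAMES: the list of parameter names parsed from the body."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]

def rule_with_count(body, limit):
    """'SecRule &ARGS_NAMES "@gt limit"': the '&' prefix yields the NUMBER of
    names in the collection, so a one-field form compares 1 > limit."""
    return len(args_names(body)) > limit

def rule_with_length(body, limit):
    """'SecRule ARGS_NAMES "@gt limit" "t:length"': t:length turns each name
    into its length, so every over-long name matches. Returns matched names."""
    return [n for n in args_names(body) if len(n) > limit]

def evaluate_960209(tx, body, buggy=False):
    """Mirror the chain: the first SecRule, '&TX:ARG_NAME_LENGTH "@eq 1"', only
    checks that tx.arg_name_length is set; the chained rule then compares."""
    if "arg_name_length" not in tx:  # count of TX:ARG_NAME_LENGTH is 0, chain stops
        return []
    limit = int(tx["arg_name_length"])
    if buggy:  # the CRS 2.2.1 form with '&' on ARGS_NAMES
        return ["ARGS_NAMES"] if rule_with_count(body, limit) else []
    return rule_with_length(body, limit)  # the form with '&' removed
```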
Ryan Barnett | 31 Aug 23:17 2011

Implementing OWASP AppSensor Detection Points in the OWASP ModSecurity Core Rule Set

Please forgive the cross postings, but I wanted to make sure that all relevant parties were informed of this update.  I have begun the process of implementing the OWASP AppSensor Detection Points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) within the OWASP ModSecurity Core Rule Set (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).  

I am pleased to announce that I have just made an update to the OWASP CRS SVN repository that fully implements the Request Exception (RE) category - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException.  See the following blog post for more details - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

The major change in this version vs. the earlier one outlined in this blog post (http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-real-time-application-profiling.html) is that both the profiling and detection logic have been moved to Lua scripts.  With the increased logic capabilities of Lua, we are now able to more accurately profile the application in real-time by analyzing traffic and automatically generating profiles for the following resource characteristics:
  • Enforce the expected Request Method(s)
  • Enforce the number of expected parameters (min-max range)
  • Enforce parameter names
  • Enforce parameter lengths (min-max range)
  • Enforce Character Classes
    • Flag (e.g. /path/to/foo.php?param)
    • Digits (e.g. /path/to/foo.php?param=1234)
    • Alpha (e.g. /path/to/foo.php?param=abcd)
    • AlphaNumeric (e.g. /path/to/foo.php?param=abcd1234)
    • Email (e.g. /path/to/foo.php?param=foo@bar.com)
    • Path (e.g. /path/to/foo.php?param=/dir/somefile.txt)
    • URL (e.g. /path/to/foo.php?param=http://somehost/dir/file.txt)
    • SafeText (e.g. /path/to/foo.php?param=some_data-12)
The updated rules files are in the /experimental_rules directory - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/
Look in the /lua folder to find the 2 scripts - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/lua/

I encourage people to test out these new rules and to report back their experiences – both good and bad.

FYI – I also wanted to thank Josh Zlatin for assisting with the initial Lua script creation.

Cheers.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader
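The profiling and Request Exception checks listed in the announcement, as an added Python sketch that is not the CRS Lua code: it learns, per resource, the expected methods and each parameter's length range and character class from training requests, then reports deviations. The regexes for the character classes and the training traffic are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Character classes from the announcement's list; the regexes are this example's
# own assumptions, not the CRS Lua scripts'. Ordered so the narrowest class wins.
CHAR_CLASSES = [
    ("Digits", re.compile(r"^[0-9]+$")),
    ("Alpha", re.compile(r"^[A-Za-z]+$")),
    ("AlphaNumeric", re.compile(r"^[A-Za-z0-9]+$")),
    ("Email", re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("URL", re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")),
    ("Path", re.compile(r"^(/[^/\s]+)+/?$")),
    ("SafeText", re.compile(r"^[A-Za-z0-9 _.-]+$")),
]
TRAINING = [("GET", "/path/to/foo.php?param=1234&flag"),  # constructed traffic,
            ("GET", "/path/to/foo.php?param=98765&flag")]  # not real log data

def char_class(value):
    """Map a parameter value to one class name; an empty value is a 'Flag'."""
    return "Flag" if value == "" else next((n for n, rx in CHAR_CLASSES if rx.match(value)), "Unknown")

def learn_profile(requests):
    """Per resource path, learn expected methods and each parameter's length range and classes."""
    profiles = {}
    for method, url in requests:
        parts = urlsplit(url)
        p = profiles.setdefault(parts.path, {"methods": set(), "params": {}})
        p["methods"].add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            q = p["params"].setdefault(name, {"min": len(value), "max": len(value), "classes": set()})
            q["min"], q["max"] = min(q["min"], len(value)), max(q["max"], len(value))
            q["classes"].add(char_class(value))
    return profiles

def check_request(profiles, method, url):
    """Return the Request Exception violations of one request against the learned profile."""
    parts = urlsplit(url)
    p = profiles.get(parts.path)
    if p is None:
        return ["unprofiled resource"]
    found = ["method"] if method not in p["methods"] else []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        q = p["params"].get(name)
        if q is None:
            found.append("name:" + name)
        elif not q["min"] <= len(value) <= q["max"]:
            found.append("length:" + name)
        elif char_class(value) not in q["classes"]:
            found.append("class:" + name)
    return found
```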