ModSecurity

Hi,

Do you know where I can find core mod_security rules before regexp assemble?
Maybe it can be helpfully for my mod_security log analyzer.

Cheers,
-- 
Przemyslaw Skowron, <przemyslaw.skowron {at} gmail.com>

ok, fixed!. my problem was that I tried to skip the rule for requests 
from /contact-us/, but this directory is forged by mod_rewrite and 
non-existant....using the "real" path to the script did the trick.

-- 

kindest regards,

bad_brain
owner of suck-o.com
//hacking ~ coding ~ development//



-----------------------------

SHA1 Fingerprint
3A:78:06:30:E5:7A:4B:40:10:EB:E6:43:51:5E:58:BA:5E:F0:11:2D

MD5 Fingerprint
7B:70:D5:57:08:D6:CC:64:5A:ED:4A:BE:34:60:BF:57

-----------------------------

Hi All, 

    I found the following and would like to configure 
 my application to use the Cookie and Link Protection
defined in the article, I was wondering if the code is
in the current 2.5 code base.  If it is can you please
tell me how to enable/configure it?

http://www.modsecurity.org/blog/archives/2006/08/index.html

Thanks 

James

James Nordstrom 
Nordstrom Design Inc. 
E-mail:  james@...
US:       908-419-5597
Europe: 001/908-419-5597

I am running a simple load test (100 users); with
mod_security turned off I am at 8-10% CPU with
mod_security turned on I am at 100% CPU (100% for all
four cores)

My System is:

2x 2.4 Dual Core AMD Opterons 
32GB Ram. 
Suse 10.3 x64
Apache 2.2.8
Mod_Security 2.5 (Prod release) 
Core rules only (2.5)

I disabled outbound inspection and performance was
slightly better but not much. 

Please help.

Thanks.

James Nordstrom 
Nordstrom Design Inc. 
E-mail:  james@...
US:       908-419-5597
Europe: 001/908-419-5597

hey everybody...;)
I'm using 1.8.7-1 on Debian Sarge and had to skip a specific rule 
already twice, but now I am kinda lost in skipping the rule for a 
request made by Wordpress MU (whic uses mod rewrite). here is the rule:

SecFilterSelective REQUEST_URI "^(/admin/admin\.php|/wimpy\.swf)$" 
chain,pass
SecFilterSelective ARG_url "^http:/" skipnext:2
SecFilter "(http|https|ftp)\:/" chain
SecFilterSelective ARGS_VALUES "^http:/"

the problem is the format of the request (no file ending), here's the 
entry in the audit log:
GET 
/contact-us/?cfemail=err&cf_field_1=Your+Name&cf_field_2=&cf_field_3=http%3A%2F%2F&cf_field_4=&cforms_captcha=&cforms_cap=72d91697703eaa0d02c6c426d8fe5760&comment_post_ID=5&cforms_pl=http%3A%2F%2Ffoobar.org%2Fcontact-us%2F&cf_working=One%2520moment%2520please...&cf_failure=Please%2520fill%2520in%2520all%2520the%2520required%2520fields.&cf_codeerr=Please%2520double-check%2520your%2520verification%2520code.&cf_customerr=yyy&cf_popup=nn&sendbutton=Submit

the request is an answer to a failed form submission, and so it can 
differ depending on the type of error (false captcha entry or missing 
name for example).
so how can I skip the rule when the request  includes 
"/contact-us/?cfemail=err&"
?

thanks in advance...:)


-- 

kindest regards,

bad_brain
owner of suck-o.com
//hacking ~ coding ~ development//



-----------------------------

SHA1 Fingerprint
3A:78:06:30:E5:7A:4B:40:10:EB:E6:43:51:5E:58:BA:5E:F0:11:2D

MD5 Fingerprint
7B:70:D5:57:08:D6:CC:64:5A:ED:4A:BE:34:60:BF:57

-----------------------------

Greetings everyone,

Since we just released a very significant update to ModSecurity
yesterday with the 2.5 version, I wanted to send this note out the list.
The 2.5 release is important as it has included many features that were
identified by the user community.  This highlights the need for us
(Breach) to have a full understanding of how people are using
ModSecurity and any challenges you all are facing.  With this in mind,
we have put together the first ModSecurity User Survey -
https://www.surveymonkey.com/s.aspx?sm=ZJBOq3NwvSjnY4pIykV8fw_3d_3d

 

I urge you to please take about 5 minutes and fill out the survey.  With
this information, we will be able to map out areas where we need to
focus research and development to both the ModSecurity code itself, but
also with the rule sets and supporting tools.

 

Thanks for your time everyone.

 

-- 
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training

Web Application Security Consortium (WASC) Member

CIS Apache Benchmark Project Lead

SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

Kevin,
The modsecurity_crs_30_http_policy.conf file has this info/comments for
that rule -

# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered
# unsafe and not in use in any valid program. If your application uses
one 
# of these extensions, please remove it from the list of blocked
extensions.

So, if you need to allow the ".bat" extension, you would need to either
update the RegEx itself or you would need to follow the steps outlined
in this Blog post to deal with this false positive -
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

For analyzing RegExs, I would suggest that you review this Blog post -
http://www.modsecurity.org/blog/archives/2007/03/regular_express.html

By using either Expresso or RegEx Coach, you can breakdown the RegEx
into its parts.  Here is a breakdown of the 960035 RegEx for the various
file extensions -

.conf
.config
.com
.cs
.csproj
.csr
.cdx
.cer
.cfg
.cmd
.printer
.pass
.pdb
.pol
.pwd
.vb
.vbproj
.vbs
.vsdisco
.asa
.asax
.ascx
.axd
.db
.dbf
.dat
.dll
.dos
.ida
.idc
.idq
.inc
.ini
.bak
.bat
.backup
.resources
.resx
.shtm
.sql
.sys
.licx
.lnk
.log
.anyword between 0 and 5 characters followed by a ~
.webinfo
.htr
.htw
.xsd
.xsx
.key
.mdb
.old

> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of Kevin Ross
> Sent: Thursday, February 21, 2008 6:58 PM
> To: mod-security-users@...
> Subject: [mod-security-users] rule 960035
> 
> Hi All,
> 
> Can anyone tell me where I can find a list of files that this rule is
> blocking?  We're getting an error message when one of our users is
> trying to display a .bat file.  He wants to have it display as a text
> file.  I'm hesitant to disable or circumvent the security rules, but
> what is the rationale for disabling the display of .bat files?  Is it
> that a browser might execute the files, or that it is assumed that if
a
> .bat file is exposed, it was done by accident and this rule is helping
> to protect the administrator from unwanted exposure of data?
> 
> Thanks,
> 
> Kevin
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

Congratulations to the release! The feature list is
great. Scripting supports seems the right way to go in the
future, but small enhancements like GeoIP and credit card number
detection are very nice to have as well.

Needless to say, that http://remo.netnea.com profits a lot from
@pm and possibly @pmFromFile. Thank you very much.
I'm compiling now...

best regards,

Christian

-- 
Christian Folini, Swiss Post IT, Unix / Apache Engineering
+41 (0)58 338 79 96               christian.folini@...