[mod-security-users] RE: [Modsecurity] Soliciting Feature Requests
From: Sander H. - O. X. <in...@or...> - 2005-08-05 15:43:36
Difficult. For me, it would be really on a per application basis, so for instance, a php_phpbb_rules.conf with only rules that address specific phpBB(2) vulnerabilities. And of course, one general php_rules.conf which addresses some broad php-issues. Doing it like that would make rules much easier to manage, and in broader terms, make them more efficient to use. Big downside is, that for people hosting say a 1000 domains on one machine, it won't work, because they cannot always know which applications each of their customers is using. (Not to mention that having 100 includes in your httpd.conf is also not a good idea.) A solution would be to make a semi-intelligent script, which can build a ruleset.conf from several smaller files and takes options to include or exclude specific application rulesets. A start would be to split rules up on a language basis, e.g. separate files for php, perl, coldfusion, asp, python, etc, etc.

Kind Regards,
Sander Holthaus

Michael Shinn wrote:
> Also an excellent idea Sander. Any particular way(s) you
> would like to see them broken out?
>
> On Fri, 2005-08-05 at 04:01 +0200, Sander Holthaus - Orange XL wrote:
>> I would like to see the rule-sets broken down to application specific
>> rulesets and a few general rulesets. Currently, some of the rulesets
>> are way too big and because of this, a lot of double entries exist.
>>
>> There are a few scripts which do something similar for downloading
>> custom SpamAssassin rulesets.
>>
>> Kind Regards,
>> Sander Holthaus
>>
>>
>> ______________________________________________________________
>> From: mod...@go...
>> [mailto:mod...@go...] On Behalf Of David
>> Pinard Sent: Friday, August 05, 2005 3:42 AM
>> To: mod...@go...
>> Subject: Fwd: [Modsecurity] Soliciting Feature Requests
>>
>>> So, just in case everyone is not aware of this, please
>>> don't be afraid to solicit feature requests from
>>> me, for either the rules or modsecurity itself.
>>> I'm always happy to add something new to either and
>>> ultimately the best ideas come from you guys! :-)
>>
>> It would be nice to have a way to automatically exclude rules
>> that are unneeded or too restrictive. At the simplest level,
>> a unique rule id# as the first part of the comment would
>> allow a script to be written to remark out the corresponding
>> rule in the appropriate config file. Each config file could
>> have its own range of rule id's. I was thinking of writing
>> a script to try and do this off of the existing files,
>> however one simple change to the rule or comment would
>> render this useless. Ideally I could automate the entire
>> process to pull updates via a cron job and not have to worry
>> about breaking sites. If a new rule is introduced that is
>> incompatible, you'd just need to put its ID# in the exclude
>> file and rerun the script.
>>
>> Has anyone already done anything like this? Or is there a
>> better way to accomplish the same thing?
>>
>> Thanks! -Dave
>>
>> --
>> Support our Education reform efforts at:
>> www.dumpcms.com
>> savecmskids.blogspot.com
>> _______________________________________________
>> Modsecurity mailing list
>> Mod...@go...
>> http://lists.gotroot.com/mailman/listinfo/modsecurity
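The two ideas in this thread, per-application rule files merged into one ruleset.conf (Sander) and a stable rule id in the comment so a script can comment out unwanted rules by id (David), fit together in a small build script. The following is an added example written for this page; it is not code from the thread, from the gotroot rules, or from the ModSecurity project. It assumes the "# id: NNN" comment convention David proposes, with each application file owning its own id range, and uses constructed sample rule files in ModSecurity 1.x SecFilterSelective syntax whose patterns are illustrative placeholders only. It also reports exclude ids that match no rule, since an exclude that silently stops matching after a rule change is exactly the failure David is worried about.

```python
"""Build ruleset.conf from per-application rule files with id-based excludes.

Added example (not from the mailing-list thread or the ModSecurity project).
Convention assumed: every rule is preceded by a comment "# id: NNN - text",
and each file owns its own id range (1000s PHP, 2000s phpBB, 3000s Perl).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample rule files; the patterns are placeholders, not real rules.
RULE_FILES: Dict[str, str] = {
    "php_rules.conf": (
        "# id: 1001 - remote file inclusion via URL in any argument\n"
        'SecFilterSelective ARGS "(http|https|ftp)://" "deny,log,status:403"\n'
        "# id: 1002 - directory traversal\n"
        'SecFilterSelective ARGS "\\.\\./" "deny,log,status:403"\n'
    ),
    "php_phpbb_rules.conf": (
        "# id: 2001 - phpBB2: placeholder application-specific rule (constructed)\n"
        'SecFilterSelective ARGS "phpbb_placeholder" "deny,log,status:403"\n'
    ),
    "perl_rules.conf": (
        "# id: 3001 - shell metacharacters in arguments (perl CGI)\n"
        'SecFilterSelective ARGS "[;|`]" "deny,log,status:403"\n'
    ),
}

ID_RE = re.compile(r"^#\s*id:\s*(\d+)\b(.*)$")


@dataclass
class Rule:
    rule_id: int
    comment: str                                   # text after the id
    lines: List[str] = field(default_factory=list)  # directive line(s)


def parse_rules(text: str) -> List[Rule]:
    """Split one rule file into rules; each rule starts at a '# id: N' line."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ID_RE.match(line)
        if m:
            current = Rule(int(m.group(1)), m.group(2).strip(" -"))
            rules.append(current)
        elif current is not None and line and not line.startswith("#"):
            current.lines.append(line)  # directive belonging to the current id
    return rules


def duplicate_ids(files: Dict[str, str]) -> List[int]:
    """Ids that appear more than once across all files (the 'double entries')."""
    seen: Dict[int, str] = {}
    dups: List[int] = []
    for name, text in files.items():
        for rule in parse_rules(text):
            if rule.rule_id in seen and rule.rule_id not in dups:
                dups.append(rule.rule_id)
            seen.setdefault(rule.rule_id, name)
    return dups


def missing_excludes(files: Dict[str, str], exclude_ids: Iterable[int]) -> List[int]:
    """Exclude ids that match no rule: a sign the rule was renumbered or removed."""
    known = {r.rule_id for text in files.values() for r in parse_rules(text)}
    return sorted(i for i in set(exclude_ids) if i not in known)


def build_ruleset(files: Dict[str, str], include: Optional[Iterable[str]] = None,
                  exclude_ids: Iterable[int] = ()) -> str:
    """Merge the selected files; excluded rules are kept but commented out."""
    exclude = set(exclude_ids)
    wanted = None if include is None else set(include)
    out = ["# ruleset.conf - generated; edit the per-application files instead"]
    for name, text in files.items():
        if wanted is not None and name not in wanted:
            continue
        out.append(f"# ---- {name} ----")
        for rule in parse_rules(text):
            out.append(f"# id: {rule.rule_id} - {rule.comment}")
            if rule.rule_id in exclude:
                out.append(f"# excluded by id {rule.rule_id}:")
                out.extend("# " + line for line in rule.lines)
            else:
                out.extend(rule.lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # A PHP-only host that has found rule 1002 too restrictive.
    wanted_files = ["php_rules.conf", "php_phpbb_rules.conf"]
    excludes = [1002, 9999]
    print("duplicate ids:", duplicate_ids(RULE_FILES))
    print("unknown exclude ids:", missing_excludes(RULE_FILES, excludes))
    print(build_ruleset(RULE_FILES, wanted_files, excludes))
```

Run from cron after pulling updated rule files, the build is idempotent: the exclude list is keyed on ids rather than on rule text, so a changed comment or pattern no longer defeats it, and the unknown-exclude report tells you when an id you rely on has disappeared upstream.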