Re: [mod-security-users] include snort rules
From: Javier Fernandez-S. <jfe...@ge...> - 2005-11-17 09:15:47
Peter VE wrote:
>
>>
>> Peter VE wrote:
>>
>>> Hi,
>>>
>>> I wrote a script that pulls down multiple sets of snort rules, and
>>> converts specific rulefiles to SecFilters.
>>
>> You shouldn't have, there's a script included with ModSecurity
>> that does just that :)
>
>
> I'm using the ModSecurity script to convert, but it is launched from
> within my own script, which

BTW, are you open to sharing that script so that Ivan can add it to the
util/ directory? I provided a nessus2modsec script a while back [1] which
is now available there [2] and I would encourage others to do the same.
These scripts are valid tools and help others get up to speed when using
mod-security. Contributing them back also makes it possible for the
community to maintain them.

> - downloads various sets of rules (snort, bleeding, community)
> - extracts the rules
> - only converts the rules that I need
> - rips out some rules that I don't want/need
> (after converting snort rules, I noticed that the converted file
> contains a couple of SecFilter "" and SecFilter "=" entries,
> which kinda break basic functionality... )

This last comment (the SecFilter "" issue) looks to me like it is because
you are using an older version of the script that does not skip Snort
rules that do not apply to HTTP. I provided a patch [3] to snort2modsec
that fixed that. Ivan applied that patch [4] (minus the documentation I
added, but that is also available in the 'snortmodsec-rules.txt' file
already).

If you are not willing to share the code, it would be nice if you could
tell us:
- which rules you don't think apply, and should not be converted
- what rules that do apply get converted to problematic SecFilters

Regards

Javier

[1] http://sourceforge.net/mailarchive/forum.php?thread_id=5857485&forum_id=33492
[2] http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/nessus2modsec.pl?rev=1.1&view=markup
[3] http://sourceforge.net/mailarchive/forum.php?thread_id=5857484&forum_id=33492
[4] http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/snort2modsec.pl?r1=1.1&r2=1.2

>
>>
>>> When I update the files with newer files, will mod_security
>>> automatically use the newer file ? Or does Apache need a restart ?
>>
>> You need to restart Apache.
>>
>
> Will Apache start when one of the mod_security SecFilters is wrong ?
> After all, this is an automated process - there is a chance that
> something is wrong with the original snort rules, or with converting
> those rules into filters...
>
>>> If it automatically uses the newer file, what happens at the very
>>> time the file gets overwritten?
>>
>> Nothing. When Apache is started rules are read in memory. What
>> you do with the file afterwards is not important.
>>
>
> Thanks !
>
>
>> --
>> Ivan Ristic
>> Apache Security (O'Reilly) - http://www.apachesecurity.net
>> Open source web application firewall - http://www.modsecurity.org
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
>> Register for a JBoss Training Course. Free Certification Exam
>> for All Training Attendees Through End of 2005. For more info visit:
>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
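A small Python illustration, added after the thread and not the snort2modsec.pl script from ModSecurity's util/ directory, of the two checks the thread turns on: skipping Snort rules that do not apply to HTTP before converting them to SecFilter directives, and linting the converted output for the empty `SecFilter ""` and near-empty `SecFilter "="` entries before Apache is restarted. The rule parsing, the HTTP-port heuristic and the sample rules (sids in the local 1000000+ range, not real Snort signatures) are constructed for the example; it assumes the ModSecurity 1.x `SecFilter "<regex>"` syntax used in the thread.

```python
import re

# Constructed sample Snort rules (not real signatures): two HTTP rules, one SMTP
# rule, one HTTP rule with nothing to match on, and one matching only a lone '='.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; uricontent:"/etc/passwd"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC directory traversal"; flow:to_server,established; uricontent:"|2E 2E|/"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn root"; nocase; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC flow-only rule"; flow:to_server,established; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC lone equals"; content:"="; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# Only the quoted options matter here: msg, content and uricontent.
QUOTED_OPT_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
HTTP_PORTS = {"$HTTP_PORTS", "80", "8080"}  # heuristic chosen for this example


def parse_rule(line):
    """Return a dict for one Snort rule line, or None for blank, comment or unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    opts = rule.pop("opts")
    quoted = QUOTED_OPT_RE.findall(opts)
    rule["msg"] = next((v for k, v in quoted if k == "msg"), "")
    rule["contents"] = [v for k, v in quoted if k in ("content", "uricontent")]
    sid = SID_RE.search(opts)
    rule["sid"] = sid.group(1) if sid else "?"
    return rule


def applies_to_http(rule):
    """Keep TCP rules aimed at web servers; SMTP, DNS and the like carry no HTTP request."""
    return rule["proto"] == "tcp" and (
        rule["dport"] in HTTP_PORTS or rule["dst"] == "$HTTP_SERVERS")


def decode_content(value):
    """Expand Snort's |hex| byte notation and backslash escapes into a plain string."""
    out = []
    for i, chunk in enumerate(value.split("|")):
        if i % 2:  # odd chunks sit between pipes and hold hex bytes
            out.append(bytes.fromhex(chunk).decode("latin-1"))
        else:
            out.append(re.sub(r'\\(.)', r'\1', chunk))
    return "".join(out)


def rule_to_secfilter(rule):
    """Build one SecFilter directive, or None when the rule has nothing HTTP-visible to match."""
    # Several content options are all required by Snort; ".*" keeps them ordered.
    pattern = ".*".join(re.escape(decode_content(c)) for c in rule["contents"])
    if not pattern:
        return None  # would otherwise become SecFilter "", which matches every request
    return 'SecFilter "%s"' % pattern.replace('"', '\\"')


def convert(snort_text):
    """Convert a block of Snort rules, keeping only HTTP rules that yield a usable pattern."""
    directives = []
    for line in snort_text.splitlines():
        rule = parse_rule(line)
        if rule is None or not applies_to_http(rule):
            continue
        directive = rule_to_secfilter(rule)
        if directive is not None:
            directives.append(directive)
    return directives


DIRECTIVE_RE = re.compile(r'^\s*SecFilter\s+"(.*)"\s*$')


def lint(directives, min_len=3):
    """Flag SecFilter entries whose pattern is empty or too short to be selective."""
    problems = []
    for n, d in enumerate(directives, 1):
        m = DIRECTIVE_RE.match(d)
        if not m:
            problems.append((n, "not a simple SecFilter directive"))
            continue
        literal = re.sub(r'\\(.)', r'\1', m.group(1))  # unescape to measure real length
        if literal == "":
            problems.append((n, 'empty pattern (SecFilter "") matches every request'))
        elif len(literal) < min_len:
            problems.append((n, "pattern %r is too short to be selective" % literal))
    return problems


if __name__ == "__main__":
    converted = convert(SAMPLE_RULES)
    print("\n".join(converted))
    for n, why in lint(converted):
        print("line %d: %s" % (n, why))
```

Run as a script it prints the converted directives and the lint findings. The SMTP rule and the flow-only rule are dropped during conversion, but the rule matching a lone `=` survives as a syntactically valid `SecFilter "="` and is caught only by the lint pass; that is the point of keeping the two steps separate. Since the thread establishes that rules are read into memory at startup and a restart is needed to pick up a new file, the generated file should go through a check like this and then `apachectl configtest` before that restart, so an automated rule refresh cannot leave the server unable to start.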