Re: [mod-security-users] Mod_Security and Content-Encoding: gzip
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-01 22:59:07
You should be able to use a rule similar to this to identify any Content-Encoding (for compression) and then disable Mod inspection/logging for it -

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:3,t:none,nolog,pass,ctl:auditEngine=Off,ruleEngine=Off"

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series: http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: Jim Hermann - UUN Hostmaster [mailto:hos...@uu...]
> Sent: Tuesday, May 01, 2007 6:50 PM
> To: Ryan Barnett; mod...@li...
> Subject: RE: [mod-security-users] Mod_Security and Content-Encoding: gzip
>
> How can I filter the RESPONSE_BODY so that mod_security does not receive it
> when the Content-Encoding is gzip?
>
> I like the idea of checking for code leakage when the Content-Encoding is
> not gzip.
>
> Thanks.
>
> Jim
>
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
> > Sent: Tuesday, May 01, 2007 12:42 PM
> > To: Jim Hermann - UUN Hostmaster; mod...@li...
> > Subject: RE: [mod-security-users] Mod_Security and Content-Encoding: gzip
> >
> > Very timely... The short answer however is - No, Mod can not handle
> > compressed/gzipped data. Ofer will be releasing an update to the Core
> > Rules shortly and there are some updates to address compressed content
> > (from an alerting perspective).
> >
> > This is from the CHANGES file -
> > ModSecurity does not support compressed content at the moment. Thus, the
> > following rules have been added:
> > - 960013 - Content-Encoding in request not supported
> >   Any incoming compressed request will be denied
> > - 960051 - Content-Encoding in response not supported
> >   An outgoing compressed response will be logged to alert, but ONLY ONCE.
> >
> > > -----Original Message-----
> > > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Jim Hermann - UUN Hostmaster
> > > Sent: Tuesday, May 01, 2007 1:32 PM
> > > To: mod...@li...
> > > Subject: [mod-security-users] Mod_Security and Content-Encoding: gzip
> > >
> > > Does anyone know if Mod_Security can be configured to handle
> > > Content-Encoding: gzip?
> > >
> > > The default rules evaluate RESPONSE_BODY for code leakage. However, when
> > > the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit characters and
> > > the mod_security rule does not work correctly.
> > >
> > > Here is the modsec_audit.log entry:
> > >
> > > --5a7c556c-A--
> > > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146 43002 69.94.104.180 80
> > > --5a7c556c-B--
> > > GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> > > Host: www.xxx.xxx
> > > Connection: Keep-alive
> > > Accept: */*
> > > From: googlebot(at)googlebot.com
> > > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
> > > Accept-Encoding: gzip
> > > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > >
> > > --5a7c556c-F--
> > > HTTP/1.1 200 OK
> > > X-Powered-By: PHP/5.0.4
> > > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> > > Pragma: no-cache
> > > Content-Encoding: gzip
> > > Vary: Accept-Encoding
> > > Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> > > Content-Length: 15062
> > > Keep-Alive: timeout=15, max=100
> > > Connection: Keep-Alive
> > > Content-Type: text/html; charset=ISO-8859-2
> > > Content-Language: hu
> > >
> > > --5a7c556c-E--
> > > [snip - bunch of 8-bit characters]
> > >
> > > --5a7c556c-H--
> > > Message: Warning. Match of "rx (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|gif)|B(?:%pdf|\\.ra)\\b)" against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code leakage"] [severity "WARNING"]
> > > Apache-Handler: cgi-script
> > > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > > Response-Body-Transformed: Dechunked
> > > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > > Server: Apache/2.0.54 (Fedora)
> > >
> > > --5a7c556c-Z--
> > > __________________
> > > Jim Hermann
> > > Ministering to the Web
> > > UUism Networks
> > > www.uuism.net
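As an added example (not code from the thread or from ModSecurity), the following Python models the three ways of treating a gzip response discussed above: applying the leakage regex to the raw bytes, gating inspection off with Ryan's `!^Identity$` rule, or decompressing before inspection. The leakage pattern, headers and body are constructed stand-ins; the gating function compares case-insensitively, which the posted rule with `t:none` does not.

```python
import gzip
import re
import zlib
from typing import Optional

# Constructed stand-in for the Core Rules' response-body leakage check
# (rule 970902 in the audit log above uses a much longer signature regex).
LEAKAGE_RE = re.compile(rb"<\?php\b")


def inspection_enabled(headers: dict) -> bool:
    """Gate like the SecRule in Ryan's reply: a Content-Encoding other than
    identity switches inspection off.  A response with no Content-Encoding
    header is still inspected, because the rule has nothing to match on.
    (The comparison here is case-insensitive; the rule as posted, with
    t:none, would treat a lowercase 'identity' as non-identity.)"""
    enc = headers.get("Content-Encoding")
    return enc is None or enc.strip().lower() == "identity"


def scan_response(headers: dict, body: bytes, mode: str) -> Optional[str]:
    """Return the rule message that would fire, or None.

    mode="raw":        apply the regex to the bytes as received (the 2007
                       behaviour from the thread: gzip data hits the rule)
    mode="skip":       Ryan's workaround, skip compressed responses entirely
    mode="decompress": gunzip first, then inspect the real HTML
    """
    if mode == "skip" and not inspection_enabled(headers):
        return None
    data = body
    if mode == "decompress" and headers.get("Content-Encoding", "").lower() == "gzip":
        try:
            data = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            # Undecodable body: report it rather than silently passing it
            return "Content-Encoding: gzip but body is not valid gzip"
    if LEAKAGE_RE.search(data):
        return "PHP source code leakage"
    return None


# Constructed sample response: a page that leaks an unparsed PHP tag.
LEAKED_HTML = b"<html><body><?php echo $secret; ?></body></html>"
PLAIN_HEADERS = {"Content-Type": "text/html"}
GZIP_HEADERS = {"Content-Type": "text/html", "Content-Encoding": "gzip"}

if __name__ == "__main__":
    gz = gzip.compress(LEAKED_HTML)
    for mode in ("raw", "skip", "decompress"):
        print(mode, "gzip ->", scan_response(GZIP_HEADERS, gz, mode))
```

Running it shows that only the decompress path reports the leak in the gzipped response, while the skip path passes it through unseen, as the `ctl:ruleEngine=Off` rule would.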