Re: [mod-security-users] Mod_Security and Content-Encoding: gzip
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Mod_Security and Content-Encoding: gzip
|
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-01 22:59:07
|
You should be able to use a rule similar to this identify any
Content-Encoding (for compression) and then disable Mod
inspection/logging for it -
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
"phase:3,t:none,nolog,pass,ctl:auditEngine=3DOff,ruleEngine=3DOff"
--=20
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
=20
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
=20
> -----Original Message-----
> From: Jim Hermann - UUN Hostmaster [mailto:hos...@uu...]
> Sent: Tuesday, May 01, 2007 6:50 PM
> To: Ryan Barnett; mod...@li...
> Subject: RE: [mod-security-users] Mod_Security and Content-Encoding:
gzip
>=20
> How can I filter the RESPONSE_BODY so that mod_security does not
receive
> it
> when the Content-Encoding is gzip?
>=20
> I like the idea of checking for code leakage when the Content-Encoding
is
> not gzip.
>=20
> Thanks.
>=20
> Jim
>=20
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
> > Sent: Tuesday, May 01, 2007 12:42 PM
> > To: Jim Hermann - UUN Hostmaster;
> > mod...@li...
> > Subject: RE: [mod-security-users] Mod_Security and
> > Content-Encoding: gzip
> >
> > Very timely... The short answer however is - No, Mod can not handle
> > compressed/gzipped data. Ofer will be releasing an update to the
Core
> > Rules shortly and there are some updates to address compressed
content
> > (from an alerting perspective).
> >
> > This is from the CHANGES file -
> > ModSecurity does not support compressed content at the
> > moment. Thus, the
> > following rules have been added:
> > - 960013 - Content-Encoding in request not supported
> > Any incoming compressed request will be denied
> > - 960051 - Content-Encoding in response not suppoted
> > An outgoing compressed response will be logged to alert, but
ONLY
> > ONCE.
> >
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Application Security Training
> > Web Application Security Consortium (WASC) Member
> > Author: Preventing Web Attacks with Apache
> >
> > --------------
> > Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
> > Learn More About the Breach Webinar Series:
> > http://www.breach.com/webinars.asp
> > --------------
> >
> >
> > > -----Original Message-----
> > > From: mod...@li...
[mailto:mod-
> > > sec...@li...] On Behalf Of
> > Jim Hermann
> > -
> > > UUN Hostmaster
> > > Sent: Tuesday, May 01, 2007 1:32 PM
> > > To: mod...@li...
> > > Subject: [mod-security-users] Mod_Security and
> > Content-Encoding: gzip
> > >
> > >
> > > Does anyone know if Mod_Security can be configured to handle
> > > Content-Encoding: gzip?
> > >
> > > The default rules evaulate for RESPONSE_BODY for code leakage.
> > However,
> > > when
> > > the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit
> > characters
> > > and
> > > the mod_security rule does not work correctly.
> > >
> > > Here is the modsec_audit.log entry:
> > >
> > > --5a7c556c-A--
> > > [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU
66.249.65.146
> > 43002
> > > 69.94.104.180 80
> > > --5a7c556c-B--
> > > GET /modules.php?name=3DContent&pa=3Dshowpage&pid=3D535 HTTP/1.1
> > > Host: www.xxx.xxx
> > > Connection: Keep-alive
> > > Accept: */*
> > > From: googlebot(at)googlebot.com
> > > User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> > > +http://www.google.com/bot.html)
> > > Accept-Encoding: gzip
> > > If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
> > >
> > > --5a7c556c-F--
> > > HTTP/1.1 200 OK
> > > X-Powered-By: PHP/5.0.4
> > > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > > Cache-Control: no-store, no-cache, must-revalidate, =
post-check=3D0,
> > > pre-check=3D0
> > > Pragma: no-cache
> > > Content-Encoding: gzip
> > > Vary: Accept-Encoding
> > > Set-Cookie: PHPSESSID=3Drk9ed4ue5dgsc6nn455arvfkh4; path=3D/
> > > Content-Length: 15062
> > > Keep-Alive: timeout=3D15, max=3D100
> > > Connection: Keep-Alive
> > > Content-Type: text/html; charset=3DISO-8859-2
> > > Content-Language: hu
> > >
> > > --5a7c556c-E--
> > > [snip - bunch of 8-bit characters]
> > >
> > > --5a7c556c-H--
> > > Message: Warning. Match of "rx
> > > (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> > > x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> > > if)|B(?:%pdf|\\.ra)\\b)"
> > > against "RESPONSE_BODY" required. [id "970902"] [msg "PHP
> > source code
> > > leakage"] [severity "WARNING"]
> > > Apache-Handler: cgi-script
> > > Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> > > Response-Body-Transformed: Dechunked
> > > Producer: ModSecurity v2.1.1 (Apache 2.x)
> > > Server: Apache/2.0.54 (Fedora)
> > >
> > > --5a7c556c-Z--
> > > __________________
> > > Jim Hermann
> > > Ministering to the Web
> > > UUism Networks
> > > www.uuism.net
> > >
> > >
> > >
> > --------------------------------------------------------------
> > ----------
> > -
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.5.467 / Virus Database: 269.6.2/782 - Release
> > Date: 05/01/07 02:10 AM
> >
> >
|