Thread: [Mod-security-developers] ModSecurity for Java
From: Juan c. <jua...@ow...> - 2011-06-02 06:21:11
Hello Guys

Just a little update, Rule parser for this project is already working and supporting the 4 directives (SecRuleEngine, SecRule, SecRequestBodyAccess, SecResponseBodyAccess) of Rule Language Porting Spec Level 1 :)

I am struggling to get the Response variables working, I always get an empty string for the response body buffer :(, can anyone give me some support on this one, I might not be using the ResponseWrapper correctly.

Regards,
Juan Carlos Calderon
From: Ryan B. <RBa...@tr...> - 2011-06-02 12:28:23
Hey Juan Carlos,

Thanks for the update! Have you looked at the "MsHttpServletResponse.java" code from the old ModSecurity for Java project?
http://www.modsecurity.org/download/msj-m3c.war

Maybe that would help.

-Ryan
From: Juan C. C. R. <jua...@so...> - 2011-06-03 13:27:46
Yes I have, although as the implementations are different I guess there is a bug or something on the original code of OWASP Java WAF.

I will leave that part to later on and make some more progress on the evaluation of the rules, keep you posted

Thanks,
Juan Carlos
From: Oleg G. <ole...@ya...> - 2011-06-16 23:49:57
Can anyone please provide more data on this Java project? In particular, I need to know:

1. Is it stable enough to be used in production?
2. If it's not, do you have any timelines for the first version that can be used in prod?

In general, I think it would be very useful for expanding the applicability of mod-security.

Thanks,
Oleg.
From: Ryan B. <RBa...@tr...> - 2011-06-16 23:56:07
Juan Carlos would be the best one to answer those questions as he is the OWASP Java WAF project lead. What Juan and I discussed is that he is updating the Java WAF code to accept ModSecurity SecRules.

In order to help porting efforts to other platforms, the ModSecurity team has developed a porting specification with 2 levels -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Rules_Language_Porting_Spec

We realize that it may not be feasible for all functionality to be ported so we focused Level 1 on Core Features. This should allow users to add in basic ModSecurity SecRules.

If you have any input on the porting specs please let us know.

-Ryan
From: Juan c. <jua...@ow...> - 2011-06-17 00:49:56
Hello Oleg

The development is in progress and it will take 2 or 3 months more. If you need the firewall you can use the version 1 from ESAPI 2.0GA. Notice ModSecurity rules are not supported in that version. But, it is very easy to create rules for it. Let me know if you need any help with that.

Regards,
Juan Carlos Calderon
From: Oleg G. <ole...@ya...> - 2011-06-17 01:01:17
Juan, Ryan,

Thank you for the answers. I'll try to take a closer look if time permits and let you know my thoughts. If you have any suggestion in regard to the best candidate for experiments, please let me know what it is.

Oleg.