Re: [mod-security-users] Location-specific phase 1 and phase 2 rules will (most likely) work in Mod
From: <chr...@po...> - 2009-11-17 06:27:03
My bad. Sorry.

Cheers,

Christian

--
Christian Folini, IT 222
Webserver Security Engineer

-----Original Message-----
From: Ivan Ristic [mailto:iva...@gm...]
Sent: Monday, 16 November 2009 16:36
To: Folini Christian, IT222 extern
Cc: mod...@li...
Subject: Re: [mod-security-users] Location-specific phase 1 and phase 2 rules will (most likely) work in ModSecurity 2.6!

That's on my list, under #9:

http://blog.ivanristic.com/2009/11/planned-usability-improvements-for-modsecurity-26.html

(I know, the list is rather long :)

On Mon, Nov 16, 2009 at 1:35 PM, <chr...@po...> wrote:
> Hey Iwan,
>
> This is indeed welcome news about a welcome update. One of these stinging anomalies gone.
>
> A suggestion in the same direction:
> It would be nice for beginners, if ModSecurity would warn them about
> the following rule:
>
> SecRule ARGS_POST:test "test" phase:1,...
>
> I know, that the engine won't be able to support the users when ARGS
> is used, but for ARGS_POST the case is pretty obvious, but maybe not
> for beginner level users.
> Actually, I believe Apache should shut down immediately. I mean Apache
> is very picky about misconfigurations and people can go to great
> lengths without noticing warnings in errorlogs.
>
> Regs,
>
> Christian
>
> --
> Christian Folini, IT 222
> Webserver Security Engineer
>
>
> -----Original Message-----
> From: Ivan Ristic [mailto:iva...@gm...]
> Sent: Tuesday, 10 November 2009 19:48
> To: mod...@li...
> Subject: [mod-security-users] Location-specific phase 1 and phase 2 rules will (most likely) work in ModSecurity 2.6!
>
> Hi group,
>
> I just wanted to share with you an exciting improvement in the ModSecurity code base. The change in the code is small, but the overall (positive) impact is quite big.
>
> Many of you may have been bitten by the inability (of the current version of) ModSecurity to specify phase 1 rules in a <Location> configuration context. For example, this does not work at the moment:
>
> <Location /some/path>
>     SecRule ARGS test phase:1,log,deny
> </Location>
>
> Furthermore, some things could not be configured easily. This, for example:
>
> <Location /some/path>
>     SecRequestBodyAccess Off
> </Location>
>
> It is even impossible to change the allowed request body phase. Now, that's almost in the past.
>
> The good news is that in ModSecurity 2.6 there will be no more limits of this type. The configuration directives and phase 1 rules will work in the <Location> tags (in addition to phase 2 rules, which already do). I'd like to think that this is the first of many small changes that we are going to introduce to ModSecurity to make it much easier to use. For too long we've tolerated some annoying problems in the name of backward compatibility.
>
> --
> Ivan Ristic
> Security assessment of your SSL servers https://www.ssllabs.com/ssldb/
>

--
Ivan Ristic
Security assessment of your SSL servers https://www.ssllabs.com/ssldb/
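
The two problems raised in this thread (a phase 1 rule that reads ARGS_POST, and a phase 1 rule placed inside a <Location> block) can be caught offline with a small configuration check. This is an added example, not code from the thread or from ModSecurity; `lint`, `BODY_VARS` and the sample configuration are constructed for illustration, and the list of request-body variables is an assumption.

```python
import re
import shlex

# Variables filled only after the request body is read (phase 2). Assumed list;
# ARGS is omitted because it mixes query-string and body parameters.
BODY_VARS = {"ARGS_POST", "ARGS_POST_NAMES", "REQUEST_BODY", "FILES",
             "FILES_NAMES", "FILES_SIZES", "FILES_TMPNAMES", "XML"}

SAMPLE = '''\
# Constructed sample configuration for this example
SecRule ARGS_POST:test "test" "phase:1,log,deny"
SecRule REQUEST_HEADERS:User-Agent "test" "phase:1,log,deny"
<Location /some/path>
    SecRule ARGS test phase:1,log,deny
    SecRule ARGS_POST:test|REQUEST_BODY "test" \\
        "phase:2,log,deny"
</Location>
'''

def lint(config_text):
    """Return (line_no, message) for each questionable phase 1 SecRule."""
    findings, location, buf, start = [], None, "", 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        if not buf:
            start = no                      # first line of this directive
        buf += raw.strip()
        if buf.endswith("\\"):              # continued on the next line
            buf = buf[:-1] + " "
            continue
        line, buf = buf, ""
        m = re.match(r"<(/?)Location(?:Match)?\b\s*([^>]*)>", line, re.I)
        if m:                               # track the enclosing context
            location = None if m.group(1) else m.group(2).strip()
            continue
        try:
            tok = shlex.split(line)
        except ValueError:
            continue                        # unbalanced quotes: skipped
        is_rule = len(tok) >= 4 and tok[0].lower() == "secrule"
        if not (is_rule and re.search(r"(^|,)\s*phase:1\b", tok[3])):
            continue                        # only explicit phase:1 rules
        names = {v.lstrip("!&").split(":")[0].upper() for v in tok[1].split("|")}
        for name in sorted(names & BODY_VARS):
            findings.append((start, f"{name} is not populated in phase 1"))
        if location is not None:
            findings.append((start, f"phase 1 rule inside <Location {location}>"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in lint(SAMPLE)))
```

Rules that inherit their phase from SecDefaultAction are not examined; only an explicit `phase:1` action is checked.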