Re: [Mod-security-developers] 2.9.0-RC1 test results
From: Ryan B. <RBa...@tr...> - 2014-11-26 03:42:53
Walter,

Please see this blog post I did about using the @fuzzyHash operator - http://blog.spiderlabs.com/2014/11/modsecurity-advanced-topic-of-the-week-detecting-malware-with-fuzzy-hashing.html

Hopefully this will help with some testing.

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Walter Hop <mo...@sp...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Tuesday, November 25, 2014 5:43 PM
To: "mod...@li..." <mod...@li...>
Subject: Re: [Mod-security-developers] 2.9.0-RC1 test results

2) High prio: Undiagnosed persistent crash. https://gist.github.com/lifeforms/4356643edfe8f39c2991

Got the same crash on a second test box today. I have updated the gist with information from a debug build: https://gist.github.com/lifeforms/4356643edfe8f39c2991

This crash appears to be serious. I don’t think I’ve ever seen ModSecurity segfault while parsing a request before. Since it starts happening at a random moment of the day, I’m a bit concerned this might be a remote DoS vuln, so I’m reverting to 2.7.7 on the public boxes.

I have kept some core files, but it’s been a long time since I worked with gdb, so let me know if I should extract more info out of them. Is there a way to enable asserts in the code so we can find out why/when node is unset?

5) I have tested @fuzzyHash and could not get it to work. My experiences are in this gist: https://gist.github.com/lifeforms/660e995254aba740856e

Sorry I couldn’t bring more positive news!

Cheers,
WH

--
Walter Hop | PGP key: https://lifeforms.nl/pgp