Re: [Mod-security-developers] API Usage and Descriptions?
From: Jai H. <jai...@mu...> - 2018-01-02 18:52:32
Are the two rules below examples of how historical information can be incorporated into rules? In general, are variables modified and then re-examined by rules to take advantage of historical information? Are there other ways in which historical information can be used within rules?

# Increment session score on attack
SecRule REQUEST_URI "^/cgi-bin/finger$" "phase:2,id:71,t:none,t:lowercase,t:normalizePath,pass,setvar:SESSION.score=+10"

# Detect too many attacks in a session
SecRule SESSION:score "@gt 50" "phase:2,id:72,pass,setvar:SESSION.blocked=1"

On Tue, Jan 2, 2018 at 12:08 PM, Christian Folini <chr...@ne...> wrote:

> On Tue, Jan 02, 2018 at 11:50:00AM -0600, Jai Harpalani wrote:
> > Does mod security use historical information when it applies rules?
> > For example, does mod security know and use information about prior
> > http requests when applying rules to the current one?
>
> ModSecurity is only the engine. What you are asking is part of the rule
> set. There it depends on the rules you are employing.
>
> Generally no, but they can be written in a way to use that information.
>
> The Core Rule Set - the rule set with the biggest user base - generally
> does not do this.
>
> Best,
>
> Christian
>
> > On Thu, Dec 28, 2017 at 1:21 PM, Jai Harpalani
> > <[1]jai...@mu...> wrote:
> >
> > Felipe,
> > Thanks for the information. I will most likely have more questions as
> > I continue working on this.
> > Thanks,
> > Jai
> >
> > On Fri, Dec 22, 2017 at 8:24 AM, Felipe Costa <[2]FC...@tr...>
> > wrote:
> >
> > Hi Jai,
> >
> > The idea is to have a transaction for each HTTP request. So,
> > msc_new_transaction() should be called every time that a new connection
> > is established. In addition to the ModSecurity v2.x phases,
> > ModSecurity v3 can also process rules for this additional URI phase.
> > That is after you got the connection details and before you get the
> > client headers.
> >
> > You can find more details about how to implement a connector in the
> > Transaction code:
> >
> > - [3]https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc
> >
> > You may also want to generate the doxygen docs:
> >
> > $ cd doc ; doxygen doxygen.cfg
> >
> > Notice that there is no phase on SecRules to hit the uri processing. At
> > least not yet. We are aiming to support in upcoming versions.
> >
> > Br.,
> >
> > Felipe “Zimmerle” Costa
> >
> > Security Researcher, Lead Developer ModSecurity.
> >
> > Trustwave | SMART SECURITY ON DEMAND
> >
> > [4]www.trustwave.com
> > __________________________________________________________________
> >
> > From: Jai Harpalani <[5]jai...@mu...>
> > Sent: Wednesday, December 20, 2017 3:52:27 PM
> > To: [6]mod...@li...
> > Subject: [Mod-security-developers] API Usage and Descriptions?
> >
> > I have an application which already retrieves requests and responses
> > from "the wire". I'm trying to add modSecurity to check the
> > requests/responses for WAF errors using:
> >
> > msc_process_request_headers();
> > msc_process_request_body();
> > msc_process_response_headers();
> > msc_process_response_body();
> >
> > I don't want WAF to necessarily take any action, just inform the caller
> > if any problems were found. If this is possible, how is it done?
> >
> > Also, not sure what the purpose of the below APIs is for my specific
> > application.
> >
> > msc_new_transaction();
> > msc_process_connection(t);
> > msc_process_uri();
> >
> > I was not able to locate a description of the above APIs. If detailed
> > descriptions exist, please let me know where they are located.
> > Thanks.
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! [7]http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-developers mailing list
> > [8]mod...@li...
> > [9]https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > [10]https://www.trustwave.com/spiderLabs.php
> >
> > References
> >
> > 1. mailto:jai...@mu...
> > 2. mailto:FC...@tr...
> > 3. https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc
> > 4. http://www.trustwave.com/
> > 5. mailto:jai...@mu...
> > 6. mailto:mod...@li...
> > 7. http://sdm.link/slashdot
> > 8. mailto:mod...@li...
> > 9. https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > 10. https://www.trustwave.com/spiderLabs.php
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini
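
Added example, not part of the thread and not code from the ModSecurity project: the two rules quoted at the top of the message read and write the SESSION collection, which only becomes available after setsid has run, so this configuration adds that step, an expiry, and a rule that reads the flag on later requests. The cookie name PHPSESSID, the rule ids 9001-9004, the data directory and the 600-second window are assumptions; SecRuleEngine DetectionOnly keeps the engine to reporting only, as asked in the first post of the thread.

```apache
# Added example; ids, cookie name, path and time window are assumptions.

# Log matches but never interrupt the transaction.
SecRuleEngine DetectionOnly

# ModSecurity v2 keeps persistent collections in this directory (placeholder path).
SecDataDir /var/cache/modsecurity

# 1. Bind the SESSION collection to the session cookie. Without setsid the
#    SESSION variables do not exist and nothing carries over between requests.
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "id:9001,phase:1,pass,nolog,setsid:%{REQUEST_COOKIES.PHPSESSID}"

# 2. Read state written by earlier requests. This is where history changes
#    how the current request is treated. Under DetectionOnly the deny is
#    logged, not enforced.
SecRule SESSION:blocked "@eq 1" \
    "id:9002,phase:1,deny,status:403,log,\
    msg:'Session flagged by earlier requests'"

# 3. Record the event. expirevar drops the score 600 s after the most recent
#    match, so old activity does not count against the session forever.
SecRule REQUEST_URI "^/cgi-bin/finger$" \
    "id:9003,phase:2,pass,log,t:none,t:lowercase,t:normalizePath,\
    msg:'Probe recorded for session',\
    setvar:SESSION.score=+10,expirevar:SESSION.score=600"

# 4. Evaluate the accumulated score. This rule must come after 9003 so that
#    it sees the value updated by the current request.
SecRule SESSION:score "@gt 50" \
    "id:9004,phase:2,pass,log,msg:'Session score is %{SESSION.score}',\
    setvar:SESSION.blocked=1,expirevar:SESSION.blocked=600"
```

With these values the sixth matching request in a session raises the score to 60 and sets the flag, and rule 9002 reports every later request in that session until the flag expires.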