Re: [Mod-security-developers] API Usage and Descriptions?
From: Christian F. <chr...@ne...> - 2018-01-02 19:22:44
Hey Jai,

On Tue, Jan 02, 2018 at 12:52:24PM -0600, Jai Harpalani wrote:
> Are the two rules below examples of how historical information can be
> incorporated into rules? In general, are variables modified and then
> re-examined by rules to take advantage of historical information? Are
> there other ways in which historical information can be used within
> rules?

Yes, that's a standard way to accomplish this. The problem is getting it
right for production use. The devil is in the details and there will be
a lot of side-effects and edge cases. There are also performance
considerations to take care of.

Other ways: Lua and a real database spring to mind.

If you want to continue this thread, it's probably time to move it over
to the user's mailing list.

Best,

Christian

> # Increment session score on attack
> SecRule REQUEST_URI "^/cgi-bin/finger$" "phase:2,id:71,t:none,t:lowercase,t:normalizePath,pass,setvar:SESSION.score=+10"
>
> # Detect too many attacks in a session
> SecRule SESSION:score "@gt 50" "phase:2,id:72,pass,setvar:SESSION.blocked=1"
>
> On Tue, Jan 2, 2018 at 12:08 PM, Christian Folini <chr...@ne...> wrote:
>
> > On Tue, Jan 02, 2018 at 11:50:00AM -0600, Jai Harpalani wrote:
> > > Does mod security use historical information when it applies rules?
> > > For example, does mod security know and use information about prior
> > > http requests when applying rules to the current one?
> >
> > ModSecurity is only the engine. What you are asking is part of the rule
> > set. It depends on the rules you are employing.
> >
> > Generally no, but they can be written in a way to use that information.
> > The Core Rule Set - the rule set with the biggest user base - generally
> > does not do this.
> >
> > Best,
> >
> > Christian
> >
> > > On Thu, Dec 28, 2017 at 1:21 PM, Jai Harpalani <jai...@mu...> wrote:
> > >
> > > Felipe,
> > >
> > > Thanks for the information. I will most likely have more questions as
> > > I continue working on this.
> > >
> > > Thanks,
> > > Jai
> > >
> > > On Fri, Dec 22, 2017 at 8:24 AM, Felipe Costa <FC...@tr...> wrote:
> > >
> > > > Hi Jai,
> > > >
> > > > The idea is to have a transaction for each HTTP request. So,
> > > > msc_new_transaction() should be called every time that a new connection
> > > > is established. In addition to the ModSecurity v2.x phases,
> > > > ModSecurity v3 can also process rules for this additional URI phase.
> > > > That is after you got the connection details and before you get the
> > > > client headers.
> > > >
> > > > You can find more details about how to implement a connector in the
> > > > Transaction code:
> > > >
> > > > - https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc
> > > >
> > > > You may also want to generate the doxygen docs:
> > > >
> > > >     $ cd doc ; doxygen doxygen.cfg
> > > >
> > > > Notice that there is no phase on SecRules to hit the uri processing. At
> > > > least not yet. We are aiming to support it in upcoming versions.
> > > >
> > > > Br.,
> > > >
> > > > Felipe “Zimmerle” Costa
> > > > Security Researcher, Lead Developer ModSecurity.
> > > > Trustwave
> > > > www.trustwave.com
> > > >
> > > > __________________________________________________________________
> > > >
> > > > From: Jai Harpalani <jai...@mu...>
> > > > Sent: Wednesday, December 20, 2017 3:52:27 PM
> > > > To: mod...@li...
> > > > Subject: [Mod-security-developers] API Usage and Descriptions?
> > > >
> > > > I have an application which already retrieves requests and responses
> > > > from "the wire". I'm trying to add modSecurity to check the
> > > > requests/responses for WAF errors using:
> > > >
> > > >     msc_process_request_headers();
> > > >     msc_process_request_body();
> > > >     msc_process_response_headers();
> > > >     msc_process_response_body();
> > > >
> > > > I don't want WAF to necessarily take any action, just inform the caller
> > > > if any problems were found. If this is possible, how is it done?
> > > >
> > > > Also, not sure what the purpose of the below APIs is for my specific
> > > > application.
> > > >
> > > >     msc_new_transaction();
> > > >     msc_process_connection(t);
> > > >     msc_process_uri();
> > > >
> > > > I was not able to locate a description of the above APIs. If detailed
> > > > descriptions exist, please let me know where they are located.
> > > >
> > > > Thanks.
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > > _______________________________________________
> > > > mod-security-developers mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > > > ModSecurity Services from Trustwave's SpiderLabs:
> > > > https://www.trustwave.com/spiderLabs.php

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
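To make the semantics of the two quoted rules concrete, here is an added Python model of them (constructed for this page; it is not ModSecurity's code and only approximates the SESSION collection, `setvar`, `@gt` and `t:normalizePath`). The session ids and URIs in it are made up, and it also shows the edge cases Christian alludes to: the score never decays, and `pass` plus a `blocked` flag does not by itself block anything.

```python
import re
from collections import defaultdict

# Rule 71: a request for /cgi-bin/finger adds 10 to the session score.
FINGER_RE = re.compile(r"^/cgi-bin/finger$")
SCORE_INCREMENT = 10
# Rule 72: a score strictly greater than 50 flags the session.
SCORE_THRESHOLD = 50

# Stand-in for the persistent SESSION collection: state keyed by a
# session id and kept across requests, which is where the "history" lives.
sessions = defaultdict(lambda: {"score": 0, "blocked": 0})


def normalize_path(uri):
    """Approximate t:lowercase,t:normalizePath: lowercase, drop empty and
    "." segments, resolve ".." (a simplification of ModSecurity's own)."""
    parts = []
    for seg in uri.lower().split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def process_request(session_id, uri):
    """Apply rules 71 and 72 to one request and return the SESSION state.

    Both rules use the 'pass' action, so nothing here denies the request:
    SESSION.blocked is only a flag that a further rule would have to act on.
    """
    sess = sessions[session_id]
    if FINGER_RE.match(normalize_path(uri)):
        sess["score"] += SCORE_INCREMENT      # setvar:SESSION.score=+10
    if sess["score"] > SCORE_THRESHOLD:       # SESSION:score "@gt 50"
        sess["blocked"] = 1                   # setvar:SESSION.blocked=1
    # No expirevar-style decay is modelled: once flagged, a session stays
    # flagged and its score keeps growing, one of the edge cases to handle.
    return dict(sess)


if __name__ == "__main__":
    # Constructed traffic: six probes from one session cross the threshold
    # on the sixth request; a different session is unaffected.
    for n in range(6):
        print(n + 1, process_request("sess-a", "/CGI-BIN/./finger"))
    print("other", process_request("sess-b", "/cgi-bin/finger"))
```

Note that REQUEST_URI includes the query string, so `/cgi-bin/finger?x=1` does not match the anchored regex of rule 71 as written, another detail a production rule would have to decide on.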