Re: [Mod-security-developers] API Usage and Descriptions?
From: Felipe C. <FC...@tr...> - 2018-01-03 12:17:18
As of version 3, collections [SESSION and others] can be saved using our own backend. It means that you can use memcache, redis or any other 'thing' capable of storing key-pair values. So the data will be persistent in the backend server; it is up to the backend server to limit the time and amount of data.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jai Harpalani <jai...@mu...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Tuesday, January 2, 2018 at 3:52 PM
To: "mod...@li..." <mod...@li...>
Subject: Re: [Mod-security-developers] API Usage and Descriptions?

Are the two rules below examples of how historical information can be incorporated into rules? In general, are variables modified and then re-examined by rules to take advantage of historical information? Are there other ways in which historical information can be used within rules?

# Increment session score on attack
SecRule REQUEST_URI "^/cgi-bin/finger$" "phase:2,id:71,t:none,t:lowercase,t:normalizePath,pass,setvar:SESSION.score=+10"

# Detect too many attacks in a session
SecRule SESSION:score "@gt 50" "phase:2,id:72,pass,setvar:SESSION.blocked=1"

On Tue, Jan 2, 2018 at 12:08 PM, Christian Folini <chr...@ne...> wrote:

On Tue, Jan 02, 2018 at 11:50:00AM -0600, Jai Harpalani wrote:
> Does mod security use historical information when it applies rules?
> For example, does mod security know and use information about prior
> http requests when applying rules to the current one?

ModSecurity is only the engine. What you are asking is part of the rule set. There it depends on the rules you are employing. Generally no, but they can be written in a way to use that information. The Core Rule Set - the rule set with the biggest user base - generally does not do this.

Best,
Christian

>
> On Thu, Dec 28, 2017 at 1:21 PM, Jai Harpalani
> <jai...@mu...> wrote:
>
> Felipe,
> Thanks for the information. I will most likely have more questions as
> I continue working on this.
> Thanks,
> Jai
>
> On Fri, Dec 22, 2017 at 8:24 AM, Felipe Costa <FC...@tr...>
> wrote:
>
> Hi Jai,
>
> The idea is to have a transaction for each HTTP request. So,
> msc_new_transaction() should be called every time that a new connection
> is established. In addition to the ModSecurity v2.x phases,
> ModSecurity v3 can also process rules for this additional URI phase.
> That is after you got the connection details and before you get the
> client headers.
>
> You can find more details about how to implement a connector in the
> Transaction code:
>
> - https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc
>
> You may also want to generate the doxygen docs:
> $ cd doc ; doxygen doxygen.cfg
>
> Notice that there is no phase on SecRules to hit the uri processing. At
> least not yet. We are aiming to support it in upcoming versions.
>
> Br.,
>
> Felipe "Zimmerle" Costa
>
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
>
> www.trustwave.com
> __________________________________________________________________
>
> From: Jai Harpalani <jai...@mu...>
> Sent: Wednesday, December 20, 2017 3:52:27 PM
> To: mod...@li...
> Subject: [Mod-security-developers] API Usage and Descriptions?
>
> I have an application which already retrieves requests and responses
> from "the wire". I'm trying to add modSecurity to check the
> requests/responses for WAF errors using:
> msc_process_request_headers();
> msc_process_request_body();
> msc_process_response_headers();
> msc_process_response_body();
> I don't want WAF to necessarily take any action, just inform the caller
> if any problems were found. If this is possible, how is it done?
> Also, not sure what the purpose of the below APIs is for my specific
> application.
> msc_new_transaction();
> msc_process_connection(t);
> msc_process_uri();
> I was not able to locate a description of the above APIs. If detailed
> descriptions exist, please let me know where they are located.
> Thanks.
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
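
An added example, not part of the thread and not ModSecurity code: a small Python model of how rules 71 and 72 above accumulate state across separate transactions when the SESSION collection is held in an external key-value store that ages data out. The `KVBackend` class, its TTL, the session ids and the sample traffic are constructed assumptions, and the collection is assumed to be already keyed to a session id.

```python
import posixpath

class KVBackend:
    """Constructed stand-in for memcache/redis: key -> (value, expiry time)."""
    def __init__(self, ttl, clock):
        self.ttl, self.clock, self.data = ttl, clock, {}

    def get(self, key, default=0):
        value, expires = self.data.get(key, (default, None))
        if expires is not None and self.clock() >= expires:
            del self.data[key]          # the backend, not the rule, ages data out
            return default
        return value

    def set(self, key, value):
        self.data[key] = (value, self.clock() + self.ttl)

def normalize(uri):
    # Approximates t:lowercase,t:normalizePath for simple absolute paths.
    return posixpath.normpath(uri.lower())

def process_request(backend, session_id, uri):
    """One transaction: evaluate rules 71 and 72 in order, return SESSION state."""
    score_key = f"SESSION:{session_id}:score"
    blocked_key = f"SESSION:{session_id}:blocked"
    # id:71  REQUEST_URI "^/cgi-bin/finger$" -> setvar:SESSION.score=+10
    if normalize(uri) == "/cgi-bin/finger":
        backend.set(score_key, backend.get(score_key) + 10)
    # id:72  SESSION:score "@gt 50" -> setvar:SESSION.blocked=1
    if backend.get(score_key) > 50:
        backend.set(blocked_key, 1)
    return {"score": backend.get(score_key), "blocked": backend.get(blocked_key)}

def replay(requests, ttl=300):
    """Replay constructed (timestamp, session_id, uri) tuples against one backend."""
    now = [0.0]
    backend = KVBackend(ttl, clock=lambda: now[0])
    results = []
    for ts, sid, uri in requests:
        now[0] = ts                     # simulated clock, so the model runs offline
        results.append(process_request(backend, sid, uri))
    return results

# Constructed sample traffic: session "a" matches six times, session "b" once.
SAMPLE = [(i, "a", "/cgi-bin/Finger") for i in range(5)] + [
    (5, "b", "/cgi-bin/finger"), (6, "a", "/cgi-bin/./finger"), (7, "a", "/index.html")]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

In this model the sixth matching request, not the fifth, sets SESSION.blocked, because `@gt 50` is a strict comparison, and once the backend's TTL lapses the score starts again from zero.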