Re: [Mod-security-developers] API Usage and Descriptions?
From: Christian F. <chr...@ne...> - 2018-01-03 13:42:12
On Wed, Jan 03, 2018 at 12:17:07PM +0000, Felipe Costa wrote:
> As of version 3, collections [SESSION and others] can be saved using
> our own backend. It means that you can use memcache, redis or any other
> 'thing' capable of storing key-pair values. So the data will be
> persistent in the backend server; up to the backend server to limit the
> time and amount of data.

This is one of the biggest improvements of ModSec3 over ModSec2.
Really looking forward to using this in production!

Christian

> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: Jai Harpalani <jai...@mu...>
> Reply-To: "mod...@li..." <mod...@li...>
> Date: Tuesday, January 2, 2018 at 3:52 PM
> To: "mod...@li..." <mod...@li...>
> Subject: Re: [Mod-security-developers] API Usage and Descriptions?
>
> Are the two rules below examples of how historical information can be
> incorporated into rules? In general, are variables modified and then
> re-examined by rules to take advantage of historical information? Are
> there other ways in which historical information can be used within
> rules?
>
> # Increment session score on attack
> SecRule REQUEST_URI "^/cgi-bin/finger$" "phase:2,id:71,t:none,t:lowercase,t:normalizePath,pass,setvar:SESSION.score=+10"
>
> # Detect too many attacks in a session
> SecRule SESSION:score "@gt 50" "phase:2,id:72,pass,setvar:SESSION.blocked=1"
>
> On Tue, Jan 2, 2018 at 12:08 PM, Christian Folini <chr...@ne...> wrote:
>
> On Tue, Jan 02, 2018 at 11:50:00AM -0600, Jai Harpalani wrote:
> > Does mod security use historical information when it applies rules?
> > For example, does mod security know and use information about prior
> > http requests when applying rules to the current one?
>
> ModSecurity is only the engine. What you are asking is part of the rule
> set. That depends on the rules you are employing.
> Generally no, but they can be written in a way to use that information.
> The Core Rule Set - the rule set with the biggest user base - generally
> does not do this.
>
> Best,
> Christian
>
> > On Thu, Dec 28, 2017 at 1:21 PM, Jai Harpalani <jai...@mu...> wrote:
> >
> > Felipe,
> > Thanks for the information. I will most likely have more questions as
> > I continue working on this.
> > Thanks,
> > Jai
> >
> > On Fri, Dec 22, 2017 at 8:24 AM, Felipe Costa <FC...@tr...> wrote:
> >
> > Hi Jai,
> >
> > The idea is to have a transaction for each HTTP request. So,
> > msc_new_transaction() should be called every time that a new connection
> > is established. In addition to the ModSecurity v2.x phases,
> > ModSecurity v3 can also process rules for this additional URI phase.
> > That is after you got the connection details and before you get the
> > client headers.
> >
> > You can find more details about how to implement a connector in the
> > Transaction code:
> >
> > - https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc
> >
> > You may also want to generate the doxygen docs:
> >
> > $ cd doc ; doxygen doxygen.cfg
> >
> > Notice that there is no phase on SecRules to hit the uri processing. At
> > least not yet. We are aiming to support in upcoming versions.
> >
> > Br.,
> > Felipe “Zimmerle” Costa
> > Security Researcher, Lead Developer ModSecurity.
> >
> > Trustwave | SMART SECURITY ON DEMAND
> > www.trustwave.com
> >
> > From: Jai Harpalani <jai...@mu...>
> > Sent: Wednesday, December 20, 2017 3:52:27 PM
> > To: mod...@li...
> > Subject: [Mod-security-developers] API Usage and Descriptions?
> >
> > I have an application which already retrieves requests and responses
> > from "the wire". I'm trying to add modSecurity to check the
> > requests/responses for WAF errors using:
> >
> > msc_process_request_headers();
> > msc_process_request_body();
> > msc_process_response_headers();
> > msc_process_response_body();
> >
> > I don't want WAF to necessarily take any action, just inform the caller
> > if any problems were found. If this is possible, how is it done?
> >
> > Also, not sure what the purpose of the below APIs is for my specific
> > application.
> >
> > msc_new_transaction();
> > msc_process_connection(t);
> > msc_process_uri();
> >
> > I was not able to locate a description of the above APIs. If detailed
> > descriptions exist, please let me know where they are located.
> > Thanks.

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
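
The session-scoring pattern discussed in the thread, written out as a full rule chain in detection-only mode. This is an added example, not part of the original messages or of the ModSecurity project's own rules. The cookie name PHPSESSID, the rule ids 900070-900073 and the log messages are assumptions; the URI, the score increment and the threshold are the ones from the quoted rules.

```apache
# Added example, not from the thread. Cookie name, rule ids and messages are assumptions.

# Evaluate and log rule matches, but never block, deny or redirect.
SecRuleEngine DetectionOnly

# Initialize the SESSION collection, keyed by the application's session cookie,
# so that SESSION.* values set below are stored per session.
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "id:900070,phase:2,pass,nolog,t:none,\
    setsid:%{REQUEST_COOKIES.PHPSESSID}"

# Increment the per-session score each time the probe URI is requested.
SecRule REQUEST_URI "^/cgi-bin/finger$" \
    "id:900071,phase:2,pass,log,t:none,t:lowercase,t:normalizePath,\
    msg:'Request for /cgi-bin/finger',\
    setvar:SESSION.score=+10"

# Historical check: the score passes 50 on the sixth hit in one session.
SecRule SESSION:score "@gt 50" \
    "id:900072,phase:2,pass,log,\
    msg:'Session score %{SESSION.score} exceeds threshold',\
    setvar:SESSION.blocked=1"

# Every later request from a flagged session is reported; in DetectionOnly
# mode it is still allowed through.
SecRule SESSION:blocked "@eq 1" \
    "id:900073,phase:2,pass,log,msg:'Request from flagged session'"
```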