RE: [mod-security-users] mod_security + webmail + body message
From: Tomas H. S. <thi...@te...> - 2005-11-02 16:18:38
Thanks to both!! I am going to continue making tests with your indications.

According to table 12-1 of Ivan's book, I believe that THE_REQUEST = REQUEST_METHOD + REQUEST_URI + REQUEST_PROTOCOL.

How would it be formulated for POST_PAYLOAD? Is it the result of POST_PAYLOAD - THE_REQUEST? :-(

Is there some reference to learn more about HTTP headers?

Many thanks for your help.

Tomás Hidalgo Salvador
thi...@te...
Unix Systems Dept.
Tel.: 2333
DSF Almariya

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Saturday, 29 October 2005 21:09
To: Ryan Barnett
CC: Tomas Hidalgo Salvador; mod...@li...
Subject: Re: [mod-security-users] mod_security + webmail + body message

Ryan Barnett wrote:
> Tomas - Welcome to my world :) I have been using Apache/Mod_Security as
> a reverse proxy for Microsoft's Outlook Web Access and have run into this
> same issue. When you are dealing with webmail apps, it gets infinitely
> more difficult to fine tune your filters. This is due in most part from
> the concept of mixing HTTP and SMTP. We just have no way to forecast
> "expected behavior" for what people will write in the body of their
> emails.
>
> With that being said, you can try some of the following -
>
> 1) Turn off PostPayload scanning.
> This would certainly stop these errors, but then you would also not be
> monitoring a key area where attackers target.
>
> 2) Use SecFilterSelective instead of SecFilter
> SecFilter is too broad. SecFilterSelective will allow you to focus your
> search to specific request locations. The best locations to look for
> attacks (excluding the post payload) are THE_REQUEST, QUERY_STRING or
> choose some specific headers such as COOKIE_VALUES. So, an updated
> filter would look like this -
>
> SecFilterSelective "THE_REQUEST|COOKIE_VALUES" "/bin/chmod"

Just a small correction: here you really want to use COOKIES_VALUES,
because COOKIE_VALUES would only look in a cookie named "values".
COOKIES_VALUES (with an "S") examines all cookies present in a request.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
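
The scoping difference discussed in this thread, as an added example that is not part of the original messages and is not ModSecurity's own code: a simplified Python model of which request locations each rule form inspects. The two requests are constructed, POST scanning is assumed to be on, and matching the `COOKIE_<name>` suffix case-insensitively is an assumption of the model.

```python
import re

PATTERN = "/bin/chmod"  # the pattern from the filter quoted in the thread

def locations(req):
    """Map location names to the text each covers (simplified model)."""
    cookies = req.get("cookies", {})
    locs = {
        # THE_REQUEST = method + URI + protocol, i.e. the request line
        "THE_REQUEST": f'{req["method"]} {req["uri"]} {req["protocol"]}',
        "POST_PAYLOAD": req.get("body", ""),
        # COOKIES_VALUES (with an "S"): the values of all cookies
        "COOKIES_VALUES": "\n".join(cookies.values()),
    }
    for name, value in cookies.items():
        # COOKIE_<name>: one named cookie only (case handling is assumed)
        locs["COOKIE_" + name.upper()] = value
    return locs

def sec_filter(req, pattern):
    """Broad SecFilter: request line plus POST payload."""
    locs = locations(req)
    return any(re.search(pattern, locs[k]) for k in ("THE_REQUEST", "POST_PAYLOAD"))

def sec_filter_selective(req, spec, pattern):
    """SecFilterSelective: only the locations named in 'A|B|C'."""
    locs = locations(req)
    return any(re.search(pattern, locs.get(name, "")) for name in spec.split("|"))

# Constructed sample: a legitimate webmail message that mentions the string.
webmail = {
    "method": "POST", "uri": "/webmail/send", "protocol": "HTTP/1.1",
    "cookies": {"session": "abc123"},
    "body": "subject=help&body=please run /bin/chmod 755 on the script",
}
# Constructed sample: the string arrives in a cookie that is not named "values".
cookie_probe = {
    "method": "GET", "uri": "/index.php", "protocol": "HTTP/1.1",
    "cookies": {"prefs": "x; /bin/chmod 777 /tmp/a"},
}

if __name__ == "__main__":
    for label, req in (("webmail", webmail), ("cookie_probe", cookie_probe)):
        print(label,
              "SecFilter:", sec_filter(req, PATTERN),
              "COOKIE_VALUES:", sec_filter_selective(req, "THE_REQUEST|COOKIE_VALUES", PATTERN),
              "COOKIES_VALUES:", sec_filter_selective(req, "THE_REQUEST|COOKIES_VALUES", PATTERN))
```

The broad rule flags the mail body, the `COOKIE_VALUES` form misses the cookie request entirely, and the `COOKIES_VALUES` form catches it without touching the mail body.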