Re: [mod-security-users] modsecurity and spam in OWA
From: Ivan R. <iv...@we...> - 2005-12-16 16:58:57
Jason Haar wrote:
> This may sound like a feature instead of a bug, but I thought it might
> reflect how complex Web security can actually be...
>
> We use an Apache reverse-proxy to protect a Microsoft Outlook Web Access
> (OWA) server, and I have modsecurity-1.9.1 in there doing its thing.
>
> However, I just found it blocked me from reading some nice Asian spam
> someone kindly thought to send me:
>
> GET
> /exchange/username/Inbox/%E4%B8%8A%E7%BD%91%E9%A1%BA%E5%B8%A6%E6%8C%A3%E7%BE%8E%E5%85%83.EML?Cmd=open
> HTTP/1.1
>
> (OWA creates links to each msg based on the Subject line)
>
> Anyway, I had "SecFilterForceByteRange 32 126" and it blocked that URL
> as there was a char 228 in there
>
> Sooo, what should I block instead? Given the fact that the Webapp needs
> to present almost any char (i.e. assuming a Subject line could contain
> any char), could I do an exclusion list instead? i.e. accept everything
> other than NULL, etc? And if so, can someone tell me what "etc" should
> actually be? ;-)

I've been thinking about that a lot recently. The solution is probably in
anomaly detection using statistics or neural networks. Here's an
interesting paper on the subject:

http://www.cs.ucsb.edu/~vigna/pub/2005_kruegel_vigna_robertson_CN05.pdf

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
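The byte-range question in the thread can be worked through concretely. The script below is an added illustration written for this archive page; it is not ModSecurity code and not something either poster wrote. It re-implements, in Python, what a `SecFilterForceByteRange lo hi` check does to the percent-decoded request URI (an assumption about the directive's behaviour drawn from the post itself: the decoded subject byte 228 = 0xE4 fell outside 32-126 and the request was blocked), and then compares three policies against the OWA link from the post plus three constructed attack-style paths: the original 32-126 range, the "everything except NUL" range 1-255 that Jason asks about, and an "etc" policy that also rejects C0 control bytes (CR/LF, tab, ESC) and anything that is not well-formed UTF-8. The constructed sample paths, the function names and the third policy are all this example's own choices.

```python
from urllib.parse import unquote_to_bytes

# --- Sample request paths (constructed for this example) ----------------------
# The OWA link quoted in the post: a UTF-8 encoded Chinese subject line.
OWA_PATH = ("/exchange/username/Inbox/"
            "%E4%B8%8A%E7%BD%91%E9%A1%BA%E5%B8%A6%E6%8C%A3%E7%BE%8E%E5%85%83.EML"
            "?Cmd=open")
# Constructed: embedded NUL byte, the classic truncation trick.
NUL_PATH = "/exchange/username/Inbox/report.EML%00.txt?Cmd=open"
# Constructed: CR/LF in the path, as used for header/response splitting.
CRLF_PATH = "/exchange/username/Inbox/x%0d%0aSet-Cookie:%20a=b.EML?Cmd=open"
# Constructed: a truncated multi-byte sequence (0xE4 0xB8 then '.').
BAD_UTF8_PATH = "/exchange/username/Inbox/%E4%B8.EML?Cmd=open"


def decode_path(path: str) -> bytes:
    """Percent-decode the raw URI into bytes, the view a byte-range filter sees."""
    return unquote_to_bytes(path)


def first_byte_outside(data: bytes, lo: int, hi: int):
    """Return the first byte not in [lo, hi], or None if every byte is in range.

    This mirrors (as an assumption) what "SecFilterForceByteRange lo hi" enforces.
    """
    for b in data:
        if b < lo or b > hi:
            return b
    return None


def passes_byte_range(path: str, lo: int, hi: int) -> bool:
    """True if the decoded path would survive a lo-hi byte-range filter."""
    return first_byte_outside(decode_path(path), lo, hi) is None


def check_exclusion_policy(path: str):
    """The 'accept everything except NUL, etc.' policy, with a concrete 'etc'.

    Rejects: NUL, any other C0 control byte (0x01-0x1F), DEL (0x7F), and byte
    sequences that are not well-formed UTF-8.  Returns (accepted, reason).
    """
    data = decode_path(path)
    if b"\x00" in data:
        return False, "NUL byte in decoded path"
    for b in data:
        if b < 0x20 or b == 0x7F:
            return False, "control byte 0x%02x in decoded path" % b
    try:
        data.decode("utf-8")           # strict: rejects overlongs and truncation
    except UnicodeDecodeError as exc:
        return False, "not well-formed UTF-8: %s" % exc.reason
    return True, "ok"


def evaluate(path: str) -> dict:
    """Run all three policies over one path; used by the table below."""
    ok, reason = check_exclusion_policy(path)
    return {
        "range_32_126": passes_byte_range(path, 32, 126),
        "range_1_255": passes_byte_range(path, 1, 255),
        "exclusion_policy": ok,
        "reason": reason,
    }


if __name__ == "__main__":
    samples = [("OWA subject", OWA_PATH), ("NUL inject", NUL_PATH),
               ("CRLF inject", CRLF_PATH), ("bad UTF-8", BAD_UTF8_PATH)]
    print("%-12s %-12s %-11s %-16s %s" %
          ("sample", "32..126", "1..255", "exclusion", "reason"))
    for name, path in samples:
        r = evaluate(path)
        print("%-12s %-12s %-11s %-16s %s" %
              (name, r["range_32_126"], r["range_1_255"],
               r["exclusion_policy"], r["reason"]))
```

Running it shows the trade-off behind the question: the 32-126 range rejects the legitimate OWA link on its first non-ASCII byte, the 1-255 range lets the OWA link through and still catches the NUL byte, but it also lets CR/LF through because bytes 10 and 13 are inside 1-255. The exclusion policy accepts the UTF-8 subject while rejecting all three constructed inputs, which is one concrete reading of the "etc" Jason asks about; what belongs in that list is still an application decision, since a subject line that legitimately contains a tab or an unusual encoding would need a further exception.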