Well, I looked quickly on the Internet and it seems that it could happen
with IE-specific websites:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp
Two other questions:
- Do you think you'll provide a simple tool to automatically download new
  rulesets, compare them with the ones in production, detect changes and
  integrate them in the production environment, like the "rule-du-jour"
  script for spamassassin?
- Do you know if a modsecurity log analysis tool exists? One that could
  generate a human-readable report daily with the different events
  detected or blocked?
Thanks very much for your help !
Regards,
Thomas.
-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, 1 February 2006 13:23
To: CASTELLE Thomas
Cc: mod...@li...
Subject: Re: [mod-security-users] mod_security rules feature request +
production tools ?
CASTELLE Thomas wrote:
> Hello everybody,
>
> The new mod_security rules project is a great thing. It is more generic
> than the gotroot.com files, and the files are smaller (which is, I
> think, good for performance).
>
> However, I have 2 small modification requests :
>
> - Could you add "id" and "rev" meta-data to each rule, so that we can
> exclude specific rules when the protected website matches false
> positives.
> It could also allow us to run automatic updates by detecting new rules
> or changes on existing rules.
Yes. That's mostly the reason why the rules are still in beta.
As soon as I assign IDs to them they will be moved to production
status.
> - Could you modify the "JavaScript event handlers" rules, because it
> seems too generic to me.
>
> Couldn't :
> "SecFilterSelective ARGS "onSelect""
> be instead :
> "SecFilterSelective ARGS
> "onSelect[[:space:]]*=|=[[:space:]]*onSelect"
>
> For instance, some of our websites match this because of
> "http://blablabla/test?task=ValidationSelection"
Makes sense. Which case would =[[:space:]]*onSelect" match?
-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
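
The narrowing proposed in the thread, checked against constructed argument strings (an added example, not part of the original messages). It assumes case-insensitive matching and writes [[:space:]] as \s for Python; the group names, helper functions and sample values are made up for the illustration.

```python
import re

# Python's re has no POSIX classes, so [[:space:]] is written as \s.
# Case-insensitive matching is an assumption made for this example.
BROAD = re.compile(r"onSelect", re.IGNORECASE)
# The narrowed rule; each alternative is named so we can see which one fired.
NARROW = re.compile(
    r"(?P<handler_assign>onSelect\s*=)|(?P<value_start>=\s*onSelect)",
    re.IGNORECASE,
)

# Constructed samples: (argument string, is it really an event-handler attribute?)
SAMPLES = [
    ("task=ValidationSelection", False),  # false positive reported in the thread
    ("view=personSelector&id=4", False),
    ("sort=onSelectedDate", False),
    ("page=2&lang=en", False),
    ('comment=<input onSelect="f()">', True),
    ("comment=<input onselect = f()>", True),
]


def false_positives(rule):
    """Benign samples that the rule would flag."""
    return [v for v, is_handler in SAMPLES if not is_handler and rule.search(v)]


def missed(rule):
    """Event-handler samples that the rule would let through."""
    return [v for v, is_handler in SAMPLES if is_handler and not rule.search(v)]


def branch(value):
    """Name of the NARROW alternative that matched first, or None."""
    m = NARROW.search(value)
    return m.lastgroup if m else None


if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("narrow", NARROW)):
        print(name, "false positives:", false_positives(rule),
              "missed:", missed(rule))
    for value, _ in SAMPLES:
        print(f"{value!r:36} -> {branch(value)}")
```

Among these samples the only remaining false positive comes from the `=[[:space:]]*onSelect` alternative, which fires whenever a parameter value begins with "onSelect".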