Re: [mod-security-users] mod_security enhancement idea
From: Ivan R. <iva...@gm...> - 2006-04-10 19:51:35
On 4/10/06, joe barbish <joe...@ya...> wrote:
> mod_security enhancement idea

Hi Joe,

Thank you for your suggestions. As Ryan mentioned what you're after is already supported in ModSecurity. Simply allow what's allowed and deny everything else.

> This is fine if you are an internet security expert and want to analyze and
> capture the different methods used by attackers of web application.
> Mod_security is the perfectly designed tool for this task.

That's very flattering. It's not there yet but v2 will come much closer.

> This is not simple coding logic and this technique is not documented or even
> hinted at in the manual.

There are many things that are not documented nor hinted at in the manual. That's because it's a reference manual. Its main purpose is to document the individual features. A book on ModSecurity, when and if I write it, will be a comprehensive source of information on what's possible to do with ModSecurity.

> The usefulness of mod_security can be increased while becoming more user
> friendly by making a few tweaks to mod_security's source code.
>
> What I propose is this,
>
> Change secfilterengine on|off to
>
> secfilterengine on_exclusive | on_inclusive | off

That would actually make the configuration process more complex because the operation of individual rules would no longer depend on the rule itself, but on the configuration of the engine too. Meaning, one would not be able to just publish a rule set for any particular purpose. Furthermore, it would prevent a combination of approaches from being used (e.g. inclusive *and* exclusive, using your terminology, at the same time).

> To a non-technical user this is straightforward and makes logical sense
> when read.

It would be even easier to have a directive that simply points to the list of acceptable resources. However, that would not solve the bigger issue. The target resource is not the only relevant parameter; you are not taking into account script parameters, cookies, parameters embedded in headers or in the URI itself.

> The concept of only having to add a rule for each script that makes up the
> web application requires no technical comprehension of how a web server
> processes requests and is really on target for the general home hobbyist
> level of understanding and needs.

I am afraid that is not the target user level for ModSecurity. A nice & friendly GUI is a much better choice for those that do not wish to immerse themselves deep into web security issues.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
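The approach Ivan describes, "allow what's allowed and deny everything else", written out as a ModSecurity 1.x (SecFilter-era) configuration fragment. This is an added illustration, not code from the thread or from the ModSecurity project; the application paths, parameter names, cookie name and value formats are constructed for the example and would differ for any real application. It also covers Ivan's second point: the allowed resources are listed, but the script parameters, cookies and headers are constrained as well, so a request to a permitted script with unexpected input is still denied.

```apache
# Added example: a positive-security (allow-list) rule set for ModSecurity 1.x.
# Paths, parameter names, cookie name and formats below are constructed for
# this illustration; they are not taken from the thread.

SecFilterEngine On
SecFilterScanPOST On

# Anything a later rule does not explicitly let through is rejected.
SecFilterDefaultAction "deny,log,status:403"

# 1. Only the scripts that make up the application may be requested.
#    The leading "!" negates the pattern: a URI outside this set is denied.
SecFilterSelective REQUEST_URI "!^/(index\.php|search\.php|login\.php)$"

# 2. Only the request methods the application actually uses.
SecFilterSelective REQUEST_METHOD "!^(GET|POST)$"

# 3. Only known parameter names, each with a tight value format
#    (constructed: "q" is a short search string, "page" a small integer).
SecFilterSelective ARGS_NAMES "!^(q|page)$"
SecFilterSelective ARG_q "!^[A-Za-z0-9 ]{0,64}$"
SecFilterSelective ARG_page "!^[0-9]{1,4}$"

# 4. Cookies and headers are inputs too; constrain them the same way
#    (constructed: a 32-character hexadecimal session id).
SecFilterSelective COOKIE_PHPSESSID "!^[a-f0-9]{32}$"
SecFilterSelective HTTP_User-Agent "!^[\x20-\x7e]{1,256}$"
```

The rules here are ordinary `SecFilterSelective` rules with negated patterns, so they need no change to `SecFilterEngine`: the engine stays `On`, and the allow-list behaviour comes entirely from the rules and the default action, which is why they can be published and combined with negative-model rules in the same configuration. The cost is that the list has to be kept in step with the application; every new script, parameter or cookie needs a matching rule, which is the maintenance burden Ivan alludes to when he says a resource list alone would not solve the bigger issue.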