Re: [mod-security-users] IS this firewall code bullet proof
From: Ivan R. <iva...@gm...> - 2006-04-15 09:37:57
On 4/14/06, joe barbish <joe...@ya...> wrote:
>
> I am interested in knowing if there is any other generic type rules I need
> to add to this web application rule set to make it more secure? Have I
> covered all the different request types?
>
> ############# Start of mandatory directives ###################
> # Turn the filtering engine on or off
> SecFilterEngine On
> # Normalize cookie support
> SecFilterNormalizeCookies On
> # Enable version 1 (RFC 2965) cookies
> SecFilterCookieFormat 1
Why did you decide to go with 1 here? I see you are using PHP and PHP
only supports version 0 cookies.
> # The logon membership process
> # This script contains both the show form and process form functions.
> # Need one rule to allow the show form function
> # and second rule chained to the POST_PAYLOAD rule for
> # the process form function.
> SecFilterSelective REQUEST_URI "^/logon.php$" allow
> SecFilterSelective REQUEST_URI "^/logon.php$" chain
You don't need (nor want) the first of the two lines above. The first
line will allow the transaction to proceed based only on the URI.
Invalid values for parameters would be allowed.
> SecFilterSelective COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" chain
> SecFilterSelective POST_PAYLOAD \
> "^id=[0-9a-z]{15,}$ \
> &pw=[0-9a-z]{15,}$ \
> &userdigit=[0-9a-z]{5,}$ \
> &submit=Submit$"
I don't see the above working. You are using multiple lines but you
may not be realising the empty space at the beginning of every new
line is becoming part of the regular expression. You should use one
rule per variable you want checked.
> allow
>
> # The sign up membership process
> # This script contains show form and process form functions.
> # Need one rule to allow the show form function
> # and second rule chained to the POST_PAYLOAD rule for
> # the process form function.
> SecFilterSelective REQUEST_URI "^/signup.php$" allow
> SecFilterSelective REQUEST_URI "^/signup.php$" chain
> SecFilterSelective COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" chain
The above will not allow requests that do not have the cookie set.
> All feedback is welcome.
You should test your configuration using real-life examples. There's a
nice utility included in the ModSecurity distribution, run-test.pl,
which sends a raw request (contained in a file) to the web server.
What you need to do is gather a bunch of requests, some valid some
not, throw them against your web server and verify the response status
codes are as you want them to be. That's the only way to foolproof
your configuration.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
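To make the reply's point about the multi-line POST_PAYLOAD rule concrete, here is an added Python example (not from the thread and not ModSecurity code) that models the quoted rule as one pattern, assembled with the continuation lines' leading whitespace as the reply describes, beside a validator that checks one pattern per parameter. The sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# The quoted POST_PAYLOAD rule assembled as a single pattern. Per the reply, each
# continued line contributes its leading space; on top of that, the "$" anchors in
# the middle of the pattern make it unmatchable, because "$" can only match at the
# end of the body (or before a final newline), never in front of a literal " &".
MONOLITHIC_PATTERN = (
    r"^id=[0-9a-z]{15,}$ "
    r"&pw=[0-9a-z]{15,}$ "
    r"&userdigit=[0-9a-z]{5,}$ "
    r"&submit=Submit$"
)

# One pattern per variable, the structure the reply recommends (one rule per
# variable in ModSecurity terms). Exactly these parameters must be present, so the
# request is allowed only when every field is well-formed and nothing extra is sent.
PER_VARIABLE = {
    "id": r"[0-9a-z]{15,}",
    "pw": r"[0-9a-z]{15,}",
    "userdigit": r"[0-9a-z]{5,}",
    "submit": r"Submit",
}


def monolithic_allows(body: str) -> bool:
    """True if the single multi-line pattern matches the raw body (it never does)."""
    return re.search(MONOLITHIC_PATTERN, body) is not None


def per_variable_allows(body: str) -> bool:
    """True only if the body carries exactly the expected parameters and each value
    matches its own pattern. fullmatch is used so a trailing newline or appended
    data cannot slip past a pattern that ends in "$"."""
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes the values
    if set(params) != set(PER_VARIABLE):
        return False  # missing or unexpected parameter
    for name, pattern in PER_VARIABLE.items():
        values = params[name]
        if len(values) != 1 or re.fullmatch(pattern, values[0]) is None:
            return False  # repeated parameter or malformed value
    return True


# Constructed sample bodies: one well-formed logon and two that should be rejected.
VALID_BODY = "id=abcdefghijklmno&pw=0123456789abcde&userdigit=42042&submit=Submit"
SHORT_ID_BODY = "id=abc&pw=0123456789abcde&userdigit=42042&submit=Submit"
EXTRA_PARAM_BODY = VALID_BODY + "&debug=1"

if __name__ == "__main__":
    for label, body in [("valid", VALID_BODY), ("short id", SHORT_ID_BODY), ("extra", EXTRA_PARAM_BODY)]:
        print(f"{label}: monolithic={monolithic_allows(body)} per_variable={per_variable_allows(body)}")
```

Run it and the valid body is rejected by the monolithic pattern but accepted by the per-variable check, which is the behaviour the reply's "one rule per variable" advice is after.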