Re: [mod-security-users] Rules manageability
Brought to you by:
victorhora,
zimmerletw
From: Ofer S. <OferS@Breach.com> - 2007-06-19 09:12:57
|
Added it to the feature requests =20 ~ Ofer =20 From: Marc Stern [mailto:mar...@ad...]=20 Sent: Tuesday, June 19, 2007 9:58 AM To: Ofer Shezaf Cc: Christian Bockermann; Mod Security Subject: Re: [mod-security-users] Rules manageability =20 Yes, that's my question ;-) You seem to be quite positive about that, so I feel confident ... Marc Ofer Shezaf wrote:=20 Do you mean to offer the @contained operator for the a coming version? I think it is the only thing missing to make the method below work.=20 =20 ~ Ofer=20 =20 From: Marc Stern [mailto:mar...@ad...]=20 Sent: Monday, June 18, 2007 10:38 AM To: Ofer Shezaf Cc: Christian Bockermann; Mod Security Subject: Re: [mod-security-users] Rules manageability=20 =20 Here is one way to easily handle order: I use a separate conf file for security (pointing to other ones) - say "security.conf". I use a separate conf file for all proxy path handling - say "proxy.conf". The trick is to include "security.conf" *before* "proxy.conf", and have the rule inside a location, like:=20 * proxy.conf * <Location "/webdav"> ... SecAction "setvar:rx.allowed_method=3D'%{TX.ALLOWED_METHODS},PUT,DELETE,...'" phase:2 ... </Location> * security.conf * SecAction "setvar:rx.allowed_method=3D'GET,POST,HEAD',%{TX.ALLOWED_METHODS}" <Location "/"> SecRule REQUEST_METHOD "!@contained %{TX.ALLOWED_METHODS}" <mailto:%21@contained%25%7bTX.ALLOWED_METHODS%7d> phase:2 </Location>=20 Another solution is indeed to use:=20 * proxy.conf * SecRule REQUEST_FILENAME "/webdav" "phase:1,pass,nolog,setvar:tx.allowed_methods=3D...." * security.conf * SecAction "setvar:rx.allowed_method=3D'GET,POST,HEAD',%{TX.ALLOWED_METHODS}" SecRule REQUEST_METHOD "!@contained %{TX.ALLOWED_METHODS}" <mailto:%21@contained%25%7bTX.ALLOWED_METHODS%7d> phase:1=20 This one is better regarding security, as we can use it in phase 1. It may be a bit less readable, especially if you already have a big location with a lot of directive, so this is really a matter of personal style I guess. Anyway, both solutions would work. Ofer, could you propose this as an enhancement for (a) next version ? Thanks Marc Ofer Shezaf wrote:=20 =20 Christian wrote: =20 =20 Interestingly enough we are getting closer to your request: =20 =20 - We have request parameters - the tx collection. =20 - We have variable substitution in rules - the new non regexp =20 operators =20 such as @contains or @streq accept variable substitution in their =20 operand. =20 - We have variable substitution in actions so you can modify =20 =20 So you could maintain a tx variable containing your condition, =20 modify it =20 in a directory scope and use a single rule to test against the =20 =20 current =20 =20 value of the condition variable. =20 =20 Why aren't we there: =20 - The only thing you can do to your condition variable is add to it =20 =20 or =20 =20 replace it. No fancy string manipulation. =20 - The current operators that allow variables are pretty limited and =20 are =20 ill-adjusted to such logic as they assume the operand is part of the =20 input and not visa-versa. =20 =20 But let's assume that we would have the operator @contained =20 (opposite of =20 @contains). You could do something like that: =20 =20 SecAction "setvar:rx.allowed_method=3D'GET,POST,HEAD'" =20 =20 <Location "/webdav"> =20 SecAction =20 =09 "setvar:rx.allowed_method=3D'%{TX.ALLOWED_METHODS},PUT,DELETE.....'" =20 </Location> =20 =20 SecRule REQUEST_METHOD "!@contained %{TX.ALLOWED_METHODS}" <mailto:%21@contained%25%7bTX.ALLOWED_METHODS%7d> =20 One issue I'm not sure about is order of execution. Details... =20 =20 =20 Having looked at that I have some questions/additions: =20 =20 - setvar:rx.allowed... is meant to be setvar:tx.allowed... ? I do ask this, because using tables is sometimes a bit tricky. =20 =20 =20 =20 Yes, tx of-course. This is not a production code and as you pointed =20 later, not very useful. =20 =20 =20 - All this has to be done with phase:2 set as the =20 =20 Location-directives =20 =20 are not applied before phase-2. =20 =20 =20 True. Though sub-sectioning can be done also using a rule: =20 =20 SecRule REQUEST_FILENAME "/webdav" =20 "pass,nolog,setvar:tx.allowed_methods=3D...." =20 =20 =20 - According to Marc's e-mail I do not see the benefit of this =20 complex =20 =20 way of specifying the allowed methods for a sub-context. Just =20 =20 using =20 =20 SecRemoveRuleById and writing a new rule seems somewhat more readable =20 and cleaner to me: =20 =20 SecRule REQUEST_METHOD !^(GET|POST|HEAD)$ "phase:2,id:123" =20 =20 <Location "/webdav"> =20 SecRuleInheritance On =20 SecRuleRemoveById 123 =20 =20 SecRule REQUEST_METHOD !^(GET|POST|PUT|DELETE)$ "phase:2" =20 </Location> =20 =20 =20 The problem Marc raised, and I find very true, is that using =20 SecRemoveById completely eliminates the original, so updates to the =20 original are not preserved. Using TX, if a new method is added to the =20 original (GET|POST|HEAD), it would be propagated to the sub context. =20 Using SecRuleRemoveByID is would not. =20 =20 Saying that, my code was just a demonstration of a potential roadmap. I even used a non-existing operator. Today, only your way will work. =20 =20 =20 =20 The complex tx-table setup (Don't get me wrong - I really like =20 ModSecurity's tables and use them a lot) does not help on forgetting =20 "replacement-rules" - or did I miss anything? =20 =20 Using chained rules you could also have your specialized rules in =20 one part of your conf-file - which might help on the "forgetting"- =20 thing: =20 =20 # specialized rule for webdav-app/location =20 # =20 SecRule REQUEST_URI ^/webdav "phase:2,chain,skip:1,id:123" =20 SecRule ARGS "@validateByteRange 5,9,10,13,32-126" =20 =20 # general rule for all other webapps =20 # =20 SecRule ARGS "@validateByteRange 9, 10,13,32-126" "phase:2,id:123" =20 =20 As the first two lines are glued together by "chain", this snippet =20 defines exactly 2 rules of which the last one is skipped in case of =20 the uri starting with /webdav =20 =20 These a just my two cent. I think this is somewhat related to "style" =20 on writing rulesets and thus a quite nice topic for discussing. Perhaps there are other advices on how to handle that ;-) =20 =20 =20 =20 I hope I made it clear where I think it is not style anymore: when you =20 copy the original rule when making an exception, you lose any future =20 changes to the original rule. Ideally exceptions could be a delta from =20 the existing rule and not copy it. We are not there yet. =20 =20 Another upcoming addition to ModSecurity engine that will help in this =20 would be a RemoveByID action. It will enable the use other request parts such as source IP or a parameter value as exception conditions. Since =20 SecRemoveRuleByID is currently a directive it is limited to the global =20 scope or to Apache location scopes. =20 =20 ~ Ofer =20 =20 =20 =20 -----Original Message----- =20 From: mod...@li... [mailto:mod- =20 sec...@li...] On Behalf Of Marc =20 =20 Stern =20 =20 Sent: Friday, June 15, 2007 12:43 PM =20 To: Mod Security =20 Subject: [mod-security-users] Rules manageability =20 =20 I'm quite prolix today ;-) =20 =20 I'm trying to find a better way to manage some rules, depending on =20 the =20 location. This is very important in the context of a reverse proxy =20 serving several applications. =20 =20 Concrete example (just one between others): I'm blocking, by =20 =20 default, =20 =20 all characters outside some ranges =20 SecRule ARGS "@validateByteRange 9, 10, 13, 32-126" =20 phase:2,id:xxx =20 =20 In case I have an application using another character (say 5), the =20 =20 only =20 =20 ways I found to have it working are =20 - adding the character for all applications (easy but insecure =20 approach) =20 - inside the location, remove the rule, and create a brand new one =20 Although the second approach is better regarding security, it is =20 quite =20 difficult to manage; if I ever want to modify the main rule (xxx), =20 =20 I =20 =20 do =20 =20 not have to forget to change all "replacement" rules for the =20 different =20 locations. =20 =20 Is there a way, maybe with the new features in the development =20 =20 version, =20 =20 to do something like =20 - define a variable containing a range (or the complete rule =20 =20 string =20 =20 like "@validateByteRange 9, 10, 13, 32-126") =20 - inside each location, extend this variable with additional data =20 - check the rule against the variable =20 =20 Any other mechanism is obviously welcome. =20 =20 Marc =20 =20 =20 =20 =20 =20 |