mod-security-developers Mailing List for ModSecurity (Page 12)
Brought to you by:
victorhora,
zimmerletw
From: Felipe C. <FC...@tr...> - 2015-12-08 13:04:21

Hi Gryzli,

Thank you for the report.

Do not use the @inspectFile with variables that you don't have control over. @inspectFile was originally created to be used with the FILES_TMPNAMES [1] as cited on the example: [2]. The content of FILES_TMPNAMES is generated by ModSecurity, therefore we don't need to escape.

I think your concern is more than valid. I am adding a note at the Reference manual, so that other users will not use it in this fashion.

Maybe what you are looking for is to use the Lua engine [3]. Using the Lua engine, you will be able to fetch the variables using:

m.getvar("FULL_REQUEST");

Notice that using FULL_REQUEST is not always a good practice because it may drop the performance of your server a little bit.

For ModSecurity version 3, the @inspectFile may not be necessary anymore. We wish to support natively:

- Ruby
- Python
- Lua
- Any other suggestion?

(Moving this discussion to mod...@li...)

[1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#files_tmpnames
[2] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#inspectfile
[3] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrulescript

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On 12/8/15, 4:50 AM, "Gryzli Bugbear" <gry...@gm...> wrote:

>Hi all,
>
>I'm trying to make some rules work, and see some very strange behaviour.
>
>I have the following rule in mod_security:
>---
>SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" "id:159, deny,
>status:406, phase:2"
>---
>
>When I pass some request to Apache I get bunch of logs in error_log
>looking like this:
>=========
>/bin/sh: line 2: Host:: command not found
>/bin/sh: line 3: Connection:: command not found
>/bin/sh: line 4: Accept:: command not found
>/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>/bin/sh: -c: line 6: syntax error near unexpected token `('
>/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>/bin/sh: line 2: Host:: command not found
>/bin/sh: line 3: Connection:: command not found
>/bin/sh: line 4: Accept:: command not found
>/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>/bin/sh: -c: line 6: syntax error near unexpected token `('
>/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>===========
>
>It seems that ModSecurity is unable to correctly escape the arguments,
>which must be sent to the /tmp/test_script.pl, which results to execution
>tries in /bin/sh.
>
>This behavior looks extremely dangerous, cause attacker could easily use
>it to execute malicious code with Apache user.
>
>Is this a bug, or there is an option to make ModSecurity escape correctly
>the arguments passed ?
>
>Regards,
>Gryzli

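What the error_log in this thread shows, modelled as an added example (not part of the original messages and not ModSecurity's code): a multi-line value pasted into a command line that `/bin/sh -c` parses is split into separate commands, while the same value handed over as one `execv` argument reaches the helper unchanged. `/bin/echo` stands in for the inspection script and `SAMPLE` is a constructed request; both are assumptions.

```c
/* Added illustration; not ModSecurity source code. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a harmless multi-line value shaped like FULL_REQUEST. */
static const char SAMPLE[] =
    "GET / HTTP/1.1\n"
    "Host: example.test\n"
    "Connection: close";

/* Run argv[0] with the given argument vector and capture its stdout.
 * Returns the number of bytes captured, or -1 on error. */
static long capture(char *const argv[], char *out, size_t cap)
{
    int fds[2];
    if (cap == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdout goes to the pipe; stderr is discarded so the
         * shell's "command not found" messages stay off the terminal. */
        int devnull = open("/dev/null", O_WRONLY);
        dup2(fds[1], STDOUT_FILENO);
        if (devnull >= 0)
            dup2(devnull, STDERR_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n < cap - 1 && (r = read(fds[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (long)n;
}

/* /bin/echo prints its argument plus '\n'; check the value arrived whole. */
static int arrived_intact(const char *out, const char *value)
{
    size_t len = strlen(value);
    return strlen(out) == len + 1 && memcmp(out, value, len) == 0
           && out[len] == '\n';
}

/* Weak form: the value is pasted into a command line that /bin/sh parses,
 * so every newline in it starts a new shell command. */
static int helper_sees_value_via_shell(const char *helper, const char *value)
{
    char cmd[1024], out[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s", helper, value);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    if (capture(argv, out, sizeof out) < 0)
        return -1;
    return arrived_intact(out, value);
}

/* Hardened form: no shell is involved; the value is exactly one argv
 * element, whatever characters it contains. */
static int helper_sees_value_via_argv(const char *helper, const char *value)
{
    char out[1024];
    char *argv[] = { (char *)helper, (char *)value, NULL };
    if (capture(argv, out, sizeof out) < 0)
        return -1;
    return arrived_intact(out, value);
}

int main(void)
{
    printf("via /bin/sh -c : intact=%d\n",
           helper_sees_value_via_shell("/bin/echo", SAMPLE));
    printf("via execv argv : intact=%d\n",
           helper_sees_value_via_argv("/bin/echo", SAMPLE));
    return 0;
}
```
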
From: Felipe C. <FC...@tr...> - 2015-11-16 18:39:41

Hi Christian,

It is natural that you cannot build the mlogc without the curl dependency, as it is a mandatory dependency.

I will try to investigate the semaphore issue. Meanwhile, you may want to manually clean up the semaphores. Here is what we use on our buildbots:
https://gist.github.com/zimmerle/f4fd10f9b0485abb4872

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: "chr...@go..." <chr...@go...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Monday, November 16, 2015 at 11:21 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-developers] Reply: Re: compile modsecurity --with-curl=no

Hi Felipe,

my question is related to the semaphore issue:
https://sourceforge.net/p/mod-security/mailman/message/34613832/

No, I didn't manage to compile mlogc using "--with-curl=no". The mlogc binary will simply not be built. Anyway, building mlogc without curl is no longer important to me. The basic problem is the semaphore issue.

I would be very grateful, if the semaphore problem could be addressed. It seems like many others have the same issue. Maybe you get some idea how to figure out the problem, if you read my post about the semaphore issue.

Best regards,
Christian

From: Felipe Costa <FC...@tr...>
To: "mod...@li..." <mod...@li...>
Date: 13.11.2015 22:40
Subject: Re: [Mod-security-developers] compile modsecurity --with-curl=no

Hi Christian,

Mlogc depends on curl to submit the logs to the target host. Did you manage to compile the mlogc while using --with-curl=no ?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: "chr...@go..." <chr...@go...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Monday, November 2, 2015 at 8:34 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-developers] compile modsecurity --with-curl=no

Dear developers,

I searched the mailing lists and google for my question, but didn't find anything. Hopefully this is the right place to ask my question.

We use a modified apache httpd (2.2.29) with modsecurity 2.9.0 on RHEL 6.6 (64bit). On graceful restarts of the httpd the number of semaphore arrays start to increase till they reach the limit of 128 when mlogc is enabled. The support of the modified httpd suggested to compile modsecurity "--with-curl=no". The number of semaphore arrays is not increasing anymore.

Now my question is which impact will this option have on modsecurity/mlogc?

Thanks in advance,
Christian

From: <chr...@go...> - 2015-11-16 14:21:58

Hi Felipe,

my question is related to the semaphore issue:
https://sourceforge.net/p/mod-security/mailman/message/34613832/

No, I didn't manage to compile mlogc using "--with-curl=no". The mlogc binary will simply not be built. Anyway, building mlogc without curl is no longer important to me. The basic problem is the semaphore issue.

I would be very grateful, if the semaphore problem could be addressed. It seems like many others have the same issue. Maybe you get some idea how to figure out the problem, if you read my post about the semaphore issue.

Best regards,
Christian

From: Felipe Costa <FC...@tr...>
To: "mod...@li..." <mod...@li...>
Date: 13.11.2015 22:40
Subject: Re: [Mod-security-developers] compile modsecurity --with-curl=no

Hi Christian,

Mlogc depends on curl to submit the logs to the target host. Did you manage to compile the mlogc while using --with-curl=no ?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: "chr...@go..." <chr...@go...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Monday, November 2, 2015 at 8:34 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-developers] compile modsecurity --with-curl=no

Dear developers,

I searched the mailing lists and google for my question, but didn't find anything. Hopefully this is the right place to ask my question.

We use a modified apache httpd (2.2.29) with modsecurity 2.9.0 on RHEL 6.6 (64bit). On graceful restarts of the httpd the number of semaphore arrays start to increase till they reach the limit of 128 when mlogc is enabled. The support of the modified httpd suggested to compile modsecurity "--with-curl=no". The number of semaphore arrays is not increasing anymore.

Now my question is which impact will this option have on modsecurity/mlogc?

Thanks in advance,
Christian

From: Felipe C. <FC...@tr...> - 2015-11-13 21:39:34

Hi Christian,

Mlogc depends on curl to submit the logs to the target host. Did you manage to compile the mlogc while using --with-curl=no ?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: "chr...@go..." <chr...@go...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Monday, November 2, 2015 at 8:34 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-developers] compile modsecurity --with-curl=no

Dear developers,

I searched the mailing lists and google for my question, but didn't find anything. Hopefully this is the right place to ask my question.

We use a modified apache httpd (2.2.29) with modsecurity 2.9.0 on RHEL 6.6 (64bit). On graceful restarts of the httpd the number of semaphore arrays start to increase till they reach the limit of 128 when mlogc is enabled. The support of the modified httpd suggested to compile modsecurity "--with-curl=no". The number of semaphore arrays is not increasing anymore.

Now my question is which impact will this option have on modsecurity/mlogc?

Thanks in advance,
Christian

From: <chr...@go...> - 2015-11-02 12:09:51

Dear developers,

I searched the mailing lists and google for my question, but didn't find anything. Hopefully this is the right place to ask my question.

We use a modified apache httpd (2.2.29) with modsecurity 2.9.0 on RHEL 6.6 (64bit). On graceful restarts of the httpd the number of semaphore arrays start to increase till they reach the limit of 128 when mlogc is enabled. The support of the modified httpd suggested to compile modsecurity "--with-curl=no". The number of semaphore arrays is not increasing anymore.

Now my question is which impact will this option have on modsecurity/mlogc?

Thanks in advance,
Christian

From: Phil D. <ux...@sp...> - 2015-10-28 17:26:07

Right, after stracing the process I found that a semop() call was failing so when I checked the semaphores I saw:

------ Semaphore Arrays Creators/Owners --------
semid      perms      cuid       cgid       uid        gid
0          600        root       root       4294967295 4294967295
32769      600        root       root       4294967295 4294967295
65538      600        root       root       4294967295 4294967295
98307      600        root       root       4294967295 4294967295

the problem being that the NGINX workers are running as the 'nginx' user therefore unable to write to the semaphore mutex. In https://github.com/SpiderLabs/ModSecurity/blob/master/standalone/server.c I have had to open the permissions up from 0600 to 0666:

buf.sem_perm.uid = ap_unixd_config.user_id;
buf.sem_perm.gid = ap_unixd_config.group_id;
buf.sem_perm.mode = 0666;

and once compiled and installed no more permission denied errors are generated by the geo lookup function. Hopefully this can be fixed as I do not like having to open up writes to the world, at least it is better than running NGINX as root!

Thanks, Phil

----- On 28 Oct, 2015, at 16:22, Phil Daws ux...@sp... wrote:

> as a test I changed the user that NGINX was running under to be 'root' and the
> issue disappeared but obviously cannot leave it that way.
>
> ----- On 28 Oct, 2015, at 15:28, Phil Daws ux...@sp... wrote:
>
>> Good day,
>>
>> I have modsecurity compiled against NGINX 1.9.5 and have enabled the Geo Lookup
>> capability. Am having an issue that for error url request an audit entry is
>> created with the following:
>>
>> Message: Geo Lookup: Failed to lock proc mutex: Permission denied
>>
>> What would cause that error please ? Thanks. Phil

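The access decision behind the `ipcs` rows in the message above, as an added example (not part of the original post, and neither ModSecurity nor kernel source): a simplified model of the Linux System V IPC permission check, applied to the reported set (created by root, owner uid/gid 4294967295, mode 0600), to the 0666 workaround, and to a set whose owner fields name the worker account. The numeric ids for the worker and for another local user are constructed, supplementary groups are ignored, and root is assumed to hold CAP_IPC_OWNER.

```c
/* Added illustration; a simplified model, not ModSecurity or kernel code. */
#include <stdio.h>
#include <sys/types.h>

#define ALTER_BIT 02u            /* the "write/alter" bit inside one rwx triplet */
#define UNSET_ID  4294967295u    /* owner uid/gid shown in the ipcs output */

/* Constructed ids: stand-ins for the 'nginx' worker and an unrelated user. */
#define WORKER_UID 990u
#define WORKER_GID 990u
#define OTHER_UID  1001u
#define OTHER_GID  1001u

struct sem_perm_view {           /* the columns printed by `ipcs -s -c` */
    uid_t cuid;  gid_t cgid;     /* creator */
    uid_t uid;   gid_t gid;      /* owner   */
    unsigned mode;               /* e.g. 0600 or 0666 */
};

/* Returns 1 if semop() may alter the set, 0 if it would fail with EACCES. */
static int may_alter(const struct sem_perm_view *p, uid_t euid, gid_t egid)
{
    unsigned granted;

    if (euid == 0)               /* assumption: root holds CAP_IPC_OWNER */
        return 1;
    if (euid == p->cuid || euid == p->uid)
        granted = (p->mode >> 6) & 07u;   /* user triplet  */
    else if (egid == p->cgid || egid == p->gid)
        granted = (p->mode >> 3) & 07u;   /* group triplet */
    else
        granted = p->mode & 07u;          /* other triplet */
    return (granted & ALTER_BIT) != 0;
}

/* A set created by root (as on the page) with the given owner and mode. */
static int can_lock(uid_t owner_uid, gid_t owner_gid, unsigned mode,
                    uid_t euid, gid_t egid)
{
    struct sem_perm_view p = { 0, 0, owner_uid, owner_gid, mode };
    return may_alter(&p, euid, egid);
}

int main(void)
{
    printf("%-34s worker=%d other=%d root=%d\n", "reported: owner unset, 0600",
           can_lock(UNSET_ID, UNSET_ID, 0600, WORKER_UID, WORKER_GID),
           can_lock(UNSET_ID, UNSET_ID, 0600, OTHER_UID, OTHER_GID),
           can_lock(UNSET_ID, UNSET_ID, 0600, 0, 0));
    printf("%-34s worker=%d other=%d root=%d\n", "workaround: owner unset, 0666",
           can_lock(UNSET_ID, UNSET_ID, 0666, WORKER_UID, WORKER_GID),
           can_lock(UNSET_ID, UNSET_ID, 0666, OTHER_UID, OTHER_GID),
           can_lock(UNSET_ID, UNSET_ID, 0666, 0, 0));
    printf("%-34s worker=%d other=%d root=%d\n", "owner = worker account, 0600",
           can_lock(WORKER_UID, WORKER_GID, 0600, WORKER_UID, WORKER_GID),
           can_lock(WORKER_UID, WORKER_GID, 0600, OTHER_UID, OTHER_GID),
           can_lock(WORKER_UID, WORKER_GID, 0600, 0, 0));
    return 0;
}
```

In this model 0666 lets every local account alter the set, while 0600 with the owner fields set to the worker account admits only that account and root.
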
From: Phil D. <ux...@sp...> - 2015-10-28 16:22:19

as a test I changed the user that NGINX was running under to be 'root' and the issue disappeared but obviously cannot leave it that way.

----- On 28 Oct, 2015, at 15:28, Phil Daws ux...@sp... wrote:

> Good day,
>
> I have modsecurity compiled against NGINX 1.9.5 and have enabled the Geo Lookup
> capability. Am having an issue that for error url request an audit entry is
> created with the following:
>
> Message: Geo Lookup: Failed to lock proc mutex: Permission denied
>
> What would cause that error please ? Thanks. Phil

From: Phil D. <ux...@sp...> - 2015-10-28 15:28:15

Good day,

I have modsecurity compiled against NGINX 1.9.5 and have enabled the Geo Lookup capability. Am having an issue that for error url request an audit entry is created with the following:

Message: Geo Lookup: Failed to lock proc mutex: Permission denied

What would cause that error please ? Thanks. Phil

From: Christian F. <chr...@ti...> - 2015-10-18 19:01:30

Thank you Zimmerle.

That's an exact summary of the talk and the decisions.

There is a typo with "Lua 3.0". It's "Lua 5.3" if I'm not mistaken.

Ahoj,

Christian

On Fri, Oct 16, 2015 at 03:57:47PM +0000, Felipe Costa wrote:
> Hi,
>
> Thank you all that participated in our first community meeting.
>
> The meeting minutes are available here:
> https://www.modsecurity.org/developers/meetings/modsecurity.2015-10-14-19.06.html
>
> Please let me know if something is missing.
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com

From: Felipe C. <FC...@tr...> - 2015-10-16 15:57:58

Hi,

Thank you all that participated in our first community meeting.

The meeting minutes are available here:
https://www.modsecurity.org/developers/meetings/modsecurity.2015-10-14-19.06.html

Please let me know if something is missing.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Christian F. <chr...@ti...> - 2015-10-14 10:49:21

Hello José,

You are writing to the developer list of ModSecurity. The question you are asking is obviously answered in the documentation.

When you go to http://www.modsecurity.org, there is a tab named documentation. Under this tab, there is a link to a "Reference Manual". This is where the meaning of the fields in the log are explained.

It seems you did not find these links. Are they hard to find? Where did you look?

If things are still unclear after reading the docs, then please turn to the ModSecurity user mailing list and ask the question there.

regs,

Christian Folini

On Wed, Oct 14, 2015 at 12:38:32PM +0200, José Ignacio García Marina wrote:
> Hello everyone.
> I write because I have a list of the fields in a log of a modsecurity we have installed and want to know what's the meaning of each of the fields. Is it written on the modsecurity website? Is there a place where I can check?
> Kind regards.

From: José I. G. M. <jig...@ho...> - 2015-10-14 10:38:40

Hello everyone.

I write because I have a list of the fields in a log of a modsecurity we have installed and want to know what's the meaning of each of the fields. Is it written on the modsecurity website? Is there a place where I can check?

Kind regards.

From: Felipe C. <FC...@tr...> - 2015-10-13 20:04:38

Hi,

Just a reminder that our meeting will take place tomorrow at 7 UTC.

Please join #modsecurity at freenode. My nickname is zimmerle.

Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On 10/9/15, 4:29 PM, "Felipe Costa" <FC...@tr...> wrote:

>Hi Christian,
>
>Poll is open for 14th (Wed), so far the result is:
>
>http://doodle.com/poll/trgndmt946qyheid
>
>Br,
>Felipe "Zimmerle" Costa
>Security Researcher, SpiderLabs
>
>Trustwave | SMART SECURITY ON DEMAND
>www.trustwave.com
>
>On 10/8/15, 1:37 AM, "Christian Folini" <chr...@ti...> wrote:
>
>>Felipe,
>>
>>So, did the Doodle Poll lead to a conclusive result? When is the
>>first dev community meeting happening?
>>
>>Ahoj,
>>
>>Christian
>>
>>On Tue, Sep 29, 2015 at 06:15:36PM +0000, Felipe Costa wrote:
>>> Hi Guys,
>>>
>>> Here goes the Doodle link:
>>> http://doodle.com/poll/trgndmt946qyheid
>>>
>>> Christian: I am afraid that the agenda will be too big. What about
>>> two different meetings: One for ModSecurity core and another one
>>> for the OWASP rules. There are a lot of new stuff about ModSecurity v3 :)
>>>
>>> Adding Sanders in the loop...
>>>
>>> Br,
>>> Felipe "Zimmerle" Costa
>>> Security Researcher, SpiderLabs
>>>
>>> Trustwave | SMART SECURITY ON DEMAND
>>> www.trustwave.com
>>>
>>> On 9/28/15, 12:32 AM, "Christian Folini" <chr...@ti...> wrote:
>>>
>>> >Hello,
>>> >
>>> >The agenda sounds good with me.
>>> >
>>> >Am I right, the core rules are out of scope for this
>>> >dev meeting? Keeping them out makes a lot of sense.
>>> >But then the core rules are the thing that make
>>> >ModSec useful for most people and the core rules
>>> >would benefit from coverage in such a meeting a
>>> >lot. As a separate meeting is not feasible, I ask
>>> >you to consider their inclusion.
>>> >
>>> >Oct 15, 20:00 UTC does not really work for me.
>>> >
>>> >How about a doodle?
>>> >http://doodle.com/
>>> >
>>> >Ahoj,
>>> >
>>> >Christian
>>> >
>>> >On Tue, Sep 22, 2015 at 02:49:11PM +0000, Felipe Costa wrote:
>>> >> Hi,
>>> >>
>>> >> My suggestion for an agenda is to go over the open pull requests and
>>> >> issues to classify
>>> >> the most important ones considering the community point of view.
>>> >>
>>> >> One specific point I think we should discuss is the format for the JSON
>>> >> audit logging,
>>> >> for that you would like to invite the authors of AuditConsole, WAF-FLE and
>>> >> Robert.
>>> >> Robert (https://github.com/p0pr0ck5) recently sent as a patch to make
>>> >> ModSecurity 2.9
>>> >> able to save logs in JSON, in libmodsecurity we have a different format.
>>> >>
>>> >> I also would like to explain a little bit about libModSecurity and how it
>>> >> can get it
>>> >> working on Apache.
>>> >>
>>> >> - https://github.com/SpiderLabs/ModSecurity/tree/libmodsecurity
>>> >>
>>> >> Is there anything that you think we can add to the agenda?
>>> >>
>>> >> October 15, sounds a good date? 20:00 UTC is good for everyone?
>>> >>
>>> >> Br,
>>> >> Felipe "Zimmerle" Costa
>>> >> Security Researcher, SpiderLabs
>>> >>
>>> >> Trustwave | SMART SECURITY ON DEMAND
>>> >> www.trustwave.com
>>> >>
>>> >> From: Kurt Seifried <kse...@re...>
>>> >> Date: Monday, September 21, 2015 at 1:28 PM
>>> >> To: "mar...@ap..." <mar...@ap...>,
>>> >> "mod...@li..." <mod...@li...>
>>> >> Cc: Felipe Costa <fc...@tr...>, Ryan Barnett <rya...@ow...>
>>> >> Subject: Re: [Mod-security-developers] ModSecurity(-dev) community meeting
>>> >>
>>> >> On Mon, Sep 21, 2015 at 5:34 AM, Marc Stern <mar...@ap...> wrote:
>>> >>
>>> >> Very good idea.
>>> >> Skype is also an option, no? Voice, screen sharing, ...
>>> >>
>>> >> Does not scale well, difficult to get a proper transcript (reading is
>>> >> always faster than listening to audio/video, plus it is searchable). For
>>> >> 1:1 or a handful of people sure, but not for larger meetings.
>>> >>
>>> >> Marc Stern
>>> >> Senior Information Security Consultant - Head of Security Consulting
>>> >> Approach Belgium - http://www.approach.be
>>> >>
>>> >> Date: Fri, 18 Sep 2015 14:17:28 +0000
>>> >> From: Felipe Costa <FC...@tr...>
>>> >> Subject: [Mod-security-developers] ModSecurity(-dev) community meeting
>>> >> To: "mod...@li..." <mod...@li...>
>>> >> Cc: Ryan Barnett <rya...@ow...>
>>> >> Message-ID: <D221A346.1478D%fc...@tr...>
>>> >>
>>> >> Hi Guys,
>>> >>
>>> >> I would like to know if you are interested to participate in a monthly
>>> >> meeting
>>> >> about the status of ModSecurity Open Source project (Issues, Pending merge
>>> >> requests,
>>> >> new features and etc?).
>>> >>
>>> >> Could be in the same format used in other open source projects, such as
>>> >> AppArmor:
>>> >> http://wiki.apparmor.net/index.php/MeetingAgenda
>>> >>
>>> >> We can use IRC or Hangout.
>>> >>
>>> >> Thanks,
>>> >> Felipe "Zimmerle" Costa
>>> >> Security Researcher, SpiderLabs
>>> >>
>>> >> --
>>> >> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>>> >> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>> >> Red Hat Product Security contact: sec...@re...
>>> >> >>> >> >>> >>>>>---------------------------------------------------------------------- >>>>>- >>>>>-- >>> >>----- >>> >> _______________________________________________ >>> >> mod-security-developers mailing list >>> >> mod...@li... >>> >> >>> >>>>>http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-s >>>>>N >>>>>Y0 >>> >>>>>kqGCd7IpA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flist >>>>>i >>>>>nf >>> >>o%2fmod-security-developers >>> >> ModSecurity Services from Trustwave's SpiderLabs: >>> >> https://www.trustwave.com/spiderLabs.php >>> > >>> >>>>----------------------------------------------------------------------- >>>>- >>>>-- >>> >---- >>> >_______________________________________________ >>> >mod-security-developers mailing list >>> >mod...@li... >>> >>>>http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-sN >>>>Y >>>>0k >>> >>>>qGCd7IpA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistin >>>>f >>>>o% >>> >2fmod-security-developers >>> >ModSecurity Services from Trustwave's SpiderLabs: >>> >https://www.trustwave.com/spiderLabs.php >>> >>> >>> ________________________________ >>> >>> This transmission may contain information that is privileged, >>>confidential, and/or exempt from disclosure under applicable law. If you >>>are not the intended recipient, you are hereby notified that any >>>disclosure, copying, distribution, or use of the information contained >>>herein (including any reliance thereon) is strictly prohibited. If you >>>received this transmission in error, please immediately contact the >>>sender and destroy the material in its entirety, whether in electronic >>>or hard copy format. >>> >>>------------------------------------------------------------------------ >>>- >>>----- >>> _______________________________________________ >>> mod-security-developers mailing list >>> mod...@li... 
>>> >>>http://scanmail.trustwave.com/?c=4062&d=ofOV1nQOTw2ixkgHoSoPFqmZGnYxfbc1 >>>Q >>>z6Rdpmv_A&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistin >>>f >>>o%2fmod-security-developers >>> ModSecurity Services from Trustwave's SpiderLabs: >>> https://www.trustwave.com/spiderLabs.php >> >>------------------------------------------------------------------------- >>- >>---- >>_______________________________________________ >>mod-security-developers mailing list >>mod...@li... >>http://scanmail.trustwave.com/?c=4062&d=ofOV1nQOTw2ixkgHoSoPFqmZGnYxfbc1Q >>z >>6Rdpmv_A&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo >>% >>2fmod-security-developers >>ModSecurity Services from Trustwave's SpiderLabs: >>https://www.trustwave.com/spiderLabs.php > > >________________________________ > >This transmission may contain information that is privileged, >confidential, and/or exempt from disclosure under applicable law. If you >are not the intended recipient, you are hereby notified that any >disclosure, copying, distribution, or use of the information contained >herein (including any reliance thereon) is strictly prohibited. If you >received this transmission in error, please immediately contact the >sender and destroy the material in its entirety, whether in electronic or >hard copy format. >-------------------------------------------------------------------------- >---- >_______________________________________________ >mod-security-developers mailing list >mod...@li... >http://scanmail.trustwave.com/?c=4062&d=0pWY1lLS3NLJyy6Wge1s7L1-EJSF2sqz1l >VC1I_pQQ&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo% >2fmod-security-developers >ModSecurity Services from Trustwave's SpiderLabs: >https://www.trustwave.com/spiderLabs.php ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. 
If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
From: Felipe C. <FC...@tr...> - 2015-10-09 19:30:04
|
Hi Christian,

Poll is open for 14th (Wed), so far the result is:
http://doodle.com/poll/trgndmt946qyheid

Br,
Felipe “Zimmerle” Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 10/8/15, 1:37 AM, "Christian Folini" <chr...@ti...> wrote:

>Felipe,
>
>So, did the Doodle Poll lead to a conclusive result? When is the
>first dev community meeting happening?
>
>Ahoj,
>
>Christian
>
>On Tue, Sep 29, 2015 at 06:15:36PM +0000, Felipe Costa wrote:
>> Hi Guys,
>>
>> Here goes the Doodle link:
>> http://scanmail.trustwave.com/?c=4062&d=ofOV1nQOTw2ixkgHoSoPFqmZGnYxfbc1Qziafp2tqg&s=5&u=http%3a%2f%2fdoodle%2ecom%2fpoll%2ftrgndmt946qyheid
>>
>> Christian: I am afraid that the agenda will be too big. What about
>> two different meetings: One for ModSecurity core and another one
>> for the OWASP rules. There are a lot of new stuff about ModSecurity v3 :)
>>
>> Adding Sanders in the loop...
>>
>> Br,
>> Felipe “Zimmerle” Costa
>> Security Researcher, SpiderLabs
>>
>> Trustwave | SMART SECURITY ON DEMAND
>> www.trustwave.com <http://www.trustwave.com/>
>>
>> On 9/28/15, 12:32 AM, "Christian Folini" <chr...@ti...> wrote:
>>
>> >Hello,
>> >
>> >The agenda sounds good with me.
>> >
>> >Am I right, the core rules are out of scope for this
>> >dev meeting? Keeping them out makes a lot of sense.
>> >But then the core rules are the thing that make
>> >ModSec useful for most people and the core rules
>> >would benefit from coverage in such a meeting a
>> >lot. As a separate meeting is not feasible, I ask
>> >you to consider their inclusion.
>> >
>> >Oct 15, 20:00 UTC does not really work for me.
>> >
>> >How about a doodle?
|
From: Christian F. <chr...@ti...> - 2015-10-08 04:39:31
|
Felipe,

So, did the Doodle Poll lead to a conclusive result? When is the
first dev community meeting happening?

Ahoj,

Christian

On Tue, Sep 29, 2015 at 06:15:36PM +0000, Felipe Costa wrote:
> Hi Guys,
>
> Here goes the Doodle link:
> http://doodle.com/poll/trgndmt946qyheid
>
> Christian: I am afraid that the agenda will be too big. What about
> two different meetings: One for ModSecurity core and another one
> for the OWASP rules. There are a lot of new stuff about ModSecurity v3 :)
>
> Adding Sanders in the loop...
>
> Br,
> Felipe “Zimmerle” Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
> On 9/28/15, 12:32 AM, "Christian Folini" <chr...@ti...> wrote:
>
> >Hello,
> >
> >The agenda sounds good with me.
> >
> >Am I right, the core rules are out of scope for this
> >dev meeting? Keeping them out makes a lot of sense.
> >But then the core rules are the thing that make
> >ModSec useful for most people and the core rules
> >would benefit from coverage in such a meeting a
> >lot. As a separate meeting is not feasible, I ask
> >you to consider their inclusion.
> >
> >Oct 15, 20:00 UTC does not really work for me.
> >
> >How about a doodle?
> >http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-sNY0kmGVNzJ-Q&s=5&u=http%3a%2f%2fdoodle%2ecom%2f
> >
> >Ahoj,
> >
> >Christian
> >
> >On Tue, Sep 22, 2015 at 02:49:11PM +0000, Felipe Costa wrote:
> >> Hi,
> >>
> >> My suggestion for an agenda is to go over the open pull requests and
> >> issues to classify the most important ones considering the community
> >> point of view.
> >>
> >> One specific point I think we should discuss is the format for the JSON
> >> audit logging, for that you would like to invite the authors of
> >> AuditConsole, WAF-FLE and Robert.
> >> Robert (http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-sNY0kuDB4ia9g&s=5&u=https%3a%2f%2fgithub%2ecom%2fp0pr0ck5)
> >> recently sent as a patch to make ModSecurity 2.9 able to save logs in
> >> JSON, in libmodsecurity we have a different format.
> >>
> >> I also would like to explain a little bit about libModSecurity and how
> >> it can get it working on Apache.
> >>
> >> - http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-sNY0hiDVdOd9w&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2ftree%2flibmodsecurity
> >>
> >> Is there anything that you think we can add to the agenda?
> >>
> >> October 15, sounds a good date? 20:00 UTC is good for everyone?
> >>
> >> Br,
> >> Felipe “Zimmerle” Costa
> >> Security Researcher, SpiderLabs
> >>
> >> Trustwave | SMART SECURITY ON DEMAND
> >> www.trustwave.com <http://www.trustwave.com/>
> >>
> >> From: Kurt Seifried <kse...@re...>
> >> Date: Monday, September 21, 2015 at 1:28 PM
> >> To: "mar...@ap..." <mar...@ap...>, "mod...@li..." <mod...@li...>
> >> Cc: Felipe Costa <fc...@tr...>, Ryan Barnett <rya...@ow...>
> >> Subject: Re: [Mod-security-developers] ModSecurity(-dev) community meeting
> >>
> >> On Mon, Sep 21, 2015 at 5:34 AM, Marc Stern <mar...@ap...> wrote:
> >>
> >> Very good idea.
> >> Skype is also an option, no? Voice, screen sharing, ...
> >>
> >> Does not scale well, difficult to get a proper transcript (reading is
> >> always faster than listening to audio/video, plus it is searchable). For
> >> 1:1 or a handful of people sure, but not for larger meetings.
> >>
> >> Marc Stern
> >> Senior Information Security Consultant - Head of Security Consulting
> >> Approach Belgium - http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-sNY0hmMBoucoA&s=5&u=http%3a%2f%2fwww%2eapproach%2ebe
> >> Axis Park - Rue Edouard Belin 7 - 1435 Louvain-la-Neuve (Mont-Saint-Guibert) - Belgium
> >> LinkedIn <http://scanmail.trustwave.com/?c=4062&d=mLCA1vH6Qk9TDnIbSGsfFdbbfQ6_Rjz_Yb5HWfPgOQ&s=5&u=http%3a%2f%2fwww%2elinkedin%2ecom%2fin%2fmarcstern>
> >>
> >> Date: Fri, 18 Sep 2015 14:17:28 +0000
> >> From: Felipe Costa <FC...@tr...>
> >> Subject: [Mod-security-developers] ModSecurity(-dev) community meeting
> >> To: "mod...@li..." <mod...@li...>
> >> Cc: Ryan Barnett <rya...@ow...>
> >> Message-ID: <D221A346.1478D%fc...@tr...>
> >>
> >> Hi Guys,
> >>
> >> I would like to know if you are interested to participate in a monthly
> >> meeting about the status of ModSecurity Open Source project (Issues,
> >> Pending merge requests, new features and etc?).
> >>
> >> Could be in the same format used in other open source projects, such as
> >> AppArmor:
> >> http://scanmail.trustwave.com/?c=4062&d=2bSI1jUdGz4klozny2jghgMn0VCy-sNY0h7UB4nL9g&s=5&u=http%3a%2f%2fwiki%2eapparmor%2enet%2findex%2ephp%2fMeetingAgenda
> >>
> >> We can use IRC or Hangout.
> >>
> >> Thanks,
> >> Felipe “Zimmerle” Costa
> >> Security Researcher, SpiderLabs
> >>
> >> --
> >> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> >> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> >> Red Hat Product Security contact: sec...@re...
|
From: Christian F. <chr...@ti...> - 2015-10-01 21:00:15
|
Kurt,

On Thu, Oct 01, 2015 at 08:52:48AM -0600, Kurt Seifried wrote:
> Sorry I should have been more explicit, my concern is integration testing
> more, e.g. we have a layered product sitting on top of Red Hat Enterprise
> Linux (e.g. Satellite Server, CloudForms, OpenStack, whatever), if I put
> mod_security in front of it I need to test that the whole stack works
> together, obviously one aspect of that is "Real world" testing, but in
> order to avoid false negatives (e.g. a test passes, but maybe mod_security
> didn't block it properly and some nasty data managed to get through to the
> backend) I need some simple ways to ensure I can test for false negatives
> and false positives

Through the years I used various approaches to achieve this. In the end I returned to a self-written testsuite that uses ruby unit-testing to fire requests at Apache/ModSec and expects certain responses.

I use this to test anything from simple requests to multi-step logins (expecting a session cookie at the end of the process); legitimate requests and expected blockings.

Whenever I write custom rules for the service I add more test requests. Those that should pass, and those that should be blocked.

When a pen-test finds a weakness and we need to block an exploit in ModSecurity, the exact vector of the pen-test is added to the test suite. This makes sure the virtual patch is not disappearing in a future release of the service.

I am not sure how I would scale this for a larger installation, but for small standalone services, it works nicely, and I can give my customers a ring, if their service suddenly reintroduces old bugs.

Just my 2 cents.

Ahoj,

Christian

--
I have always observed that to succeed in the world one should appear like a fool but be wise.
-- Charles de Montesquieu
|
From: Kurt S. <kse...@re...> - 2015-10-01 14:52:57
|
On Thu, Oct 1, 2015 at 8:11 AM, Felipe Costa <FC...@tr...> wrote:
> Hi Kurt,
>
> At this point that particular question has too many answers :) There are
> few ways to test if an operator is behaving in the way you expect. The
> methods are described below.

Sorry I should have been more explicit, my concern is integration testing more, e.g. we have a layered product sitting on top of Red Hat Enterprise Linux (e.g. Satellite Server, CloudForms, OpenStack, whatever), if I put mod_security in front of it I need to test that the whole stack works together, obviously one aspect of that is "Real world" testing, but in order to avoid false negatives (e.g. a test passes, but maybe mod_security didn't block it properly and some nasty data managed to get through to the backend) I need some simple ways to ensure I can test for false negatives and false positives (e.g. a highly simplistic app that echoes what it got directly back so there is no doubt if mod_security blocked it or not).

In theory this kind of stuff shouldn't happen with proper testing methodology, but my job is not to plan for the happy scenario, it's to plan for the failure scenario =). Belt AND suspenders and all that.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: sec...@re... |
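The approach described in the two messages above (an echo backend that leaves no doubt whether a request got through, plus a suite of must-pass and must-block requests), as an added example that is not code from either poster or from the ModSecurity project. `StandInFront` is a constructed stand-in for the Apache/ModSecurity front end with one toy pattern, and every class name, payload and the `nonce` parameter is an assumption; against a real stack `front.call` would be an HTTP request to the protected service.

```ruby
require "cgi"
require "securerandom"

# Echo backend: returns what it received and keeps a record of it, so a test
# can tell from two sides whether a request reached the application.
class EchoBackend
  attr_reader :seen

  def initialize
    @seen = []
  end

  def call(body)
    @seen << body
    [200, "ECHO:#{body}"]
  end
end

# Constructed stand-in for the filtering front end (NOT ModSecurity). It
# rejects bodies that match one toy pattern and forwards everything else.
# detection_only: true mimics a filter that matches but does not block.
class StandInFront
  def initialize(backend, detection_only: false)
    @backend = backend
    @detection_only = detection_only
  end

  def call(body)
    matched = CGI.unescape(body).match?(/<script\b/i)
    return [403, "Forbidden"] if matched && !@detection_only

    @backend.call(body)
  end
end

# expect is :pass (legitimate request) or :block (must never reach the app).
WafCase = Struct.new(:name, :payload, :expect)

# Constructed sample requests; a vector from a pen-test would be added here.
CASES = [
  WafCase.new("plain search term", "satellite server", :pass),
  WafCase.new("legitimate text naming a tag", "how do I close a <script> tag?", :pass),
  WafCase.new("script tag probe", "<script>alert(1)</script>", :block)
].freeze

# Sends one case tagged with a fresh nonce and classifies the outcome from
# the response status, the echoed body and the backend's own record.
def run_case(front, backend, tcase)
  nonce = SecureRandom.hex(8)
  status, response = front.call("nonce=#{nonce}&q=#{CGI.escape(tcase.payload)}")
  reached = backend.seen.any? { |b| b.include?(nonce) }
  echoed = response.include?(nonce)

  verdict =
    if tcase.expect == :block
      if reached then :false_negative        # data got through, whatever the status
      elsif status == 403 then :ok
      else :inconclusive                     # neither a 403 nor delivered
      end
    elsif status == 403 then :false_positive # legitimate request rejected
    elsif reached && echoed then :ok
    else :inconclusive
    end

  { name: tcase.name, status: status, reached: reached, verdict: verdict }
end

def run_suite(detection_only: false)
  backend = EchoBackend.new
  front = StandInFront.new(backend, detection_only: detection_only)
  CASES.map { |tcase| run_case(front, backend, tcase) }
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |mode|
    puts "detection_only=#{mode}"
    run_suite(detection_only: mode).each { |r| puts "  #{r[:verdict]}  #{r[:name]} (HTTP #{r[:status]})" }
  end
end
```

With the stand-in blocking, the second case shows up as a false positive of the toy pattern; with `detection_only: true` the probe is reported as a false negative because the backend recorded its nonce.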
From: Felipe C. <FC...@tr...> - 2015-10-01 14:11:38
|
Hi Kurt,

At this point that particular question has too many answers :) There are few ways to test if an operator is behaving in the way you expect. The methods are described below.

1) Unit tests.

The unit test suite contains tests for specific operators, as you can see here:
https://github.com/SpiderLabs/ModSecurity/tree/master/tests/op

If you have compiled ModSecurity on your own, you should have a binary inside the test directory that you can run to execute the tests described in the ".t" files. This method does not involve executing the web server, rather it tests the operator hooking the method that will be used by Apache, so it produces very fast results.

2) Regression tests.

If you want to test it inside Apache (or nginx) you can write a regression test, as demonstrated here:
https://github.com/SpiderLabs/ModSecurity/blob/master/tests/regression/misc/00-multipart-parser.t

There is a perl script that you can execute to run those regression tests. Those start an instance of the web server and analyze the output of the *logs* to consider a test valid or not. The regression tests are slower than the unit tests, but necessary if you want to play with the variables.

3) Using the libmodsecurity

For the libmodsecurity [1] we also have the "unit tests" and "regression tests", the big difference is that the regression tests do not demand a server to be started, so it produces faster results. The request can be mimicked inside a JSON:
https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/test/test-cases/regression/variable-REQUEST_BODY.json

I have my own dirty script to convert from Wireshark to this JSON format (will be published soon, as soon as I polish it a little bit)

4) Using libinjection test suite

For this particular operator you can use the libinjection test suite:
https://github.com/client9/libinjection/tree/master/tests

Not sure if Nick Galbreath is on the list, if so, he can give you more details about it.

[1] https://github.com/SpiderLabs/ModSecurity/tree/libmodsecurity

Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/> |
From: Kurt S. <kse...@re...> - 2015-10-01 02:49:55
|
Stupid question but is there a simple and good test suite for mod_security, e.g. I've whipped up a few tiny php scripts with wget to trigger them to do things like echo back GET/POST/JSON so I can confirm if @detectXSS blocking is behaving in general or not.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: sec...@re... |
From: Christian F. <chr...@ti...> - 2015-09-29 19:20:13
|
Hello!

On Tue, Sep 29, 2015 at 06:15:36PM +0000, Felipe Costa wrote:
> Here goes the Doodle link:
> http://doodle.com/poll/trgndmt946qyheid

Great. Thanks.

> Christian: I am afraid that the agenda will be too big. What about
> two different meetings: One for ModSecurity core and another one
> for the OWASP rules. There are a lot of new stuff about ModSecurity v3 :)

Thought so. I think starting out with two meetings is risky. Better start with a dev meeting and make sure it really works like once a month or every two months, then in a 2nd step think about a separate core rules meeting or how to integrate them. Especially now, that the agenda is so big. Maybe the agenda gives room for the core rules after the 2nd or 3rd dev meeting.

Ahoj,

Christian

--
The world is changed by our example, not by our opinion.
-- Probably by Paulo Coelho |
From: Felipe C. <FC...@tr...> - 2015-09-29 18:15:46
|
Hi Guys,

Here goes the Doodle link:
http://doodle.com/poll/trgndmt946qyheid

Christian: I am afraid that the agenda will be too big. What about two different meetings: One for ModSecurity core and another one for the OWASP rules. There are a lot of new stuff about ModSecurity v3 :)

Adding Sanders in the loop...

Br,
Felipe “Zimmerle” Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/> |
From: Christian F. <chr...@ti...> - 2015-09-28 03:32:18
|
Hello,

The agenda sounds good with me.

Am I right, the core rules are out of scope for this dev meeting? Keeping them out makes a lot of sense. But then the core rules are the thing that make ModSec useful for most people and the core rules would benefit from coverage in such a meeting a lot. As a separate meeting is not feasible, I ask you to consider their inclusion.

Oct 15, 20:00 UTC does not really work for me.

How about a doodle?
http://doodle.com/

Ahoj,

Christian |
From: Marc S. <mar...@ap...> - 2015-09-23 12:31:05
|
Not possible for me on October 15. 14 is OK Marc |
From: Felipe C. <FC...@tr...> - 2015-09-22 14:49:23
|
Hi,

My suggestion for an agenda is to go over the open pull requests and issues to classify the most important ones considering the community point of view.

One specific point I think we should discuss is the format for the JSON audit logging, for that you would like to invite the authors of AuditConsole, WAF-FLE and Robert. Robert (https://github.com/p0pr0ck5) recently sent as a patch to make ModSecurity 2.9 able to save logs in JSON, in libmodsecurity we have a different format.

I also would like to explain a little bit about libModSecurity and how it can get it working on Apache.

- https://github.com/SpiderLabs/ModSecurity/tree/libmodsecurity

Is there anything that you think we can add to the agenda?

October 15, sounds a good date? 20:00 UTC is good for everyone?

Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/> |
From: Kurt S. <kse...@re...> - 2015-09-21 16:28:15
|
On Mon, Sep 21, 2015 at 5:34 AM, Marc Stern <mar...@ap...> wrote:
> Very good idea.
> Skype is also an option, no? Voice, screen sharing, ...

Does not scale well, difficult to get a proper transcript (reading is always faster than listening to audio/video, plus it is searchable). For 1:1 or a handful of people sure, but not for larger meetings.

> *Marc Stern*
> Senior Information Security Consultant - Head of Security Consulting
> Approach Belgium - www.approach.be
> Axis Park - Rue Edouard Belin 7 - 1435 Louvain-la-Neuve
> (Mont-Saint-Guibert) - Belgium
> LinkedIn <http://www.linkedin.com/in/marcstern>
>
> Date: Fri, 18 Sep 2015 14:17:28 +0000
> From: Felipe Costa <FC...@tr...>
> Subject: [Mod-security-developers] ModSecurity(-dev) community meeting
> To: "mod...@li..." <mod...@li...>
> Cc: Ryan Barnett <rya...@ow...>
> Message-ID: <D221A346.1478D%fc...@tr...>
>
> Hi Guys,
>
> I would like to know if you are interested to participate in a monthly
> meeting about the status of ModSecurity Open Source project (Issues,
> Pending merge requests, new features and etc?).
>
> Could be in the same format used in other open source projects, such as
> AppArmor: http://wiki.apparmor.net/index.php/MeetingAgenda
>
> We can use IRC or Hangout.
>
> Thanks,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: sec...@re... |